  1. Mar 22, 2024 · University researchers have found an unpatchable security flaw in Apple Silicon Macs, which would allow an attacker to break encryption and get access to cryptographic keys. The flaw is present in...

  2. Mar 22, 2024 · (Image credit: Tom's Guide) Researchers have discovered a new unpatchable security flaw that can break encryption on the best MacBooks if exploited by an attacker. As reported by 9To5Mac, this...

    • Anthony Spadafora
  4. Jan 21, 2024 · Apple has confirmed that a new GPU vulnerability is present in the M2 MacBook Air, and could be present in other Apple devices. MacBook Air at WWDC22 (Photo by Justin Sullivan/Getty Images) The ...

    • Overview
    • Is patching effective?
    • How does Pegasus spyware work?
    • Who is being targeted?
    • How secure is Apple, and how does it compare to Android?
    • So, how can we stay protected?

    By Toby Lewis

    published 20 September 2021

    Latest update and advice on the Pegasus hack

    News that users of Apple devices were vulnerable to spyware broke this week after a security flaw was identified in the company’s operating system, requiring an urgent software patch across all of its devices, including iPads and iPhones. This development is yet another reminder that even the most widely used, and highly regarded, technologies are vulnerable to compromise by capable hackers. We must urgently accept this reality and fix fundamental problems.

    What’s clear is that the way we have done security for the last twenty years is just not good enough against today’s cyber threats.

    Once Apple was notified of the exploit, they moved incredibly quickly to implement a patch. Apple’s speed underscores both the gravity of the discovery and Apple’s commitment to security.

    But today, patching is a never-ending game of whack-a-mole. The complexity of the digital world is such that complete visibility is incredibly difficult to achieve – perhaps impossible for humans to do alone. Attackers are innovative and increasingly professional in their approach, coming at organizations from all angles and investing both time and money into finding new entry points. As soon as defenders patch a vulnerability, a new one is identified.

    What’s more, whilst patching addresses the vulnerability, it cannot mitigate a vulnerability that has already been exploited or a breach that has already happened. It cannot interrupt an attack which has successfully begun moving within the system and exfiltrating sensitive data.

    Patching by itself is also an inadequate defense because it only deals with known vulnerabilities, and is always effectively one step behind. What about the unknown weaknesses which have not yet been spotted?

    In today’s threat landscape, human security teams cannot be expected to anticipate every single way their technology could be exploited.  

    Pegasus uses a range of exploits to gain access to a device and these can be tailored to the target or attack campaign. Fundamentally, its users have access to a range of Apple and Android vulnerabilities that would allow them to exploit a range of native applications – often as simple as trying to open a file sent in an email or over text message, or clicking on a link that opens in Safari or another web browser.

    In this case, the exploit identified was “zero-click”, meaning a recipient of a malicious message would not even have to open the attachment for their device to be infected. The exploit would allow the hackers to run their own code – including installing the spyware component of Pegasus.

    Exploits like these are highly sophisticated and, unsurprisingly, individuals who have access to highly classified or confidential information – such as intelligence officers, politicians and reporters – are the key targets. We live in a world where high profile individuals must accept that their name is on a target list somewhere.

    By selling a commercially available cyber espionage toolkit, NSO have lowered the technical bar for organizations to conduct cyber-attacks against their targets, providing high-end nation state capability to whoever can pay the bill. And as we see with the red teaming tool Cobalt Strike, it’s only a matter of time before a cracked version is made available online. So while these attacks might not seem like an immediate threat to the average Apple user, once these tools are created they can spread like wildfire.

    For example, criminal attackers could use the access to steal personal data for bigger campaigns – to defraud victims, or potentially even to instigate a mass user lockout to demand payment in a form of ransomware attack.

    Once spyware is invented the cat is out of the bag. It can be sold and proliferate quickly globally. If it gets into the wrong hands, it will be used nefariously and potentially against a broader group of targets. We have to accept that when it comes to hacking tools the genie is out of the bottle – and innovative attackers will always find a way in.

    Companies like Apple are an incredibly attractive target for attackers; its technology and devices are ubiquitous across society.

    From navigating with maps to accessing our bank accounts, smart devices have become part of the fabric of our daily lives and hold swathes of personal data.

    Apple’s security architecture is predicated on a so-called “walled garden” where the underlying operating system on the phone is completely inaccessible to any third-party applications. These applications can only be installed via the official App Store and are run from a compartmentalized area of storage and processing.

    Given the high degree of vetting for applications in the App Store, the only real way for malware to become installed on an Apple device is by exploiting the underlying operating system – a process often referred to as jailbreaking. 

    Android’s architecture, on the other hand, gives users greater freedom to install whatever applications they like, without some of the protections afforded by Apple. Even via the official Google Play app store, there is only limited vetting and moderation, increasing the risk of malware being installed without the need for such a clever exploit. Despite this, Pegasus still comes loaded with Android-specific exploits akin to those used to target Apple devices.

    Overall, Apple has a great track record of working with researchers to identify exploits which they then quickly patch. But that doesn’t necessarily help those customers who may have been exploited before they have a chance to react.

    Patching is an incredibly important part of basic cyber hygiene, protecting an organization and technology users from known vulnerabilities. However, it has limited capacity against novel, sophisticated attacks, and hackers today create new attacks faster than defenders can patch against them.

    Any modern business or high-profile individual will be on a hit list, but once malware proliferates any smart phone user could be the next victim. Technology is an enabler and opens up bountiful opportunities for transforming the way we operate and communicate, but it also introduces security risks – this is a fact of modern, digitized society that we must accept.

    There is no way we can stop hackers successfully gaining entry to critical systems but what we can do is interrupt the threat, as soon as hackers gain entry, to minimize disruption and stop personal data falling into the wrong hands. Self-Learning AI allows organizations to detect malicious activity on employee devices before sensitive information is accessed and exfiltrated. Ultimately, cutting-edge technology is the key to combatting these threats – humans are outpaced and autonomous action at machine speed is necessary to identify and disrupt the threat before it is too late.

    • Toby Lewis
  5. Jun 1, 2016 · Myspace has revealed in an official announcement that it was the victim of a major data breach. The incident took place a few years ago and is thought to have affected close to 360 million accounts. Myspace’s technical security team confirmed that information that was being offered on an online forum is genuine. Myspace, which is a Time […]

  6. Mar 22, 2024 · Friday March 22, 2024 5:19 am PDT by Tim Hardwick. An unpatchable vulnerability has been discovered in Apple's M-series chips that allows attackers to extract secret encryption keys from Macs under...

  7. Jul 17, 2017 · Whoops! The Hack. Security researcher Leigh-Anne Galloway notified Myspace about the flaw in April, and published details about it on Monday after failing to receive a substantive response. The...
