Hackers target Apple devices.
Tech giant’s devices do have a reputation for security, but they are not invulnerable
Apple’s devices have a well-deserved reputation for security.
But if it wasn’t clear before, it should be now: They’re not invulnerable. And, in fact, they’ve become a prime target for hackers.
That was loud and clear Thursday with the news that a major trio of vulnerabilities — dubbed “Trident” by security researchers — had been discovered in iOS, the operating system underlying the iPhone and iPad. Apple already has a patch out, but reports indicate that the vulnerability has been around potentially for years and has been exploited.
Before I go any farther, if you have an iPhone or other
iOS device and haven’t yet installed the update Apple issued Thursday, do so right away. The security flaws it fixes are particularly dangerous and could allow a hacker to do some pretty scary stuff with your phone, such as viewing your text messages, listening in on your calls and reading your email — all without your knowledge.
Using this kind of vulnerability, an attacker could “figure out how to spy on every corner of your phone,” said Andrew Blaich, a staff researcher at Lookout, which helped identify and report the flaws.
“What we found is that’s actually being done,” he added. “It’s very much being used for that sort of purpose.”
The fact that Apple’s devices can have such critical vulnerabilities is not news to the community of computer security experts. But it may be somewhat of a shock to the company’s many fans.
In the 2000s, Apple helped to cultivate the notion that its devices were impervious to security problems. The company ran a series of ads contrasting the headaches Windows PC users faced due to the viruses and security problems plaguing those computers with the seemingly blissful experience the Mac’s purportedly rock-hard security promised its users.
In more recent years, Apple has touted the security of its iOS devices and has been very public about the steps it’s taken to better protect them, particularly during and in the wake of its dispute with the FBI over cracking the iPhone used by one of the San Bernardino shooters who killed 14 people in December.
The company’s not just making empty boasts. Security experts generally give the company high marks for the efforts Apple’s taken to secure its devices.
“Apple has some very strong claims they can make about being a secure platform,” said Dan Cornell, chief technology officer of Denim Group, a computer security consulting firm. “When I look at my iPhone, I have a trust that a lot has been done to secure it.”
And in some ways, the vulnerability revealed Thursday points to the efforts Apple has made. This wasn’t some routine hack discovered or created by a teenager with time to kill. Instead, it was reportedly developed by a shadowy Israeli corporation backed by a San Francisco-based venture capital firm and used by the United Arab Emirates, which gives an indication of the sophistication of the exploit and the resources that went into developing or identifying it.
But the vulnerability also shows that for the effort Apple has made, its devices aren’t invulnerable. And we shouldn’t expect them to be.
As Cornell put it, “there is no such thing as perfect security.”
It also emphasizes that hackers view Apple’s devices much differently than they did when the company was running its Mac versus PC commercials. Then, users of Apple’s devices really didn’t have much to worry about. In part that was because of the security the company built into them. But an even bigger factor was that because relatively few people were using them, they weren’t that attractive to hackers.
That situation has dramatically changed. According to Apple, there are now some 1 billion Apple devices in active use. And partly because Apple charges a premium for its products, the users of those devices tend to be more affluent and are more likely to be in positions of power or influence.
“Attackers are going to go where their targets are or their market share is,” said Lookout’s Blaich.
Apple is clearly aware of the increased scrutiny. Following past practices, the company is adding new layers of security into the next versions of iOS and the operating system underlying the Mac, building on what it’s done before.
In response to the heightened threats, the company also appears to be rethinking its attitudes toward the larger security community. In the past, the company has been criticized for being something of a black box, for not engaging with the larger community of security researchers. It’s also been taken to task for taking a long time to fix reported vulnerabilities and for not using a bug bounty program to encourage researchers to report security flaws.
But earlier this month, the company announced a “bug bounty” program. It did so in the context of a talk at the Black Hat conference that was reportedly one of its most open discussions to date of its security practices. And in the case of the Trident vulnerability, it fixed the bug and distributed a patch to users in a remarkable 10 days.
“Apple has started to take security much more seriously in recent years, especially this year,” said Eva Galperin, global policy analyst at the Electronic Frontier Foundation. “The bug bounty is the best sign that they’ve turned over a new life.”