How to protect yourself against the latest big iPhone security scare (Updated)
Update: A12 processors are safe
There has been a great deal of coverage of this, but it is important to stress that, buried in the Project Zero write-ups, the researchers confirm the following:
“…none of the exploits bypassed the new, PAC-based JIT hardenings that are enabled on A12 devices.”
Which essentially means iPhone XS and XR devices are not and never have been affected by the vulnerability.
(Thanks to a generous reader for pointing this out to me).
The report also seems to suggest that other mobile browsers are susceptible to similar flaws — which is a HUGE problem on platforms that *cough* don’t deploy security software updates effectively…
It seems an undisclosed number of (hacked?) websites have been used to attack iPhones for two years. The researchers claim just visiting those sites (which they do not name) “was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
If the attack succeeded, the researchers claim criminals could get deep access to data on your iPhone.
“The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker’s server,” they claimed.
Is this still a threat?
Apple patched iPhones against this threat with the release of the iOS 12.1.4 security patch in February 2019, which means you can be reasonably certain your current iPhone isn’t impacted, so long as it is up to date.
Those release notes credit the Google team with identifying flaws in IOKit and Foundation, both related to memory corruption.
It is not known if older versions of the OS were proofed against this particular bug when the company introduced security updates for those in June.
Who was affected?
In theory, everyone using an iPhone – but that’s not precisely the case. Security researchers seem to think this was a state-sponsored attack that was geographically targeted.
Your smartphone is your enemy
In a note to any smartphone user, Project Zero researcher Ian Beer warned,
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly. Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
What can I do to protect against this threat?
The problem with threats of this kind is that they are invisible, low level and hard to detect – however, there are some signs that may help identify if your device has been hacked:
- Has battery performance suddenly degraded? Check Settings > Battery and if you see an app you don’t recognize using a lot of power, delete it.
- Check your mobile data – are you suddenly using more than you ordinarily do, even though nothing has changed? That suggests something may be using your data in the background.
- Are you experiencing more app crashes than normal? You might want to delete the app(s) concerned and reinstall them from the App Store.
- You should also check that you recognize all the apps you have installed. This isn’t foolproof – in the case of the latest security threat, the malware doesn’t pose as an app – but you may find something you don’t remember putting into your phone. Remove it if you find it.
What can I do to protect myself now?
- Always update your iPhone to the latest version of iOS.
- In the case of this particular vulnerability, the malware isn’t persistent – simply rebooting your iPhone will stop it working if it is there at all – though any data that has already been purloined will still be gone.
- I’m guessing that ultra-secure passcodes for all your apps may also help.
What can Apple do?
I think it’s time Apple developed on-device, AI-driven network-monitoring tools. These should assess outgoing communications from any device and warn users if information (such as passwords) is being shared using an app the user hasn’t approved.
Security protection has moved on.
It’s not about firewalls and virus checkers but connected cybersecurity systems and network traffic awareness. AI should be perfect for this, and major security vendors are most definitely exploring solutions of this kind.
The only problem (for users and for journalists) is that it remains quite challenging to discern good actors from bad in a fragmented security industry.
I am always dubious about recommending security solutions from firms I’ve not come across before, unless I have some way to affirm their credentials, and I believe that’s the correct approach.
Stay safe out there…