Don’t Wait To Update! 90.4% Of iOS Phones Ripe For Hacking
By: Jim Stickley and Tina Davis
December 3, 2019
Using a personal device for work presents its own set of security challenges. Whether a smartphone, laptop or tablet, devices used in a mobile environment typically don’t have the same level of protection as those connected in an office space. Internal devices are usually overseen by an IT department that updates devices when security patches and operating system updates are available. Apple iPhone business enterprise users are now finding this out the hard way.
Apple recently discovered a vulnerability that enables bad actors to access files on an iPhone. That access includes anything handled through iMessage: pictures, texts, PDFs, and any other data stored on the phone. Although Apple patched the weakness in its iOS 12.4 update, at that time only 9.6% of mobile workforce and consumer users had updated their devices. That translates to 90.4% of iPhone users being exposed to having their data hijacked. Not only is that a security threat to any enterprise, but personal data stored on iPhones is also vulnerable.
Personal devices used for enterprise have long been the subject of security concerns. IT departments can patch security and other updates for those devices under their control. However, it’s up to personal device users to update their devices themselves. Conventional wisdom finds those updates don’t always get applied as quickly as they should, if at all. It may save a business significant resources to have staff use their personal devices for work, but they need to weigh if the savings are worth the security risk.
Oddly enough, Apple delayed letting iPhone users know the iOS 12.4 update was available via the usual alert on the device screen. Typically, iPhone users are made aware that a system update is available simply by looking at the “Settings” icon on their screen. Absent that visual alert, the only way users find out this update is available is by digging further into the Settings app and checking manually, something most users don’t do on their own. According to a systems engineer at Wandera, “This vulnerability calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model. This iMessage exploit…exposes the file space on the device.”
The responsibility for updates in this and other situations lands squarely on the enterprise itself. Immediately notifying those using their own devices that updates are available would greatly increase the dismal number of users who do update. As this case shows, waiting for the device manufacturer to properly alert users is a serious security risk. Threatpost reported that in this case the most damaging system bugs are CVE-2019-8624 and CVE-2019-8646. With these security bugs, hackers can remotely access iOS files without a user, or their employer, being any the wiser. iOS is now on version 13.2+, and IT departments would be wise to ensure that users connecting personal devices to their networks are indeed on the current versions for whatever device they use. A business that immediately alerts its personal-device users about all available updates is well ahead of the security curve.
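As an added example (not from the article, Apple or Wandera), here is a small Python compliance check of the kind an IT team could run over its device inventory to flag iPhones still below iOS 12.4, the release the article names as carrying the fix for CVE-2019-8624 and CVE-2019-8646. The inventory, device names and the `audit` function are constructed for illustration; the version strings are compared numerically so that 12.10 correctly ranks above 12.4.

```python
"""Flag iOS devices that have not received the iOS 12.4 fix (CVE-2019-8624 / CVE-2019-8646)."""

# Minimum release carrying the fix, per the article. Adjust for other advisories.
MIN_PATCHED = (12, 4)

# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = [
    {"device": "iphone-sales-01",   "ios": "12.3.1"},
    {"device": "iphone-sales-02",   "ios": "12.4"},
    {"device": "iphone-exec-01",    "ios": "13.2.2"},
    {"device": "ipad-finance-02",   "ios": "11.4.1"},
    {"device": "iphone-support-07", "ios": "iOS 12.2"},
]


def parse_version(ver: str) -> tuple[int, ...]:
    """Turn 'iOS 12.4.1' or '12.4.1' into (12, 4, 1) so versions compare numerically."""
    cleaned = ver.strip().removeprefix("iOS").strip()
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {ver!r}")
    return tuple(int(p) for p in parts)


def is_patched(ver: str, minimum: tuple[int, ...] = MIN_PATCHED) -> bool:
    """True when the device runs the fixed release or anything newer.

    Tuple comparison handles differing lengths: (12, 4, 1) >= (12, 4) is True,
    while (12, 3, 2) >= (12, 4) is False.
    """
    return parse_version(ver) >= minimum


def audit(inventory: list[dict]) -> dict:
    """Return the unpatched device names and the unpatched share as a percentage."""
    unpatched = [d["device"] for d in inventory if not is_patched(d["ios"])]
    share = round(100 * len(unpatched) / len(inventory), 1) if inventory else 0.0
    return {"unpatched": unpatched, "unpatched_pct": share}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    print(f"{report['unpatched_pct']}% of devices lack the iOS 12.4 fix:")
    for name in report["unpatched"]:
        print("  -", name)
```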