Lessons from the iPhone hack

In August 2016 a serious vulnerability was discovered in the iPhone. A patch was released, and you should install it today by going to Settings > General > Software Update. If your version is 9.3.5 or later you have the patch.

The hack (named Trident) that targeted the vulnerability does not appear to be widely used. It was part of a targeted attack against a human rights activist and was designed to load government-level espionage software (named Pegasus) that would have tracked the user’s location, given access to the camera and microphone, and allowed the copying of emails, text messages, contacts and other information.

Whilst this is thought to be a state-sanctioned attack (the UAE is suspected), it has raised concerns that iOS, which was thought to be very secure, is vulnerable. These concerns need to be tempered as:

  • The hack and the malware it was designed to load are very expensive to purchase (possibly a million USD or more) – the average cybercriminal is not going to spend that amount in order to grab information that might lead to a payoff when there are cheaper methods available
  • The vulnerability was patched very quickly – Apple was alerted on the 15th of August, and a patch was released 11 days later on the 26th

Aside from installing the patch, there are a few other things you can do to protect yourself whilst using your iPhone and iPad:

  • Don’t click on links in unsolicited emails or text messages – if you are unsure just delete them
  • Be careful about the websites you browse to. If the web address looks suspicious, it probably is

These good habits should also be applied to the emails you receive and websites you browse to from your computer.

In addition, you should:

  • Set a PIN code – it is this that encrypts the contents of your iPhone/iPad
  • Use two-factor authentication – this notifies you when a change has been requested to your Apple account and asks you to confirm it. If you are running iOS 9 you can find this under Settings > iCloud > tap your Apple ID, tap Password & Security, then tap Turn on Two-Factor Authentication. For earlier versions, it’s called two-step verification, and you’ll need to go to your Apple ID account page (https://appleid.apple.com) to turn it on

If you have colleagues or family with Android phones they need to make sure that they have antivirus loaded, and have updated their phones to the latest patch. Because of the lower level of security around Android apps (17% of them are malware), many Android phones have been hacked. This enables criminals to obtain copies of emails, text messages and other information.

In regard to anti-virus for iOS, it really depends on how cautious you want to be. There are anti-virus products available, but the locked-down nature of iOS means that they can’t really do much scanning. However, the ones that include a check for malicious websites are worth considering, especially if you are in a corporate environment that requires a high level of security.

If you’d like to learn more about how to secure your firm against cybercriminals, using both technology and training, then please get in touch.

And if you’re interested in the details of the attack against Ahmed Mansoor then Citizen Lab, who discovered the vulnerability, has full details at this link: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

