Apple has disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.
Apple released two security reports about the issue on Wednesday, although they didn’t receive wide attention outside of tech publications.
Apple’s explanation of the vulnerability means a hacker could get “full admin access” to the device. That would allow intruders to impersonate the device’s owner and subsequently run any software in their name, said Rachel Tobac, CEO of SocialProof Security.
According to the security reports, the vulnerabilities impacted WebKit, the Apple engine that powers the Safari web browser and other browsers on iOS, and the kernel, the core of Apple’s operating systems.
Security experts have advised users to update affected devices — the iPhone 6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running macOS Monterey. The flaw also affects some iPod models.
Apple did not say in the reports how, where or by whom the vulnerabilities were discovered. In all cases, it cited an anonymous researcher.
Commercial spyware companies such as Israel’s NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets’ smartphones, siphons their contents and surveils the targets in real time.
In July 2021, Apple released a similar security report, which said that a flaw in its security design was being “actively exploited.” Again, an anonymous researcher was credited for the discovery.
NSO Group has been blacklisted by the U.S. Commerce Department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.
Security researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company has previously acknowledged similarly serious flaws and, on what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.
“Yes, hackers, threat actors can take control of devices,” said Daniel Tobok, the CEO of Toronto-based cybersecurity firm Cypfer, in an interview with CBC News.
The devices most vulnerable to targeted attacks are the ones that aren’t up to date on security patches, which is about 18 per cent of devices globally, according to Tobok.
Apple reveals security flaws more or less on an annual basis, particularly after the flaws have been detected by what Tobok calls “threat actors,” or hackers.
Typically, hackers will gain access to a device and then change its passwords so that the user is locked out of their own phone or laptop. But it’s extremely difficult for users to detect when their device has been compromised, he said.
“When you have a super power, privileged user on the phone, they could potentially do things without you even noticing,” Tobok said. “This is really one of the dangers of having a device that is compromised because, unlike Hollywood, you don’t see icons flashing and you don’t see your red lights bleeping.”
“You’re really not aware because what the threat actors are doing is moving very quietly, just exfiltrating your data or leveraging your phone as a hub for committing another potential crime.”