Supply Chain Market Research - SCMR LLC

Apple Crackers

7/7/2022

Security software is complex at best, and those who delve into this arcane science are wont to spend hours poring over lines of code that could as well be a foreign language to most. Black hat or white hat, discovering a vulnerability buried in millions of lines of code is like cracking the Da Vinci code and can catapult the discoverer to fame in this very specialized world.  Apple (AAPL) has been battling with a small Israeli company, NSO Group (pvt), and Q Cyber (pvt), who developed one of its security software products based on a zero-day[1] vulnerability discovered in iOS.  The defendants allege that they sell their software, known as Pegasus, only to governments and law enforcement agencies as ‘lawful tools to fight terrorists and pedophiles’, while Apple alleges that ‘the software has been used to perpetrate attacks on Apple users and data stored on user’s devices’, although not on Apple’s own servers.
Apple classifies the defendants as hackers and, to Apple’s point, the US government has placed the company on its trade blacklist. The company insists the software cannot be used for surveillance in the US, while Apple alleges that it has been used on iOS mobile devices owned by US citizens and has therefore crossed international borders.  NSO and Q Cyber have also faced lawsuits by other major CE companies, among them Microsoft (MSFT), Meta (FB), Google (GOOG), and Cisco (CSCO), but claim the immunity from revealing customers that the governments to whom they sell their software would receive, although a recent 9th Circuit Court ruling held that the companies are not sovereigns and are therefore unable to claim immunity.
The iPhone and Apple products generally are considered among the most secure and are therefore used by lawyers, political officials, activists, and others who count on Apple’s security features to protect them from surveillance and data collection. Apple alleges that while the defendants say they only sell the software, they have created fictitious Apple accounts and even admitted that their products have been used (maliciously) to violate fundamental human rights, and at the same time have continued to update the software to exploit multiple iOS vulnerabilities so that it can continue to capture communications, location history, Wi-Fi passwords, and a variety of other private data on phones that have been infected by the software tool.
Apple has just announced that it will be adding ‘Lockdown Mode’ to iOS 16, which will put the device into the highest security mode possible for what will likely be a relatively small group of iOS users who need to be protected from what is military grade hacking software. The new mode will block all message attachments except images, along with message previews, and will do the same for FaceTime invites from anyone outside of your list. It will also block all wired connections with other computers, principally closing the Lightning port for everything other than charging. Finally, Lockdown Mode will not allow any new configuration profiles to be added to the device, nor will it allow any unrecognized code to be run from the messaging app.  Apple is so serious about this software that it is offering $2m[2] to anyone who can find a way to bypass the new mode and will donate $10m plus any proceeds from the lawsuit to organizations that investigate or expose targeted cyberattacks against journalists, human rights activists, and other targeted individuals.
All in, the security space is one that pits power and greed against the conveniences that consumers want and expect, and that balance changes constantly.  With every new update or patch come the resources of those who wish to exploit individuals for their own purposes, political or otherwise, so the battle will continue, essentially using resources that could be used for more altruistic purposes. The battle really comes down to how much security inconveniences the consumer, who thinks they have a handle on security because they change their password once or twice a year.  In this case, the fix is really targeted to a very small group of Apple customers and would not be used by most, but on a general basis the average consumer is vulnerable to a wide variety of malware, and corporate security remains lacking, as noted in the list of the 5 largest security breaches compiled by UpGuard last month.


[1] A zero-day vulnerability is one that has been discovered and disclosed but has not been patched.  Usually these are discovered by developers or research scientists before the company that originated the software finds them, leaving users open to the vulnerability until the software’s developers can correct the flaw with an update or patch.

[2] Twice what Apple normally offers
    Author

    We publish daily notes to clients.  We archive selected notes here, please contact us at: ​[email protected] for detail or subscription information.
