by Larry Magid
This post first appeared in the Mercury News
I’ve said this before, but a recently discovered flaw in Apple’s operating system for iPhones and iPads, is an urgent reminder of why it’s essential to keep your devices’ operating systems up to date. On Monday, Apple released iOS and iPadOS 14.7.1, which fixes a flaw that could allow an application “to execute arbitrary code with kernel privileges.” “Kernel privileges” means that the hacker has the keys to your entire device, including the basic hardware. It’s like unlocking your iPhone and handing it to hackers to do whatever they want with it and the information on it.
And, to make matters worse, Apple said that it “is aware of a report that this issue may have been actively exploited.” In security speak, that makes it a “zero day” flaw, which means that Apple wasn’t able to patch the flaw before it became available to hackers. Many security flaws are discovered by researchers and patched before the bad guys know about them, which is kind of like locking the proverbial barn door before the horse was stolen. But, victims of an exploited zero-day attack may never see their horse again. This latest update comes only days after a previous update to address other imminent threats.
Regardless of what device you’re using — an iPhone or iPad, an Android phone or tablet, a Mac, a Windows PC or even a smart home appliance — it’s important to keep operating systems, apps and browsers updated with the latest security patches. There has been a lot of talk about vulnerabilities to Windows PCs but very little about Macs and even less about iPhones and Android phones. But all are vulnerable and, even though Apple has traditionally had fewer attacks than Windows and Android, that is starting to change, especially now that iPhones are extremely popular and, therefore, a very tempting target for criminals who want to extract information and, in many cases, money from its customer-base.
Hacks for governments
In addition to the threat from criminals, there are companies that develop and sell spyware to governments and law-enforcement agencies, designed to help them break into people’s devices. NSO Group, an Israeli company, sells a program called Pegasus which, it says, it designed to help law enforcement investigate “Terrorists, drug traffickers, pedophiles, and other criminals.” But, according to the Guardian, that software has been used against “human rights activists, journalists and lawyers across the world,” despite the company’s assurances that its tools are for the “sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies.” On its website, NSO Group claims it has policies to “prevent product misuse, or where the rule of law creates an unduly high risk of misuse.” It’s unclear whether this latest update addresses the potential threat from NSO Group’s software, but Apple has previously patched security vulnerabilities that were exploited by companies that sell spyware to governments.
The mere existence of this Pegasus software reminds me of the saga of Apple vs. the FBI. After the horrific 2015 terrorist attack in San Bernadino, the FBI tried to get Apple to unlock one of the shooters’ iPhones so that they could extract information that might have been helpful in their investigation. Apple refused, but, according to the Washington Post, Azimuth Security, an Australian company “that says it sells its cyber wares only to democratic governments, secretly crafted the solution the FBI used to gain access to the device, according to several people familiar with the matter.” It’s worth noting that Apple’s refusal to unlock the phone was based on its concern that any exploit — even one written specifically for the FBI for use on a single iPhone — could wind up being misused. “Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable,” wrote Apple CEO Tim Cook in a 2016 letter to customers.
Your security and myth of “nothing to hide”
While I want law enforcement to be able to investigate crimes, I fully understand the outrage by Apple and by human rights activists over software that can be used to spy on individuals, and I worry about how flaws in operating systems or software can be used by criminals to jeopardize our privacy or exploit vulnerable individuals. I also support the right of people to use encryption tools to make it extremely difficult for others to spy on their messages. I’m not a human rights activist, I’m not engaged in criminal activity, and even though I’m a journalist, I don’t write about extremely sensitive subjects. But I have used encrypted messaging services to — among other things — provide passwords and other confidential information to colleagues and to share confidential story ideas with editors and producers.
Even though you might think you have “nothing to hide,” you actually do. At the very least, you have both the right and obligation to hide the passwords to your financial, email and social media accounts not only to protect your assets and privacy but to prevent bad actors from using those accounts to harm others.
All of us have a responsibility to protect the security of our devices and software. Even if you don’t care about your own security, a compromised device can be used by hackers as a vector to attack others. Protecting your devices is kind of like being vaccinated or wearing a mask to protect “the herd.”
So, for the sake of the rest of us, please keep your devices up-to-date. You’ll find links to instructions for iOS, Android, Mac and Windows at ConnectSafely.org/Updates.