Recent Apple Security Flaws Reflect Larger Cybersecurity Trends [Weekly Cybersecurity Brief]

It’s no secret that Apple is one of the largest companies in the world. In 2020, it became the first U.S. company to surpass a worth of $2 trillion. But despite Apple’s size and dedication to security, which it recently addressed during a meeting at the White House where it committed to developing a program strengthening the technology supply chain, the company is still not immune to risks. This week’s news proves that.

We begin with a report that over 61 million records related to fitness trackers and wearables, including Apple and Fitbit devices, were exposed due to an unsecured database. According to Fierce Healthcare, researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered the non-password-protected database belonging to health and wellness data organization GetHealth and promptly notified the organization. The exposed information included first and last names, display names, dates of birth, weight, height, gender, and geolocation data. Although Fowler shared that the case was handled immediately, he also stated that it should serve as an example of the potential cybersecurity problems posed by a growing reliance on IoT devices.

Another cybersecurity concern was raised when Apple had to urge customers to update their products’ software after it issued an emergency security patch. The patch was created to prevent hackers from accessing devices without the owner’s knowledge. Apple was made aware of this threat by researchers at the University of Toronto’s Citizen Lab. The researchers found that NSO Group, an Israeli spyware company, had been using a “zero-click exploit” since February, which it relied on to break into the phone of a Saudi Arabian activist. “Whereas typical cyberattacks require a user to engage with a malicious piece of content – such as clicking on a rogue link – zero click exploits do not require any sort of interaction with devices’ owners themselves,” Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, told CBS News.

NBC News further explained that NSO Group had refined this method to the point that it could infect an Apple device simply by sending a fake GIF through iMessage. This style of exploit is referred to as a “zero day” because of the extremely limited time software engineers have to build a patch for it once it is discovered, which, as stated above, Apple did. And while such attacks are carried out mostly by “elite government hackers,” as NBC News wrote, or to target specific individuals, the case for broader concern is growing. Project Zero, a Google team focused on identifying and cataloging zero days, concluded that the number of these incidents has continued to increase since 2018. Maddie Stone, a Project Zero security researcher, stated, “I do believe more of us in the public need to be worried… [because] those instances of zero day attacks tend to have a much larger impact.”

Key Takeaways:

“Fitbit, Apple user data exposed in breach impacting 61M fitness tracker records” – Heather Landi, Fierce Healthcare

https://www.fiercehealthcare.com/digital-health/fitbit-apple-user-data-exposed-breach-impacting-61m-fitness-tracker-records

  • It was recently reported that 61 million records related to fitness trackers and wearables, including Apple and Fitbit devices, were exposed due to an unsecured database.
  • Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered the issue and notified GetHealth, the owner of the database.
  • Fowler stated that this should serve as an example of the potential cybersecurity problems posed by a growing reliance on IoT devices.

“Apple says its security flaw was fixed. Cyber analysts warn zero-click threats will persist.” – Musadiq Bidar, CBS News

https://www.cbsnews.com/news/iphone-apple-security-flaw-zero-click-threats/

  • Apple had to urge customers to update their products’ software after it issued an emergency security patch.
  • The patch was created to prevent hackers from accessing devices without the owner’s knowledge, a tactic the NSO Group had been using since February, according to researchers at the University of Toronto’s Citizen Lab.
  • “Whereas typical cyberattacks require a user to engage with a malicious piece of content – such as clicking on a rogue link – zero click exploits do not require any sort of interaction with devices’ owners themselves,” Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, told CBS News.

“It’s not just you: Emergency software patches are on the rise” – Kevin Collier, NBC News

https://www.nbcnews.com/tech/security/apple-iphone-security-update-points-growing-problem-zero-days-rcna2012

  • In its reporting on the new Apple security patch, NBC News further explained that the exploit of concern is known as a “zero day” attack.
  • While such attacks are carried out mostly by “elite government hackers,” as NBC News wrote, or to target specific individuals, Project Zero concluded that this concern is expanding.
  • Maddie Stone, a Project Zero security researcher, stated, “I do believe more of us in the public need to be worried… [because] those instances of zero day attacks tend to have a much larger impact.”