Thursday, March 28, 2024

How iPhone Provides a Backdoor Into Your Business Data

One of the biggest benefits iPhone users cite for their choice of device is that it has better security than the ubiquitous Android. However, that very security may well prove to be a vulnerability in itself.

Whilst it is true that in many ways iOS is more secure than other operating systems, it isn’t without its flaws, and it is by no means immune to poor user behaviour.

The fact that the iPhone is so secure also leads users into a false sense of security, which in turn, ironically, makes it more vulnerable to attack!

iPhones aren’t invulnerable

In many ways, the iPhone is more secure than Android.

The lockdown nature of the OS and the closely guarded nature of information mean that the likelihood of an attack is reduced.

By restricting access to app developers, Apple has been able to ensure that every download is properly scanned for vulnerabilities.

Android devotees would point to the fact that there are many fewer Apple devices in circulation, which makes them a lower priority for malicious attack, although given that some 15 million iPhones were sold in the US alone in 2020, that seems like grasping at straws.

But all that having been said, Apple has still had its problems. The latest of these, the Apple Wireless Direct Link (AWDL) vulnerability, requires no direct intervention from the phone user.

AWDL, which allows users to transfer files over WiFi, allowed malicious users to gain control of the code of the phone and even use the microphone and camera.


Thankfully now fixed, the threat was sufficient to force Apple to actually admit to the vulnerability, something it generally tends to shy away from.

The User Aspect

Arguably one of the main issues with the iPhone is owners’ perceptions of the level of security that is inherent in the device.

Sure, the iPhone is secure, but it can’t protect against every eventuality and user error is certainly one area ripe for exploitation.

The main problem is the user who hasn’t encountered any problems themselves, or has heard talk of iPhones being immune to attack, and changes their behaviour as a result.

People who feel secure tend to take more risks, as in the case of the Cypres device, designed to save skydivers from no-pull deaths.

In a no-pull death the skydiver fails to pull their ripcord or does so too late. The Cypres device was designed to eliminate this but actually failed to reduce the number of fatalities.

The reason was that people became used to the reduced risk and in turn began taking more risks to compensate, thinking that they would still be safe.

In the same way, a user who has never experienced a malware attack and has heard that their phone is invulnerable will often have no hesitation clicking on a suspect link or downloading an unverified app.

What does this mean for business?

In today’s interconnected world there often is no alternative to allowing user devices to connect to your systems. The advent of the pandemic has exacerbated this as people work at home more often and connect in from more and more remote locations.

There’s good evidence that the trend towards remote working will continue and many companies are actively seeking to reduce desk space in their main offices, meaning that we can expect people to be connecting using all sorts of different WiFi, many of them unsecured.

A user who has downloaded malware, or has a device that has been compromised, will present a very real threat to the company’s main systems.

The first threat is that of a virus being introduced to other parts of the company network, which could end up in a security or data breach or even a ransomware attack.

As users connect in from a compromised location, they could end up being spied upon or having their passwords compromised through keylogging or man-in-the-middle attacks.

This could result in a situation where the business spends all of its time trying to prevent more spectacular attacks such as DDoS, yet falls prey to a simple password and username hack.

In truth, it doesn’t matter what level of security a device has if the user ends up falling prey to phishing and spear-phishing attacks!

The thought that a business could lose cash from an attack on its bank account, customers through the reputational damage of a data breach, or systems access due to a ransomware attack should be enough to make any business owner take action.

What can the business do about it?

The first thing to do is to make sure that your users download updates and apply patches as soon as they are released.

Manufacturers like Apple spend a lot of time and money making sure that their OS is secured against attack, but that can’t help if the device user refuses to update!

The second line of defence is to make sure your employees are connecting in a secure way.

Whilst we all know the risks of using public WiFi, it is also true to say that many home networks are just as vulnerable. With the power of home routers now being much greater than ever before, it is a simple matter for a cybercriminal to park on a residential road and have access to several unsecured networks at a time.

Using an iPhone VPN will secure the employee’s connection and encrypt any data sent over the web.

A VPN makes sure that the connection can’t be intercepted and, as a result, that malware can’t be downloaded onto the iPhone. It stops keylogging and man-in-the-middle attacks too.

Finally, employee education is vital.

Making sure that people understand that just because they have an iPhone doesn’t mean they are invulnerable is ultra-important.

Educating people about the ways that phishers work and why they need to update their phones is a simple, cheap and very effective way of reducing risk.

Protecting a business against unauthorised access is in many ways very simple and can be achieved for very little money. Given the damage that could be done, it makes total sense.
