Apple’s Zero-Day iOS Vulnerability Shows Cracks in its Walled Garden

Articles • Dec. 8, 2021

Vulnerabilities and security breaches are part and parcel of every IT company’s lifecycle. It would seem that more and more bugs are uncovered and exploited with each successive iteration of software and hardware updates. This is especially true for software that has long lifecycles, such as operating systems or applications for specific purposes (Photoshop, Excel, Blender, etc.). But it is the former that have it the hardest. Not only do operating systems have to contend with generational releases (Windows XP to Vista) but incremental ones as well (Windows 8 to 8.1). That doesn’t even factor in the constant iterative updates and patches that need rolling out to keep the software running on updated hardware.

Couple all of these, and you have a soup of code that is riddled with issues. Factor in that the average developer has 70 bugs in every 1000 lines of code, and the overall picture looks grimmer than whatever North Korea is up to this week. These issues and bugs are especially prominent where zero-days are concerned.

What is Zero-Day?

All software comes with security vulnerabilities waiting for exploitation. That is why most software developers are always on the lookout for these vulnerabilities, so they can patch and fix them before an attack. These patches are code fixes that are then released in the next iterative update.

While developers work away diligently to iron out any issues in their software, there are times when hackers beat them to it. These vulnerabilities and issues are found and exploited by hackers or malicious actors before the developers themselves know about them. While the flaw lingers in the code, these attackers write and deploy code to take advantage of it, usually for nefarious or unethical purposes. This is called exploit code.

Zero-day is a general term used for security vulnerabilities that have been recently discovered and can be used by hackers to attack systems. In this way, zero-day is similar to exploit code. The name “zero-day” means that the developer of an application or software has only recently learned of the flaw in the code, and has had zero days to fix the issue. And exactly like exploit code, zero-day attacks occur before the developers have the knowledge or time to fix a vulnerability.

Despite how common zero-day attacks are, the words vulnerability, exploit, and attack are used alongside “zero-day” interchangeably, and most people aren’t familiar with the differences between the three.

  • A zero-day vulnerability is a software vulnerability that is found and exploited by hackers before developers of the software are made aware of it. Due to this, no patches exist for zero-day vulnerabilities, which makes it more likely for attacks to succeed.
  • A zero-day exploit is the method hackers employ to attack systems which had previously unidentified vulnerabilities in them.
  • A zero-day attack uses zero-day exploits in order to steal data or damage software which is affected by a vulnerability.

Cracks in Apple’s “Walled Garden”

Cupertino’s walled garden approach isn’t unfamiliar to anyone aware of how it handles its technologies. Hardware and software work in tandem in a tightly-knit ecosystem, which gives Apple unique control over its security and features. It means that all the apps developed for its platform have to go through Apple’s approval process in a bid to keep privacy and security intact for the user. As a result, unlike its competition, Apple doesn’t allow developers to dig deep into the device or gather sensitive information.

So while user security is a guarantee with this process, it, perhaps mistakenly, affords the most elite hackers an advantage too. The same defenses that Apple has built around its ecosystem work to protect the hacker once they have infiltrated the device or software. This is because, regardless of the claustrophobic degree of control that Apple insists on administering, the top 1% of hackers will utilize any vulnerability to find a way inside. And once they are in, the company’s blunt walled garden acts as a double-edged sword.

As a result of this infiltration, it can often be a daunting task for security companies and individuals to detect any infections. The exploits allow hackers to take over a device almost invisibly. They also burrow themselves into restricted parts of the device, and once in, it can be Apple’s security itself that protects them from detection. Even when a user’s device is under attack, it can be next to impossible to find clear evidence, even with Apple-specific antivirus software.

Details on Apple’s latest zero-day attack remain vague and secret. But despite the secrecy shrouding the matter, most agree that the vulnerability is still being actively exploited by hackers. According to Cupertino, the exploit can allow an application to run arbitrary code with kernel privileges. To put it simply, a malicious iOS app could take control of the kernel, the core of the operating system, and with it the whole phone. What’s worrying is that this wasn’t an issue with the newest iOS release only. iPhones going as far back as the 6S were affected.

This news comes after the widespread issue with iOS that allowed an Israeli security company to spy on targets with the help of stealth iOS 15+ monitoring software.

Apple could take a separate route in which certain entitlements are allowed and given to known defenders. The entitlements would come with explicit permission from users, which would allow more freedom to investigate suspicious device or software behavior. But that road invites more exploitation. Not to mention the biggest consequence that needs to be kept in mind: most global governments already want Apple’s help to open up iPhones. If the Cupertino company created backdoors in its technology, the FBI would undoubtedly be the first to come knocking, which is exactly what Apple has spent years trying to avoid.

There is no neat fix. That is something Apple and independent security experts both agree on. And Apple also strongly believes that it is making the correct trade-offs. Plus, Apple is right not to pick a definitive lane when nobody has convincingly demonstrated, as of yet, that loosening security enforcement or making exceptions will serve the greater good.

The practices afforded to users

Apple’s heavy-handed approach restricts the safety options available to users. Unlike Windows and Android, the level of personal control is vastly limited when using an iPhone. It extends to every device and service in its ecosystem. This leaves users in a precarious position, where Apple secretly patches zero-day vulnerabilities when they’re spotted, with no indication of how long they were exploitable beforehand. Usually, the patch comes late, when attackers have already embedded stealth iOS 15+ monitoring software deep into the device.

But there do exist general guidelines for zero-day protection that users can incorporate. Following cyber security best practices can help individuals and organizations keep their data and privacy safe. Some of these include:

  • Ensuring that all your software, applications, and operating systems are always up to date. Security vendors and developers include security patches in incremental updates, and these cover newly identified vulnerabilities in the latest releases. You are vastly more secure running the latest version of the software.
  • Download, install and use only the applications you need. It can be very tempting to push your device’s storage to its limits, but every extra app is more room for potential vulnerabilities. Using only the essential apps can often make the difference between a safe setup and a compromised one.
  • Use a firewall. Firewalls are the primary line of defense against attacks on your device, and that includes zero-day threats. Maximum protection can be ensured if you configure your firewall to only allow necessary connections.
  • Educate users within organizations. Human error is the primary cause of most zero-day attacks happening today. Holding regular security sessions and teaching employees and users good digital safety will help improve online safety and protect organizations from zero-day exploits and other digital threats.
  • Use antivirus software. Antivirus software aids in keeping your devices protected by blocking known and unknown threats.
  • Use reliable monitoring software. Human errors account for the vast majority of zero-day attacks, so any employer or business can utilize Xnspy, for instance, which can act as stealth iOS 15+ monitoring software, to ensure no data leaks from digital assets. TeamViewer is another popular choice in organizations today. Both TeamViewer and Xnspy have remote monitoring functionality, but business owners requiring a more hands-on approach might want to consider the latter option.

Bonus tips to identify zero-day attacks

Zero-day vulnerabilities can take multiple forms. They can come as missing data encryption, broken algorithms, common bugs, issues with password security, and missing authorization checks. This variety makes them incredibly difficult to detect. For all these reasons, zero-day exploits are usually only detailed once they’re addressed and fixed.

Despite this, some of the most common techniques used for zero-day detection are:

  • Using existing databases of malware and the behavior it exhibits as a reference.
  • Enabling techniques and software that can pick out zero-day malware characteristics by studying its interaction with the target system. This is where the previously mentioned Xnspy monitoring software can come in handy. It provides detailed reports of system behavior and usage on phones and can detect any incoming or outgoing traffic through applications.
  • Deploying machine learning to detect exploits using data from exploits recorded in the past. This can establish a baseline for safe system behavior and is usually based on the data of previous and current interactions with the software.

Conclusion

Zero-day attacks are common, and technology companies have to find ways to mitigate them, whether that is through rigorous testing, ditching the waterfall method during testing, or engaging in ethical hacking to get ahead of zero-day attacks. However, our money is on the fact that as long as software exists as lines of code, these drawbacks will remain too. Perfect code does not exist. Nevertheless, steps should be taken to raise the accuracy and bug-free percentage of code, both by the company and by the consumer.