Severe security flaws in Apple devices ‘may have been actively exploited’

The software vulnerabilities have affected various models of the iPhone, iPad and Mac, with experts advising consumers to update their devices to secure them.

Apple has said it is “aware of a report that this issue may have been actively exploited”, and has published two security reports, but it did not give details regarding who discovered the flaw or how many users were affected by it.

Security experts have recommended users update their devices, particularly the ones affected:  iPhones6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running MacOS Monterey.

Apple’s explanation of the vulnerability means a hacker could get “full admin access to the device” so that they can “execute any code as if they are you, the user”, said Rachel Tobac, CEO of SocialProof Security. This is due to the fact that the flaw gives attackers “privileges to the highest level, the kernel, to execute code”, added Jelle Wieringa, Security Awareness Advocate at KnowBe4.

Although Apple had long claimed that its devices are “the most secure in the world,” the vulnerability has proved that even the best security designs are at risk. 

“The time that we all thought only Microsoft machines had serious vulnerabilities is long gone,” Wieringa added. 

As society becomes more and more technology-enhanced, devices hold increasing amounts of sensitive user data, due to the rising popularity of facial recognition features, and banking and health-monitoring apps.

With billions of devices all around the world, an Apple vulnerability could have “wide-reaching implications”, according to Andy Norton, chief cyber risk officer at Armis.

“Pretty much everything we hold dear resides on our Apple products,” he said. “Historically, many people have not updated their Apple products for fear of shortening the life span of their devices; that behaviour now must change. Follow the guidance, patch now.”

Jonathan Compton, a partner at city law firm DMH Stallard, pointed out previous rumours regarding a security flaw in Apple devices and stressed that, should the flaw be considered serious enough, it might lead to public authorities getting involved, to ensure that users are protected.   

“Many users keep the most sensitive personal details and information on their devices,” he said “I suspect that Data Commissioners will raise serious questions of Apple.”  

Although Apple has often relied on software updates to protect its devices and fix patches, several experts have noted the fact that the company has chosen to go public with this information while giving no technical analysis of the vulnerabilities. 

“Apple have released few details about the vulnerabilities other than the fact that they can allow ‘full admin access’ and have been ‘actively exploited in the wild’,” said Tom Davison, senior director, engineering international at mobile security provider Lookout. “This makes them as bad as it can get and users should update as soon as possible.”

“There are several known examples of previous vulnerabilities being exploited to deliver spyware to devices, such as NSO Group’s Pegasus. This can happen even without any user interaction.”

Commercial spyware company Pegasus NSO Group has been blacklisted by the US Commerce Department after its spyware was found to have been used in Europe, the Middle East, Africa and Latin America to monitor journalists, dissidents and human rights activists in real-time. 

Usually, Apple does not publicise security vulnerabilities and waits instead until the flaws have been solved. The largest risk at publicising a major vulnerability in the way Apple has done is that it alerts organisations such as Pegasus of the existence of this flaw, said Brian Higgins, security specialist at Comparitech.

“The big risk in publicising a major vulnerability is that now every cyber criminal on the planet knows it exists and Apple users are in a Zero Day race to update their devices before they can be infected,” he said. “If Apple think it’s so serious that they need to go public then if you haven’t already installed iOS 15.6.1 you need to go and do it right now.”