The Apple Flaw & BYOD cyber-hygiene: 4 essential steps DFW business leaders need to take – now and forever

By Jenifer McIntosh, Dallas Business Journal, Sep 12, 2022 | Read original article here

As goes the old adage in cyber security, “it’s not if, but when.” Even the most robust systems are subject to human error or an unanticipated susceptibility.  Those errors once discovered, can be used by bad guys to wreak havoc on a person individually and businesses thoroughly. But your systems are not Mac- or Apple-based, so why should your business be at all concerned with an Apple vulnerability?

To that, I ask: Are you reading this on your Dell Laptop, or your Apple iPhone right before bed?

What, how, and where we work has drastically changed in the past 20 years. As we all know, drastic went radical in March of 2020, when the global economy was forced to work remotely through business portals and platforms, whether via a browser or an independent network. It’s probably not surprising to you that research shows employees – from the UPS driver to a commodities trader – are spending approximately 30% of their work on their personal phones, if not more. [1]

During and certainly post-Covid, more companies began using mobile applications for employees using their own devices. The Bring Your Own Device (BYOD) trend caught on for a number of reasons, but the ease of Mobile Device Management (MDM) and Mobile Application Management (MAM), or whatever Google is calling it, made BYOD pretty much standard by mid-Covid, if not before. For ease of management and in lieu of buying thousands of devices, organizations now deploy applications on an employee’s device, including (but certainly not limited to) Google Sheets, Outlook, and Slack. Such common apps are on everyone’s device and typically are very secure, even if an employee loses their phone, as permissions can be terminated or changed by your security or IT team.

At least, that is what a business can do when they know something is wrong. But what if you don’t? That’s where the Apple (Nasdaq: AAPL) vulnerability can be a problem.

What the Apple flaw means for your company

In the case of this most recent Apple zero-days [2] vulnerabilities, two different flaws were identified: One in the kernel of Apple’s operating system (iOS) and another in its Webkit [3]. Both the iOS and Webkit flaws were due to a lack of sufficient memory bounds checking. Certain areas of memory should be off-limits to change. The problem here, particularly as it affected Apple’s iOS, leveraged a lack of “bounds checking” to write memory outside the original scope, resulting in greater system access if hackers were to find and exploit the vulnerability.

Such a privilege (or limit of who can use or access the device) escalation is a huge issue due in part to the idea that, if remote code execution is possible because of such a vulnerability, this type of access could result in a bad actor taking control of a device – the whole device – much like MDM. This means the bad guys could use such expanded access to see what happens when someone uses their device, including facial recognition, any apps (banking, health, &all that fun data), location, messages MFA requests), viewing contacts lists, Outlook emails, Slack messages, any processes via company authenticator apps (Microsoft Authenticator, Okta, etc.), and potentially even access to the microphone and camera. In short, they could snoop on all the things you as a user, but also as an employer, don’t want to have out there.

4 essential steps: Taking action to protect your business

So, what should your business do to avoid falling victim to these Apple (and of course other systems) issues now and perhaps other upcoming vulnerabilities disclosed in the future? Here are a few key steps for creating significant road-blocks to would-be bad actors:

  1. Take a hard look at how much your employees use personal devices for business. Did you intend to provide, and do you want that remote access capability? Do you understand the risks associated with mobile device use? Do you have more than just password protections on such remote access? If not, any secondary or multiple authentication steps need to be considered, if not enforced and audited.
  2.  Talk to your IT and/or security teams to determine how your company is protecting or monitoring access to business applications. James McDonagh, Information Security Officer of PCM in Denver, Colorado, suggests asking or verifying if the company has employed the use of authenticator applications such as Okta or Microsoft Authenticator to prevent SMS hijacking. Has the company deployed MDM/MAM tools such as Intune to help monitor and verify access? Can your team see who/when/where access is coming from? NO? If not, go to #1, then revisit #2 until you can.
  3.  If your business is using mobile applications like Google Drive or Slack to allow employees to access business information remotely via their personal devices, verify with your security or IT team that those applications are being reviewed for unauthorized activity. By enabling conditional access policies on employee identities, IP restrictions can be enforced to prevent hackers from gaining access outside of known locations. If you have such monitoring capabilities, anything out of the ordinary should be flagged and reviewed.
  4.  Lastly, and in my opinion, most importantly, are you educating employees about the risks of using mobile devices and mobile applications for work (which usually are minimal), the need for good cyber-hygiene (professionally and personally), as well as what to do when things go sideways? Do your employees understand the sensitivity and confidentiality of the data being accessed? If not, training simple issues such as avoiding public Wifi (Starbucks), properly logging off the network (a lot to unpack there), as well as maintaining different passwords for work and home (at least) can go a long, long way to minimizing your end-user risks.

As noted at the outset, vulnerabilities such as those disclosed by Apple should not be a surprise – they should be expected, and will occur across all your platforms, software and employee groups. Hackers are more likely to target a CEO and CFO given their oversight, but if they can hack into a director’s iPhone, they may gain more than enough access to do the work they want to do.

In my humble and likely naïve opinion, one of the best ways to mitigate, perhaps almost end (gasp) abuse of such technical vulnerabilities, is to change the culture of how we approach our online activity – internally as a workforce but more importantly as a society.  Be it Apple, Google, etc., no system is 100% secure, despite our collective, cognitive dissonance as to that fact. I started with a well-worn and eye-roll-inducing adage, so I’ll end with one, too: Security and compliance are not a sprint, but a marathon. The better we can train, the better this race will end.

Jenifer Shahan McIntosh is an attorney/shareholder at the FBFK Law Firm and has more than 20 years of data privacy & security expertise. She can be reached at: jmcintosh@fbfk.law.

 


[1] https://www.zippia.com/advice/cell-phones-at-work-statistics/#Company_Policy_On_Cell_Phones_At_Work_Statistics

[2] Apple confirmed in-the-wild exploitation of the vulnerabilities in two different advisories warning about code execution flaws in fully patched iPhone, iPad and macOS devices:  CVE-2022-32894 (kernel) – An application may be able to execute arbitrary code with kernel privileges.  An out-of-bounds write issue was addressed with improved bounds checking.  Apple is aware of a report that this issue may have been actively exploited; and CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution. An out-of-bounds write issue was addressed with improved bounds checking.  Apple is aware of a report that this issue may have been actively exploited.

[3] “WebKit is the web browser engine used in Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux. The project’s primary focus is content deployed on the World Wide Web, using standards-based technologies such as HTML, CSS, JavaScript and DOM. However, the developers also want to make it possible to embed WebKit in other applications, and to use it as a general-purpose display and interaction engine.”