Business

Apple security flaw allows hackers to fully control iPhones, iPads and Macs

Apple disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.

Intruders can impersonate device's owner and run any software in their name

A hand holds an iPhone.
An Apple iPhone 13 is displayed on their first day of sale, in New York, on Sept. 24, 2021. Apple disclosed serious security vulnerabilities on Wednesday for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices. (Richard Drew/The Associated Press)

Apple has disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.

Apple released two security reports about the issue on Wednesday, although they didn't receive wide attention outside of tech publications.

Apple's explanation of the vulnerability means a hacker could get "full admin access" to the device. That would allow intruders to impersonate the device's owner and subsequently run any software in their name, said Rachel Tobac, CEO of SocialProof Security.

According to the security reports, the vulnerabilities impacted Apple's WebKit, which is the engine that powers the Safari web browser and other browsers on iOS; and the kernel, Apple's core computer operating system.

Security experts have advised users to update affected devices — the iPhone6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running MacOS Monterey. The flaw also affects some iPod models.

Apple did not say in the reports how, where or by whom the vulnerabilities were discovered. In all cases, it cited an anonymous researcher.

WATCH | Why tech companies are ditching passwords:

Apple, Google, Microsoft want to ditch passwords to improve security

3 years ago
Duration 2:04
Tech giants Apple, Google and Microsoft have announced they're working on implementing passwordless sign-on technology, allowing users to more securely log into mobile, desktop and browser apps using their smartphones without a standard password.

Commercial spyware companies such as Israel's NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets' smartphones, siphons their contents and surveils the targets in real time. 

In July 2021, Apple released a similar security point that said that a flaw in its security design was being "actively exploited." Again, an anonymous researcher was credited for the discovery.

NSO Group has been blacklisted by the U.S. Commerce Department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.

Security researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company has previously acknowledged similarly serious flaws and, in what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.

WATCH | Serious security flaw exposed:

Apple urging users to update devices due to security flaw

2 years ago
Duration 2:06
Apple is warning customers to update the software on their iPhones, iPads and Mac computers due to a security flaw that could allow hackers to take control of their devices.

"Yes, hackers, threat actors can take control of devices," said Daniel Tobok, the CEO of Toronto-based cybersecurity firm Cypfer, in an interview with CBC News. 

The devices most vulnerable to targeted attacks are the ones that aren't up-to-date on security patches, which is about 18 per cent of devices globally, according to Tobok.

Apple reveals security flaws more or less on an annual basis, particularly after the flaws have been detected by what Tobok calls "threat actors," or hackers.

Typically, hackers will gain access to a device and then change its passwords so that the user is locked out of their own phone or laptop. But it's extremely difficult for users to detect when their device has been compromised, he said.

"When you have a super power, privileged user on the phone, they could potentially do things without you even noticing," Tobok said. "This is really one of the dangers of having a device that is compromised because, unlike Hollywood, you don't see icons flashing and you don't see your red lights bleeping." 

"You're really not aware because what the threat actors are doing is moving very quietly, just exfiltrating your data or leveraging your phone as a hub for committing another potential crime."

WATCH | Security flaw shows how tech can be weaponized:

People coming to grips with device vulnerability, says cybersecurity analyst

2 years ago
Duration 5:35
Ritesh Kotak, a cybersecurity analyst, says the recent security flaw discovered in Apple devices demonstrates how any kind of personal information placed on electronic devices is vulnerable and can be 'weaponized.'

With files from CBC's Nisha Patel