Apple vulnerability: Urgent update is just the latest in battle between iPhone owners and hackers

Apple’s announcement of a major vulnerability in the iPhone, and an urgent update to fix it, could panic anyone who uses one.

Users of iPhones, iPads and Macs have been urged to install the fix as soon as they can, to ensure they are not targeted by a hack that already appears to have been used on some people.

The danger posed by such a vulnerability is high, even if the fix is simple. And the effects of it could be disastrous, even if most people will never know it existed.

It is the latest major flare-up in an ongoing battle for control and entry into iPhones. On one side stand the hackers – often employed by governments – who are constantly searching for a way into the device; on the other are Apple, security experts, and iPhone owners themselves.

It is far from the first time that Apple has released an urgent security update of this kind. But the latest one is less common in that Apple has disclosed that it might already have been exploited – there have only been a handful of examples of such attacks throughout the iPhone’s history.

There will, however, almost certainly be more. Any device that is connected to the internet is a potential target for hackers, and there is never any such thing as perfect security forever.

However, for most, fixing the problem is simple enough: users can download and install the update, which patches up the vulnerability, and are back to being as secure as they can be.

But for Apple and its most high-risk customers, that is just the latest in an ongoing battle to try and keep users safe. For those hackers themselves, it is a rare and valuable success in that fight.

Hackers are constantly looking for bugs of this kind, so that they can be sold on. Probably the most famous example is Pegasus, a piece of spyware that is thought to have been used by a number of governments and allows for access into iPhones – at which point hackers are able to read people’s messages, follow their location, and listen and watch them through their microphone and camera.

Such powerful software was only made possible because there is a whole marketplace for finding such bugs. If a hacker finds a significant problem like the one addressed in the new software update, they have the option of selling it on to spyware companies – those spyware companies can then weaponise it and sell it on to organisations such as nation states, which are able to deploy them on dissidents or other enemies.

To try and counter that market for vulnerabilities, technology companies offer “bug bounties” – payments that aim to incentivise security researchers to hand over any bugs to the companies responsible, rather than to sell them on to people aiming to use them for cyber attacks.

In the past, Apple has been criticised for both the value and the efficiency of its bug bounty programme, with researchers arguing that they should be given more and that problems are not followed up quickly enough. But Apple offers a considerable amount of money for bugs: ranging from $100,000 for finding a way around the iPhone’s lock screen or getting iCloud account data, all the way up to $1 million for the most profound bugs, which let people into the deepest parts of the phone without even touching it.

Apple’s list of security updates makes clear how often those problems are found, and how damaging they can be. The latest update was released on Wednesday and was credited to an anonymous researcher – who will presumably have made a considerable amount from finding it – but before that there has been a critical security update issued almost once per month in 2022.

It can be hard to know how significant these attacks are, precisely because Apple and other technology companies keep that information secret, to ensure that they cannot be used. If Apple were to disclose the nature of the attack, they might also give hackers a clue about how to use it.

“For the protection of our customers, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” it writes on its website. It is also a stipulation of the bug bounty programme that hackers must not talk about the problem before it has been addressed.

Even with these updates, however, the iPhone cannot remain entirely secure. Hackers are always looking for ways into devices, and sometimes they find them; no device can be perfectly secure, something that even Apple itself has recognised in its updates.

Last month, Apple announced the introduction of “Lockdown Mode”. Its existence is a recognition of the fact that there will always be some tension between useful features on phones and total security, and that there is not always a way of having both.

When a user switches on that mode, it makes clear that the phone will “not function as it usually does”. It also makes clear that it is only meant for those that are likely to be personally targeted by such attacks.

“Lockdown Mode is an extreme, optional protection that should only be used if you believe you may be personally targeted by a highly sophisticated cyberattack,” it reads. “Most people are never targeted by attacks of this nature.”

Xural.com
