Apple iMessage flaw stokes concerns over iPhone sandbox security

News by Rene Millman

Flaws allowing remote exploits on iOS call into question the effectiveness of platform security for users who have not yet upgraded to iOS 12.4 - sandbox deemed 'defeatable'.

Most iPhone and iPad users have not yet upgraded to iOS 12.4, leaving them exposed to a bug that could allow hackers to remotely exploit devices.
The flaws exposed by Google’s Project Zero last week could let an attacker view images, notes, and documents stored on an iPhone without any interaction from the victim. 
According to a blog post by researchers at Wandera, this vulnerability "calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model".
Dan Cuddeford, senior director of systems engineering at Wandera, said that there "is a general mentality that iOS devices are secure so security software is not required, but the reality is, the sandbox that is built into iOS can be defeated".
"This iMessage exploit has similar implications to a jailbreak in that the weakness in iMessage exposes the file space on the device, which could include pictures, videos, notes, PDFs, etc," he said.
He added that in testing, the results of the exploit varied and the spoils of the data dump depended on the state of the victim’s device.
"For a persistent, malicious actor who knows the iOS file system well, and knows what they’re looking for, it is likely they could gain access to sensitive files outside of iMessage due to the sandbox compromise," he added.
Cuddeford added that security leaders need to work together to ensure patches are in place before easily executable exploits are made available to the public.
Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that it is unlikely that a company will turn around and replace all their devices for something more secure.
"The general view should be that mobile devices aren’t trusted and unless you can adequately ring-fence them with mobile device management they shouldn’t be allowed near sensitive information," he said.
"Bear in mind that we’re effectively talking about cloud-based texting here similar to WhatsApp and other messaging apps. These methods have no place in anything other than basic communication so even when exposed they should not be transmitting anything more than watercooler conversation. If they are communicating more than that then I’d suggest the companies involved need to look at restricting their use."
Dr Guy Bunker, CTO at Clearswift, told SC Media UK that the first thing organisations need to ascertain is how big the problem is. "This is not just about company-owned phones, but BYOD as well," he said.
"The company then needs to decide its risk position. This can be to do nothing or to stop the use of iOS devices completely. There may be a mid-point where some users are able to use corporate devices only," said Bunker. "As with any IT, there needs to be constant updating when patches are released to keep users and the organisation safe. This also needs to be applied to BYOD as well."