The XcodeGhost malware attack that allegedly affected 128 million iOS users is an excellent illustration of the kind of sophisticated attack all users should get ready to defend against as platforms become inherently more secure.
Designer label malware
XcodeGhost was a clever attack: a malware-infested copy of Xcode, presented as the genuine tool, was made available via websites targeting Chinese developers. Developers in the region downloaded it because it was easier to get than the real code, since local networks were unreliable.
Software built using these copies of Xcode was injected with malware at such a low level, and so far inside Apple’s perimeter of trust, that many subverted apps made it past the App Store review process. And so the infection wormed its way into more than 4,000 apps, and onto the devices of millions of users.
Previously confidential internal Apple emails revealed in a recent court case suggested that roughly 128 million customers wound up being affected.
More recently, we saw a similar attempt to seed developers with subverted versions of Xcode called XcodeSpy. And last year, we saw an attempt to infect the Apple ecosystem using GitHub repositories as vessels for bandit code.
There have also been attempts to exploit iOS vulnerabilities to stage man-in-the-middle attacks in which hackers hijack communications between managed iOS devices and MDM solutions.
Cracking into capital
Why do hackers go to such trouble developing these complex attacks? For the money: they know that Apple’s devices are seeing growing use across the world’s most profitable enterprises.
Trend Micro warns: “Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse.”
When most of the Fortune 500 firms use Macs, iPads, and iPhones, it’s no surprise hackers are paying attention to the platforms. (They are just as likely to seek out vulnerabilities in IoT devices, Wi-Fi, and broadband provisions, and will always seek out those forgotten Windows servers in dusty backrooms.)
During the pandemic, we’ve also seen increasing attempts to exploit vulnerabilities, with phishing and ransomware exploits on the increase. Developing hacks at this level of sophistication is expensive, which is why most successful attacks appear to emanate from nation states and highly organized gangs.
These groups are already using the same security tools your company is likely to use – if only to identify and exploit vulnerabilities within them, or (in the case of XcodeGhost and derivatives), build them in.
Safe as houses
The truism in security preparedness today is that you don’t think about if your security will be subverted – you accept that it probably will be. Instead, you think about what to do when your security is undermined.
That means putting plans in place to protect systems during and after an attack, ensuring staff are security aware, and making certain you develop a workplace culture supportive enough that employees aren’t fearful of coming forward if an action they take puts the system at risk.
Does the sheer number of people affected by XcodeGhost reveal an Apple security problem? Not really, because it’s a given that attempts against its platforms will be constant — and within that context some will make it through. And, of course, Apple responded swiftly once the problem was identified.
That’s the right approach. We know attacks will happen and must have mitigation in place when they do. One of Apple’s best ways to inhibit such attacks is to manage distribution via the App Store. It isn’t perfect, but it works most of the time.
Preparation is better than cure
We know standard perimeter security models no longer work. We know security incidents will happen, meaning good practice is to make it hard for those events to take place and to act decisively when they do.
Perhaps Apple was irresponsible for not revealing the number of people affected by the attack? I don’t think so, because Apple cleared this mess up.
It is important to note that in this case the exploit wasn’t really used for anything more malicious than device fingerprinting – though this could have chilling repercussions in China.
Up next?
So, what’s the lesson here? Attacks are becoming more sophisticated, more targeted, and more dangerous as a result. They are also becoming more expensive, which means most people are unlikely to be attacked – but if you are an enterprise, an NGO, or a dissident voice, you should be concerned.
How to harden iOS device security
Here are a few steps you should always take to harden device security:
- If you receive a new device, update your OS.
- Always install security updates.
- Never jailbreak your device.
- Enable automatic app update downloads.
- Enable remote wipe and encrypt device backups.
- Set a complex passcode and ensure your device will erase data if too many passcode attempts are made.
- Turn off Location Services and disable Lock Screen access to Control Center.
- Don’t download apps unless you really need them.
- Regularly audit and delete unused apps.
- Set your app permissions to the minimum.
- If you use Safari or any browser, enable fraud warnings, disable form autofill, block third-party cookies, and turn on do not track.
- To mitigate network security issues, turn off AirDrop, Bluetooth, and Personal Hotspots when not in use, and forget Wi-Fi networks unless you utterly trust them.
- Stay up to date with the latest security news as it relates to your industry.
- Read Apple’s Platform Security guide.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
Copyright © 2021 IDG Communications, Inc.