SecuringAV: The iPhone Spyware Vulnerability

What YOU Can Do To Prevent Hackers From Hijacking Your Smart Device’s Microphone

For each column in this series, rAVe writer Paul Konikowski takes a deeper dive into a recent security event or data breach, shedding light on supply chain vulnerabilities, infrastructure and cyber-physical security.

OMG, did you watch the Apple “Unleashed” stream? No, not the September event, the October one. Did you hear about the new MacBook Pro? Are you getting the new iWatch?

Did you update all of your Apple devices to iOS 14.8, macOS 11.6 and/or watchOS 7.6.2 so foreign governments can’t hijack your camera and microphone using spyware?

You didn’t? Well, do it now. Go ahead; I will wait. Then, I will tell you why… 

On Monday, Sept. 13, 2021 (the day before the September Apple Event), Apple issued a software update to fix a critical flaw in its iPhones, iPads, MacBooks and iWatches. The zero-day hardware bug had allowed foreign governments to eavesdrop on up to 1.65 billion Apple products. The products had been vulnerable since at least March of 2021, six months before the security update.

Did they actually spy on everyone, all the time, for six months? Probably not — but they could have, and NONE of those users would have had to click or open anything. It’s called a zero-click remote exploit.

The story is that an Israeli spyware company, the NSO Group, exploited a previously unknown (aka zero-day) vulnerability and created spyware called Pegasus that could hijack your smartphone camera and microphone, record messages, texts, emails and calls (even those sent via encrypted messaging and phone apps like Signal) and send them back to NSO’s clients at governments around the world.

OK, PK, I updated my iPhone. Now what does this have to do with AV? 

If you haven’t noticed, the Apple iPad has made its way into corporate meeting rooms, often used as a control surface. In more recent years, the BYOD trend has driven the touch panel from the table to an app on users’ phones. Unpatched iPhones and iPads can be hacked, allowing foreign governments to record conversations. Yet most of those iPads that are acting as huddle room control panels will never be updated with the proper security patches. “If it ain’t broke, don’t fix it” is the attitude most AV integrators take about security. And people wonder why I have trouble sleeping at night.
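One way to find the unpatched control-panel devices described above is to audit the room inventory against the patched releases named in this column (iOS 14.8, macOS 11.6, watchOS 7.6.2). This is an added example, not part of the original column; the inventory format, room names and the rule that iPads reported as "iPadOS" are held to the iOS number are assumptions.

```python
import csv
import io

# Minimum patched releases as stated in the article.
MIN_PATCHED = {"ios": (14, 8), "macos": (11, 6), "watchos": (7, 6, 2)}
# Assumption: iPads reported as "iPadOS" are held to the iOS number.
ALIASES = {"ipados": "ios"}

# Constructed sample inventory (hypothetical rooms and devices).
SAMPLE_INVENTORY = """room,device,platform,os_version
Huddle 1,iPad control panel,iPadOS,14.4
Huddle 2,iPad control panel,iPadOS,14.8
Boardroom,Mac mini,macOS,11.5.2
Boardroom,iPhone (BYOD),iOS,15.0.1
Lobby,Signage player,tvOS,14.7
Huddle 3,iPad control panel,iPadOS,
"""

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); return None if it is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'unpatched' or 'unknown' for one device."""
    key = platform.strip().lower()
    key = ALIASES.get(key, key)
    minimum = MIN_PATCHED.get(key)
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # needs manual review; never assumed safe
    # Pad with zeros so that 14.8 and 14.8.0 compare equal.
    width = max(len(minimum), len(version))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(version) >= pad(minimum) else "unpatched"

def audit(inventory_csv):
    """Map each status to the (room, device) rows that have it."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["platform"], row["os_version"])
        report[status].append((row["room"], row["device"]))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Devices with a missing version or an unlisted platform land in "unknown" so they get a manual check instead of being counted as patched.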

OK, so let’s say your iPads and iPhones ARE updated regularly with security updates. Good job! But didn’t the Pegasus attack go unnoticed for six months and require no clicks? How do we know there is not another spyware lurking on our tablets or phones, possibly immune to the recent patch?

Since we don’t know what we don’t know, and we don’t know if we are being spied on until we detect the spyware, we should take a multi-layered security approach, also known as a Defense-in-Depth approach. If one layer of security/privacy is breached, the other layers of security will help to prevent full access to the devices. Following the Zero Trust tenets, we should assume our phones are being breached all the time — even on a daily basis. Therefore, we need to learn to physically or electronically disable our microphones and cameras when not in use.

So how do you stop someone from hijacking your laptop or smart device camera and/or microphone? 

Many people put tape or a Post-it-style sticky note over their laptop cameras. Some are worried that their employers are spying on them, while others are worried they may accidentally turn their cameras on without realizing it. Electrical tape and paper sticky notes both work well to block the device camera view.

What about microphones? You can’t just tape over your phone microphone if you plan to use it as a phone. And sound also can travel through paper.

Enter the Mic Lock line of adapters. These third-party adapters plug into your iPhone, USB-C or mini-TRS port and essentially trick the device into thinking a new microphone has been plugged into it. The device switches itself to the Mic Lock, where it hears nothing. You can easily test it with a trusted friend on the other end.

While no one likes little dongles, these adapters are well built, cheap and most importantly, they work. They also help to stop Siri or social media sites from listening when you don’t want them to. No more seeing ads about things you just conversed about. It’s time to take back our privacy — and our microphones. These Mic Locks are not the end-all solution, but they are a part of my Defense-in-Depth approach to AV.