Bring your own device (BYOD) is a challenge for most organizations. Even if you are doing a great job of applying security patches for your workstations and servers, hackers have more ways in. If you are like many, you have employee-owned smart phones connecting every day to check email (and more?). For BYOD, we just got a big reminder of how high the stakes can be.
iOS is the operating system running on iPhones and iPads and the most recent update, 9.3.5, was released on August 25. iOS 9.3.5 fixes three giant zero-day vulnerabilities. A zero-day vulnerability is a bug that, when discovered, is already being used to attack systems “in the wild”. This trio, a.k.a. “Trident”, was discovered by The Citizen Lab, sourced at the Munk School of Global Affairs at the University of Toronto. The Citizen Lab performs “research that monitors, analyzes, and impacts the exercise of political power in cyberspace”.
Trident is a set of exploits potentially created by the NSO Group, an Israeli “cyber war” company that profits from cyber weaponry, such as their “exclusive” commercial spyware tool Pegasus. They are owned by Francisco Partners Management, based in the US.
According to Bruce Schneier, CTO at Resilient Systems, an IBM company:
iOS vulnerabilities are expensive, and can sell for over $1M. That we can find one used in the wild and patch it, rendering it valueless, is a major win and puts a huge dent in the vulnerabilities market.
If you allow BYOD or have deployed mobile devices within your organization, how confident are you that you are applying patches? If you aren’t sure, find out. It’s not a major win for you if you don’t update!