Last week, Citizen Lab revealed an exploit 1 affecting “all iPhones, iPads, Macs, and Apple Watches” which allowed an attacker to take complete control of a device simply by sending an iMessage (Apple’s proprietary encrypted message format) to the device. Worse, it was being exploited in the wild by NSO Group, a notorious Israeli firm known mostly for selling surveillance software to such charming states as Saudi Arabia and sharing the blame 2 in the murder of Jamal Khashoggi.
Just today, immediately after the release of a new major version of Apple’s iOS, a “disgruntled researcher”, fed up with Apple’s bug bounty program, released the details of another exploit, this one allowing access to user data “without supplying a passcode or other form of authentication.” 3
In other words, iPhones are not secure. Right? Well, of course, it’s a little more complex than that.
Think, for a moment, about the security of your home. If you’re an American, you probably have a lock and a deadbolt on your external access doors. You might even have an alarm system which detects a door or window opening and alerts you, your neighbors, and maybe even the police.
None of these things will stop someone from stealing your laptop. If someone wants a laptop, they might see the deadbolt on your door, or the sign out front saying “ARMED RESPONSE”, and go rob someone else, but if someone wants your laptop - if your computer contains the nuclear launch codes, or a review copy of The Elder Scrolls VI - they’ll pick the lock, or break a window, or come in through the skylight.
If you’re in a position to expect this kind of thing, you might hire a bodyguard, or live on the twenty-fifth floor, or store your laptop in a safe. That exposes you to new risks, though - what if your bodyguard doesn’t like you, or your high-rise catches fire, or you forget the code to your safe?
Threat modelling is the process of deciding which of these risks are worth spending time and money to mitigate - which are most likely, which are most devastating, and which are easy to avoid. This is pretty intuitive to most people in the physical realm, but somehow all that common sense goes out the window when it comes to data security.
Traditional Digital Threats
We live in the era of omnipresent data security threats, often in the form of ransomware - software that renders the contents of a computer inaccessible and holds it (and, thus, any possible productive use of that machine and its data) for ransom. Indeed, a recent Cisco whitepaper 4 estimates ransomware alone as a $20 billion industry, with average ransoms - and remediation costs - in the hundreds of thousands.
These are important factors for individuals as well - ransomware can affect personal computers, and of course the constant scam attempts, botnet drive-by exploits, and cryptocurrency mining malware that are the reality of life on the Internet can’t be discounted.
This is a reasonable start to a threat model for most people. Thus, the question becomes not “Is my iPhone secure?”, but “Is my iPhone secure against financially motivated criminal actors who are not specifically targeting me?”
The answer to that question is probably yes. Apple’s review system does a decent job of keeping out-and-out malicious apps out of the App Store, and by preventing users from “sideloading” non-App Store software, they are able to categorically avoid a huge swath of potential security problems.
Sadly, that’s not the end of the story.
Advanced Persistent Threats
Advanced persistent threats, or “APT”, are something of a buzzword in the cybersecurity community, but it’s a genuinely useful concept. An APT is a threat actor that’s willing and able to delve deeply into a particular program, device, or service and create custom exploits and malware to target individuals or groups. Whereas a ransomware crew or the author of cryptocurrency mining malware might take advantage of a known flaw in an old version of Word or iOS, APTs will take the time to find as-yet-undiscovered flaws in the latest versions, opening up the field for massive exploitation or allowing them to attack an individual or small group without getting detected.
An intelligence service like that of the US, China, or Saudi Arabia can be an APT; similarly, large criminal groups have the ability to do this kind of intensive research and use it for financial gain. The NSO Group flaw mentioned above, sold to governments around the world, is a typical APT tool - and clearly, your iPhone isn’t inherently secure against such things.
That said, the infrastructure to make it so is in place. That flaw has been patched, and up-to-date iPhones are no longer in danger from that particular technique. That’s much better than the state of security against the other kinds of threat.
Perhaps the best-known vendor threat - and part of the reason I decided to pick on the iPhone - is Apple itself. Apple is a large, powerful company, but it is a company, not a sovereign nation. Similarly, Microsoft, Google, and other major tech companies are subject in at least some part to the whims of the nations in which they operate. While Apple famously refused to build custom bypass software for the FBI in the case of the San Bernardino shooter’s iPhone 5, this was not a principled stand against government overreach. Apple themselves said that they often help law enforcement and have no problem with doing so.
The complete control of users’ devices that helps Apple’s kit defend you against the common malware discussed above also makes it nearly impossible for you to defend “your” iPhone against Apple. Indeed, recently, Apple proposed the implementation of automatic snitching software which would scan photos and messages on a user’s device for illicit content. 6 While the initial plan would scan only photos uploaded to iCloud, and would look only for child exploitation material, the system was deeply flawed, in that it could easily produce false positives - that is, marking perfectly fine images as illicit. 7 In addition, because the database is controlled by Apple and derived from government sources, it would have opened an additional avenue of surveillance, with much reduced oversight, for both.
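To make the false-positive point concrete, here is an added example written for this page (it is not Apple’s code, nor the hashing scheme analysed in the linked article): a minimal average hash, one of the simplest perceptual hashes. The match threshold, the 8x8 sample images and their pixel values are all constructed for the demonstration. It shows both what a perceptual hash is meant to do (a re-encoded copy still matches) and what that design necessarily costs (a visibly different image produces the identical hash).

```python
# Added example, not from the original post: a minimal average hash (aHash),
# one of the simplest perceptual hashes, used to show why perceptual matching
# yields false positives. Apple's scheme is far more elaborate; the property
# illustrated (fine detail is discarded by design) is what they share.
# "Images" here are constructed 8x8 grayscale grids with values 0-255, i.e.
# the already-downscaled form a real aHash pipeline produces from a photo.

MATCH_THRESHOLD = 5  # assumed: Hamming distance at or below this counts as a match


def average_hash(pixels):
    """Return a 64-bit aHash for an 8x8 grid: a bit is set when the pixel is at
    or above the grid's mean brightness. Exact tones and fine texture vanish."""
    flat = [v for row in pixels for v in row]
    if len(flat) != 64:
        raise ValueError("example assumes an 8x8 grid")
    mean = sum(flat) / 64
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming_distance(h1, h2):
    """Number of differing bits between two hashes."""
    return bin(h1 ^ h2).count("1")


def is_match(h1, h2, threshold=MATCH_THRESHOLD):
    """How a matching database decides: close enough in hash space."""
    return hamming_distance(h1, h2) <= threshold


def make_grid(fn):
    """Build an 8x8 grid from a function of (row, col)."""
    return [[fn(r, c) for c in range(8)] for r in range(8)]


# Constructed sample images
# 1. Flat two-tone image: bright left half, dark right half.
TWO_TONE = make_grid(lambda r, c: 200 if c < 4 else 50)
# 2. The same image re-encoded at lower contrast: a legitimate near-duplicate,
#    the case the hash is designed to catch.
TWO_TONE_DIM = make_grid(lambda r, c: 120 if c < 4 else 90)
# 3. A fine checkerboard with different tones on each side: visibly different
#    content, yet every left pixel is above the mean and every right pixel below.
CHECKER = make_grid(
    lambda r, c: (255 if (r + c) % 2 == 0 else 150) if c < 4
    else (100 if (r + c) % 2 == 0 else 0)
)
# 4. Bright top half, dark bottom half: an unrelated layout.
TOP_BOTTOM = make_grid(lambda r, c: 200 if r < 4 else 50)


def compare_all():
    """Return the Hamming distance from TWO_TONE's hash to each other sample."""
    base = average_hash(TWO_TONE)
    return {
        "dim_copy": hamming_distance(base, average_hash(TWO_TONE_DIM)),
        "checkerboard": hamming_distance(base, average_hash(CHECKER)),
        "top_bottom": hamming_distance(base, average_hash(TOP_BOTTOM)),
    }


if __name__ == "__main__":
    for name, d in compare_all().items():
        verdict = "MATCH" if d <= MATCH_THRESHOLD else "no match"
        print(f"{name:>12}: distance {d:2d} -> {verdict}")
```

The dim copy matching at distance 0 is the intended behaviour. The checkerboard also matching at distance 0 is the false positive: it looks nothing like the two-tone image, but the hash only records which pixels sit above the mean, so the two are indistinguishable to it. Any hash built to survive re-encoding, resizing and brightness changes has to map many distinct inputs to the same value; the more tolerant the matcher, the larger that collision space, and a database of hashes the user cannot inspect gives no way to tell which collisions are in it.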
As an iPhone user, it’s essentially impossible to defend yourself against decisions like this. Perhaps the only defense is to simply choose not to use an iPhone, as Steve Jobs himself told those of us who like to enjoy non-PG-13 material. 8 But even that is not always enough.
Sometimes, the decisions of a few major organizations are so impactful as to change the lives of tens of thousands. Wars, tax hikes, and climate change are great examples of systemic threats - but in recent years, Apple, Google, MasterCard, and PayPal have become some of the prime movers and shakers in the business of ruining everyone’s day.
In 2018, Apple decided that Tumblr’s CSAM screening system (which was very similar to the one they themselves proposed recently) was insufficient, and removed their app from the App Store. 9 This led to Tumblr instituting a site-wide adult content ban, eventually spelling the decline of the site. It’s not as if Tumblr was a perfect social platform - far from it - but it was a haven for many artists and creatives, especially LGBTQ+ people and people of color, because of its robust community building features and relatively straightforward timeline view.
Similarly, the legal sex work-focused site OnlyFans was nearly forced to shut its doors to its most lucrative and prolific creators because its payment card processors simply decided they didn’t like that kind of thing. 10
These systemic threats are beyond the reach of any user; especially on an Apple device, your favorite - or most important - app could be banned for any reason, or no reason at all, and neither you nor the app’s creator would have any real recourse outside of suing some immensely wealthy company. Even decisions made by companies you’ve never done business with can completely change your digital landscape.
Security is contextual. Your iPhone is pretty secure against common cyberattacks, but it’s meaningless to ask if the latest gadget is “secure”. Consider the factors in play, and what you’re actually afraid of. If you’re a “normal” user, take a look at what you really rely on Apple, Google, etc. for, and think about what you’d do if they decided to ban or stop supporting those use cases, as they so often do. 11 If you’re an activist, lobbyist, or politician, you might want to consider a somewhat stricter security posture, perhaps even going so far as to use a series of burner phones or a non-smart phone.
We are none of us ‘secure’ from all the ravages of the world; everything is intertwined, and the only way to answer that question is to understand how your needs and fears are tied to the complex web of interactions that affects everyone in this global community.
Whittaker, Zack, “Apple patches an NSO zero-day flaw affecting all devices”, 13 September 2021 at TechCrunch ↩︎
Falconer, Rebeca, “Israeli firm won’t say if it sold spyware linked to Khashoggi killing”, 25 March 2019 at Axios ↩︎
Khalili, Joel, “Disgruntled researcher exposes iPhone lockscreen bypass”, 21 September 2021 at TechRadar ↩︎
Ackerly, Rachel, “The cost of ransomware attacks: Why and how you should protect your data”, 10 August 2021 at Cisco Umbrella ↩︎
Byford, Sam, “Read Apple’s Response to the FBI’s San Bernardino iPhone hack”, 28 March 2016 at The Verge ↩︎
“Apple Must Abandon its Surveillance Plans” from the EFF ↩︎
Kuederle, Oliver, “The Problem with Perceptual Hashes” ↩︎
Schofield, Jack, “Wikipedia’s porn purge, and cleaning up for the iPad”, 12 May 2010 at The Guardian ↩︎
Porter, Jon, “Tumblr was removed from Apple’s App Store over child pornography issues”, 20 November 2018 at The Verge ↩︎
Versai, Anna, “Why Did OnlyFans Reverse its Decision to Ban Porn?”, 20 September 2021 at Technowize ↩︎
Killed by Google ↩︎