Your Apple Gadgets Could Be Hackable—Here's How to Protect Them

Your Mac and iOS devices might not be as secure as you think. 

The cybersecurity company Trellix recently shared their discovery of new, significant bugs on iOS and MacOS. Apple has reportedly moved to squash the bugs. But the new research has opened the possibility that malicious actors could sidestep the security features on some Apple devices. 

"Hackers are moving faster than ever, and individuals and organizations must update their software regularly or risk falling victim to a cyber attack," Andrew Obadiaru, the Chief Information Security Officer at Cobalt.io, told Lifewire in an email interview. 

Bugs ‘R Us

Apple has long been known as a company that takes security seriously. Still, potentially dangerous bugs occasionally creep into the company's software. The Trellix Advanced Research Center vulnerability team said it discovered a large new class of bugs that allow bypassing a security measure known as code signing to carry out unapproved actions on both macOS and iOS.

"These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user's messages, location data, call history, and photos," Austin Emmitt, a security researcher with Trellix, wrote on the company's blog. 

Chris Bluvshtein, a privacy expert at VPNOverview.com, said in an email to Lifewire that Apple has stringent restrictions around what software can run on devices. On the other hand, Android allows third-party app downloads, which is why Android malware is more common. The new vulnerabilities are known as 'zero-click,' which means you don't need to click on them to cause problems. 

The vulnerabilities get around the fact that part of Apple's security measures involves all apps being signed by an Apple developer certificate. Apps are also limited in their actions—effectively being kept within their sandbox. It makes it difficult for hackers to introduce malicious code that can exploit the operating system's software or access other unauthorized apps or services on the phone or computer.

The newly uncovered vulnerabilities allow attackers to bypass this cryptographic signing process and run malicious code out of its ring-fenced security sandbox. "Worryingly, these are zero-click exploits—victims don't even need to click on a link to be affected," Bluvshtein said. 

Bluvshtein said the problem first surfaced in September 2021 and was patched by Apple, but related vulnerabilities that use the same approach are still being discovered. Current macOS software (macOS Ventura 13.2.1) does not contain fixes for these two vulnerabilities. Apple is aware of the potential exploits, but for now, even devices running the latest macOS could be at risk.

"Unfortunately, zero-click exploits are nigh-on impossible to defend against, even when following the advice above," Bluvshtein said. "That's why they're commonly used against high-profile targets, and even by government intelligence services to monitor targets."

Don't worry too much about the bugs, though. "The vulnerabilities that were disclosed, though noteworthy, show how layered defenses are so critical to maintaining good security posture," Michael Covington, the vice president of portfolio strategy at the tech firm Jamf, which specializes in Apple devices, said in an email to Lifewire. "And the response from Apple also shows how critical vendor responsiveness is to the process."

Protecting Yourself

Even though Apple is expected to patch the newly discovered vulnerabilities soon, experts say users should take precautions to ensure the security of their devices. 

Only use trusted applications from the App Store, Bluvshtein said. "While you can't install custom apps from elsewhere, there have been historical examples of apps gathering more data than they should or performing malicious actions," he added.

Bluvshtein said that you shouldn't trust unknown devices when connecting your phone.
"Your iPhone will ask you whether to trust a computer when connecting via USB," he added. "Better yet, don't connect your phone at all unless it's your own computer."

Also, follow the ubiquitous advice not to click on links or even open messages from unknown senders if you don't know who sent them and for what purpose. "Just delete them," Bluvshtein said.

Make sure to keep your Apple devices up to date with the latest available operating system software, Bluvshtein suggested. Turn on automatic downloads to ensure that you don't miss security updates. 

"For everyday users, these kinds of attacks are unlikely to be common, and security researchers constantly work to find them before hackers do," Bluvshtein said. "So, monitor your devices for security patches, and install them as soon as they land."