While Apple may have garnered some excitement with the release of its new devices earlier this month, Apple has also gained the attention of security researchers with the launch of iOS 11 and the Apple Watch.
The Apple’s iOS 11 update included eight CVEs that patched vulnerabilities in iBooks, Mail MessageUI, Messages, MobileBackup, Safari, and Webkit.
The update included a patch for a memory corruption issue in Mail MessageUI that could have allowed a denial of service if it processes a maliciously crafted image as well as an inconsistent user interface in both Safari and Webkit that could have led to address bar spoofing if a user were to visit a malicious site, according to a Sept. 19 post.
The iOS update also patched a MobileBackup error which allowed unencrypted backups despite a requirement to perform only encrypted backups as a result of a permission issue. In addition to patching a few security flaws, a new intentional feature in the update may leave some users at risk according to some researchers.
Apple introduces a redesigned control center to quickly access common settings that includes a toggle to switch on or off a devices Bluetooth and Wi-Fi settings, the only problem is that the feature doesn’t actually disconnect either service. Instead the feature only disconnects users from their current Bluetooth or Wi-Fi accessories but both connections will still be available.
The reasoning behind the feature is to continue to allow services such as AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to Apple, however, some argue that this could leave users with a false sense of security and could expose them to attacks that leverage open connections such as BlueBourne.
The features can still be completely disabled through the device but users must go through there settings instead of through the control panel. Apple Watch Series 3 hasn’t even hit the shelves yet but early reports and an admission by Apple may suggest the device will come out of the box with an increased security risk.
The device noted for its new LTE connectivity features is reportedly having a hard time connecting to LTE networks and is instead connecting to unauthenticated Wi-Fi networks.
The company said in a comment to the Verge “that when Apple Watch Series 3 joins unauthenticated Wi-Fi networks without connectivity, it may at times prevent the watch from using cellular. We are investigating a fix for a future software release.”
This is the first time Apple has acknowledged an issue with the smartwatch just after pre-orders, and right before it officially ships. The potential for insecure devices has prompted security researchers to call for legislation regulating the security of IoT devices in as well as other cybersecurity measures.
“IoT devices lack security by design, and they also don’t offer the option to upgrade or apply patches,” AlienVault Security Advocate Javvad Malik told SC Media. “Additionally, manufacturers often choose convenience (e.g., using default credentials in their appliances) over implementing proper security measures, which is a flagrant violation of best practices in product development.
Malik added that many vendors simply aren’t willing to put in the extra effort to ensure security unless it’s required and that as a result governments around the world need to take an active role in IoT security and put pressure on these manufacturers to do the right thing for consumers.
“Safety legislation and compliance requirements around IoT is an absolute must, or the market will continue to be flooded with vulnerable IoT devices,” he added.