Security firm Check Point has demonstrated an exploitable Apple vulnerability in the industry-standard SQLite database format. Speaking at Def Con 2019, the company showed the technique being used to manipulate Apple’s iOS Contacts app. Searching the Contacts app under these circumstances can be enough to make the device run malicious code.
“SQLite is the most widespread database engine in the world,” said the company in a statement. “It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite.”
Read the full story on Apple Insider.
Analyst Take: Apple has long enjoyed a reputation of having the most secure devices. Part of this had to do with the relatively small number of devices employed (Mac vs. PC), and part of it also seemed to be related to the company having an extremely rigid quality control philosophy that meant flaws in hardware and vulnerabilities in software were weeded out before devices were brought to market, and if for some unknown reason they made it to market, they were fixed quickly.
The vulnerability discovered here adds another black eye to Apple’s growing list of woes that now further damages its secure reputation.
Perhaps one of the most alarming things about the discovery is that the hack relied on a KNOWN bug: 4-year-old vulnerabilities in SQLite could be used to force an application to run malicious code. Check Point showed how the Contacts app could be forced to shut down, but this was the G-rated edition, as the same code could easily have been used to steal passwords.
Before panic takes over on this one, I want to point out that for this particular vulnerability to be exposed at this time, someone would have to have access to the physical device, which obviously makes it a lot less scary for the 1.4 billion or so iPhones and iPads that are affected by this issue. However, like many security flaws, this one can certainly morph into something worse, so I’m watching Apple closely on this one to see how they react now that it has been exposed. Continuing to leave a known issue like this unsettled is not a good reflection on Apple. It’s also worth noting that Apple has recently seen security flaws in iMessage that don’t require device access, meaning this isn’t necessarily an isolated event.
I believe the days of Apple having a massive gap from the competition in virtually anything technology related are over. Security and privacy, which have enjoyed a relatively sterling reputation among consumers, have been exposed over the past several weeks. It’s critical for Apple to get these areas in order, as the last thing the company needs is a massive hack or data breach to cement their reputation as the same as others when it comes to security.
Time will tell, very soon.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.