Security researchers have issued an iPhone warning after discovering a “critical systemic privacy bug in iOS 18 and macOS 15.0 Sequoia.”
In a study titled “Broken Mirror: iPhone mirroring at work could compromise employees’ personal information,” security software company Sevco Security says: “We have discovered a significant systemic privacy bug that could potentially expose a user’s personal iPhone applications as part of the company’s software inventory via a new Apple feature known as iPhone Mirroring.”
For those who aren’t familiar, iPhone Mirroring is a new feature that requires macOS Sequoia, iOS 18, and Apple Silicon, and is intended to create a more seamless user experience between your phone and laptop.
A bug in iOS 18 means applications on an employee’s personal iPhone could be exposed to a company’s IT department, Sevco said. “For iPhone users, this Apple bug is a significant privacy risk, as it could expose or put at risk aspects of their private lives that they may not want to share.”
“This could include exposing VPN apps in countries with restricted internet access, dating apps that reveal sexual orientation in jurisdictions with limited protections or legal repercussions, or apps related to health conditions that employees simply don’t want to share,” the researchers say.
Sevco first saw a personal iOS application reported as installed on a Mac device and believed this was a one-off bug in its own processing or in an upstream customer inventory provider. “Upon further investigation, we discovered that this was not a bug; in fact, multiple customers and multiple upstream software vendors were reporting personal iOS apps on Mac devices. It was new and systemic.”
The impact of this data breach could be severe, researchers say. For companies, the bug represents “new data responsibilities due to the possibility of collecting personal data of employees,” they warn, with the potential for violations of privacy laws such as the CCPA, litigation, and enforcement by federal agencies.
We’ve reached out to Apple for comment on this issue and will update this article if we hear back from the iPhone maker.
Apple iPhone mirroring bug — what are the risks?
That’s all well and good, but what is the actual risk to users from this iOS 18 bug? If you’re already concerned about privacy at work, it’s not that big of a deal. “If you don’t trust your employer, we never recommend using your personal devices for work, and vice versa,” says Sean Wright, Head of Application Security at Featurespace.
At the same time, he points out that employers already handle personal data such as bank account details and addresses. “So it’s important to keep that in mind when determining how much of a problem this really is. It is possible, but the reality is that most people in your organization aren’t interested.”
Rather, the iOS 18 bug will be more of a problem for employers, because they need to determine what software is and isn’t on their work devices, Wright said.
Another important consideration is that many organizations have not yet switched to macOS 15.0 Sequoia, Wright says.
Finally, and perhaps most importantly, Wright says: “People who don’t already trust their employer are very unlikely to do so. So while this is an interesting finding, I think the risk is low and probably won’t even be a problem for most people.”
iPhone’s new privacy bug — when will it be fixed?
Still, Apple needs to fix this iOS 18 bug to prevent privacy violations from happening.
Sevco has notified Apple, and the iPhone maker said it is working on a fix. Sevco says it has also notified multiple enterprise software vendors with which it has mutual customers, and that these vendors have confirmed the issue.
At this time, Sevco advises employees not to use iPhone mirroring on their work computers.
“Companies should identify the enterprise IT systems that collect software inventory from Macs and work with those vendors to reduce risk until patches are available.”
“Based on our conversations with Apple, we expect a macOS patch in the near future. When a patch becomes available, businesses can apply it to limit the collection of personal data of their employees. Once the patch is available, Sevco recommends that businesses erase any employee data that was collected in error to eliminate the risk of liability,” say the researchers.
The researchers provided technical details on how to reproduce the bug and also detailed a timeline. Sevco reported the bug to Apple on September 27, and the iPhone maker acknowledged receipt within an hour. Apple confirmed that the issue had been reproduced by September 30th. On October 3, Apple confirmed its intention to address this issue in an upcoming update.
On Tuesday, Sevco published a blog post. Sharp-eyed readers may notice that this schedule is a little faster than usual for ironing out security bugs in software: best practice is to give large technology companies 30 days to fix defects.
Sevco says there is a reason for this short period of time. “While the typical responsible disclosure timeline is at least 30 days, we have decided to release this information now as we observe the number of people and businesses affected increasing with each passing day. The greatest risk in this situation is that an individual is in a potentially dangerous situation, and the best defense is one’s own awareness.”
However, it’s important to note that Sevco is a vendor and wants to sell you security services, so take that into consideration when assessing your risk.
That said, this bug is legitimate and worth noting if you use a Mac in a corporate environment or are an employee using a personal device for work.
But as Wright points out, many companies using Macs probably haven’t even upgraded to the latest version yet. And the same is true for many iPhone users updating to iOS 18.