iOS 11 security risks: time to question the BYOD policy

One of main pillars of digital transformation is the use of mobile devices for business needs, yet this exposes organisations to digital risk.
In the case of iOS 11, a lack of risk-oriented thinking by Apple has put corporate data, accessed by iPhone users on a daily basis, in close reach of ransom-hungry hackers.

One of the more worrisome vulnerabilities discovered in the recent iOS 11 release involves the redesigned control center, which includes a switch that turns Bluetooth and Wi-Fi configurations on and off. It was discovered that the switch doesn’t actually disconnect either Bluetooth or Wi-Fi, putting users at risk for open connection attacks.

>See also: Mobile devices are hindering IT departments and costing companies

Indeed, control over Wi-Fi and Bluetooth settings is crucial for controlling exposure to risk, and with Apple’s assertions that constant connectivity is essential for features such as AirDrop, AirPlay, and Apple Watch, it seems that users are now tasked with scrutinising mobile technology companies.

In order to confront this challenge, organisations that encourage the use of BYOD should adopt systems that identify and control device vulnerabilities, including threat detection for all endpoints, so they are able to regain control and visibility. This allows for early identification of vulnerable endpoints that could jeopardize the entire organisation.

In addition, personal Internet of Things devices that run on iOS 11 could now have CISOs/CIOs questioning their BYOD policies.

>See also: 3 ways to manage BYOD for a modern workforce

Devices such as Apple TVs, Apple Watches and FitBits that communicate with the iOS 11 operating system could put sensitive organisational information stored on the corporate network at risk because their Bluetooth and Wi-Fi connectivity cannot be shut off.

Apple asserts that this feature was “intentional” to allow for ease in connecting over AirPlay and sharing files over AirDrop, however, the fact that these devices are always connected makes them an easy target for gateway IoT attacks.

Once hackers gain access to the wireless network or Bluetooth connectivity point through the constantly-connected IoT devices, they can easily access cloud-shared data and files on the corporate network, take these files ransom and request a pay out from the hacked organisation.

>See also: Containerisation: the winning strategy for BYOD mobility

Therefore, CISOs should consider not only the security of their Wi-Fi and Bluetooth configurations, but also their BYOD policies that may allow employees to use personal IoT devices and Apple phones with the latest iOS 11 version installed.

Finally, Apple is now forcing all users to use two factor authentication. According to Apple, the move from two-step verification (not required of users) to two-factor authentication is intended to improve the user experience.

In addition, instead of keeping a private verification key on hand, trusted devices will display authentication codes automatically whenever a user signs in.

>See also: Enterprise security in the connected devices age

Some users are already expressing frustration with this shift, from verification codes still being sent to old devices (a huge problem for those with stolen devices), and denial of service following failed attempts at entering a verification code.

Ultimately, two-factor authentication will make Apple devices safer in terms of privacy, but there are still a lot of bugs to fix before this new feature can be 100% trusted.

 

Sourced by Juda Thitron, VP R&D at Portnox

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...