Your Apple device could be hacked if not updated: CERT advisory

If you are an Apple Watch, TV or Mac user, there is some bad news for you. Security researchers have found two serious vulnerabilities in these three products that could enable hackers to take control of your devices and use them for nefarious purposes.

The three products are wildly popular across the world, not just because of their features but also because Apple gadgets are regarded as status symbols. In particular, there is a sharp uptick in the smartwatch business in India, as the number of increasingly fitness-conscious Indians goes up by the second, and crores of Indians use Apple watches. The tech giant’s Mac systems and TVs, too, are massively sought after.

In two advisories issued on Thursday and Friday, the Indian Computer Emergency Response Team (CERT-In), which is the Central cyber security agency for India, has warned about serious vulnerabilities in all three of these products.

In Thursday’s advisory, CERT-In warned of multiple vulnerabilities in the Mac operating system, which it classified as ‘critical’, the most serious rating in cyber security parlance.

“Multiple vulnerabilities have been reported in the Apple Mac OS which could be exploited by a remote attacker to execute arbitrary code, bypass security restrictions and cause denial of service conditions on the targeted system,” the advisory stated.

‘Execution of arbitrary code’ means that a hacker could run any commands or code of their choice on a target device after gaining control of the device using the vulnerability. In simpler words, a hacker would take over the vulnerable device and make it do anything they want.

In the second advisory issued on Thursday, CERT-In warned of a vulnerability that affects all three products. This vulnerability, like the first one, also lets a hacker execute arbitrary code on the hacked devices. Given the sheer number of Apple Watches, TVs and Macs in use currently, a hacker could have millions of devices at their disposal.

Apple has released patches for both the vulnerabilities, which can be installed by downloading the latest updates to the products. However, what makes the matter even more serious is that, by Apple’s own admission, these vulnerabilities might have already been exploited by hackers.

“Apple is aware of a report that this issue may have been actively exploited,” Apple said in a statement regarding the two vulnerabilities on its official website.

Both the vulnerabilities were reported to Apple by private cyber security researchers who wished to remain anonymous. There exists an understanding in the cyber security community according to which, whenever a researcher finds a vulnerability in any product, it is communicated to the manufacturer first. The researcher then waits for a period of time before making his or her research public. This is done to give the manufacturer ample time to release patches for the vulnerabilities.

Users of the three products are advised to immediately download the latest software updates in order to avoid falling prey to hackers.

What it means for the end user

A hacker could compromise your device and gain access to all the private information stored on it.

This stolen information could be used to steal your money, send out virus-laden emails to your contacts and post malicious content on social media through your accounts.

Information like names, addresses and PAN and/or Aadhaar card numbers can be combined to make a complete set of identity documents. These sets are in high demand on the dark web, as criminal and terrorist elements use them to create forged identity documents.

A hacker could simply choose to hack millions of devices and create a whole network of ‘bots’ or hacked devices, which is called a botnet. These botnets are used for an advanced form of cyberattack, where millions of devices ping a single server at the same time, causing it to crash. This type of attack is called a Distributed Denial of Service (DDoS) attack, as it denies the service to its legitimate users. For example, causing the servers of a city’s railway system to crash by a DDoS attack would leave thousands of commuters in the lurch.