iMessage Has a Massive Security Flaw. Here’s How To Protect Yourself

As it turns out, Apple's lofty claims of security may be somewhat unfounded. A researcher recently revealed a major problem with iMessage, one which could put your business at risk.

In the business sector, Apple has built much of its iOS brand on the fact that iPhones are inherently more secure than Android devices. This is due at least in part to the fact that Apple has built a closed, guarded ecosystem to Android’s more open one. We’ve already seen evidence on more than one occasion to suggest that rumors of Apple’s superior security are greatly exaggerated. 

Today, we’re adding one more story to that pile. 

A report released mid-July revealed a massive security flaw in Apple’s iMessage software, one which allowed remote access to data on the phones of 36 different people, almost exclusively reporters and executives. Speaking to Business Insider, one researcher referred to the security flaw as a blinking red five-alarm problem. It would be nice if he were being hyperbolic. 

The software reportedly used in the hack was a tool known as Pegasus, created by cyber intelligence agency The NSO Group. The organization, for its part, has flatly denied the allegations in a statement published on its website.  It even went so far as to state that it is considering a defamation suit. 

Apple, meanwhile, responded to the report by noting that the tool used in the attacks would, in a real-world scenario, be so sophisticated that it would cost millions of dollars to develop. He asserted that the attack is by no means a threat to the majority of Apple’s users. He then followed up by reasserting Apple’s commitment to security in its ecosystem. 

Whether or not the report is indeed accurate, it should serve as a sobering wakeup call for anyone still complacent about iOS security. At the end of the day, it doesn’t matter what devices your business uses. The same security controls must be applied to them regardless. 

This includes: 

  • Endpoint management that allows for full visibility into and control over your mobile infrastructure.
  • Where relevant, secure containers to separate work and personal data.
  • File-centric security that allows a business to retain control of sensitive data even beyond the perimeter.
  • Enforced security policies such as password requirements, training, acceptable use, etc. 

At the end of the day, the biggest enemy of cybersecurity is and always will be complacency. Your business should never count on the fact that it’s using a particular operating system to protect critical assets. And you should always remember that no matter what security controls you have in place, no matter what measures you’ve opted to take, no system is 100% secure.