Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Industry News

Update Your OS for Security: AirDrop Vulnerability Affects iOS 8.4.1

A new AirDrop vulnerability affecting iOS 8.4.1 (the most recent version until today, when iOS 9 becomes available for update on your Apple devices) has been reported by security researcher Mark Dowd.

Reported to Apple just over a month ago, the security vulnerability allows an attacker to install malicious apps on iPhones and Macs over AirDrop, the Bluetooth-enabled file sharing feature. Attacks can be launched on a device, even if the lockscreen is enabled.

This is pretty serious, since it allows anyone in range of an attacker with Airdrop enabled to install the malware, even if the user didn’t accept the offered file. The user would have to have AirDrop set to allow connections from anyone and not just his/her contacts.

Dowd bypassed the code-signing protections on iOS by using his Apple enterprise certificate to create a profile for his test app that let it run on any device - he was able to suppress the prompt that normally displays to a user, asking him/her if they trust the app.

Then he installed an enterprise provisioning profile on the device and marked it as trusted, according to Threatpost. And then, the attacker can write files to any location on the file system, known as a directory traversal attack. Signing an app allows it to do things such as read contacts, get location information, use the camera and more. Anyone could search for users within AirDrop range, like in a coffee shop or airport, and install malicious apps on their phones or laptops.

The bug hasn’t been patched yet by Apple, but iOS 9 (released today) does include a mitigation for the vulnerability. According to Forbes, Apple added a sandbox to AirDrop, preventing people from writing files to arbitrary locations on a compromised device.

iOS 9 improvements include security, battery life and more user experience intelligence. If you’re near Detroit, you’re supposed to be able to download it by 1PM ET. While much attention is drawn to the new features included in operating system updates, the security side is equally important, as lagging on OS updates can leave your users and organization susceptible to known vulnerabilities.

In an analytical report based on our Duo database, 91 percent of users didn’t update to iOS 8.4.1. within the week following its release - that means they didn’t get the patches for over 70 critical documented vulnerabilities in the update.

iOS Security Updates

Based on our data, we estimate that 20 million iPhones are running on hardware that can’t even receive security updates, which presents huge risks to enterprise IT environments. We also found that half of all iPhones in use today are running iOS 8.3 or lower, meaning they’re missing updates that address over 100 known vulnerabilities. That includes two major vulnerabilities, Ins0mnia and Quicksand, which can allow an attacker to steal data, like your usernames and passwords.

Running Outdated iOS

Getting visibility is the first step toward shifting a larger focus on mobile device and endpoint security. To get intel into what version of OS your users are running on their devices used to log into your company network, we designed Duo Access to track and report detailed device data to an administrative dashboard.

Find out not only what OS your users are running, but if they have any other outdated plugins or software that could put your organization at risk of a known exploit like the AirDrop vulnerability. Also, you can use the data to ensure everyone updates on a timely basis, and contact any stragglers that still run iOS 8.4.1.

Learn more about Device Insight and Policy & Controls.