
Almost Every Apple Device Vulnerable Due to Supply Chain Bug

Just to be clear, this is not a cyber attack. It is a plain old bug. One that has been there for a decade. And still is. APPLE CANNOT PATCH THIS. They, technically, could delete vulnerable apps off your phone or computer, but that is risky business and lawsuit territory.

CocoaPods is an open source dependency manager used in over three million applications. Multiple vulnerabilities in it would allow a hacker to insert malicious code into many popular iOS and macOS apps, according to researchers.

CocoaPods is a tool that developers use to manage software dependencies for the Swift and Objective-C programming languages.

The problem is two-fold:

  1. There is nothing the users can do to mitigate the risk other than to update software when updates are available.
  2. Supply chain risk is a huge problem which is not receiving enough attention. This bug is not due to something the user did, nor something the developer did directly; rather, it is a bug in a tool that developers use, which the tool maker didn’t discover and fix for a decade.

Did nation state hackers know about this, and if so, when did they find out, and have they been exploiting it for a decade?

Don’t know, but they know about it now. They will quickly figure out which apps are vulnerable and work very hard to exploit them. For some applications, the developers have long ago moved on and they will never be patched. And, the users will never be told that they are vulnerable.

And, even though I sound like a broken record –

Open source does not mean secure! It doesn’t mean that it is not secure either. It is software and it has bugs. If it is well maintained the developers MAY find out about the bug sooner rather than later, but a piece of open source software used in three million applications sounds like a pretty mainstream app and they didn’t discover the issue for a decade. That doesn’t mean that hackers didn’t know about it for 9 years, 11 months and 30 days.

For companies, demanding software bills of materials for applications could help their IT or security team to at least know which of the apps they use are vulnerable. That is a start.
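As an added illustration of what an IT or security team can do with a software bill of materials (this is example code, not part of the original alert or of CocoaPods itself), the script below reads a CycloneDX JSON SBOM, pulls out every component that came from CocoaPods, and flags any pod whose version is below a known fixed version. The SBOM, the app name "ExampleApp", the pod names and the fixed version in the watchlist are all constructed placeholders; the real affected pods and versions would come from the vendor's or researchers' advisory, which this page does not list.

```python
"""Added example: inventory CocoaPods components from a CycloneDX SBOM
and flag the ones on a watchlist of pods that need updating.

Assumptions (not from the original alert): the SBOM is CycloneDX 1.4 JSON
whose components carry package URLs of the form
pkg:cocoapods/<name>@<version>; the watchlist maps a pod name to the first
version that contains a fix and is a placeholder for an actual advisory.
"""
import json
from urllib.parse import unquote

# Constructed sample SBOM for a hypothetical app "ExampleApp".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "ExampleApp", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "ExamplePod", "version": "1.2.0",
         "purl": "pkg:cocoapods/ExamplePod@1.2.0"},
        {"type": "library", "name": "OtherPod", "version": "4.0.1",
         "purl": "pkg:cocoapods/OtherPod@4.0.1"},
        {"type": "library", "name": "some-npm-lib", "version": "0.9.0",
         "purl": "pkg:npm/some-npm-lib@0.9.0"},
    ],
})

# Placeholder watchlist: pod name -> first version that contains the fix.
# These names and versions are invented for illustration only.
WATCHLIST = {"ExamplePod": "1.3.0"}


def parse_version(version):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically.
    Non-numeric segments (e.g. '3-beta') keep only their digits."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cocoapods_components(sbom_json):
    """Return [(name, version)] for every component whose purl is in
    the cocoapods ecosystem; components from other ecosystems are skipped."""
    bom = json.loads(sbom_json)
    found = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:cocoapods/"):
            continue
        rest = purl[len("pkg:cocoapods/"):]
        name, _, version = rest.partition("@")
        version = version.split("?")[0]  # drop purl qualifiers, if any
        found.append((unquote(name), version))
    return found


def flag_affected(sbom_json, watchlist=WATCHLIST):
    """Return (app name, list of pods that are below their fixed version)."""
    bom = json.loads(sbom_json)
    app = bom.get("metadata", {}).get("component", {}).get("name", "<unknown app>")
    hits = []
    for name, version in cocoapods_components(sbom_json):
        fixed = watchlist.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            hits.append({"pod": name, "version": version, "fixed_in": fixed})
    return app, hits


if __name__ == "__main__":
    app_name, affected = flag_affected(SAMPLE_SBOM)
    if affected:
        for hit in affected:
            print(f"{app_name}: {hit['pod']} {hit['version']} "
                  f"needs update to {hit['fixed_in']} or later")
    else:
        print(f"{app_name}: no watchlisted pods found")
```

Run over one SBOM per installed application and the output is exactly the list the alert asks for: which apps in the estate contain a dependency that still needs an update. Apps whose developers never ship a new SBOM (or a new build) stay on the list, which is the point.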

If you need help with this, please contact us.

Credit: Computing