Apple Security 2020: The Year in Review
Posted by Kirk McElhearn
As we all know, 2020 was an exceptional year. No one expected the global turmoil we have seen, but this hasn’t stopped people from working with computers. If anything, the fact that so many people work from home means that they need to have extra protection from malware, vulnerabilities, and other security threats.
These threats can be classified into several types. There is malware, which is intentionally malicious and comes and goes according to the whims of cybercriminals. Then there are vulnerabilities, discovered when hackers find weaknesses in operating systems and apps. These vulnerabilities are generally patched as soon as possible, but there is always a period when users are at risk.
There are data breaches, where companies have their databases accessed, revealing potentially sensitive user data, which can be exploited to steal identities. There are scams, such as phishing, that flourish regularly. And there are privacy issues that arise when user data is misused, often by companies that hope to leverage this data to make money.
2020 saw all of these issues, with a rise in Mac malware, increased risk to users working from home on unsecure computers, and more. Here’s an overview of the year in Apple security, and you can listen to some episodes of the Intego Mac Podcast which discuss these issues.
Malware
Mac malware has a long history; we published an article this year tracing this history back to 1982. A report early this year showed that 10% of Macs are infected with malware, most of it OSX/Shlayer, which Intego discovered in 2018.
What’s striking is that this malware is often delivered in the form of a fake Adobe Flash Player installer. This continues a long line of malware disseminated in this form, going back to Flashback, which Intego discovered back in 2011. But Flash Player has been on its last legs for years, ever since Steve Jobs came out against the software in 2010. It will soon be officially dead: Adobe will no longer update the software after the end of 2020. Flash Player hasn’t been provided on Macs by default for years, and there is very little Flash content still around, so if you ever see a web page suggesting you install Flash Player, just say no.
New Mac ransomware, EvilQuest, was discovered in June, after circulating on BitTorrent sites, hidden in pirated copies of some popular software, such as Ableton, Little Snitch, and Mixed In Key 8. Ransomware encrypts your personal files and instructs you to make a payment – usually in Bitcoin – to be able to access them. But in this case, the malware creators didn’t provide an e-mail address or any other way to contact them, so it is unclear how they would know who paid them and therefore how to help that person decrypt their files.
Another discovery in June was malware that was actively spreading through malicious results in Google searches. This new malware was a variant of OSX/Shlayer, another fake Flash Player installer, and it was showing up on web pages that you might see with Google search results.
In August, XCSSET was discovered. This malware seemed to primarily target app developers, and can exploit zero-day vulnerabilities, hijack browsers, steal passwords, take screenshots, and exfiltrate data.
In October, we saw new malware ported from Windows – something that is uncommon – called GravityRAT and IPStorm. While this is not the first time malware has been ported from Windows to Mac, it is still a bit surprising, and shows that malware creators are increasingly interested in targeting Macs.
Finally, Apple’s system of "notarizing" software, to ensure that it is from a registered developer and does not contain malware, was subverted in August. And again in October. And again in December.
We have a detailed article about what to do if you think you have malware on your Mac.
Scams, phishing, and data breaches
Extraordinary times lead to worries and concerns, and cyber criminals are taking advantage of this. A lot of fake news about the coronavirus is spreading, and one series of emails contained a link to a deceptive Microsoft Word document that, when opened by an unsuspecting victim, attempts to disable the built-in malware protection on Windows computers, and then attempts to download Windows malware. We haven’t seen anything specifically targeting Macs, but this is certainly a time when you need to be vigilant.
Data breaches are a serious threat. In some cases, user names and passwords are leaked, underscoring the need to use unique, secure passwords for each service. In others, more data may be leaked, including credit card numbers, social security numbers, and more, which could lead to identity theft. On the Intego Mac Podcast, we discussed what to do if your data has been leaked.
Vulnerabilities and exploits
Vulnerabilities in both software and hardware are regularly discovered, and can be found by security researchers or by malicious hackers. Some of these vulnerabilities are serious, and may be patched by security updates quickly; but sometimes, hardware vulnerabilities are difficult to mitigate.
In October, security researchers discovered serious vulnerabilities in Apple’s T2 chip, which includes a "secure enclave coprocessor that secures Touch ID data and provides the foundation for new encrypted storage and secure boot capabilities."
This vulnerability is serious, but most users needn’t worry. If you’re a politician, activist, journalist, government employee, someone with access to highly sensitive information or trade secrets, or if you travel internationally to certain countries, you’re more likely to be targeted by a sophisticated threat actor. Otherwise, you’re probably safe.
A Messages exploit allows someone to send other users a link to a web page with a false headline attached. While the stories themselves may not be false, it’s easy to attach any headline when sharing a link in Messages. If a user clicks the link, they’ll see the real headline, but many users may just see the fake headline and think it is true. Intego first covered this flaw in 2018, and we were surprised, especially in the run-up to the US presidential election, that Apple had still not fixed this issue.
Privacy and security risks
The pandemic has changed the world, and has affected the way many people work. Working from home is now common for many people, and this introduces new risks. The rise of teleconferencing – 2020 will be remembered as the Year of Zoom – has made people aware of the importance of protecting their personal data.
Early in the year, as Zoom became the tool of choice for home workers to communicate with others, it was revealed that the software had many security and privacy issues. The company has made a lot of changes to the software to address these issues, but this sort of open window into your home comes with risks.
While this didn’t affect average users, the Great Twitter Hack of 2020 was notable for its targeted attack on a number of high-profile Twitter users. CEOs and politicians had their accounts compromised, tweets were posted for a cryptocurrency scam, and some users’ direct messages were accessed. All this shows how we cannot trust apps and services with highly sensitive data if their systems are not secure.
That six-digit passcode…
An interesting discovery was made in August. A user’s iPhone was stolen, his bank account was siphoned, and purchases were made on Apple’s App Store, even after the user locked the phone using Find My iPhone. This case highlights the fact that there are tools that can discover a six-digit passcode pretty quickly, fast enough to be able to change the Apple ID password, deactivate Find My iPhone, and much more.
This highlights just how vulnerable these personal devices are. Our phones contain so much data, and provide access to so many services, that it makes sense to change your passcode and make it more secure.
New Apple security and privacy features
Not everything about Apple security this year was negative. The company released new operating systems, which contained a number of useful new security and privacy features. Apple’s focus on privacy is at the heart of macOS Big Sur and iOS 14, through four principles: data minimization, on-device intelligence, security, and transparency and control.
One key feature is the new Safari Privacy Report. Combined with Safari’s robust tracker blocking, this report tells you what websites are following you around, and helps you understand where your privacy is being violated.
And the rest
There were plenty of other security and privacy issues affecting Apple products this year. To keep up to date with all the security news around Apple products, check out The Mac Security Blog regularly, and subscribe to the Intego Mac Podcast.