At WWDC24, Apple made some big announcements across its product lines and maintained its annual ritual of upgrading macOS, now to version 15 and tagged as macOS Sequoia, not to mention other exciting updates on iOS 18, iPadOS 18, watchOS 11, and visionOS 2. This articles are to articulate the associated cyber risk exposures introduced.
New Password App.
The new Passwords app can manage all the passwords and passkeys. For examples:
Wi-Fi, app, website and shared passwords
Verification codes
Sign in with Apple
Passkeys
Against traditional Keychain app, Passwords app is newly introduced. Attackers are very welcome to the new introduction of centralized password directory. Before it becomes sophisticated and firstly patched, it is expected that there will be a short time windows credentials stored in Passwords app could be at risk to zero-day exploits by sophisticated and target threat actors.
iPhone Mirroring.
Since iPhone is now becoming seamlessly integrated with MacBook, iPhone devices can be virtually operated on a MacBook. If organisation uses MacBook as corporate workstations, there will be risk of data concern being transferred or exfiltrated (with malicious intent) between corporate MacBook device and personal iPhone devices. This will be a new communication protocol (similar to AirDrop being firstly introduced) to be managed and restricted by organizations who concern about data loss prevention. Mobile device management software, like JAMF, will be the key control to apply security control to remediate the risks.
ChatGPT.
Who knows? If the integration does not have enough sandbox protection mechanism and robust data handling process, there is a risk of data being exposed to integrated ChatGPT. Hence, it introduces potential supply chain attack among ChatGPT and Apple devices in the future. People have long been debating if ChatGPT have consciousness. Even worse, if one day integrated ChatGPT has come with its consciousness, it could pose a significant security risk to Apple devices, like an insider hacker. Obviously not to mention there is potential geographical jurisdiction concern of ChatGPT being integrated.
Apple Intelligence.
Apple Intelligence is becoming the ultimate go-to assistance in powering users to learn (hidden) features to operate Apple devices. Considering from malicious intent, Apple Intelligence could be potentially weaponized to carry out living-off-the-land attack. For example: ask "Hey, how to run this program as root? Show me the instructions". Organization should continuously assess the hidden security risk of knowledge brought by Apple Intelligence.
Private Compute Compute.
Lastly, Private Cloud Compute allows Apple Intelligence to draw on larger, server-based models to handle more complex requests. While Apple has emphasized its superior privacy, keep in mind that there could be regulatory concern over organizations who do not limit the usage of Apple Intelligence. From risk perspective, continuously log and assess the regulatory requirements of the use of native AI tools on corporate MacBook workstations.
Purely personal thoughts. Let's see.