CERT-In Flagged High Risk in Apple Products Days Before 'Alert' Messages, Oppn's Snooping Charges
Union minister for communications and IT Ashwini Vaishnaw cited Apple's latest statement on the matter and said that an investigation by CERT-In has been ordered

Union minister for communications and IT Ashwini Vaishnaw said CERT-In sent an advisory on October 27 regarding vulnerabilities in Apple products, asking for systems to be updated immediately. Speaking about the opposition’s snooping allegations, the minister cited Apple’s latest statement on the matter and said that an investigation by CERT-In has been ordered.

The CERT-In advisory specifically points out the severity of these vulnerabilities, categorising them as “High”. The affected software includes various Apple products, such as:

  • Apple iOS versions prior to 17.1 and iPadOS versions prior to 17.1
  • Apple iOS versions prior to 16.7.2 and iPadOS versions prior to 16.7.2
  • Apple iOS versions prior to 15.8 and iPadOS versions prior to 15.8
  • Apple macOS Sonoma versions prior to 14.1
  • Apple macOS Ventura versions prior to 13.6.1
  • Apple macOS Monterey versions prior to 12.7.1
  • Apple tvOS versions prior to 17.1
  • Apple watchOS versions prior to 10.1
  • Apple Safari versions prior to 17.1

In the same advisory, CERT-In stated that these identified vulnerabilities pose a substantial risk, potentially allowing an attacker to access sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service (DoS) conditions, bypass authentication, gain elevated privileges, and perform spoofing attacks on the targeted system.

While the CERT-In advisory does not directly address the recent allegations of “state-sponsored” hacking, its issuance coincides with these concerns.

Meanwhile, Apple has issued a response to allegations made by opposition leaders, who received messages warning them of “state-sponsored” attackers attempting to access their devices. The tech giant stated that it “does not attribute the threat notifications to any specific state-sponsored attacker” and suggested that some of these notifications might be false alarms.

In a brief statement, Apple referred to its technical support page, highlighting the complexity of detecting state-sponsored attackers. Apple emphasised that such attackers tend to be well-funded and sophisticated, and the process of detecting their activities relies on threat intelligence signals that are often imperfect and incomplete.

Therefore, it said: “It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behaviour to evade detection in the future.”

The company’s statement followed a series of screenshots posted by multiple opposition Members of Parliament, including Shashi Tharoor, Priyanka Chaturvedi, and Mahua Moitra, who had received the warning messages from threat-notifications@apple.com.
