
Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever.

The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices.

While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for Apple, applications and appropriate device protection.

The DMA: Taking a Bite Out of Apple

While the DMA doesn’t come into full force until March 6, 2024, many organizations are acting now to minimize disruption, and Apple is among them. The company is apparently on track to allow users to download and install third-party app stores on their iOS devices. Apple is on the hook to comply with changes to cable connections. By 2024, the company will add USB-C ports to all iPhones.

Breaking the locks on digital gatekeeping offers benefits for both application developers and end-users. From the developer’s perspective, using a third-party app store to sell their software lets them avoid commissions taken by Apple, which can be up to 30% of user payments per app. From the user side, being able to go outside the iOS app ecosystem offers both more choice and more control. Instead of waiting for Apple to vet and approve new software, users could find versions of their favorite apps already for sale on third-party marketplaces or available directly for download.

The Risks of Removing Gatekeepers

Not surprisingly, Apple executives aren’t exactly thrilled about the shift, calling software sideloads “a cyber criminal’s best friend”.

Some of their concern is motivated by a desire to retain control over application distribution and the revenue it brings. However, they do have a point. The closed-loop nature of iOS has long been a selling point for Apple, which claims that it reduces security risk. The claim does have some merit: recent data found that 10 months after the release of Android OS version 12, 30% of federal employees were still running older, less secure versions. In the case of iOS 15, this number was just 5%. For the most part, the difference comes from control. Apple’s oversight of devices means updates are harder to avoid, while Android provides greater choice, but potentially greater risk.

However, the shift to third-party app stores and sideloaded software impacts Apple’s ability to deliver consistent security. For example, apps downloaded from non-iOS stores may include critical security vulnerabilities or even malware. If attackers can fool on-device security scans, they may be able to compromise user devices.

Since Apple won’t have any monetary stake in these apps, the company may not make protection a priority. This could offer a potential side benefit for Apple; they won’t have to spend money on third-party security, and if users get burned by rotten apps, they may come back to the iOS tree.

How Security Teams Can Prepare

Whether you see the shift to open digital borders as good or bad, change is coming. As a result, security teams are well served taking time to prepare. Here are three approaches to help bolster iOS security post-change:

Ban Third Party App Stores and Sideloading

One approach is banning both third-party app stores and sideloading on business-owned iOS devices and enforcing this policy with mobile device management (MDM) tools.

While this will provide a measure of security, it also comes with potential drawbacks. First is the pushback from staff, especially if they use personal devices to work from home or while traveling. By blocking third-party app stores on personal devices, businesses may discover that staff simply stop using these devices for work, in turn reducing total productivity.

There’s also the case of useful apps that are available sooner on third-party app stores than through official channels. A total ban means companies are waiting longer to access features or functions that could improve operations.

Leverage Additional Security Tools

Another approach is leveraging additional security tools such as next-generation web application firewalls (NGFWs) and AI-driven behavior analysis to evaluate the potential risk of third-party apps or sideloaded software. If these tools detect a problem, they can prohibit downloads. If the software is all clear, they can permit installation.

The key here is follow-up. Even if apps appear legitimate and pass initial scans, this doesn’t guarantee safety. As a result, continuous monitoring is critical to ensure both user devices and business networks remain protected.

Create New Security Guidelines

IT teams may also want to consider creating new guidelines around where users can download apps, when they can sideload software and what steps they need to take to reduce total risk.

For example, teams might analyze popular app store options and only allow access to a select few based on what they offer and what (if any) security policies they have in place. Companies can also make it mandatory for staff to inform IT staff about any new downloads on their device. They might give teams a chance to analyze the apps for risk. Companies also need to lay out clear consequences if rules around app downloads aren’t followed.

Worth noting? There’s no hard-and-fast rule here. With regulations in flux, organizations need to find approaches to third-party apps and sideloading that balance device security with user autonomy and control.

From Closed Loops to Open Borders

The days of closed-loop iOS stores are ending in the EU. But with increased choice comes a higher risk of getting a malicious app that wreaks havoc on user devices — and potentially puts businesses at risk.

To reduce the chance of compromise, IT teams should consider a three-pronged approach. This should include banning shady app stores and sideloading, using additional security tools to detect potential problems and creating new security guidelines to provide clear roles and responsibilities for users.

The post Third-Party App Stores Could Be a Red Flag for iOS Security appeared first on Security Intelligence.

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity.

Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk.

To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a forum with both government leaders and private companies to assess both current and emerging EV threats. While the discussion didn’t delve into creating cybersecurity standards for these vehicles, it highlights the growing need for EV roadmaps that help reduce cyber risk.

Lightning Strikes? The State of Electric Adoption

EV sales in the United States are well ahead of expert predictions. Just five years ago, fully electric vehicles were considered niche. A great idea in theory, but lacking the functionality and reliability afforded by traditional combustion-based cars.

In 2022, however, the tide is turning. According to InsideEVs, demand now outpaces the supply of electric vehicles across the United States. With a new set of tax credits available, this demand isn’t going anywhere but up, even as manufacturers struggle to improve the pace of production.

Part of this growing interest stems from the technology itself. Battery life increases as charging times fall, and the EV market continues to diversify. While first-generation electric vehicle makers like Tesla continue to report strong sales, the offerings of more mainstream brands like Ford, Mazda and Nissan have helped spur consumer interest.

The result? The United States has now passed a critical milestone in EV sales: 5% of new cars sold are entirely electric. If the sales patterns stateside follow that of 18 other countries that have reached this mark, EVs could account for 25% of all cars sold in the country by 2025, years ahead of current forecasts.

Positive and Negative — Potential EV Issues

While EV adoption is good for vehicle manufacturers and can ease reliance on fossil fuels, cybersecurity remains a concern.

Consider that in early 2022, 19-year-old security researcher David Colombo was able to hack into 25 Teslas around the world using a third-party, open-source logging tool known as TeslaMate. According to Colombo, he was able to lock and unlock doors and windows, turn on the stereo, honk the horn and view the car’s location. While he didn’t believe it was possible to take over and drive the car remotely, the compromise nonetheless showed significant vulnerability at the point where OEM technology overlaps third-party offerings. Colombo didn’t share his data immediately; instead, he contacted TeslaMate and waited until the issue was addressed. Malicious actors, meanwhile, share no such moral code and could leverage this kind of weakness to extort EV owners.

And this is just the beginning. Other possible cyber threat avenues include:

Connected vehicle systems

EV systems such as navigation and optimal route planning rely on WiFi and cellular networks to provide real-time updates. If attackers can compromise these networks, however, they may be able to access key systems and put drivers at risk. For example, if malicious actors gain control of the vehicle’s primary operating system, they could potentially disable key safety features or lock drivers out of critical commands.

Charging stations

Along with providing power to electric vehicles, charging stations may also record information about vehicle charge rates, identification numbers and information tied to drivers’ EV application profiles. As a result, vulnerable charging stations offer a potential path to exfiltrated data that could compromise driver accounts.

Local power grids

With public charging stations using local power grids to deliver fast charging when drivers aren’t at home, attackers could take aim at lateral moves to infect car systems with advanced persistent threats (APTs) that lie in wait until cars are plugged in. Then, malicious code could travel back along power grid connections to compromise local utility providers.

Powering Up Protection

With mainstream EV adoption looming, it’s a matter of when, not if, a major cyberattack occurs. Efforts such as the ONCD forum are a great starting point for discussion about EV security standards. However, well-meaning efforts are no replacement for effective cybersecurity operations.

In practice, potential protections could take several forms.

First is the use of automated security solutions to manage user logins and access. By reducing the number of touchpoints for users, it’s possible to limit the overall attack surfaces that EV ecosystems create.

Next is the use of security by design. As noted by a recent Forbes piece, new vehicles are effectively “20 computers on wheels,” many of which are embedded in hardware systems. The result is the perfect setup for firmware failures if OEMs don’t take the time to make basic security protocols — such as usernames and passwords that aren’t simply “admin” and “password”, and the use of encrypted data — part of each EV computer.

Finally, there’s a need for transparency across all aspects of EV supply, design, development and construction. Given the sheer number of components in electric vehicles which represent a potential failure point, end-to-end visibility is critical for OEMs to ensure that top-level security measures are supported by all EV hardware and software components.

Getting from Here to There

As EVs become commonplace, a cybersecurity roadmap is critical to keep these cars on the road up to operator — and operational — safety standards.

But getting from here to there won’t happen overnight. Instead, this mapping mission requires the combined efforts of government agencies, EV OEMs and vehicle owners to help maximize automotive protection.

The post Defensive Driving: The Need for EV Cybersecurity Roadmaps appeared first on Security Intelligence.
