The Mystery of the Apple Zero-Day Vulnerability CVE-2023-38606


I just finished listening to the analysis by Steve Gibson in Security Now episode 955, and it is very interesting. No real surprises at all, but it does put things more in perspective and out in the open. Unless Apple actually spills the beans, which is almost certainly not going to happen (and legally it may not be able to anyway), we will not know for sure why this happened.

The technical explanation in the podcast is worth listening to, as it gives context as to why this was no ordinary, accidentally introduced vulnerability. It also explains quite clearly why this was not a debugging back door, as Apple claimed. The very final conclusion is rather chilling, though: a similar vulnerability could be introduced in newer models, and we cannot rule out that a Plan B or Plan C back door still exists.

The closing discussion raised the possibility that China and/or Russia may have mandated such a back door, although both started banning the use of the iPhone by their own officials as far back as two years ago. If this were the case, two further conclusions follow: first, that Apple, as a US company, could not have been legally compelled by them to stay silent about what had happened; and second, that Apple products are no safer than any Android products, and possibly worse off, if it is the OEM itself introducing the back doors.

The marketing hype about security and privacy seems a bit thin now, given the type of vulnerability this is. In fact, it would have put many other countries and governments at ease, believing what was being claimed.

Even if the claims about the back doors being put in place for Russia/China were true, I'm pretty sure that the US legislation around the Patriot Act and the CLOUD Act would have allowed this to be kept away from the US NSA. Those Acts also place a muzzle on any US-owned company, so that it is not allowed to mention or report any such access.

So, it is all very interesting, and the fact is that we will probably never know who or why. We can now safely assume that all mobile devices are insecure by nature, owing to their complexity (no surprises). What we don't know simply has not been discovered yet. We also cannot trust any government not to spy on its own citizens or on other governments (including its own allies); again, no surprises at all, as we have seen the evidence of this over the last 10 years as well.

But I did find this analysis very fascinating, as it demonstrates the depth and extent to which these measures actually go. We live in intriguing times, as we also learned last year that we cannot trust the video and images we see posted online. All of this makes 20th-century censorship, propaganda, and spying look like nursery school stuff. Today's propaganda and spying is extremely technical and is carried out by nation-state actors. Citizens have very little hope of figuring out for themselves what is what, given all the deflection going on.

See https://twit.tv/shows/security-now/episodes/955