Majority of iPhone users have yet to update iOS in wake of Pegasus discovery

September 6, 2016 | FedScoop

“[Though] warnings are issued and emphasized, most users are generally lackadaisical [with updates],” said one former CIA intelligence officer.

When news broke last month that three dangerous software vulnerabilities in Apple’s mobile operating system were discovered, the Cupertino, Calif.-based electronics giant sounded the alarm and quickly pushed out a software update to its customers.

Apple’s concern, however, is apparently not shared by a majority of its customers, according to new data collected by San Francisco-based data analytics firm MixPanel.

In spite of the vulnerability revelations, just 14 percent of the world's iPhones downloaded the security patch, MixPanel told Business Insider. MixPanel relied on “partners sharing the version of iOS people are using to download their apps” to get an accurate estimate of updated iPhones.

Security experts tell FedScoop they aren’t surprised by the poor download rates; instead, they fully expected it.

“The fact that 86 percent of the iPhone users do not download the appropriate fixes to these hacks and attacks is not only not surprising, but rather, very much in line with the general lack of situational awareness of most users,” said DHR International's security expert Peter Metzger.

The iOS vulnerabilities were originally discovered by a research team made up of digital rights watchdog CitizenLab and mobile security firm Lookout.

"[Optional, remote downloads] are only partially effective. Consumers need to pay closer attention to these updates when issued, particularly updates addressing severe security issues. An automatic download, i.e., a push system, would achieve better results [than Apple's current procedure]," said Elad Yoran, a former cybersecurity adviser to the FBI and Department of Homeland Security.

Evidence suggests the three iOS zero-day exploits were rolled into a single cyber weapon codenamed Pegasus — capable of remote surveillance and exporting photos, messages and other data. The weapon was reportedly used by the United Arab Emirates government to target a human rights advocate. The report further found it was engineered by an Israeli defense contractor known as the NSO Group.

“[Though] warnings are issued and emphasized, most users are generally lackadaisical [with updates],” said Metzger, a former CIA intelligence officer and security consultant to the intelligence community.

Pegasus is nearly impossible to detect and enables broad access to a victim’s iPhone data. To break into an iPhone, running iOS 9.3.5 or later, hackers only need a victim to tap a link embedded in a text message once.

"This number [86 percent non-download for the patch] is surprisingly high, but not shocking," said Yoran, now a venture capitalist who invests in cybersecurity startups. "It speaks to why we should have a system of forced downloads when important security updates are released. Also, this issue is compounded in BYOD [bring your own device] environments because individuals’ failure to download patches can place sensitive organizational data at risk."

At the moment, about 88 percent of iPhones are running iOS 9 or later, while the remaining 12 percent run some iteration of iOS 8 or older, according to Apple’s app development website. The developer website, however, does not differentiate between different versions of iOS 9 — so as a result, it’s unclear exactly how many customers downloaded version 9.3.5.