An iPhone warning has been issued by security researchers, after they found a “major systemic privacy bug in iOS 18 and macOS 15.0 Sequoia.”

In the research, titled “Broken Mirror: iPhone Mirroring at Work May Expose Employees’ Personal Information, security software firm Sevco Security says it has “discovered a major systemic privacy bug whereby the applications from a user’s personal iPhone may become part of the company’s software inventory via a new Apple feature known as “iPhone Mirroring.”

In case you aren’t familiar, iPhone Mirroring is a new feature that requires macOS Sequoia, iOS 18 and Apple Silicon that aims to enable a more seamless user experience between a person’s phone and laptop.

The iOS 18 bug means the applications on an employee’s personal iPhone may be exposed to their corporate IT department, Sevco says. “For iPhone users, this Apple bug is a major privacy risk because it can expose aspects of their personal lives that they don’t want to share or that could put them at risk.”

“This could include exposing a VPN app in a country that restricts access to the internet, a dating app that reveals their sexual orientation in a jurisdiction with limited protections or legal consequences, or an app related to a health condition that an employee simply does not want to share,” the researchers say.

When Sevco saw personal iOS applications reported as installed on Mac devices, it assumed this was a one-off bug in its processing or an upstream customer inventory provider. “As we dug in, we recognized it was not a glitch — personal iOS apps were indeed being reported on Mac devices from multiple upstream software vendors at multiple customers. This issue was something new and systemic.”

The consequences of this data exposure may be severe, the researchers say. For companies, this bug represents a “new data liability from potentially collecting private employee data,” which could violate privacy laws such as CCPA, potential litigation, and federal agency enforcement, they warn.

I have contacted Apple for comment on this issue and will update this article if the iPhone maker responds.

Apple iPhone Mirroring Bug — What’s The Risk?

That’s all well and good, but what’s the actual risk of this iOS 18 bug to the user? Not huge, if you are already being careful with your privacy at work. “If you don’t trust your employer, I certainly would not recommend using any personal device in work capacity, and vice-versa,” says Sean Wright, head of application security at Featurespace.

At the same time, he points out, your employer already deals with your personal data including your bank details and address. “So it’s important to keep that in mind when determining how much of an issue this really is. Sure they could tell what apps you have installed and used, but the reality is most in the organization are not going to be interested.”

If anything the iOS 18 bug will be more of a problem for employers as they now need to determine what software is on work devices and what is not, says Wright.

Another important consideration to take into account is, many organizations will have not switched to macOS 15.0 Sequoia yet, Wright says.

Finally, and perhaps most crucially, Wright asks: “How many people are actually going to use this functionality on their work laptop, or even be able to? Those already untrusting of their employers are highly unlikely to do so. So while this is an interesting finding, I view the risks as low — and for most people is not even going to be an issue.”

New iPhone Privacy Bug — When Will It Be Fixed?

Even so, Apple will need to fix this iOS 18 bug to ensure no privacy violations take place.

Sevco says it has notified Apple and the iPhone maker is working on a fix. It claims it has also notified several enterprise software vendors where Sevco, Apple, and the vendor have common customers and these have confirmed the issue.

For now, Sevco advises employees to refrain from using iPhone Mirroring on work computers.

“Companies should identify any enterprise IT systems that collect software inventory from Macs and work with those vendors to mitigate the risk until a patch is available.”

“We expect Apple to patch macOS before long based on our conversations with them. When a patch becomes available, companies will need to apply the patch to stop collecting private employee data. After the patch is available, Sevco recommends that companies purge any mistakenly collected employee data to eliminate liability risk,” the researchers say.

The researchers have provided technical details about how to reproduce the bug and also detailed a time line. Sevco reported the bug to Apple on Sept 27 and the iPhone maker acknowledged receipt within an hour. By Sept 30 Apple confirmed it had reproduced the issue. On Oct 3, Apple confirmed intent to address the issue in an update coming soon.

On Tuesday, Sevco published the blog. The more astute among you may notice that this timeline is a little rapid for dislosing security bugs in software. The best practice is 30 days to allow a tech giant to fix a flaw.

Sevco says it has its reasons for the shorter timeframe: “While typical responsible disclosure timelines are usually at least 30 days, we’ve decided to release this information now because we are watching the number of people and companies impacted grow with every day that passes. The biggest risk in this situation is to individuals in a potentially compromising situation and their best defense is their own awareness.”

But what’s also important to note is, Sevco is a vendor, and it wants to sell security services, so take that into account when assessing your risk.

However, the bug is legit and worth noting if you use Macs in an enterprise setting — or if you are an employee who uses their personal device at work.

But as Wright points out, a lot of companies using Macs won’t even have upgraded to the latest version yet — and the same goes for many iPhone users updating to iOS 18.

Share.
Exit mobile version