Privacy News Broken Mirror: iPhone Mirroring at Work May Expose Employees’ Personal Information

lokamoka820

Thread author
Mar 1, 2024
As deployments of macOS 15.0 Sequoia and iOS 18 continue, Sevco discovered a major systemic privacy bug whereby the applications from a user’s personal iPhone may become part of the company’s software inventory via a new Apple feature known as “iPhone Mirroring.”

In short, the applications on an employee’s personal iPhone may be exposed to their corporate IT department.

For iPhone users, this Apple bug is a major privacy risk because it can expose aspects of their personal lives that they don’t want to share or that could put them at risk. This could include exposing a VPN app in a country that restricts access to the internet, a dating app that reveals their sexual orientation in a jurisdiction with limited protections or legal consequences, or an app related to a health condition that an employee simply does not want to share. The consequences of such data exposure may be severe.

For companies, this bug represents a new data liability from potentially collecting private employee data. If this bug is not addressed, it may lead to violation of major privacy laws such as CCPA, potential litigation, and federal agency enforcement.

Sevco has notified Apple, who has identified the root cause and is working on a fix. We have also notified several enterprise software vendors where Sevco, Apple, and the vendor have common customers and we have confirmed the issue. We have also notified our customers that have collected or have the potential to collect private employee data.

In the immediate term:
  • Employees should not use iPhone Mirroring on work computers
  • Companies should communicate to employees that they should avoid using iPhone Mirroring on work computers (this may be a legal or regulatory requirement)
  • Companies should identify any enterprise IT systems that collect software inventory from Macs and work with those vendors to mitigate the risk until a patch is available

We expect Apple to patch macOS before long based on our conversations with them. When a patch becomes available, companies will need to apply the patch to stop collecting private employee data. After the patch is available, Sevco recommends that companies purge any mistakenly collected employee data to eliminate liability risk.
 

SpiderWeb

Aug 21, 2020
It is actually doing the opposite. Apple services travel through their own separate end-to-end encrypted VPN that not even Apple has access to your data. They call it stateless data processing:


Essentially the reason is because of services like iMessage, Find My Device and Apple Notarization which require uninterrupted access.
 
