ASD Advice on Apple Release of iOS 7

Download ASD Broadcast: ASD Advice on Apple Release of iOS 7 (PDF), 16 October 2013

Introduction

On 18 September 2013, Apple announced the official release of iOS 7. As per usual practice, iOS 6 will no longer be available for download as a result.

Details

ASD is currently evaluating iOS 7. In the interim, ASD advises the following:

  1. Upgrade to iOS 7. Even though iOS 7 is not yet evaluated, this version does provide security enhancements. This is consistent with ASD’s advice to install the latest versions of software and patch operating system vulnerabilities as communicated in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.
  2. Implement the current iOS Hardening Configuration Guide for iOS 7. The existing guide is applicable to iOS 7. ASD will release an updated guide for iOS 7 as soon as possible. The updated guide will contain additions in response to new features, rather than wholesale changes to the existing advice.
  3. Take interim steps to address new security risks. Until the updated guide is published, ASD recommends:
    1. Enable supervised mode on all devices and do not allow pairing with non-Configurator hosts.
    2. Disable the AirDrop feature.
    3. In the case of the new Apple iPhone 5s, disable Touch ID and follow ASD’s existing passcode advice for iOS devices.
    4. Disable Control Centre from the lock screen.
    5. Disable Notification Centre from the lock screen.
    6. Disable Today View from the lock screen.
    7. Be aware that Virtual Private Network (VPN) behaviour has changed in iOS 7. If your agency is currently using the VPN at PROTECTED, please contact ASD for specific advice relevant to your deployment and refer to the Further Information section of this document.
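
One way to check that a deployed profile enforces interim steps 1 to 6 is to audit its Restrictions payload. This is an added example, not ASD's or Apple's code. The mapping from each step to a restriction key in Apple's Configuration Profile Reference is an assumption made here, and the sample profile is constructed. It assumes an unsigned `.mobileconfig` (a signed profile must be unwrapped first).

```python
import plistlib

# Assumed mapping of the interim steps to Restrictions payload keys
# (this mapping is made for the example and is not ASD's own).
REQUIRED_FALSE = {
    "allowHostPairing": "pairing with non-Configurator hosts (supervised only)",
    "allowAirDrop": "AirDrop (supervised only)",
    "allowFingerprintForUnlock": "Touch ID unlock",
    "allowLockScreenControlCenter": "Control Centre on the lock screen",
    "allowLockScreenNotificationsView": "Notification Centre on the lock screen",
    "allowLockScreenTodayView": "Today View on the lock screen",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def audit_profile(data):
    """Return the restriction keys that no Restrictions payload sets to false."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    # This script treats a key as enforced when any Restrictions payload
    # sets it to false; a missing key leaves the feature allowed, so
    # absence is reported as a finding.
    return [key for key in REQUIRED_FALSE
            if not any(p.get(key) is False for p in payloads)]


# Constructed sample profile: three steps enforced, three not.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "allowHostPairing": False,
        "allowAirDrop": False,
        "allowLockScreenControlCenter": False,
        "allowLockScreenNotificationsView": True,  # weak setting
        # allowFingerprintForUnlock and allowLockScreenTodayView omitted
    }],
})

if __name__ == "__main__":
    for key in audit_profile(SAMPLE):
        print(f"NOT ENFORCED: {key} ({REQUIRED_FALSE[key]})")
```

The host pairing and AirDrop keys only take effect on supervised devices, so the audit says nothing about whether supervision itself is enabled.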

Further information

Details on the release of iOS 7 can be viewed on the Apple iOS website. Information regarding the security content of iOS 7 can be found at support.apple.com/kb/HT5934.

For further information regarding the changes to configuration profile restrictions and the new triggering rules for the iOS 7 VPN On-Demand payload, refer to Apple’s Configuration Profile Reference.

Review the Australian Government Information Security Manual, Strategies to Mitigate Targeted Cyber Intrusions and iOS Hardening Configuration Guide (PDF).

Contact

Note: The Australian Signals Directorate, formerly known as the Defence Signals Directorate, was renamed in the 2013 Defence White Paper.

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.