Category Archives: Apple

Beware of Shady Repair Shops

A report presented this month at the 2017 USENIX Workshop on Offensive Technologies was pretty offensive – and not in the way the workshop title means it.

Offensive security, in the workshop's sense, means attacking a system the way an adversary would in order to find and exploit its weaknesses.

The report demonstrated a proof-of-concept attack that works if someone takes their phone to a repair shop.  The attack works by surreptitiously inserting hardware, for example behind a replacement for a cracked screen, that “adds” a few “features” the owner never asked for.

They demonstrated putting these modified screens into two Android phones – a Huawei and a Nexus – but they say the attack will work with iPhones as well.

This attack works because manufacturers draw the trust boundary around the whole handset: the phone's firmware and device drivers treat the touchscreen, and the controller chip embedded in it, as trusted parts of the device, so whatever that component reports is accepted at face value.  A replacement screen with a malicious controller sits inside that boundary, and the trust is broken.

In reality, this is nothing new.  Stories abound of PC and Mac repair places inserting extra software and sometimes even hardware into a computer to be able to monitor it.  There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed them information from computers in for repair.

In this case, the modified screen can log what is typed on the on-screen keyboard, capture unlock patterns (for pattern screen locks), install malicious apps, and take pictures and send them to the attacker.

All this for about ten bucks in parts.

The problem occurs because you lose control of the device – phone, tablet or computer – when you leave it with the repair person.

They say that this particular attack is so subtle that it is unlikely to be detected, even by another repair technician unless he or she knows what to look for.

The researchers say that there are some inexpensive countermeasures that manufacturers can add, but there is really nothing that you can do yourself.

They say that this attack could easily scale up to be done to a lot of phones and, of course, would also scale down to targeted phones.

As a user, the only thing that you can do is choose your repair center wisely.  If you can use a manufacturer’s repair center, that is probably less risky.  If not, then do your homework and check out the place and also ask them how they vet the individuals working on your device.

Great – something else to worry about.

For more details about the hack, see the article in Ars Technica.


Don’t Turn on WiFi on Your Phone Until You Patch it

An interesting vulnerability was just announced that affects both Apple and Google/Android phones, which is very unusual.

The bug is in the Wi-Fi chip, a separate processor with its own firmware that handles the phone's WiFi radio.  (It is often lumped together with the cellular baseband, but the cellular baseband is a different chip and is not the part affected here.)  In this case, the chip is the Broadcom BCM43xx family; Broadcom's combo chips in this family handle WiFi, Bluetooth and FM radio on one chip.

Unfortunately, researchers found a bug in the WiFi firmware that would allow an attacker to take over the WiFi chip's processor and, from there, work toward the main processor and the entire phone.

The reason this affects both Apple and Android phones is that this chip is used by almost everyone.  From iPhone 5s to the newest Android phones, they are all impacted.

Apple just released iOS 10.3.3 (which may or may not have been downloaded to your iPhone yet) and Google just released an Android patch in the July updates.  Unlike Apple devices, Android users have to wait for manufacturers to pick up Google’s fixes and test them and then wait again for carriers to make them available.  The only users who do not have to wait are Google branded Android phone users.  Those users get their patches directly from Google.

What can you do?

Three answers.

If you are an Apple user, download iOS 10.3.3 and install it.  Done!

If you are a user who is running a relatively new version of the Android OS on your phone AND your phone manufacturer/carrier is actively releasing updates, you should install the July update as soon as it is available.  That might be 30 days or more.

If you are running an older version of the Android OS and/or your carrier/phone vendor is not releasing security updates, you are kind of out of luck.  Turn off your WiFi and DO NOT TURN IT ON AGAIN on that phone.  For most people, this is probably the time to get a new phone.

Why, you say, am I so aggressive about this?

The report is that you only have to be within radio range of a WiFi access point that is attacking you in order to be compromised.  You DO NOT need to connect to that access point.  You do not need to open a web browser, install an app, or click on a link.  All you need to do is be near a rogue WiFi access point – which could easily be hidden in someone’s backpack – because the vulnerable code runs when the chip processes WiFi frames it hears over the air, whether or not you ever join that network.
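The root cause this post shares with the repair-shop post above is the same: a parser on the trusted side of a boundary (the WiFi chip's firmware here, the phone's touchscreen driver there) takes a length field supplied by the other side and uses it as-is.  The C example below is added here and is not code from the researchers, Broadcom or any phone vendor.  It uses a simplified, constructed frame layout (802.11 elements as id, length, body records, with the WMM element carried as a vendor element under OUI 00:50:f2, type 2), an assumed 32-byte firmware buffer, and filler payloads built inline; the function names and return codes are this example's own.  It puts a parser that trusts the length next to one that checks every element against both the frame it arrived in and the buffer it is copied into.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Elements in 802.11 management frames (beacons, probe and association
 * responses) are a run of [id:1][len:1][body:len] records.  The WMM element
 * is a vendor element: id 0xdd, body starting with OUI 00:50:f2, type 0x02.
 * The frame layout used here is constructed for this example and WME_BUF is
 * an assumed buffer size; neither is taken from any real firmware.
 */
#define IE_SSID   0x00
#define IE_VENDOR 0xdd
#define WME_BUF   32

static const uint8_t WME_HDR[4] = {0x00, 0x50, 0xf2, 0x02};

/* Vulnerable parser: the 8-bit length arrives over the air (or from a
 * peripheral such as a replacement screen) and is used without any check. */
int parse_wme_vulnerable(const uint8_t *frame, size_t frame_len,
                         uint8_t *out, size_t out_cap, size_t *written)
{
    (void)out_cap;                          /* never consulted: that is the bug */
    *written = 0;
    for (size_t off = 0; off + 2 <= frame_len; ) {
        uint8_t id = frame[off], len = frame[off + 1];
        const uint8_t *body = frame + off + 2;
        if (id == IE_VENDOR && memcmp(body, WME_HDR, 4) == 0) {
            size_t n = len - 4;                /* sender-chosen, up to 251 */
            memcpy(out, body + 4, n);          /* overruns a WME_BUF-byte buffer */
            *written = n;
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;                                 /* no WMM element present */
}

/* Hardened parser: each element is checked against the frame (no OOB read)
 * and against the destination (no OOB write); bad frames are dropped. */
int parse_wme_hardened(const uint8_t *frame, size_t frame_len,
                       uint8_t *out, size_t out_cap, size_t *written)
{
    *written = 0;
    for (size_t off = 0; off + 2 <= frame_len; ) {
        uint8_t id = frame[off], len = frame[off + 1];
        const uint8_t *body = frame + off + 2;
        if ((size_t)len > frame_len - off - 2)
            return -2;                         /* element runs past the frame */
        if (id == IE_VENDOR && len >= 4 && memcmp(body, WME_HDR, 4) == 0) {
            size_t n = len - 4;
            if (n > out_cap)
                return -3;                     /* payload would not fit */
            memcpy(out, body + 4, n);
            *written = n;
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;
}

/* Build a constructed frame: an SSID element, then a WMM element carrying
 * payload_len filler bytes.  Returns the frame length, or 0 on bad input. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t payload_len)
{
    static const uint8_t ssid[] = {IE_SSID, 4, 't', 'e', 's', 't'};
    size_t need = sizeof ssid + 2 + sizeof WME_HDR + payload_len;
    if (payload_len > 251 || need > cap)
        return 0;
    memcpy(buf, ssid, sizeof ssid);
    uint8_t *p = buf + sizeof ssid;
    *p++ = IE_VENDOR;
    *p++ = (uint8_t)(sizeof WME_HDR + payload_len);
    memcpy(p, WME_HDR, sizeof WME_HDR);
    p += sizeof WME_HDR;
    memset(p, 0x41, payload_len);
    return need;
}

/* Bytes the vulnerable parser copies.  The destination has slack after its
 * first WME_BUF bytes so the overrun is measured rather than corrupting
 * memory; real firmware has no such slack. */
size_t bytes_copied_vulnerable(uint8_t payload_len)
{
    uint8_t frame[300], out[300];
    size_t w = 0, n = build_frame(frame, sizeof frame, payload_len);
    parse_wme_vulnerable(frame, n, out, WME_BUF, &w);
    return w;
}

/* Hardened parser on the same frame, optionally truncated by truncate_by
 * bytes to mimic a frame that was cut short on the air. */
int result_hardened(uint8_t payload_len, size_t truncate_by, size_t *copied)
{
    uint8_t frame[300], out[WME_BUF];
    size_t w = 0, n = build_frame(frame, sizeof frame, payload_len);
    int rc = parse_wme_hardened(frame, n > truncate_by ? n - truncate_by : 0,
                                out, sizeof out, &w);
    if (copied)
        *copied = w;
    return rc;
}

int main(void)
{
    size_t w;
    int rc = result_hardened(24, 0, &w);
    printf("benign  (24 B):  vulnerable copies %zu, hardened rc=%d copies %zu\n",
           bytes_copied_vulnerable(24), rc, w);
    printf("hostile (200 B): vulnerable copies %zu into a %d-byte buffer\n",
           bytes_copied_vulnerable(200), WME_BUF);
    printf("hostile (200 B): hardened rc=%d; truncated frame: hardened rc=%d\n",
           result_hardened(200, 0, NULL), result_hardened(24, 10, NULL));
    return 0;
}
```

The hardened version rejects rather than clamps: an oversize or truncated element is evidence of a malformed (or hostile) frame, and silently copying the first 32 bytes would still let a sender control what the chip keeps.  The same two checks, element within message and payload within destination, apply unchanged to a touchscreen controller's reports arriving over I2C or SPI.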

So, for now, until you have installed the patch, if you can, leave WiFi off.  If you can’t, then only turn it on when you have to.

We will know more after the researcher presents his findings at Black Hat later this month, but at least from what we have heard, this does not affect Windows or Mac computers, only mobile devices.  But stay tuned; this is not the end of the story.

Information for this post came from Threatpost.


Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google engineers on their toes.  The trojan draws its own window on top of a legitimate banking app and captures the user name and password typed into it.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to fool Google’s app-screening software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, YouTube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages, which are often used for two-factor authentication.  This is why NIST has deprecated the use of SMS for two-factor authentication: it is too easy to intercept.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did a poorer job of protecting against rogue apps drawing over legitimate apps on the screen, which is how this malware works; newer versions require the user to explicitly grant an app permission to draw over other apps.  The user thinks they are typing into the real app because that is what they see, but in reality the rogue app's window, sitting on top of the real app, is what receives the password.

This points to another issue.  While Apple is very good about pushing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty vulnerability in the firmware of the Broadcom Wi-Fi chip used in many phones.  The report is that it can be exploited even if Wi-Fi is turned off.  Apple and Google patched it in March (Apple) and April (Google), so if you have not installed a major OS upgrade this month, your phone is, and will continue to be, vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or  distributor (like Apple or Verizon) stop supporting those devices, it is time to replace them.  Sorry.  It is a matter of security.  That is no different than the need to upgrade from Windows Vista (which is also not supported), even though it is functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed, but make no mistake – the next version of iOS will likely NOT support the iPhone 5, and at that point those iPhone users are in the same boat as Android users running version 2, 3, 4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.


Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass), has been hit with three different security bugs in the last couple of weeks.  This is because Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which, compared to many other companies, is pretty amazing.  The third one has not been fixed yet; Tavis says it is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates its software, so as soon as the patches are available they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that it can automatically push user IDs and passwords to a website’s login page.  If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration, so it is not susceptible to these types of attacks.  The downside of not integrating is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents.  No bug was involved: by default, documents uploaded to Docs.com (though not those created in Office 365) DEFAULTED to public viewing.  With that setting, search engines indexed the files, and thousands of very sensitive documents, including passports, password lists and medical records, were exposed.

After this was publicly revealed Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different from those on uploaded documents is still a mystery to me.  It seems like Microsoft should default to private and make people intentionally share a document if that is their intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released iOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs fixed is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know), and humans make mistakes.  If you have not installed the new version, you should, as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category:

  • Accounts – 1
  • Audio – 1
  • Carbon – 1
  • CoreGraphics – 2
  • CoreText – 3
  • Data Access – 1
  • Font Parser – 3
  • HomeKit – 1
  • HTTP Protocol – 1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari – 4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • WebKit – 17 (this is the engine behind Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple , just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.


Not a Great Week For Apple Users

UPDATE:  Apple says that a preliminary assessment of the most recent Wikileaks document dump shows old, fixed flaws for iPhone and Mac.  Some of the documents released had a date of 2008, so that those flaws are fixed is not completely surprising.  I am sure that Apple is continuing to review those documents.  Unlike the first Wikileaks dump, where Wikileaks still hasn’t given Apple the data needed to figure out whether those flaws still work, in this dump Apple apparently had enough information to figure out how the attack worked, so they could tell whether they had fixed it.  Wikileaks’ tactic may be to dribble out information from the oldest (and likely least valuable, because already fixed) vulnerabilities to the newest ones (likely not fixed), so no computer vendor should relax just yet.

A group of hackers is threatening to wipe the devices of more than 600 million Apple users on April 7th using hacked Apple account passwords.

According to the hackers 220 million of the credentials have been verified to work.

Initially, the hackers asked for $75,000 in Bitcoin or Ethereum, but they have raised that “request” to $150,000.

Apparently, Apple has told them that they don’t pay bad guys.

It is not clear what Apple’s plan is.

One thing they could do is force everyone to turn on two-factor authentication, but that would cause a wee bit of chaos.  Alternatively, they could force a billion users to change their passwords between now and April 7.  No big deal.  RIGHT!

As a user, I would say it is every person for themselves and we would suggest a couple of things:

  1. Change your password.  Now!
  2. Enable two factor authentication.  Yes, it is a little bit extra work, but probably worthwhile
  3. Make backups of your Apple devices and store them offline and disconnected from the net.

It is possible that Apple has a plan.  It is also possible that the hackers are lying, but there is (or was) a video on YouTube showing someone testing accounts with passwords not hidden behind ****s and that demonstrates some degree of reality.

Changing your password alone MAY NOT be sufficient if the hacker has a way inside Apple to obtain changed passwords.

This is all speculative, but assuming that you don’t want to wake up on April 7th to a wiped device, planning ahead seems like a good idea.

The second Apple news story of the week is that WikiLeaks posted more information about the CIA hacking tools and there are details of compromised iPhones and Macs that were hacked in the distribution channel before the original buyers ever saw them in a way that even doing a factory reset would not remove (i.e. a hack of the firmware itself).

The hack the story talked about required physical access to the devices, but knowledgeable people have told me that hacking which requires having physical access and implanting hardware is so last year, so we can assume that the CIA has upgraded this capability to allow them to do the same thing without needing physical access.

Why would the CIA want to hack iPhones instead of Android phones?

Well first, why would you assume this is INSTEAD rather than IN ADDITION TO Androids?  Likely they can deal with either.

Second, the likely reason for going after Apple devices is not that they are more or less secure, but rather that they are status symbols in many parts of the world.  That means that people that the CIA is interested in knowing a lot about are likely iPhone/Mac users.  There are other reasons too, but that one is probably good enough.  If you are interested in the details, read the WikiLeaks Post.  It is pretty fascinating.

What that means is that Apple users are now in the cross hairs and who knows what the boys and girls from “The Company” might be looking at.  Just sayin’.  I would say, in general, they are not looking at U.S. citizens unless they have a reason.

So for those people who thought Apple devices were immune from hacking, I would say that you are probably in the same boat as the rest of us.  Sorry.

Information for this post came from Mac World and WikiLeaks.


1 Million (Likely More) Google Accounts Compromised by Gooligan

I am not sure what rock I have been hiding under, but somehow I missed this item.

About two months ago, the security company Check Point revealed a new Android malware family called Gooligan.

The malware can attack about 74% of Android phones worldwide.  The good news, if there is any, is that it only works (today) on old, obsolete versions of the Android OS.  Specifically, it works on version 4 (Ice Cream Sandwich, Jelly Bean and KitKat) and version 5 (Lollipop), but not version 6 (Marshmallow) or version 7 (Nougat).

Many phone manufacturers dump support for a phone as soon as the next bright shiny object comes along to distract them, so, except in a few circumstances, whatever version of the Android OS came on the phone is what it will die with, years later.

This is somewhat different than iPhones in that there are far fewer models.  However, when Apple decides to end-of-life a phone model, the user has two choices – live with the fact that there are no more security patches for that iPhone or buy a new phone.

So in a sense, there is not a huge difference in this respect between Apple and Google.

Users on the other hand have paid off the phone and don’t want to buy a new one until they have to or can’t resist.

The problem is that if you are using a phone with known vulnerabilities and which your phone provider has decided to stop upgrading, you are walking around with a potentially large hole in your security net.

In the case of the Gooligan malware, hackers pay app developers to insert their malicious payload inside otherwise good apps.  Typically, these are apps that are distributed from shady app stores and not Google Play.

Once the app runs, it downloads more malware after contacting its command and control server.

The newly downloaded malware is customized for the version of the Android OS that you are running and “roots” the phone, giving it super-human powers.

Once the malware has super-human powers, it downloads more malware- in this case to steal your Google account information and security tokens, install more apps (to get ad revenue and improve the app’s reputation) and install adware.  Of course, at this point, it could do anything it wants to including “bricking” (killing) the phone.  Bricking it isn’t in the hacker’s best interest because they want to have the phone be a zombie to do the hacker’s bidding whenever it wants it to.

Google has been working with the researchers to try and protect users – even to the point of suspending user’s access to Google services until they securely change their password, but if phone vendors don’t cooperate, it is hard.

It appears that most of the affected phones are in Asia with some in Europe and only a small number (about 20 percent) in the United States.

What this means is that both Apple and Android users need to understand that just because a phone can make and receive calls does not mean that it is a smart thing to keep using it.

For Android users, if you are not running Marshmallow or Nougat today, it might be time to buy a new phone.  And while some shiny new top-of-the-line $800 phone might be cool, there are many much cheaper phones available.  And almost all carriers (and Apple itself) will lease you a phone on a monthly payment plan.

For companies who allow users to BYOD, those companies should consider a policy to not allow users who are using unsupported versions of the Android and Apple OSes to access corporate resources, including email.  Doing so puts the entire corporate network at risk.

One question to phone vendors – Apple or Android – is how long they will commit to issuing patches on a phone you are considering buying.  That length of time is when you have to buy a new phone, again, to stay secure.  If they don’t have an answer you like, look for a different phone or a different carrier.  If people don’t vote with their wallets, the carriers will ignore the issue.

I never said that improved security will make you popular.

Information for this post came from Ars Technica.
