Category Archives: Apple

Apple is Trying to Catch up With Windows

Update: Apparently if you are running macOS 10.13 and apply the patch to fix the root problem and then upgrade to 10.13.1, that patch gets undone, so you have to reapply the patch.  In addition, the patch does not take effect unless you reboot.  Just another bit of the mess.

The Mac OS has generally been considered a secure operating system, but lately Apple has been trying to imitate their friends from Redmond and not in a good way.

The first MacOS bug found recently is a new bug.  Linux and Unix administrator accounts are called ROOT, unlike Windows and other operating systems which call the account ADMIN or ADMINISTRATOR.  Apparently in the current version of MacOS, High Sierra, if you entered the user name of ROOT with no password, you got an error message, but if you entered it a second time with no password, it let you in with full administrative permissions.

Initially, people thought that this exploit required that you have local access to the computer, but it turned out that if you had remote access turned on as many or most corporate computers do, the attack would work remotely as well.

Apparently the OS detected there was no ROOT account and created one with no password.  The quick fix was to create a ROOT account with a complex password.

Apple quickly created a fix that was automatically and silently installed (I guess that is both good and bad), but that fix broke some other things and Apple had to release a fix to the fix.  That second fix had to be manually installed and required some advanced gyrations on the part of the user.

The good news was that Apple was able to fix the bug quickly once they were told about it.  The bad news is that if a user’s PC was compromised before they installed the patch – which statistically is possible but unlikely – then the only solution is to wipe the disk and start over.

But this was only the start of last month’s problems for Apple.

The second MacOS bug, which also granted users unlimited ROOT access, had been around for at least a decade (sound like Windows again?), maybe two decades or more.

The person who found it was neither a professional hacker nor a professional security researcher, but rather a self-titled hobbyist.  This means that other people (and not the well-intentioned ones) could have known about it for 20 years or more.

The bug was in the IOHIDFamily software.  This software has been a problem child in the past.  The hobbyist who discovered it released a proof of concept for all of the hackers to follow at the same time he announced the bug.

As of 17 hours ago, Apple had yet to comment on it, but I assume that their engineers are busy working on how to fix it.

Right now it counts as a 0-day, and a nasty one.  0-days are bugs that were not (publicly) known about prior to the announcement.  Except that in this case, it was probably known about by others, such as Chinese, Russian or American spies, and possibly exploited – maybe for many years.

For a while, Apple computers seemed to be immune to bugs.  I don’t think that is necessarily because the software is super secure, but rather because it is a niche player with a small market share (less than 8 percent according to NetMarketShare).  As other operating systems were attacked and started fixing bugs, MacOS became the next target of opportunity.

So, in this case, one bug is fixed, albeit a bit bumpily, and the other is still open.

Happy New Year Mac users!

Information for this post came from CNet, The Guardian and BetaNews.

 


Hackers Fool iPhone FaceID for $150

It usually doesn’t take very long.  Whether it is fooling the fingerprint reader or jailbreaking an iPhone, it often comes within hours of a new device or software release.  Maybe, in this case, it says that Apple did good because it took a week to break Face ID.

On the other hand, it only took about $150 to do it.

Wired spent thousands trying to create 3D masks and were unable to fool it, but some hackers in Vietnam did it on a budget.

In Apple’s defense, they did have to spend about 5 minutes videoing the subject to get good data, but if you are going after a politician or a celebrity, getting 5 minutes of HiDef video will not be a problem.

The first thing they did is take the video and make a 3D printed frame for the attack.

Next they added a silicone nose.

Finally, they 2D printed (like on a piece of paper) the user’s eyes and attached them to the mask.

In the demo, when they uncovered the mask, the iPhone X unlocked.

So much for security on your $1,000 phone.

Probably, for the average person, the level of security FaceID provides is adequate.

But remember, the iPhone X is a status symbol, not a phone.  The people who are going to buy them are business executives on expense accounts and politicians using other people’s money.  Those are great targets for the bad guys and worth, for sure, spending $150 to compromise their phone.

In fairness to Apple, the researchers have not revealed enough details to enable people to recreate this.

In fairness to the researchers, they have presented previous hacks of Lenovo and Toshiba facial recognition at Black Hat.

So, depending on your level of concern regarding the security of your phone, a good old password is likely best.  Make it reasonably long and avoid the glitz.

For the billionaires who buy an iPhone X, you might want to reconsider your proclivity for convenience over security and steer clear of FaceID.

Your call.

Information for this post came from Wired.


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it also is an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS, that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails.

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.


Beware of Shady Repair Shops

A report presented this month at the 2017 Usenix Workshop on Offensive Technologies was pretty offensive – and not in the way they meant in the workshop title.

Offensive security is what spies do – go out and attack a system.

The report demonstrated a proof of concept attack that would work if someone took their phone into some repair place.  The attack works by surreptitiously inserting hardware, say behind a replacement for a cracked screen, that “added” a few “features”.

They demonstrated putting these hacked screens into two Android phones – a Huawei and a Nexus – but they say the attack will work with iPhones as well.

This attack works because the manufacturers assume a trust boundary, meaning that they trust that the hardware has not been compromised.  In this case, that trust is broken.

In reality, this is nothing new.  Stories abound of PC and Mac repair places inserting extra software and sometimes even hardware into a computer to be able to monitor it.  There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed them information from computers in for repair.

In this case, the modified screen would be able to read the keyboard, capture screen patterns (for pattern screen locks), install malicious apps and take pictures and send them to the hacker.

All this for about ten bucks in parts.

The problem occurs because you lose control of the device – phone, tablet or computer – when you leave it with the repair person.

They say that this particular attack is so subtle that it is unlikely to be detected, even by another repair technician unless he or she knows what to look for.

The researchers say that there are some inexpensive countermeasures that manufacturers can add, but there is really nothing that you can do yourself.

They say that this attack could easily scale up to be done to a lot of phones and, of course, would also scale down to targeted phones.

As a user, the only thing that you can do is choose your repair center wisely.  If you can use a manufacturer’s repair center, that is probably less risky.  If not, then do your homework and check out the place and also ask them how they vet the individuals working on your device.

Great – something else to worry about.

For more details about the hack, see the article in Ars Technica.


Don’t Turn on WiFi on Your Phone Until You Patch it

An interesting vulnerability was just announced that affects both Apple and Google/Android phones.  That is something that is very unusual.

The bug is tied to a part of all cell phones called the baseband processor.  It is the part of the phone that controls the radios inside your phone.  In this case, the chip is the Broadcom 43xx family of chips.  According to Broadcom this chip can control your cellular radio, WiFi, Bluetooth and FM radio all on one chip.

Unfortunately, researchers found a bug in the WiFi code that would allow an attacker to take over the baseband processor and from there, the entire phone.

The reason this affects both Apple and Android phones is that this chip is used by almost everyone.  From iPhone 5s to the newest Android phones, they are all impacted.

Apple just released iOS 10.3.3 (which may or may not have been downloaded to your iPhone yet) and Google just released an Android patch in the July updates.  Unlike Apple devices, Android users have to wait for manufacturers to pick up Google’s fixes and test them and then wait again for carriers to make them available.  The only users who do not have to wait are Google branded Android phone users.  Those users get their patches directly from Google.

What can you do?

Three answers.

If you are an Apple user, download iOS 10.3.3 and install it.  Done!

If you are a user who is running a relatively new version of the Android OS on your phone AND your phone manufacturer/carrier is actively releasing updates, you should install the July update as soon as it is available.  That might be 30 days or more.

If you are running an older version of the Android OS and/or your carrier/phone vendor is not releasing security updates, you are kind of out of luck.  Turn off your WiFi and DO NOT TURN IT ON EVER AGAIN.  This is probably, for most people, time to get a new phone.

Why, you say, am I so aggressive about this?

The report is that you only have to be within radio range of the WiFi access point which is trying to attack you in order to be compromised.  You DO NOT need to connect to that access point.  You do not need to open a web browser.  You do not need to install an app.  You do not need to click on a link.  All you need to do is be near a rogue WiFi access point – which could easily be hidden in someone’s backpack.

So, for now, until you have installed the patch, if you can, leave WiFi off.  If you can’t, then only turn it on when you have to.

We will know more after the researcher presents his findings at Black Hat later this month, but at least from what we have heard, this does not affect Windows or Mac computers, only mobile devices.  But, stay tuned; this is not the end of the story.

Information for this post came from Threatpost.


Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google engineers on their toes.  The trojan sits, literally, on top of existing banking apps and captures your user name and password.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to fool Google’s software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, Youtube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages often used in two factor authentication.  THIS is why NIST has deprecated the use of SMS for two factor authentication.  Too easy to compromise.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did not do as good a job of protecting against rogue apps “writing over” legitimate apps on the screen, which is how this malware works.  The user thinks they are typing into the real app because that is what they see, but in reality, the rogue app, sitting on top of the real app is what the user is entering their password into.

This points to another issue.  While Apple is very good about forcing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty bit of malware that targets the Broadcom Wi-Fi chip.  It can even work if Wi-Fi is turned off.  Both Apple and Google have patched this in March (Apple) and April (Google), so if you have not installed a major OS upgrade this month, your phone is and will continue to be vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or distributor (like Apple or Verizon) stops supporting those devices, it is time to replace them.  Sorry.  It is a matter of security.  That is no different than the need to upgrade from Windows Vista (which is also not supported), even though it is functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed, but make no mistake – the next version of iOS will likely NOT support the iPhone 5 and at that point, iPhone users are in the same boat as Android users running version 2, 3, 4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.
