Category Archives: Apple

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user logs in to iCloud to restore the data, the denial of service attack will replay once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is related to the HomeKit software, which does home automation and, apparently, it does not matter whether you are doing any home automation or not. If the hacker manages to create a device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly create a partial mitigation in 15.1, if you know about it and use it. The attack creates a device name of more than 500,000 characters, causing the iDevice to go belly-up. There is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need to have access to your “home” or get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned. Credit: Bleeping Computer

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA, formerly at NSA and a professor at the US Military Academy at West Point, says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4j vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month – Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers, who stole about $135 million. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In Vulcan Forge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple AirTags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is the case). Credit: Apple Insider and Daily Kos.

Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke to the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the agency, they don’t know if the agency fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe the agency fixed the problem right away? Who knows? Credit: Data Breach Today

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot. When the police cars have their lights flashing. Those high intensity lights have occasionally blinded me at night, so it doesn’t seem like much of a stretch that they could also bother Tesla’s cameras. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created less than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

Likely, for most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different from iris or retina scans. Those use completely different technologies, are much more expensive and complex, and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

I Remember When Apple Was A Privacy-Focused Company

Apple is about to announce a new feature.

They are going to start scanning everyone’s iPhone for banned content. Seriously.

It uses neural networks and machine learning, so I am sure it will be cool.

According to respected cryptography professor Matthew Green, it is going to scan everyone’s devices for child porn (now referred to as Child Sexual Abuse Material or CSAM).

Historically, the industry hashed known CSAM material and looked for exact matches. But if someone changes a single pixel, it no longer matches, hence the use of machine learning.

Apple, apparently, already scans users’ iCloud backups since Apple refused to encrypt them. They did that at the request of police. Who want to be able to easily search your backups.

This is just the next step, right?

And CSAM is bad (fair, it is).

I am sure that Russia or China. Or the United States. Will never ask Apple to search a phone for ANYTHING else.

Pinky promise.

And guess who the guinea pigs are?

United States users. Probably because the U.S. has no national privacy law, no national privacy rights. So they don’t have to deal with breaking those pesky laws.

Welcome to 1984. Only a little bit late.

Pre-crime comes next year, no doubt.

I am glad I am an Android user.

Credit: The Register

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in a Northern District of Georgia court charges Vikas Singla, 45, with 18 separate counts of aiding and abetting a 2018 cyber attack against the Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta based Securolytics. It is not clear what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is a no-big-deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries already are capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time and in light of the almost half dozen attacks on water, oil and support infrastructure in the last couple of months, this is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition in the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumers’ privacy. Informed consumers could make a choice under those circumstances. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register