Category Archives: iOS

Cybersecurity News for the Week Ending April 1, 2022

How Many Times Do I Need to Say – Crypto is Software, Software Has Bugs, Your Money is at Risk

Decentralized Finance platform (DeFi) Revest Finance said that it lost $2 million due to a software bug and, oh yeah, (a) the can’t recover the funds, (b) they do not have the money to cover the losses and(c) they don’t have insurance to cover the hack. Unless we eliminate the software, we cannot eliminate all bugs. Credit: The Record

Russia Faces Internet Outages Due to Equipment Shortages

One of Russia’s tech unions says that Russian ISPs run the risk of Internet outages as the value of the Ruble goes down and foreign companies won’t sell them parts or new equipment. Right now the government is saying that is the Internet providers’ problem, but if it turns into widespread outages, they are likely to change their tune. Credit: Bleeping Computer

Cryptocurrency was Fun While it Lasted

EU Parliament committees have voted to require crypto exchanges to verify the identity of self-hosted wallets, meaning the end of anonymity for crypto transactions. The US Treasury (FinCEN) has also suggested that we do that, but it has not yet appeared in a bill. That means that the bad guys will need to do peer to peer crypto, minus the exchanges to deal in criminal activities. While this is harder than using exchanges, it is far from impossible. Given that the whole purpose (beside speculating) of crypto is to commit fraud, identifying yourself is probably not high on user’s wish lists. Credit: Vice

Senate Asks Companies About Hackers Creating Fake Warrants

Recently I wrote that hackers have figured out the the government’s search warrant process is as secure as, say, a screen door. Now that the facts have been outed and likely even more hackers will use that fact to steal even more data, a couple of Senators have started asked questions. That is a long way from Congress actually doing anything useful about it, but at least it is a start. Don’t expect anything to happen because it is a hard problem to fix. Credit: Brian Krebs

Apple Fixes More Mac, iPhone Zero Days

In case you haven’t noticed, the last 12 months have not been Apple’s friends when it comes to zero-day bugs. This week Apple patched two more that are actively being exploited in the wild and affect iPhones, iPads, iWatches and Macs. The versions you are looking for are iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 with improved input validation and bounds checking, respectively. Credit: Bleeping Computer

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user logs in to iCloud to restore the data, the denial of service attack will replay once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is related to the Homekit software, which does home automation and, apparently, it does not matter whether you are doing any home automation or not. If the hacker manages to create a device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly create a partial mitigation in 15.1, if you know about it and use it. The attack creates a device name of more than 500,000 characters, causing the iDevice to go belly-up. There is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need to have access to your “home” or get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned Credit: Bleeping Computer

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras also. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created less than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

Likely, for most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different than iris or retina scans. They use completely different technologies, are much more expensive and complex and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5 .

Since Apple does not make most of their money from selling your data and Google, one of their biggest competitors makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, they get to poke a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, it is likely that data is data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale given the tens of millions of users who will get to have a small voice, finally.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair that some businesses, likely mostly large ones, will have some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that by saying yes they won’t collect any more data than we already do now, it will just mean that we can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN

Apple MAY Join Many Others in Separating Security Patches from System Upgrades

Since the beginning of Apple-time (or is it i-time?), Apple has always bundled security fixes into iOS upgrades. This means that a user could not install a security update without also upgrading the OS. In general, Apple has always forced users to upgrade their iPhones and other mobile devices. This tends to make Apple products more secure because a higher percentage of the users are on the current version of the OS.

This is different than, say, Microsoft, who will push out monthly security patches even though they might only add new features once or twice a year.

According to 9to5Mac, Apple may be planning to separate security fixes from feature upgrades in the next version of iOS.

Of course, sometimes, Apple may release a new version of their OS just to patch a bug, but users never know what else might be bundled inside that upgrade.

But there is a new setting in the software update menu called “Install Security Updates”.

It could be that this is only a feature to install emergency fixes, something that has become more common at Apple as their software becomes more complex.

It also appears that if a user installs a security update they may have to uninstall it prior to installing a version upgrade. If this turns out to be true, this would be very unlike Apple and this makes it harder for users to stay current.

iOS 14.5 is going to be a big deal. One feature in it is that checks for fraudulent web sites will be run through Apple’s servers to protect user privacy and that could, possibly, break things or slow things down. This new update also requires users to opt-in to data sharing.

iOS 14.5 is expected to be released officially in a couple of months. Credit: The Hacker News