Category Archives: iOS

Beware of Shady Repair Shops

A report presented this month at the 2017 Usenix Workshop on Offensive Technologies was pretty offensive – and not in the way they meant in the workshop title.

Offensive security is what spies do – go out and attack a system.

The report demonstrated a proof of concept attack that would work if someone took their phone into some repair place.  The attack works by surreptitiously inserting hardware, say behind a replacement for a cracked screen, that “added” a few “features”.

They demonstrated putting these hacked screens into two Android phones – a Huawei and a Nexus – but they say the attack will work with iPhones as well.

This attack works because the manufacturers assume a trust boundary, meaning that they trust that the hardware has not been compromised.  In this case, that trust is broken.

In reality, this is nothing new.  Stories abound of PC and Mac repair places inserting extra software and sometimes even hardware into a computer to be able to monitor it.  There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed them information from computers in for repair.

In this case, the modified screen would be able to read the keyboard, capture screen patterns (for pattern screen locks), install malicious apps and take pictures and send them to the hacker.

All this for about ten bucks in parts.

The problem occurs because you lose control of the device – phone, tablet or computer – when you leave it with the repair person.

They say that this particular attack is so subtle that it is unlikely to be detected, even by another repair technician unless he or she knows what to look for.

The researchers say that there are some inexpensive countermeasures that manufacturers can add, but there is really nothing that you can do yourself.

They say that this attack could easily scale up to be done to a lot of phones and, of course, would also scale down to targeted phones.

As a user, the only thing that you can do is choose your repair center wisely.  If you can use a manufacturer’s repair center, that is probably less risky.  If not, then do your homework and check out the place and also ask them how they vet the individuals working on your device.

Great – something else to worry about.

For more details about the hack, see the article in Ars Technica.


Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google Engineers on their toes.  The trojan sits, literally, on top of existing banking apps and captures your user name and password.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to fool Google’s software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, Youtube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages often used in two factor authentication.  THIS is why NIST has deprecated the use of SMS for two factor authentication.  Too easy to compromise.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did not do as good a job of protecting against rogue apps “writing over” legitimate apps on the screen, which is how this malware works.  The user thinks they are typing into the real app because that is what they see, but in reality, the rogue app, sitting on top of the real app is what the user is entering their password into.

This points to another issue.  While Apple is very good about forcing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty bit of malware that targets the Broadcom Wi-Fi chip.  It can even work if Wi-Fi is turned off.  Both Apple and Google have patched this in March (Apple) and April (Google), so if you have not installed a major OS upgrade this month, your phone is and will continue to be vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or distributor (like Apple or Verizon) stops supporting those devices, it is time to replace them.  Sorry.  It is a matter of security.  That is no different than the need to upgrade from Windows Vista (which is also not supported), even though it is functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed, but make no mistake – the next version of iOS will likely NOT support the iPhone 5 and at that point, iPhone users are in the same boat as Android users running version 2, 3, 4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.


Security News: Apple, Microsoft and Lastpass

A few short items today.

First, Lastpass, one of the two password managers that I like (the other is Keepass), has been hit with three different security bugs in the last couple of weeks.  This is due to the fact that Google Project Zero security researcher Tavis Ormandy has put Lastpass in his sights.  The first two bugs were each patched within a day of Tavis’ disclosure to Lastpass, which, compared to many other companies, is pretty amazing.  The third one has not been fixed yet and Tavis says that is a fundamental architectural issue and cautioned Lastpass to take some time and fix it right.  Lastpass automatically updates its software, so as soon as the patches are available, they will be installed across the entire user base.

These bugs highlight the conflict between security and convenience.  All of the bugs are related to integrating Lastpass into the browser so that users can have it automatically push userids and passwords to a website’s login page.  If you did not do the browser integration, then none of these compromises would work.  Keepass does not have any browser integration so it is not susceptible to these types of attacks.  The downside of not integrating it is that users have to look up and type or copy/paste the passwords manually, which, of course, is not so convenient.

I absolutely still recommend password managers and if you are on the overly paranoid side, disable Lastpass’s browser integration until these issues are resolved.

On the Microsoft front, they run a web site called Docs.com, which they bill as a way to showcase your documents.  While no bugs were found, documents uploaded to Docs.com, but not those created in Office 365, DEFAULTED to public viewing.  With this setting, search engines indexed the files and a number (like thousands) of very sensitive documents like passports, password lists, medical records and other documents were exposed.

After this was publicly revealed Microsoft made a change to the site.  While uploaded documents are still public by default, you get a huge warning telling you that and it pushes you down on the page where you can easily change that setting – but only for that document.

This means that the user needs to pay attention and make sure that the permissions on documents are what they want them to be.  Why the permissions on Office 365 documents are different than on uploaded documents is still a mystery to me.  Seems like you should set it to default to private and make people intentionally share it if that is their intention, but that is not what Microsoft is doing right now.

This is a reminder to all users of cloud storage systems such as Box, Dropbox, Google Drive and others to make sure that the privacy settings on documents are what they expect.  In many cases, if you send someone a link to a document, then anyone who has access to the link can open the document.

Finally, Apple just released iOS 10.3.  To dispel the myth that Apple is a superhero, the list of bugs is pretty long.  Apple, while very security conscious, still uses human beings to program their software (as far as I know) and humans make mistakes.  If you have not installed the new version, you should, as attackers use these announcements to exploit vulnerabilities in non-updated software.  A partial list of the count of bugs fixed by category includes:

  • Accounts – 1
  • Audio – 1
  • Carbon – 1
  • CoreGraphics – 2
  • CoreText – 3
  • Data Access – 1
  • Font Parser – 3
  • HomeKit – 1
  • Http Protocol – 1
  • ImageIO – 4
  • iTunes Store – 1
  • Kernel – 8
  • Keyboards – 1
  • Safari – 4
  • Safari Reader – 1
  • Safari View Controller – 1
  • Security – 4
  • Webkit – 17 (this is the basis of Safari)

And a bunch of others.

As you can see, this fixes bugs all over the operating system, not just in one area.

This is not a dig at Apple, just a reminder that you really do need to make sure that your Apple (and other) devices stay updated.

Information for this post came from Steve Gibson at Gibson Research.  If you are not familiar with Steve’s security podcast, I highly recommend it, but it is a bit geeky.


Google Adds Easy iOS Management Option for G-Suite Users

For those Google G-Suite (AKA Google Apps and Google Apps for Work) users, Google has released a new option for managing iPhones and iPads.

What is great about it is that it does NOT require installing an agent on the phone or pad.

Google calls it the Basic Mobile Management option for iOS and it allows G-Suite administrators to manage iOS devices without having to install an agent or a profile.

It allows administrators to enforce screen locks or passwords on the devices including the minimum or maximum number of characters in a password and the expiration period.

It can also force a factory reset after too many failed login attempts.

Administrators can wipe the entire device if it is lost or stolen or just G-Suite data if the user is leaving the company.

The software allows an administrator to see all of the devices connected to their domain which is certainly a nice feature.

Administrators will be able to set up corporate accounts on the devices similarly to setting up personal accounts.

Google does offer a more robust product, advanced mobile management, for users that want even more features, but for a lot of companies, Basic will be sufficient.

Curiously, this only works on non-Google (Apple) devices.  Users have to install an agent on Android devices to do the same thing.

Google Mobile Management is available at no extra charge for G-Suite users.

Information for this post came from eWeek and Google Support and G-Suite admin help.

 


iPhone Bug Allows Users To Bypass Lock Screen

First the good news – you have to have physical control of the iPhone in order to make this hack work.  Now the bad news – there is more than one YouTube video describing how to do it.

Too bad the FBI didn’t see the videos before they tried to get Apple to unlock the San Bernardino phone.  On the other hand, the New York City DA says he has hundreds of phones that he would like to unlock, so maybe this could be useful.

The bug affects all iPhones and iPads running iOS 8 or later, including the most current release.

Right now, what the hackers have shown is limited access to the devices, but they say that they will release new videos after Apple fixes these bugs telling how you could use the bug to gain access to a user’s contacts and home screen – at that point pretty much owning the device.

One more thing – it only works if Siri is on.  It seems like Siri SHOULD go completely dark if the phone or pad is locked, but apparently, Siri ALWAYS listens.

I am not going to go in excruciating detail on how to use the hack – for that you can just go to YouTube, but at a high level, the steps are:

  1. Ask Siri Who Am I to get the device’s phone number.  The attacker then calls the device and presses the message icon like he or she was going to send the caller a message.
  2. Tell Siri to turn on VOICE OVER.  Again, in my opinion, Siri should not respond if the phone is locked, but it does.
  3. Double tap the message TO name field while pressing some random key.  This apparently is the crux of the bug.  Doing this unlocks the TO field, allowing you access to the address book and photos.
  4. The attacker can even create a new contact now if he or she wants to.

I hope Apple considers this a high priority fix because if you can use this bug to get to the home screen, it is a big problem.

It seems like we are seeing more Apple hacks lately.  I think this is, in part, because Apple keeps adding features to iOS, not necessarily because people want them but because they have to justify a new version of the OS in order to keep up with the Joneses.  More features means more complexity and complexity is the enemy of security.

As I said, if you want more details, go to YouTube, but it seems to me that Apple’s mystique as being uncrackable is developing some cracks.  That doesn’t mean that it isn’t good, it just means that it is not perfect.  With very few exceptions, software is not perfect – it is just too hard to do.

 

Information for this post came from Bleeping Computer.


iPhone Hack Exposes Camera, Microphone, Texts, Even Passwords

When is a hack not a hack?  When an Israeli company sells it as a feature.  The company, NSO Group, sells the software to governments, among others.

The software allows the attacker to:

  • Control the camera
  • Listen to the microphone
  • Track the phone’s location
  • Intercept text messages
  • Intercept emails
  • Download the calendar data
  • Download your contacts
  • Record phone calls and messages from WhatsApp and Viber
  • Access iMessage, Gmail, Facebook, Skype and Line apps
  • And even extract passwords from the keychain

So much for iPhones being secure.

The software exploits three unknown or zero day bugs; Apple released patches for iOS 9 and iOS 10 beta this week.  iOS 9 users should be on version 9.3.5.

The attack is called Trident since it uses three zero day bugs.

It appears that governments used the software to target journalists and human rights workers.  Given this is a business for NSO, who knows who they went after.  I assume they had to sell many copies to stay in business.

The software gets loaded via text message.  YUP!  The attacker sends the victim a text message that looks like it came from The Red Cross or a news organization or even a tech company (Apple, perhaps).  If the user clicks on the link in the message, it is, as they say, game over.

NSO pleaded ignorance, of course.  They say that their customers sign a piece of paper that says that they are going to use it legally.

Sure, we will work with that.  First, how would NSO ever know if they used it illegally?  Second, what would they do if they did know – sue the government?  No, the piece of paper is cover fire in case they get outed, like it appears that they did last week.

One interesting part of this story is that the software uses 3 zero day exploits.  That is like Stuxnet – which by the way, also came from Israel, supposedly.  Using three zero days at once is very risky because if you get outed you lose three very valuable assets, not just one or two.  And zero days are hard to come by.  At least we think they are.  Maybe not?!

So for all you iPhone users, install the patches right away.

Information for this post came from CNN.

 
