Category Archives: iOS

Apple iOS Quicksand Vulnerability Revealed

Now that Apple is becoming a more mainstream IT player rather than just a consumer electronics vendor, hackers are starting to take more notice.  Appthority, an application risk analysis and mitigation firm, has announced Quicksand, an iOS vulnerability that allows malicious apps, or anyone who can get physical access to an iOS device, to steal credentials and then exfiltrate corporate data.

As a “good guy”, they worked with Apple to develop a patch, which Apple has released with iOS 8.4.1.  Anyone who is running a version of iOS older than that is vulnerable.

Unfortunately, it is estimated that, especially in the corporate environment, 70% of the users are running old, outdated versions of iOS.

In addition, many companies, especially smaller ones, do not have any corporate mobile device management solution deployed.  As a result, these companies not only have no way to push critical patches such as this to their mobile users, but often they do not even know how many devices are out there accessing corporate resources, never mind what operating system, application software or version those devices are running.

As companies become more dependent on mobile devices (mostly phones and tablets), they need to deploy the tools that can manage those devices.
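The gap described above is, at bottom, an inventory problem: you cannot push a patch to a device you do not know about, and you cannot tell which devices need it without comparing their iOS version against the patched release. The following is an added example (not code from the post, Appthority or Apple) of the triage a mobile device management or security team would run over an exported device list. It assumes the export is a list of (device id, iOS version) pairs; the inventory below is constructed for illustration, and the 8.4.1 threshold comes from the post.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# From the post: Quicksand was fixed in iOS 8.4.1; anything older is vulnerable.
PATCHED_VERSION = "8.4.1"

# Constructed sample export; device names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ipad-finance-01", "8.3"),
    ("iphone-sales-07", "8.4.1"),
    ("iphone-exec-02", "8.4"),
    ("ipad-hr-03", "9.0"),
    ("iphone-contractor-11", "unknown"),   # MDM has no version for this device
]


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings like '8.4' or '8.4.1', or None
    when the field is not a version at all (e.g. an MDM record of 'unknown').
    Numeric tuples compare correctly; a plain string compare would sort '8.10'
    before '8.4', which is exactly the mistake that hides unpatched devices."""
    try:
        parts = [int(p) for p in version.strip().split(".")]
    except (AttributeError, ValueError):
        return None
    if not 1 <= len(parts) <= 3:
        return None
    parts += [0] * (3 - len(parts))          # '8.4' is treated as '8.4.0'
    return parts[0], parts[1], parts[2]


def is_vulnerable(ios_version: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if the device runs something older than the patched release,
    False if it is at or above it, None if the version could not be parsed.
    Unknown is reported separately rather than silently counted as safe."""
    current = parse_version(ios_version)
    if current is None:
        return None
    return current < parse_version(patched)


def triage(inventory: Iterable[Tuple[str, str]],
           patched: str = PATCHED_VERSION) -> Dict[str, object]:
    """Split an inventory into devices needing the update, devices already
    patched, and devices whose version is unknown; the share is computed over
    devices with a known version."""
    vulnerable: List[str] = []
    patched_devices: List[str] = []
    unknown: List[str] = []
    for device_id, version in inventory:
        verdict = is_vulnerable(version, patched)
        if verdict is None:
            unknown.append(device_id)
        elif verdict:
            vulnerable.append(device_id)
        else:
            patched_devices.append(device_id)
    known = len(vulnerable) + len(patched_devices)
    return {
        "vulnerable": vulnerable,
        "patched": patched_devices,
        "unknown": unknown,
        "vulnerable_share": (len(vulnerable) / known) if known else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Devices that report no usable version are listed on their own rather than being folded into either bucket, because in practice those are the ones most likely to be unmanaged and unpatched.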

Alternatively, they can fly blind.  An analogy would be driving your car on the highway, blindfolded.  Generally, that does not produce good outcomes.  Based on the number of breaches we are seeing, neither do current corporate mobile device management practices produce good results.

For a while it looked like Apple was immune to the issues that we were seeing in the PC world.  My opinion was that as long as Apple was a bit player, the hackers chose to ignore them.  Now Apple is in the hacker’s crosshairs – just like Microsoft, Google and every other large software developer.

And users and businesses need to adjust to the new reality.

Information for this post came from PRNewsWire.  PRNewsWire, in an interesting twist of fate, was in the news last week as a hackee instead of a reporter.

Crazy iOS Security Flaw Allows Hackers To Crash Any iOS 8 Device

Researchers at the RSA conference this week disclosed an interesting iOS hack that would allow an attacker to put an iPhone into an endless reboot loop with no way for a user to get out of it.

The attacker would need to set up a bogus WiFi hotspot near the target iPhone.  This hotspot can even force the iPhone to connect to it.  Then it sends the iPhone bogus SSL certificates which force it into an endless reboot loop.  The user cannot even power off the phone since no cell phone really has a power switch any more – merely a button that tells the software that it should power the phone off. But since the phone is busy endlessly rebooting, it will ignore that request.

I think, but the article does not say, that if you leave the radius of the hotspot you should be able to regain control of your phone.

An interesting attack would be to deploy some of these hotspots, which could easily be hidden in a briefcase, at an airport, or other public venue.  It would disable all iPhones within a couple hundred yard radius and if you have several of them strategically located, the range could be quite large.

The researchers have told Apple about the problem, but as of yet, there is no comment from Apple, never mind a fix.

iPhone/iPad user’s turn in the SSL bug spotlight

For those of you who read the security news, you know that this last 12 months has brought an amazing number of SSL bugs to the surface (see a few of my blog posts here and here and here).  Now iPhone and iPad users have their turn to deal with an SSL bug.

The bug, in an open source toolkit used by developers to connect to the web called AFNetworking, disabled validation of SSL certificates that iApps received from a server.  What that means is that any old certificate would be just fine.  One from your bank.  Or a hacker.  Or anyone else.
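To make concrete what “disabled validation of SSL certificates” means, here is an added example, not code from the post or from the AFNetworking project, using Python's standard `ssl` module. The weak client context reproduces the effect the post describes (any certificate is accepted, whoever issued it); the hardened one is the library default; and `audit_context` is the kind of check a developer or app reviewer can run against a client configuration to catch the defect before shipping. The only assumption is that the app's TLS settings can be inspected as an `ssl.SSLContext`.

```python
import ssl
from typing import List


def make_weak_context() -> ssl.SSLContext:
    """Client context that behaves like the defect described above: the server's
    certificate chain is never validated and is not tied to the host name, so a
    certificate from your bank, an attacker, or anyone else is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared first; see rejects_partial_weakening()
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Client context that validates the chain against the platform trust store
    and requires the certificate to match the host being connected to.
    These are the library defaults; nothing needs to be switched on."""
    return ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context actually
    authenticates the server."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is not validated")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode=CERT_OPTIONAL: a server that sends no certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not tied to the server name")
    return findings


def rejects_partial_weakening() -> bool:
    """Guard rail worth knowing about: Python refuses CERT_NONE while host name
    checking is still enabled, so validation cannot be half-disabled by accident.
    Returns True if the ValueError is raised as expected."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak   :", audit_context(make_weak_context()))
    print("hardened:", audit_context(make_hardened_context()))
    print("partial weakening rejected:", rejects_partial_weakening())
```

The point of the audit function is that the dangerous settings are a handful of attributes that can be checked mechanically; a unit test that asserts `audit_context(app_context) == []` would have caught a library update that quietly turned validation off.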

If I can get on my soapbox for just one minute, this is another example of software supply chain issues, just like the Lenovo/Superfish bug.  The developer (Uber, for example) used a third party library.  In this case, they may have tested the heck out of it – or not.  When they first started using it, it was reasonably secure.  Then the library came out with an update that was not secure.  Now Uber’s app is vulnerable.  Worse yet, even if Uber did test the updated app, it is unlikely that they would have tested for the condition that made this app vulnerable.  The software supply chain problem is not going away any time soon.

The good news is that the bug didn’t exist for long.  The bug was created with the software release dated Feb 9, 2015 and fixed with a release dated March 26, 2015 – a period of about six weeks.

Now the bad news.  There are over 100,000 apps in the iStore that use this library.  However, we only have to deal with ones that were updated during this period (technically, this may not really be true because a developer could download the affected library during this window and not update it before releasing it outside this window, but this is the best indicator we have) – that represents about 20,000 apps.  Next we have to narrow it down to which, of the 20,000, used the SSL features of AFNetworking.  That is only about a thousand apps.

Now the badder news – or maybe gooder.  The affected apps include ones from Yahoo, Microsoft, Uber, Citrix and others.  Which means while over a million downloads were affected, those big companies will likely read the newspaper and update their apps quickly.

SourceDNA has created a web site where you can enter a developer name (such as Microsoft) and see what apps they have and whether they are affected.  This means that you have to enter each developer’s name and read the results – a time consuming effort.  What would be much nicer is if someone would write an app to look at what is installed on your iDevice and tell you what is affected.  That I have not found yet.  Still, it is better than nothing.  The website for SourceDNA’s lookup is here.

For more details, see this article in ITWorld.

Apple iOS Users Are Target Of Massive Espionage Campaign

It is being reported by several sources (see here) that iPhone and iPad users are being targeted as part of a massive cyber espionage campaign that is being linked, at least by one firm, to Russia.

Operation Pawn Storm is using a specially crafted iOS app to quietly steal text messages, contact lists, location information, WiFi status, a list of installed apps and to record voice conversations.

Trend Micro researchers believe that this app is a second phase attack – installed on systems that the attacker has already breached by some other mechanism, perhaps a phishing email, for example.

While Trend is not saying that Russia is behind this, FireEye, another security firm, is calling out Russia and says that it has been very difficult to attribute, but they are now convinced that it is Russia behind the attack.

Since the attack vector is unknown, it is hard to give advice on what not to do. Trend Micro says that at least some of the targets are U.S. defense contractors such as SAIC and ACADEMI (AKA Blackwater).

Masque Attack – All Your iOS Apps Belong to Us

FireEye, a security research firm, recently disclosed an interesting attack against iOS devices.  Apparently, iOS allows a rogue iPhone app to replace a genuine iPhone app.  Once that rogue app is installed, it can do anything the real app could do – PLUS send a copy of your banking credentials to Moscow or Kiev or someplace.

The reason this works is that Apple relies on something called a bundle identifier, but iOS does not verify that the new app is signed with the same certificate as the old app.

Another problem is that the way the attack works, it can tell you that it is installing an update to Angry Birds (does anyone play that any more?) but under the covers it is replacing the genuine version of the GMail app with a rogue version.  You have no reason to be suspicious of the behavior of the GMail app, so you are not likely to notice minor differences that the rogue GMail app might introduce.
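The core of the problem described above is that the install decision keys on the bundle identifier alone. The following added example, which is not FireEye's code nor a description of Apple's actual installer, models that decision in Python so the two policies can be compared side by side: one that replaces whatever carries the same bundle identifier, and one that additionally requires the replacement to be signed by the same developer certificate as the app already installed. It also includes the detection angle a device management team has: diff two inventory snapshots and flag any bundle identifier whose signer changed. The bundle identifier and certificate bytes are constructed placeholders.

```python
from dataclasses import dataclass
from hashlib import sha256
from hmac import compare_digest
from typing import Dict, List

# Constructed stand-ins for developer certificates; real ones are DER/PEM blobs.
GENUINE_CERT = b"-----CONSTRUCTED genuine developer certificate-----"
ROGUE_CERT = b"-----CONSTRUCTED rogue developer certificate-----"
BUNDLE_ID = "com.example.mail"   # constructed bundle identifier


@dataclass(frozen=True)
class SignedApp:
    bundle_id: str       # the identifier the install decision is keyed on
    version: str
    signing_cert: bytes  # certificate the app bundle was signed with

    @property
    def signer_fingerprint(self) -> str:
        return sha256(self.signing_cert).hexdigest()


class Device:
    def __init__(self) -> None:
        self.installed: Dict[str, SignedApp] = {}

    def install_by_bundle_id(self, app: SignedApp) -> bool:
        """The behaviour the post describes: a matching bundle identifier is
        enough to replace what is already installed. Returns True on install."""
        self.installed[app.bundle_id] = app
        return True

    def install_require_same_signer(self, app: SignedApp) -> bool:
        """Hardened policy: a replacement for an existing bundle identifier must
        be signed by the same certificate, otherwise it is refused. Fresh
        installs and genuine updates from the original developer still work."""
        existing = self.installed.get(app.bundle_id)
        if existing is not None and not compare_digest(
            existing.signer_fingerprint, app.signer_fingerprint
        ):
            return False
        self.installed[app.bundle_id] = app
        return True


def snapshot(device: Device) -> Dict[str, str]:
    """Inventory view an MDM would collect: bundle id -> signer fingerprint."""
    return {b: app.signer_fingerprint for b, app in device.installed.items()}


def signer_changes(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Detection check: bundle ids present in both snapshots whose signer
    differs. A change here is exactly the symptom of a replaced app."""
    return sorted(
        b for b, fp in before.items()
        if b in after and not compare_digest(fp, after[b])
    )


def run_demo() -> Dict[str, object]:
    genuine = SignedApp(BUNDLE_ID, "1.0", GENUINE_CERT)
    genuine_update = SignedApp(BUNDLE_ID, "1.1", GENUINE_CERT)
    rogue = SignedApp(BUNDLE_ID, "1.1", ROGUE_CERT)

    lax = Device()
    lax.install_by_bundle_id(genuine)
    before = snapshot(lax)
    lax_replaced = lax.install_by_bundle_id(rogue)
    after = snapshot(lax)

    strict = Device()
    strict.install_require_same_signer(genuine)
    strict_replaced = strict.install_require_same_signer(rogue)
    strict_update_ok = strict.install_require_same_signer(genuine_update)

    return {
        "lax_replaced": lax_replaced,
        "lax_now_rogue": lax.installed[BUNDLE_ID].signing_cert == ROGUE_CERT,
        "strict_replaced": strict_replaced,
        "strict_update_ok": strict_update_ok,
        "strict_version": strict.installed[BUNDLE_ID].version,
        "changed_signers": signer_changes(before, after),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same-signer rule is deliberately narrow: it does not stop a developer from shipping a new version, only a different party from taking over an identifier that is already in use, which is the distinction the bundle-identifier-only check misses.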

Interestingly, Microsoft has a similar but different problem with their code signing certificates – not verifying things to a sufficient degree.  You would think people would learn.  Sometimes not.

In Apple’s defense, this only works if you load apps from a source other than the Apple store – say by way of clicking on a link in a spear phishing attack and then saying that it is okay to install the new app.  But the bad guys are clever, so if the attack is done right, it will be very convincing.

The US Department Of Homeland Security’s CERT issued an alert today that confirms the details of FireEye’s press release.

Read the article in the link above for more details, but it is a very interesting situation and being wary is a REALLY good idea.  This is not a “The World Is Ending” attack, but it certainly could do some damage.

Mitch Tanenbaum

iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow someone to bypass all of Apple’s security and encryption features.  The researcher did not say that either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellebrite and Elcomsoft, either have discovered these features or were informed about them and may be using them to suck data out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, am not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.