
Update your iPhone – remote control holes revealed by researchers


Google Project Zero researcher Natalie Silvanovich has just published a fascinating blog article entitled The Fully Remote Attack Surface of the iPhone.
This work, carried out by Silvanovich and research colleague Samuel Groß, was also the topic of a presentation she gave at this year’s Black Hat conference in Las Vegas.
Silvanovich’s article is technical but not overly so, making it well worth a look even if you don’t have any formal coding experience.
Notably, she reminds us all how easy it is to open up software to remote attacks, even if that software isn’t what you’d conventionally think of as server-side code, and even if it’s running on a device that you wouldn’t think of as a server.
By the way, despite the revelatory nature of the article and her talk, there’s no need to panic.
At least, you don’t need to be too worried if you’ve already applied the latest Apple updates, because the holes that Silvanovich is now talking about in detail are already patched.
If you haven’t brought your iPhone up to iOS 12.4 yet, do it now! 
Settings → General → Software Update is the quick way to check.
To explain.
An exploit that gives RCE, short for remote code execution, does exactly what its name suggests – by doing something unexceptionable, and without seeing any warnings, even well-informed users can be tricked into giving crooks access to their device.
A fully remotable exploit is even worse, because there’s no need for users to do anything except have their devices turned on and running normally.
A booby-trapped website that crashes and takes over your browser gives the crooks RCE.
Likewise, before Microsoft turned off AutoRun by default for USB devices, the proverbial USB-stick-in-the-car-park attack was considered a reliable way to achieve RCE because the chosen malware typically launched as soon as someone plugged in the booby-trapped USB key.
There wasn’t any sort of Are you sure? or [Cancel]/[OK] popup to sound a warning and give you a chance to head off the malware.
But even though visiting a web page or plugging in a USB device isn’t a difficult bridge for crooks to talk you into crossing, those attacks aren’t quite the holy grail of RCE, because some user engagement is needed.
A fully remote attack “just happens”, like the infamous Internet Worm of 1988, or the super-widespread SQL Slammer virus of 2003.
Those attacks sent network data that your computer was deliberately listening out for – no trickery required to get a foot in the door – but that your computer mishandled.
This allowed the crooks to package executable code inside their data packets and to achieve RCE in an entirely unattended and automatic way.
One of the Internet Worm’s attack methods, for example, exploited badly-configured email servers on which debugging mode was incorrectly enabled.
If you’d inadvertently left the debug option turned on, emails laid out in a certain way were treated as commands to execute (!), not as messages to be passed on, so the email server ran the malware immediately after accepting it.
The worm’s emails were directly dangerous without any user ever needing to receive them, let alone to open them or extract and run attachments from them.

Phones ≠ Servers

You might imagine that devices such as mobile phones, which generally don’t operate as servers themselves, would largely be immune to this sort of fully remote attack.
After all, you don’t generally run a mail server or a SQL server on your phone, and even if you wanted to, Apple probably wouldn’t let that sort of software into the App Store.
Even if you were to jailbreak your phone to install server software, your ISP might not allow incoming network connections to reach your phone at all, even if you were willing to accept them.
But, as Silvanovich reminds us, phones are all about messaging, and there are many sorts of message that we expect to be told about even before they arrive in full.
(An incoming call is the most obvious example: we expect the phone to ring, and the calling line’s number to be extracted and displayed, not only before we tap any icon to accept the call but also even when our phone is at the lock screen.)
In other words, even though we think of phones as network clients rather than network servers, there are plenty of client-side apps that download, process, act upon and display data that came from an arbitrary outside source.
We’re not just talking about things like automatic software or anti-virus updates that come from a known, trusted and well-regulated service, but also about content such as text messages or emails that were carefully and maliciously crafted by an unknown, untrusted and deliberately malicious creator.
Silvanovich identified five main application areas of interest on the iPhone, covering iOS subsystems that are specifically designed to fetch, process and tell you about incoming content: SMS, MMS, Visual voicemail, email and iMessage.
In the end, the researchers didn’t find any exploitable holes in SMS or MMS, perhaps because these subsystems are rather old-school and therefore have functionality that is both well-understood and somewhat limited.
But the others weren’t so robust.
As you can imagine, the more features, the more message types, the more different options, the more plugins and the more file formats an app supports, the more likely it is for a bug to exist in handling unusual, little-known or malevolently crafted files.
For example, you’d expect image processing software that can only display old-school BMP files (simple structure and plain, uncompressed data) to be less likely to crash on weird files than software that can handle 72 different image file formats with varying levels of complexity.
The more code you need to write to process incoming data and to handle all the possible variations, the harder it is to get it right; the harder it is to test thoroughly; the more likely it is to contain subtle bugs; and the longer it will take for every possible path through the maze of code to get tried out when handling real data in the real world.
Simply put, we say that its attack surface area is larger.

More code, more bugs

Although Silvanovich and Groß did find vulnerabilities in Visual voicemail and in iOS’s email-handling system, these weren’t terribly significant.
But via iMessage they found at least eight security holes, listed by their CVE numbers: CVE-2019-8624, -8663, -8661, -8646, -8647, -8662, -8641 and -8660. (That’s the order in which they are covered in the article, which is why they are not in numeric sequence here.)
Note that even though Apple lists CVE-2019-8661 as patched in its latest iOS security advisory, the Googlers haven’t disclosed details of this one yet because they don’t think Apple’s update has fully fixed the problem yet.

What to do?

  • Get the latest iOS update if you haven’t yet. Many or most of the bug numbers listed above become irrelevant once you’ve applied the patches.
  • Get the next update as soon as it comes out. It sounds as though Apple is still working on CVE-2019-8661, and that Google is giving the company some more time to knock the bug on the head completely.
  • Less is more. If you are a programmer yourself, beware of writing code that does more than it needs to, or that itself depends on so many other modules or plugins that you can’t easily vouch for the whole thing, no matter how confident you are that your code is bug-free.

via Sophos

AMONG SMARTPHONES, ANDROID DEVICES ARE THE MOST COMMONLY TARGETED BY MALWARE, FINDS REPORT


(Last Updated On: December 7, 2018)
According to the latest Nokia Threat Intelligence Report 2019, Android devices are the most commonly targeted by malware. In mobile networks, Android devices were responsible for 47.15% of the observed malware infections, Windows/PCs for 35.82%, IoT for 16.17% and Apple’s iPhones for less than 1%.
Malware, Device breakdown 2018, source Nokia Threat Intelligence Report 2019
In the smartphone sector, the vast majority of malware is currently distributed as trojanized applications. The user is tricked by phishing, advertising or other social engineering into downloading and installing the application. The main reason that the Android platform is targeted is the fact that once side-loading is enabled, Android applications can be downloaded from just about anywhere. In contrast, iPhone applications are for the most part limited to one source, the App Store.
The report also noted that Windows/PCs continue to be a target for malware infection. These Windows/PCs are connected to the mobile network using USB dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for 36% of the malware infections observed. This is because these devices are still a popular target for professional cybercriminals who have a huge investment in the Windows malware ecosystem.
According to the report, IoT devices now make up 16% of the infected devices observed. This is mostly the result of IoT botnet activity. These bots actively scan for vulnerable victims using an increasingly rich suite of attacks. In networks where devices are routinely assigned public facing internet IP addresses we find a high IoT infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.
The report also found that Android malware samples continue to grow in 2018. Nokia Threat Intelligence Lab now has close to 20 million Android malware samples. This is an increase of 31% since last year.
Of the top 20 malware infections detected in fixed residential networks in 2018, the majority still focus on the traditional Windows/PC platform, however 5 of the top 20 target IoT and 3 target Android.
In 2018 the average percentage of devices infected each month was 0.31%. The peak month was June with 0.46% due to an increase in activity of Android.Adware.Adultswine, malware that displays ads from the web that are often highly inappropriate and pornographic, attempts to trick users into installing fake “security apps” that also serve ads, and entices users to register for premium services with hidden expenses. It is very persistent and difficult to uninstall.
The report also stressed the emergence of new IoT botnet variants in 2018. In particular Fbot, which is a Satori-related botnet that has two major distinguishing features. It spreads by scanning for devices that have the default Android Debug Bridge (ADB) port open. Very few Android phones have this port open, but apparently some smart TVs and other Android-based IoT devices have been deployed accidentally with this debug port open.

Malware Attacks Exploit Open Source MDM Software to Compromise iPhones and Apps


Thirteen iPhone users in India fell victim to malware attacks that exploited open source mobile device management (MDM) software to break into corporate devices.
In July 2018, security researchers from Cisco’s Talos security division discovered a campaign that has been running since 2015, using at least five applications. Two of these apps conducted phony tests on the devices, while others sent SMS messages back to the attackers and extracted location data and other information.

Why MDM Deployments May Be at Risk

The attackers were able to change passwords, revoke certificates and replace apps like WhatsApp and Telegram with malicious versions either by gaining physical access to the iPhones or by using social-engineering tactics.
These attacks come at a time when large enterprises are working harder than ever to provide a safe way for employees to access corporate networks via their mobile devices. Most organizations use MDM tools to do just that, but the threat actors behind the malware attacks exploited these systems to trick users into accepting malicious certificates.
Similar to opening a phishing email, this essentially gave remote management access to the attackers. While the researchers reported no immediate financial repercussions, they noted that switching out various mobile apps would enable cybercriminals to gather priority data from users or their employer.

Establish Security Policies to Limit Malware Attacks

While some data may be stored locally on a mobile device, IBM Security experts emphasize that security professionals can limit the impact of these malware attacks by establishing strong security policies to lock down access to the corporate network. According to a January 2018 IBM white paper, such policies could include setting up specific windows of availability for certain applications and data, as well as a passcode to protect the MDM app itself.

Mobile Security—How Secure Are Your Mobile Devices, Actually?

Whether it’s searching embarrassing symptoms or letting curiosity win and checking out the latest photo leak, we all get up to some questionable things online from time to time—things we wouldn’t want our boss or maybe even friends to know. We aren’t ones to judge, but if you think that in this day and age you’re just as safe (or safer) doing all that on your smartphone as on your PC, you might want to reconsider.
For example, a recent study examining 10,000 mobile devices in the UK and the US, showed that 40 of the 50 top porn sites were susceptible to software that may harm your phone badly. Another security report issued by Nokia in March 2017, revealed a new all-time high in mobile device infection rates—a stunning 400 percent increase over last year!
Spyware that exposes your text messages, contact lists, GPS coordinates and other data that you’d rather kept to yourself, hits both Android and iOS-run devices. Yet another sort of malicious software threatening your mobile security is the one that may brick your phone dead until you pay the ransom—just like the nefarious WannaCry which compromised a boatload of PCs earlier this year. This kind of threat is getting more intense because you no longer have to be a skilled cyber-criminal to create malware—yep, they have an app for that, too!
Don’t be naïve though—mobile malware isn’t some sudden retaliation for watching porn or clicking ridiculous content advertisements. Most of the time you are installing it yourself along with your apps (or even in fake system updates, like this one)!

What Google Says About Mobile Security Risk

According to Android’s Security Chief, less than 0.001 percent of Android apps “cause harm and evade runtime defenses”. So, does this mean Android is practically invincible? Not quite. First of all, these numbers are based solely on Google’s (Android’s creator, ICYDK) data. Google can only obtain such information from the “Verify Apps” feature. If you don’t use it, you’re not included in these statistics—so that percentage is woefully misleading. Plus, we also must consider that Google doesn’t provide independent researchers with information on how many apps in the store appeared to be infected. We just have to take the company’s word for it.

They Can’t Bite Into your Apple. Or Can They?

OK, so Android safety is doubtful, but what about iOS? We’ve all heard that all things Mac are virus-proof, but is your iPhone under lock and key? Apple fans’ first argument would be that iOS, unlike Android, is a closed system. One may assume quite another reason, though. What makes iOS devices safer than the ones that run Android is quite obvious: market share. Out of the total number of mobile devices, 85% are Android-powered and only 14.7% run iOS. Which means 85% of hackers’ efforts are precisely focused on Android, whereas iOS luckily picks up the scraps. iPhones are not without chinks in the armor, however. Here’s a 25-page long list of iPhone’s vulnerabilities.

Shared Insecurity

One good thing about the smartphone exploiters is that they believe we’re all equal—whether you boast a new iPhone or use a humble Android-run smartie, you have one thing in common: your phone can be compromised. So let’s zero in on how the bad (and also good) guys run shady operations through your devices without you having a clue.
Fake apps. Yep, not only is the news fake nowadays. Half of the top-50 apps in Google Play have evil twins, the Economist says. Hackers mimic popular applications, tweaking their names a bit (like “MyGoogleTranslate” instead of “Google Translate”) to lure you into installing them. Then they steal your data or even mine cryptocurrency with your phone! Now, as Black Friday and X-mas madness are coming, we may also see the rise of fake shopping apps that steal your credit card numbers. Apple’s App Store survived an infestation with hundreds of them last year!
Malvertising. This summer, the conspiracy theories-themed site visitors (instant tip: Don’t be one!) got their Android-run phones infested with an unremovable app showing annoying ads. The app’s installation was triggered by clicking on fake ads posted on the abovementioned site. An even more curious event befell iPhone users. A fake advert posing as an iOS update tricked users into . . . physically destroying their phones! (The story in a nutshell: The hoax ad promised to make your iPhone waterproof.)
Sometimes, though, even the good guys can do you bad!
Sensitive info stealing. Even totally legitimate Android and iOS apps may sell your private data. Actually, here’s an article claiming that 7 out of 10 apps do it. This applies in particular to health apps, because your health info is a treasure (for insurance companies among others).
GPS tracking. This summer, iPhone users freaked out after finding that a popular iOS app was selling their location data to third parties. It’s especially ironic, taking into account that some two years earlier Apple’s Tim Cook roasted Google for selling users’ GPS info to advertisers!
Read more at http://www.business2community.com/mobile-apps/mobile-security-secure-mobile-devices-actually-01943538#G9fFqJ7BU6KS3VWu.99

So you understand the risk. Now, let’s look at some popular mobile security facts and tips.

Mobile Security FAQ

Can I be totally safe by switching from smartphone to an old push-button cell phone?
Well, it’s definitely much safer to use an old “dumb” flip-phone without an internet connection. But it’s not totally safe. Even those old “candy-bars” have code in them—and any code can be broken into.
What is the most advanced way to protect my smartphone?
One of the recent hypes in the tech world is biometric security. Applied to smartphones, this means user authentication by fingerprint, face, or even by cardiogram. It can be used to unlock your phone and authorize payments. Biometric security is extremely hard to hack; however, it has its pros and cons.
Does installing only the paid apps guarantee 100% security?
It’s definitely safer to install paid VPNs and anti-viruses. On the other hand, it’s not a rule of thumb. While there are trusted and totally free apps like StopAd (Microsoft certified), there are some hidden catches in many paid applications as well.
How to Really Protect Your Mobile Security
So what can you do in order to ensure full mobile safety? Locking your devices in the microwave and putting a tin-foil hat on are the only ways to be totally secure. There are less radical ways though.
  • We hate to break it to you, but you better stop browsing adult sites on your phone.
  • Install apps only from authorised markets and credible developers.
  • Update your operating system regularly to make sure all the flaws are patched.
  • Do not root your phone.
  • Remove any apps you’re not using. Every app is a potential problem—the fewer you have, the safer you’ll be.
  • Next time you’re about to click “install”, be sure to think twice. Consider what exactly that application requires permission for: your mic, camera, media files, bank account, etc.? In other words, don’t be a dupe—the human factor is the main vulnerability exploited against you in both the PC and mobile realms (as well as IRL, BTW).
  • Read the terms of use, for goodness’ sake! At least jump around in the text searching for words like “third parties”, “data”, “behavior” and the like to make sure you aren’t willingly allowing the app to sell your sensitive info.
  • To avoid being tracked, iPhone users may disable the “Find My iPhone” function (this way it isn’t possible to track your device—even if it’s stolen). Users may also allow apps to use GPS only while they’re active (you can do this in the apps’ settings).
Last but not least, security is an integral part of comfort. StopAd’s Android version has most everything StopAd desktop boasts—it blocks all the ads on your device. If you use an iOS-run device, you may want to get started and try StopAd for Safari.


Update your iPhone to avoid being hacked over Wi-Fi


It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched.
As we mentioned last week, the recent iOS 10.3 and macOS 10.12.4 updates included numerous fixes dealing with “arbitrary code execution with kernel privileges”.
Any exploit that lets an external attacker tell the operating system kernel itself what to do is a serious concern that ought to be patched as soon as possible – hesitation is not an option.
After all, it’s the kernel that’s responsible for managing security in the rest of the system.

Take this analogy with a pinch of salt, but an exploit that gives a remote attacker regular user access is like planting a spy in the Naval corps with a Lieutenant’s rank.
If you can grab local administrator access, that’s like boosting yourself straight to Captain or Commodore; but if you can own the kernel (this is not a pun), you’ve landed among the senior Admiral staff, right at the top of the command structure.
So make sure you don’t miss the latest we-didn’t-quite-get-this-one-out-last-time update to iOS 10.3.1:
iOS 10.3.1
Released April 3, 2017

Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero
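To make “a stack buffer overflow addressed through improved input validation” concrete, here is an added illustration that is not code from Apple’s advisory, from iOS, or from any Wi-Fi chip firmware: a toy parser for a hypothetical tag/length/value element, whose layout, names and sample frames are assumptions, showing the two length checks that the unfixed pattern lacks.

```c
/* Added example, not code from Apple's advisory or from any Wi-Fi chip
 * firmware: a toy parser for a hypothetical tag/length/value element that
 * shows the bug class "stack buffer overflow addressed through improved
 * input validation". Frame layout and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSID_MAX 32   /* fixed-size destination (on the stack or in a struct) */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Hypothetical element layout: [tag:1 byte][len:1 byte][payload:len bytes] */
struct ssid_elem {
    char    ssid[SSID_MAX + 1];   /* NUL-terminated copy of the payload */
    uint8_t len;
};

/* Hardened parser. The unfixed pattern trusted the sender-controlled len
 * byte and copied len bytes straight into out->ssid, so a len above
 * SSID_MAX overran the buffer. Two checks are required:
 *   1. len must not exceed the payload bytes actually present, and
 *   2. len must not exceed the destination capacity. */
enum parse_status parse_ssid_elem(const uint8_t *frame, size_t frame_len,
                                  struct ssid_elem *out)
{
    if (frame_len < 2)
        return PARSE_TRUNCATED;              /* no room for tag + len */
    uint8_t len = frame[1];
    if ((size_t)len > frame_len - 2)
        return PARSE_TRUNCATED;              /* claims more than is present */
    if (len > SSID_MAX)
        return PARSE_TOO_LONG;               /* would overflow out->ssid */
    memcpy(out->ssid, frame + 2, len);
    out->ssid[len] = '\0';
    out->len = len;
    return PARSE_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good_frame[]  = { 0x00, 0x04, 'h', 'o', 'm', 'e' };
static const uint8_t lying_frame[] = { 0x00, 0xFF, 'h', 'o', 'm', 'e' };

/* Well-formed element: returns 1 when parsed as "home". */
int check_good(void)
{
    struct ssid_elem e;
    return parse_ssid_elem(good_frame, sizeof good_frame, &e) == PARSE_OK
        && e.len == 4 && strcmp(e.ssid, "home") == 0;
}

/* Length byte larger than the data that actually follows it. */
enum parse_status check_truncated(void)
{
    struct ssid_elem e;
    return parse_ssid_elem(lying_frame, sizeof lying_frame, &e);
}

/* Length byte consistent with the frame but larger than the destination. */
enum parse_status check_too_long(void)
{
    uint8_t frame[2 + 64] = { 0x00, 64 };
    memset(frame + 2, 'A', 64);
    struct ssid_elem e;
    return parse_ssid_elem(frame, sizeof frame, &e);
}
```

The second check is the one a fixed-size destination needs regardless of how well-formed the frame is; a parser that only validates against the frame length still overflows.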
This is rather different from the usual sort of attack – the main CPU, operating system and installed apps are left well alone.
Most network attacks rely on security holes at a much higher level, in software components such as databases, web servers, email clients, browsers and browser plugins.
So, attacking the Wi-Fi network card itself might seem like small beer.
After all, the attacks that won hundreds of thousands of dollars at the recent Pwn2Own competition went after the heart of the operating system itself, to give the intruders what you might call an “access all areas” pass.
Nevertheless, the CPU of an externally-facing device like a Wi-Fi card is a cunning place to mount an attack.
It’s a bit like being just outside the castle walls, on what most security-minded insiders would consider the wrong side of the moat and drawbridge.
But with a bit of cunning you may be able to position yourself where you can eavesdrop on every message coming in and out of the castle…
…all the while being ignored along with the many unimportant-looking peasants and hangers-on who’ll never have the privilege of entering the castle itself.
Better yet, once you’ve eavesdropped on what you wanted to hear, you’re already on the outside, so you don’t have to run the gauntlet of the guards to get back out to a place where you can pass your message on.

What to do?

As far as we know, this isn’t a zero-day because it was responsibly disclosed and patched before anyone else found out about it.
Cybercrooks have a vague idea of where to start looking now that the bug has been described, but there’s a huge gap between knowing that an exploitable bug exists and rediscovering it independently.
We applied the update as soon as Apple’s notification email arrived (the download was under 30MB), and we’re happy to assume that we’ve therefore beaten even the most enthusiastic crooks to the punch this time.
You can accelerate your own patch by manually visiting Settings | General | Software Update to force an upgrade, rather than waiting for your turn in Apple’s autoupdate queue.
