Tag Archives: apple

iOS Backdoors

In the last few days there has been increasing noise about some iOS backdoors. Apple does not deny they exist, but contests how they can be used.

This is not new, and the security researcher who presented his findings did highlight that; it is likely related to methods used by certain forensic software sold to law enforcement.
What is “concerning” is the following:
– These backdoors are actively maintained and developed by Apple; how much more data will they allow to be extracted from iOS devices in future?
– Those backdoors provide access to SMS, contacts and other potentially sensitive data on the phone; they also allow full disk encryption to be bypassed. This highlights the fact that unless your phone is off, the data on it is no longer encrypted per se, but only protected by access control (PIN);
– If it can be used by law enforcement, it can be used by “greyer” parties too.

A few links to get further:
Summary of this story

Zdziarski presentation, detailed and very informative

Apple response, not surprising and not really addressing the points of concern

Apple Security in the Enterprise

There is a good document from the UK government describing the different security features available in Apple Mac OS X 10.8 and the ones you should consider if using a Mac as an enterprise end point:

OS X 10.8 UK Gov security guidance document. 

In light of all the noise created by the NSA and GCHQ surveillance programs you might be tempted to dismiss governments’ position and view when it comes to IT Security. However, I found that document quite good and high level enough to be understood by mid-level management at least :)

They do refer to an MDM solution for some of the controls without specifying which one, so I assume they are referring to an OS X Server Profile Management solution as described by Apple HERE.

New iPhone 5S Fingerprint reader, a step in the right direction!

Apple has just announced two new iPhone models; one of them is the iPhone 5S, which comes with a fingerprint reader. Like others I believe this is no silver bullet, but it is a step in the right direction in terms of helping the masses to secure their iPhones.

There are two main areas of potential security failures:
– Fingerprints can be copied, and once compromised you can’t “change” them for new ones;
– The fingerprint reader’s security implementation will be very important; any defect or flaw could be exploited to gain unauthorised access.

Apple may not be the first company to embed a fingerprint reader into its phones, but as it did for tablets and smartphones, it will be the company that popularises its usage and sets the direction for others to follow. This is likely to be emulated, and we will soon see fingerprint readers probably everywhere.
Why?
Because it is actually a very convenient way to unlock/authenticate, it is very user-friendly if done right and somewhat secure/unique (as long as they are not compromised). It means users will love it, and prefer that way of authenticating over having to remember a very long password or a different one for each system they need to authenticate to. It makes sense for some kind of password safe to be released at some point, either by Apple or a 3rd party, that would leverage the use of a fingerprint reader to authenticate users to all their systems. In the background you would still be using long, random and unique passwords, but as a user, all you would be asked for is to select which website/system you want to sign on to and to authenticate with your fingerprint, so it accesses that secret password for you and uses it to log you in.

All this is great, and I would love to use such a system. But as fingerprint readers become more and more popular and especially more and more available, so will be the points of failure…
If every device has a fingerprint “read-er”, every device could also act as a fingerprint “captur-er”!
And your precious fingerprints could be compromised through malware or social engineering by leveraging features like guest access, micro-payments, fun apps that pretend to predict your future by reading the shape of your fingerprints, etc.

More importantly, due to the very nature of today’s smartphones, which use “touch technology”, users’ fingerprints will be left all over the device’s touch screen. It means that if someone steals your smartphone, they also steal the very information they need to gain access: your fingerprints. The challenge then becomes about “lifting” those fingerprints from the touch screen to re-use them.

Also, the more popular fingerprint readers become, the more embedded their usage will be in how the masses authenticate to different systems. It means it will be increasingly attractive for attackers to target such means of authentication. There is already a hacking challenge that will do just that: Hackers iPhone5s bounty.

What Apple has just done is provide an answer to a problem people are increasingly aware of: protecting your password whilst making it simpler to authenticate in the process. This is bound to catch on.

To conclude, in the short term, this will be a huge security step-up for most people, “normal” people who do not handle state/corporate secrets. In the medium to long term, this may actually backfire, because fingerprint alone is no security silver bullet. However, combining fingerprint authentication with more traditional mechanisms such as passcodes or passwords might actually provide extra security through embedded dual factor authentication.

Nonetheless, well done Apple for aiming in the right direction!

A new iOS 6.1 hack

As seen on the Hacker news, there is currently a way to bypass the iPhone lock screen (iPad with SIM too?) running iOS 6.1.x

I had to change the steps listed in “The Hacker news” slightly for it to work:
- Go to emergency call, push down the power button and tap cancel.
- Dial 112 and tap green and immediately red.
- Go to lock screen, by pressing the power button
- Go to passcode screen, by pressing the home button
- Keep pushing down the power button …1…2…3…seconds and before showing the slider “turn off”…tap the emergency call button and …voilà!
- Then without releasing the power button press the home button and let go…

From there you gain full access to the phone application and can change/add/delete contacts, as well as use the phone to make phone calls, but you cannot stop a call you started with that technique.



Apple in Denial

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly by an article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Macs with malware: “BackDoor.Flashback.39”.

Mac Trojans are evolving and becoming more frequent. Last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that, once installed, would redirect Google search results to “bad sites”. Then in September another Mac Trojan (OSX/Flashback.A) was found by Intego, using a similar exploit mechanism but with a different payload: this time it was more complex, disabling some security settings on the infected systems as well as attempting to inject some code into running processes to ultimately leak personal information.

Both Trojans had a relatively low success rate, as they relied either on the user to download a file and run it, or… on an attacker adapting some kind of “EvilGrade” attack, where DNS MITM attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with the need to upload the Mac Trojans.

However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac users is more of a “drive-by-download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac computer just by visiting a compromised site; it does not require the user to take any action such as entering their password or confirming that new software should be installed. The compromise happens silently!

As a result, the infection rate is much stronger: more than half a million Mac users! And the impact is much worse: it will leave the victim’s computer vulnerable to being remotely commanded as part of a botnet.

To check if your mac has been infected you can follow those STEPS.

It could be considered the first major security crisis to affect Mac OS X, one that will have the first major exposure in the media (BBC, CNN, FORBES, etc) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact that this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favor. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT Security. This is hardly surprising. Although I am very tempted to say “I told you so, HERE and HERE”, I will just echo the ZDnet article I mentioned at the beginning: this security mess is the result of Apple being in denial about the IT security landscape and the threats that every computer and user faces regardless of the Operating System they are on.

This state of denial is also exploited by the “Trojan” itself, as it will apparently not install if it finds some software that could be used to analyse it, and will therefore not target a computer belonging to a user who may be aware that there is more to security than a slogan: “I am a Mac, I am secure”.



Carrier IQ, an interesting story of deception or what we could call the Facebook syndrome

It all started with some findings published by Trevor Eckhart on his website a few weeks ago.

He found that a California-based company called Carrier IQ (CIQ) had developed software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, Blackberry, Nokia phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here is that this software is intentionally installed/provided by the device manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.

This is what I would call, the Facebook syndrome!

The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to carriers and phone manufacturers, such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would say of software that logs all the keys pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US: although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries, and the location of the device. This is what could be considered a significant invasion of personal privacy.

So how did CIQ react to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.

As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarize the case on their website, and also to a new post showing exactly what Trevor meant by calling CIQ software a “root kit” (I called it a “key logger” earlier, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article goes into detail as to why CIQ software is indeed a root kit, with a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and how, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS versions from iOS 3 to the latest iOS 5. However, it seems that the information logged on Apple devices is much less than what is logged on Android devices: no URL nor SMS, and the location is only sent if you have allowed it to be. Furthermore, that information is not transmitted by default but only if the user manually chooses to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan. I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and prepaid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After I complained to my provider, they eventually claimed that the built-in iOS bandwidth statistics were only showing average figures and were not accurate. I also read in some forum at the time that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue it further, agreed to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, they are also hidden from view.
After all, if the provider goes to such lengths to hide the data they collect from you, they probably don’t want you to see that sealed fat envelope leaving your phone!

If that’s the case, how legal is this?! Not only is spying/gathering user information questionable, but doing so could be at the expense of the user! Couldn’t it be considered a hidden cost to their service? Could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others: they want users’ personal information. But unlike others, they have full control of the device you discuss your life on.
  2. Opting for usage statistics should be just that, an optional choice! And it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS(es) statistics, then this is an extra hidden cost to the user.

Now, where have I kept my beloved 10-year-old Nokia 8210?

UPDATE, 12th of December 2011: CarrierIQ has responded to the issues discovered by Trevor through a 19-page document. Not sure I find it very convincing.

Turning point for Apple Products Security

There has recently been an increase in blackhat attention to Apple products.
It would seem that what has been predicted for some time is about to be tested:
that one of the main reasons for Mac/OSX being more secure than Windows is that it did not get the same attention from hackers.

This had to happen, and I believe that the time is right.
Indeed, Apple products are gaining more and more market share and their hippy/cool image is being eroded by both their very strict view of the world and exponential user base growth.
(On a non security related note, one could wonder how long can Apple be seen as different/cool if everyone has their product!)

This gives hackers every reason to turn their attention to Mac OSX and iOS.
Recently a fake anti-virus software for Mac was discussed on the excellent Intego blog and many other sites.

And a few days ago it was discovered (as expected) that the defenses Apple brought to fight back are not really working; furthermore, it has also started to change name, as its latest iteration is now called Mac Shield.

Another sign of increased hacking activity is the availability, for the first time, of a hacking framework being sold on closed underground forums, the Weyland-Yutani BOT.
It allows users to inject payloads through Firefox exploits on Mac, but there is already a plan to extend the scope of that framework to target iOS devices and to work through Chrome/Safari as well.

This is certainly not good news for Apple customers, but it will be interesting to see how this develops from now on and if Apple’s claim that their OS are more secure than the competition is proven true… or not!

My prediction? It isn’t true, and we should be seeing many more damaging security breach/issue stories related to Apple products this year.

Apple Security

With the rise in popularity of Apple products there is also an increasing interest from hackers and security professionals.

The well-oiled speech from Apple and their fans is that Apple products are more secure than the competition, especially Mac OS X, which does not need anti-virus software, does not get malware, etc.

But is this actually true? and even if it is today, will it always remain so?

I do not think so.

A number of security vendors have started to offer some anti-virus for Mac: Sophos, McAfee, ClamXav, to name a few!

You could argue they are just surfing on the Apple computer market share increase, but then you would forget that some Mac OS X trojans are being seen around. For example, Sophos recently discussed a new Mac OS X trojan, BlackHole RAT, which may currently be distributed along with pirated Mac software on torrents.

Added to that is the fact that Apple does not get security right all the time. The recent 62 bugs that have been fixed in the latest Safari update (5.0.4) are a reminder of that. A further reminder is the results from the pwn2own contest, which is taking place now: today, a French team managed to hack even the latest patched-up version of Safari. This was the first browser to be hacked at that competition… it took a mere 5 seconds.

While some articles are reassuring about Apple stance on security, like this one, others are more critical, like this very interesting interview of some famous Mac hackers. What is also interesting is that one of those hackers was also referenced in the “nice” article :)

So here you have it:
– An increased interest from hackers,
– A platform which, as with any IT platform, has and always will have vulnerabilities/bugs,
– An Apple security stance and practices which can be questionable.

Apple claims to be taking security seriously, but Apple being Apple, they also seem to be very closed-minded about how they implement it, who they listen to and what security controls are really important for their users. Time will tell if they are right, but for once, I am ready to bet against Apple. At the very least I do not believe they have the right attitude. What may work very well for design and “user experience” is different for security. A closed and arrogant security approach never works very well for long.

Therefore, I wouldn’t be surprised if we see a global security scare regarding Apple products within a couple of years… I would even bet before the end of this year!

What pushed me to write this article in the first place is that I am myself a Mac user, and a couple of days ago I noticed a constant noise from my Mac hard disk. After doing some basic troubleshooting like closing all applications and stopping all the network services I use and run in the background, there was still some hard-disk activity… I could not identify an obvious bad process, but again, it is not like Windows, where you can use tools such as HijackThis and their online database to identify known bad processes (or if there is, I don’t know it!)

Then I looked at the Network section of the Activity Monitor and could see a constant small download of data. When I disabled the computer’s wifi, the activity stopped, and when I re-enabled the wifi card, the downloads started again… so what was triggering this?

I am sure I am showing my rusty Unix skills, as I could probably have found a command to show me all processes using the network interface and link this back to an application name. But I didn’t do so.

Instead, I looked at the traffic through Wireshark, and although I could see some HTTP traffic activity, none of the destination IPs looked suspicious. (A good article on configuring your network interface for Mac OS is available HERE; you will need to scroll down through the heading errors on the page.)

I did not have enough time or instant knowledge for investigating further, so instead, for the first time I ran an anti-virus software on my Mac! It did find 4 issues, but I think they were related to some Windows archives.

Therefore, so far, I found nothing and it could be nothing (a scheduled maintenance job, etc).

If this was happening on a Windows machine I would be much more worried, but then I would also have much more confidence in the security tools I could use to detect a potential malware.

What it meant for me, though, is the realisation that I should stop blindly trusting the level of security of my computer just because it is a Mac… and that I should probably start to use the command line a bit more, as well as using some security controls/technologies I would normally use in a Windows environment.
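
One way to do the step skipped above, linking network activity back to a process name, shown as an added example that is not part of the original post: `lsof -i -n -P -F pcn` lists every Internet socket with its owning PID and command, and the function below groups that output by process and remote peer. The function names and the sample input are constructed for illustration; run the script with `--live` to read from `lsof` itself.

```shell
#!/bin/sh
# Added example: map network connections back to the owning process.
# Input is lsof field output (-F pcn): one field per line, prefixed by
# p (PID), c (command name), f (file descriptor) or n (socket name).

# Constructed sample of `lsof -i -n -P -F pcn` output
# (addresses are from documentation ranges, process list is made up).
sample_lsof() {
    cat <<'EOF'
p412
cSafari
f23
n192.168.1.10:52344->203.0.113.5:443
f24
n192.168.1.10:52345->203.0.113.5:443
p87
cmDNSResponder
f7
n*:5353
p655
csoftwareupdated
f11
n192.168.1.10:52360->198.51.100.20:80
EOF
}

# Print "count<TAB>command<TAB>pid<TAB>remote" for every connected socket,
# busiest peer first. Listening sockets have no "->" and are skipped.
peers_by_process() {
    LC_ALL=C awk '
        /^p/ { pid = substr($0, 2); next }   # new process set
        /^c/ { cmd = substr($0, 2); next }   # its command name
        /^n/ {
            i = index($0, "->")
            if (i == 0) next                 # not connected to a peer
            remote = substr($0, i + 2)
            sub(/ .*/, "", remote)           # drop any trailing state text
            count[cmd "\t" pid "\t" remote]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

if [ "${1:-}" = "--live" ]; then
    lsof -i -n -P -F pcn | peers_by_process
else
    sample_lsof | peers_by_process
fi
```

Without `sudo`, `lsof` only reports sockets owned by your own user, so a system daemon doing the downloading would not appear.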

Lastly for some basic but good security tips on Mac OS X, you can see the 3 articles that Sophos published on their security blog: Part 1, Part 2 and Part 3