There is an interesting article HERE that describes the new security features of iOS7 and Mavericks. It also asks some interesting questions that still need answering.
As seen on the Hacker news, there is currently a way to bypass the iPhone lock screen (iPad with SIM too?) running iOS 6.1.x
I had to change the steps listed in “The Hacker news” slightly for it to work:
-Go to emergency call, push down the power button and tap cancel.
-Dial 112 and tap green and inmediately red.
-Go to lock screen, by pressing the power button
-Go to passcode screen, by pressing the home button
-Keep pushing down the power button …1…2…3…seconds and before showing the slider “turn off”…tap the emergency call button and …voilá!
-Then without releasing the power button press the home button and let go…
From there you gain full access to the phone application and can change/add/delete contact, as well as use the phone to make phone calls but you cannot stop a call you started with that technic.
Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.
The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.
Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan (OSX/Flashback.A) was found by Intego using a similar exploit mechanism but with a different payload, this time it was more complex and disabling some security settings on the infected systems as well as attempting to inject some code in running processes to ultimately leak personal information.
Both Trojans had a relatively low success rate, as it relied either on the user to download a file and run it, or… for an attacker to adapt some kind of “EvilGrade” attacks where DNS MIT attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with the need to upload the Mac Trojans.
However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac Users is more of a “drive-by-download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac computer just by visiting a compromised site, it does not require for the user to take any actions such as entering their passwords or confirming for a new software to be installed. The compromise happens silently!
As a result, the infection rate is much stronger: More than half a million Mac users! and the impact is much worse: it will leave the victim’s computer vulnerable to be remotely commanded as part of a Botnet.
To check if your mac has been infected you can follow those STEPS.
It could be considered as the first major security crisis to affect the Mac OSX, one that will have the first major exposure in the media (BBC, CNN, FORBES, etc) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favor. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT Security. This is hardly surprising, although I am very tempted to say “I told you so, HERE and HERE“, I will just echo the ZDnet article I mentioned at the beginning, this security mess is the result of Apple being in denial with the IT security landscape and the threats that every computer and user faces regardless of the Operating System they are on.
This state of denial is also exploited by the “Trojan” itself as it will apparently not install if it finds some software that could be used to analyse it and therefore not target a computer belonging a user that may be aware that there is more to security than a slogan “I am a Mac, I am secure”
It all started with some findings published by Trevor Exkhart on his website a few weeks ago.
He found that a Californian based company called Carrier IQ (CIQ) had develop a software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, Blackberry, Nokia Phones, iPhones (iOS 3.x to 5.x), and also tablets.
The important point here, is that this software is intentionally installed/provided by the devices manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 Million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.
This is what I would call, the Facebook syndrome!
The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to carrier and phone manufacturer such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.
This is not what you would say from a software that logs all the key pressed on your device…
Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!
One example given by Trevor is Verizon in the US, although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries and the location of the device. This is what could be considered as a significant personal privacy invasion.
So how did CIQ reacted to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!
They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.
As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarizes the case on their website, and also to a new post showing exactly what Trevor meant by calling CIQ software a “root kit” (I called it a “key logger earlier”, but root kit is more accurate and also has wider security implications).
Trevor’s second CIQ article, goes into details as to why CIQ software is indeed a root-kit. With a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and, at least on an HTC phone, the data is not really anonymised.
Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS version from iOS3 to the latest iOS5. However, it seems that the information logged on the Apple devices is much less than what is logged on Androids’: no URL nor SMS and the location is only sent if you have allowed for it to be, furthermore, that information is not transmitted by default but only if the user manually choose to send diagnostic information to Apple.
All this has generated an increasing level of noise and attention:
- Apple made a statement that although they were not using that software from some time, they will remove it completely in a future iOS update;
- a US Senator, Al Franken, who had previously voiced some privacy concerns about location tracking, has requested CIQ for some explanation;
- The Register has asked CIQ for comments, and will post an update whenever they get a response.
- The BBC is running a story on their website stating that CIQ has been installed on other 140 Millions devices!
- The Guardian is reporting that, apparently, UK carriers do not use CIQ, I wouldn’t be surprised if we soon learn otherwise…
- The latest response from CIQ can be seen here
As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…
A few years ago I went on holiday and decided to take an international data plan, I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and pre paid consumption.
I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider they eventually claimed that the built-in iOS bandwidth statistics were only showing average figures and were not accurate. I also read in some forum at the time, that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue further, accepted to pay the extra fee and promised myself never to use data roaming again.
Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, they are also hidden from view.
After all, if the provider goes at length to hide the data they collect from you, they probably don’t want you to see that sealed fat envelop leaving your phone!
If that’s that case, how legal is this?! not only spying/gathering user information is questionable but doing so could be at the expense of the user! Couldn’t it be considered as a hidden cost to their service? could it explain the unexplainable extra fee I had to pay?
So I have three final comments to make:
- Mobile device companies are like any others, they want users’ personal information, but unlike others, they have full control of the device you discuss you life on.
- Opting for usage statistics, should be just that, an optional choice! and it should be made clear that it could result in extra cost, especially when roaming!
- If CIQ data consumption is also hidden from mobile OS(es) statistics then this is an extra hidden cost to the user
There has recently been an increase in blackhat attention to Apple products.
It would seem that what has been predicted for some time is about to be tested:
that one of the main reason for Mac/OSX to be more secure than windows is because it did not get the same attention from hackers.
This had to happen, and I believe that the time is right.
Indeed, Apple products are gaining more and more market shares and their hippy/cool image is being eroded by both their very strict view of the world and exponantial user base growth.
(On a non security related note, one could wonder how long can Apple be seen as different/cool if everyone has their product!)
And a few days ago it was discovered (as expected) that the defenses Apple brought to fight back are not really working, furthermore is has also started to change name as it latest iteration is now called Mac Shield.
Another sign of increased hacking activity is the availibility, for the first time, of a hacking framework being sold on closed underground forums, the Weyland-Yutani BOT
It allows users to inject payload through Firefox exploits on MAC, but there is already a plan to extend the scope of that framework to target iOS devices and through Chrome/Safari as well
This is certainly not good news for Apple customers, but it will be interesting to see how this develops from now on and if Apple’s claim that their OS are more secure than the competition is proven true… or not!
My prediction? it isn’t true and we should be seeing much more damaging security breach/issues stories related to Apple product this year.
With the rise in popularity of Apple products there is also an increasing interest from hackers and security professionals.
The well oiled speech from Apple and their fan is that apple products are more secure than the competition. Especially around the Mac OS X, which does not need Anti-Viruses, does not get malware, etc.
But is this actually true? and even if it is today, will it always remain so?
I do not think so.
You could argue they are just surfing on the Apple computer market share increase, but then you would forget that some MAC OS X trojans are being seen around, for example, SOPHOS recently discussed a new MAC OS X trojan: BlackHole RAT which may be currently distributed along pirated MAC software on Torrents.
Added to that, the fact that Apple does not get security right all the time. The recent 62 bugs that have been fixed in the latest Safari Update (5.0.4) is a reminder of that. A further reminder is the results from the pwn2own contest which is taking place now, today, a French team managed to hack even the latest patched up version of Safari. This was the first browser to be hacked at that competition… it took a mere 5 seconds.
While some articles are reassuring about Apple stance on security, like this one, others are more critical, like this very interesting interview of some famous Mac hackers. What is also interesting is that one of those hackers was also referenced in the “nice” article :)
So here you have it:
- An increased interest from hackers,
- A platform, which as with any IT platform, has and always will have vulnerabilities/bugs.
- An Apple security stance and practises which can be questionable
Apple claims to be taking security seriously but Apple being Apple they also seem to be very close minded on how they implement it, who they listen to and what security controls are really important for their users. Time will tell if they are right, but for once, I am ready to bet against Apple. At the very least I do not believe they have the right attitude. What may work very well for design and “user experience” is different about security. A closed and arrogant security approach never work very well, for long.
Therefore, I wouldn’t be surprised if we see a global security scare regarding Apple products within a couple of years… I would even bet before the end of this year!
What pushed me to write this article in the first place is that I am myself a Mac user and a couple of days ago I noticed a constant noise from my Mac hard-disk, after doing some basic troubleshooting like closing all applications, stopping all the network services I use and run the background there was still some hard-disk activities… I could not identify an obvious bad process, but again, it is not like windows where you can use tools such asHijackthis and their online database to identify known bad processes (or if there is, I don’t know it!)
Then I looked at the Network section of the Activity Monitor and could see a constant small download of data, when I disabled the computer wifi, the activity stops and when I reenabled the wifi card, the downloads started again… so what was triggering this?
I am sure I am showing my rusty Unix skills, as I could have probably find a command to show me all processes using the network interface and link this back to an application name. But I didn’t do so.
Instead, I looked at the traffic through Wireshark and although I could see some HTTP traffic activities, none of the destination IP looked suspicious. (A good article to configure your network interface for MAC OS is available HERE, you will need to scroll down through the headings errors on the page)
I did not have enough time or instant knowledge for investigating further, so instead, for the first time I ran an anti-virus software on my MAC! It did find 4 issues but I think it was related to some windows archives.
Therefore so far, I found nothing and it could be nothing (a scheduled maintenance job, etc). .
If this was happening on a Windows machine I would be much more worried, but then I would also have much more confidence in the security tools I could use to detect a potential malware.
What it meant for me though, is the realisation that I should stop blindly trusting the level of security of my computer just because it is a MAC… and that I should probably start to use the command line a bit more as well as using some security controls/technologies I would normally use in a windows environment.