Security Medium 0 (more of a Followup) — 3rd-party Parental Control Apps Return to iOS
Editorial by Bart: I’ve seen some very lazy reporting on this story, and I think the context and nuance are important, hence giving this apparently simple story the ‘Security Medium’ treatment.
To understand what happened this week, it’s important to cast our minds back to the very start of this story, and follow the events through from there to the present.
* As best as I (Bart) can piece together from all the reporting, this all started back in April 2018 when Apple became aware of the potential for parental control apps to abuse Mobile Device Management (MDM) APIs to compromise user privacy.
* During the remainder of 2018 Apple first investigated the potential issue and then started to contact developers asking them to stop using MDM for parental control. Having given developers some time to comply with those requests, Apple then began removing apps that did not alter their behaviour from the store. Without MDM many of the features these apps offered were not possible on iOS, so many developers refused to comply, and it seems that in December of 2018 Apple did a large purge of MDM-using parental control apps.
* In April of 2019 the story first gained wide-spread notice when the NYT ran a very sensationalistic story claiming Apple removed the apps to prevent competition with the ScreenTime feature built into iOS. The story did not provide any evidence to support its claims, but being a negative story about Apple it inevitably went viral. (Editorial by Bart: the claims made by the NYT never made any sense because when you try follow the money you soon find there’s nothing to follow! Apple don’t monetise ScreenTime in any way, no subscription or paid upgrade to get extra features, nothing! If anything, Apple lose money on ScreenTime because it costs them developer time to create and maintain the feature, but it has no associated revenue stream.)
* Apple responded to the NYT piece by pointing out that MDM was not intended for this use, and that it posed a real danger when used in this way. MDM was designed to allow organisations to centrally manage and control devices they own, it was not designed to allow app developers manage and control apps owned by app customers or their children!
* One of the less-covered small announcements from WWDC was that Apple had updated their rules for the use of MDM. MDM could be used for parental control-type apps going forward, but under strict supervision from Apple. The apps would have to confine themselves to a sub-set of what the MDM APIs can theoretically do, and they would be subject to extra scrutiny from Apple during the app store approval process.
* This week, the first such app, OurPact, successfully made its way through that extended review and returned to the iOS App Store
Links:
- Apple reinstates parental control app OurPact to App Store — www.imore.com/…
- OurPact returns to App Store, reviving debates about Apple’s impartiality — arstechnica.com
Security Medium 1 — Zoom & Ringcentral on the Mac
Note: The focus of this story has been Zoom because it’s a very popular service, but the security researcher who found the bugs believes the *Ringcentral app by the same company is also vulnerable, though there does not appear to be a proof of concept for that app.*
This week security researchers announced that they had found serious security vulnerabilities in the Mac client for the popular Zoom video conferring service. As well as installing the client their installer also installed a local web server app.
Officially, this web server served two functions — it allowed the Zoom app to bypass the confirmation screen Safari 12 introduced before allowing apps access to users webcam, and, it would re-install the app automatically should the user try to join a Zoom call without having the app installed.
Zoom considered both of these behaviours to be features that enhanced the user experience, and defended the web server’s existence. Even before we get it to the fact that the web server had vulnerabilities, let’s first look at whether this behaviour is ethical even if the web server was perfectly coded and did not contain any bugs or vulnerabilities.
I would argue strongly that it’s not. Firstly, there was no informed consent. Users were not told that installing the Zoom client once installed a service that would remain running permanently, even after the app was un-installed, and that that permanently running service would grant webcam access automatically without confirmation from the user from that point forward. Users were also not clearly informed that this web service would act as a silent re-installer that would re-add and app they explicitly removed without even getting a confirmation from them. Speaking purely for myself (Bart), I consider this to be malicious behaviour. When an installer asks you to enter your password to grant it admin access we are trusting that that installer not to do anything more than it told us it would, and this installer clearly violated that trust. I can’t trust a company that could conscience such a move, so I’ve added Zoom to my personal naughty list, and am (probably) permanently boycotting them — maybe they can somehow re-earn my trust, but I can’t imagine how they could do that if I’m honest!
So, even if the web server was perfectly coded, I would consider it malware, but, it was not! There were two problems with this web server:
- The web server was not limited to only accepting connections from the local device. There are legitimate reasons for apps to use a local web server, for example, it can enable inter-app communications between a helper app or plugins and a main app, but these kinds of local web servers are usually set up to only accept connections from the special
localhostIP address127.0.0.1which can only be accessed from on the device itself. Zoom didn’t do that, so other users on the same LAN could interact with the web server. As best as I can tell, the only reason the web server would not generally be globally accessible is that most people use NAT routers, and a side-effect of NAT is that it acts as a one-way-valve on users internet connection. Security researchers were able to demonstrate that anyone who can talk to the web server can trigger a silent re-install of the Zoom app. - Any website in the world could host a link that when clicked on would cause the local web server to launch Zoom, auto-join a meeting, and, if the users had no pro-actively changed the apps settings, auto-enable their webcam. So, you click on a link, and a few seconds later, your webcam is broadcasting your image to a call controlled by an attacker!
Security researchers tried to work with Zoom to address these issues responsibly, but since Zoom didn’t agree the web server itself was fundamentally a security vulnerability, that didn’t work out, and the researchers went public with their findings, including proof of concept examples.
Zoom initially responded with an update that addressed some of the bugs in the web server, but did not tackle the fundamental issue of the server’s existence, or its persistence even when the Zoom app is uninstalled. They also didn’t address the bypassing of the Safari 12 confirmation dialogue since they saw that as a feature, not a bug, and said so publicly.
We feel that this is a legitimate solution to a poor user-experience problem, enabling our users to have faster, one-click-to-join meetings
This initial response didn’t go down well with the broader internet community, and Zoom were soon forced to back-peddle!
Zoom developed a second update that completely removes the web server and adds a menu option for uninstalling the app.
Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service.
While the big public argument was going on, engineers at Apple were busy responding to the situation through their process for dealing with a Mac malware outbreak, and prepared and pushed out a silent MacOS update that removed the web server. Apple have included an emergency auto-update feature that checks in with Apple daily as part of MacOS for many years now, and while they have used it on a few occasions before, they use it very sparingly. If you’re not comfortable with Apple pushing emergency security updates automatically, you can disable the behaviour from the Advanced window in the Software Update preference pane (I would not recommend doing this BTW).
So, if you want to use Zoom, install their latest update.
If you have never used Zoom, there’s nothing for you to do, but if you did use it once, and don’t want to use it in future, the advice I’m seeing most commonly from experts I trust is that you should install the latest update, and then remove the app. You could also just remove the app and trust Apple to clean up the web server if you prefer.
Links:
- The original post by the security researchers: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! — medium.com/…
- Major Zoom vulnerability could allow websites to hijack your Mac’s webcam — 9to5mac.com/…
- Zoom flaw could force you into a meeting, expose your video feed — nakedsecurity.sophos.com/…
- Zoom and RingCentral Exploits Allow Remote Webcam Access — tidbits.com/…
- The Zoom Desktop App Lets Any Website Take Over Your Mac’s Camera. Here’s What To Do About It. — www.buzzfeednews.com/…
- Apple has pushed a silent Mac update to remove hidden Zoom web server — techcrunch.com/…
- Here’s How to Protect Yourself Against the Zoom Zero Day — www.macobserver.com/…
Security Medium 2 — 25 Million Android Devices Infected with Agent Smith Malware
Security researches from the cyber-security firm Check Point have released details of a massive malware campaign that has successfully infected 25 million Android devices around the world, 300 thousand of them in the US.
The malware was primarily distributed via 3rd-party app stores in China, and was able to spread by using a vulnerability in Android that allowed it to hijack legitimate apps as they updated themselves. The result would be a fully functional version of very popular apps like WhatsApp and Opera that also contained the malware. The malware could then use all the permissions the user had granted their host app.
It’s not clear whether all the vulnerabilities exploited by the malware have been patched, but at least one of them was patched as far back as 2017. The fact that Android malware can spread widely in 2019 using a bug that Google patched in 2017 speaks volumes about how far Google still has to go to get their updates distributed widely and promptly.
Another particularly note-worthy details discovered by the researchers is that until recently there were apps in the official Google Play store with dormant versions of this malware. The dormant copies of the malware would have been brought to life had those behind the campaign paid for an ad with a specific trigger word to be displayed by infected apps. While over 10 million infected but dormant apps were downloaded from the Play store, it does not appear the trigger word was ever sent to wake them up.
The researchers give three pieces of advice to Android users:
- Keep your phone patched! (Editorial by Bart: if you can’t, you really do need to get a new phone!)
- Only download apps from the Play Store
- Run an ad blocker because “Ad blockers aren’t just to block ads”. The researchers point out that ads have a long history of being used to trigger exploits within legitimate apps, and in this case, they could have been used to activate malware downloaded from the Google Play store!
One final silver lining here is that the attackers chose to use their powerful malware for ad fraud. This means infected users simply saw more ads or the wrong ads, and the attackers effectively stole money from ad networks rather than the owners of the infected phones. However, the big cloud within that silver lining is the fact that the same techniques could have been used to hijack banking apps and steal actual money directly from end-users!
Links:
- Check Point’s article detailing their findings: Agent Smith: A New Species of Mobile Malware — research.checkpoint.com/…
- Malicious apps infect 25 million Android devices with ‘Agent Smith’ malware — phys.org/…
Notable Security Updates
- Patch Android! July 2019 update fixes 9 critical flaws — nakedsecurity.sophos.com/…
- Two zero days and 15 critical flaws fixed in July’s Patch Tuesday — nakedsecurity.sophos.com/… & Patch Tuesday Lowdown, July 2019 Edition — krebsonsecurity.com/…
Notable News
- Security researchers have found that Orvibo Smart Home Devices log an astonishing amount of information and send it back to Orvibo across the internet. Worse, the database that stores literally billions of these logs is not secured so is publicly accessible. The log entries include usernames, email addresses, passwords, and precise locations. There appears to be no way to safely use Orvibo products (Editorial by Bart: if you have one of these devices I think the only way to be safe is to bin them and replace them with alternatives from more trustworthy brands 🙁):
- The original report from security researchers: Orvibo Smart Home Devices Leak Billions of User Records — www.vpnmentor.com/…
- IoT vendor Orvibo gives away treasure trove of user and device data — nakedsecurity.sophos.com/…
- 🇨🇳 China Is Forcing Tourists to Install Text-Stealing Malware at its Border — www.vice.com/… (Editorial by Bart: yet another reason to use only burner devices when travelling to China 🙁)
- Facebook has announced that it’s updating its ranking algorithms to down-rank quackery (outlandish medical claims) — www.macobserver.com/… & nakedsecurity.sophos.com/…
- Apple temporarily turns off Walkie Talkie to fix eavesdropping bug — www.imore.com/…
- 🇺🇸 The Federal Elections Commission have made it clear that political campaigns can accept discounted cybersecurity services without them being considered campaign donations. This could make a very real difference in keeping the 2020 election more secure — krebsonsecurity.com/…
- 🇺🇸 The Federal Trade Commission (FTC) has reportedly approved a roughly $5Bn settlement with Facebook to end a long-running investigation into their uses of personal data. Facebook had set this money aside in their last earnings report, so markets did not punish the company, instead, the stock went up, presumably because they got off ‘lightly’. (Editorial by Bart while this would be a massive fine for most companies, for Facebook this is just a drop in the ocean. I agree with John Gruber’s summation that to Facebook ‘$5 billion is just the cost of doing business’ 🙁) — daringfireball.net/…
- Related Opinion: Facebook’s $5 billion FTC fine is an embarrassing joke — www.theverge.com/…
> Here’s another way to say it: the biggest FTC fine in United States history increased Mark Zuckerberg’s net worth.
> What lesson would you learn from that? Would anyone?
- Related Opinion: Facebook’s $5 billion FTC fine is an embarrassing joke — www.theverge.com/…
- GDPR begins to bite!
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ The complete list of alternatives to all Google products — www.techspot.com/…
- ⭐️ Apple Turns Off Back to My Mac for Everyone — www.macobserver.com/…
- ⭐️ For those of you who own their own domains, this short six-page report from the UK’s NCSC (National Cyber Security Centre) is well worth a read, concise, simple, sensible advice for protecting your domain from hijacking and other forms of abuse: https://www.ncsc.gov.uk/news/ongoing-dns-hijacking-and-mitigation-advice — www.ncsc.gov.uk/…
- Notable Breaches & Privacy Violations
- ⭐️ Amazon Alexa keeps your data with no expiration date, and shares it too — www.cnet.com/…
- ⭐️ Google employees are eavesdropping, even in your living room, VRT NWS has discovered — www.vrt.be/… & Hey, Google, why are your contractors listening to me? — nakedsecurity.sophos.com/…
- ⭐️ 🇯🇵 7-Eleven Japanese customers lose $500,000 due to mobile app flaw — www.zdnet.com/…
- ⭐️ Scary Granny zombie game slurps credentials, spawns phishing attack — nakedsecurity.sophos.com/…
- Dating app Jack’d fined $240K for leaving private photos up for a year — nakedsecurity.sophos.com/…
- MongoDB Database Exposed 188 Million Records — www.macobserver.com/…
- Notable IoT Vulnerabilities
- News
- ⭐️ Security researchers have found that many Android apps ignore users decisions not to grant permission to access certain kinds of data directly, and instead use various techniques to try infer the information in other ways and capture and share it regardless — nakedsecurity.sophos.com/…
- Apple Releases App Store Government Removal Requests — www.macobserver.com/…
- iOS 13 will automatically silence spam and unknown callers using Siri intelligence — 9to5mac.com/…
- Apple tests Face ID and Touch ID sign-in for iCloud․com on iOS 13 and macOS Catalina betas — 9to5mac.com/…
- 🇬🇧 TikTok investigated (again) over how it handles children’s data and safety — nakedsecurity.sophos.com/…
- Cyberattack lands ship in hot water — nakedsecurity.sophos.com/…
- Firefox to include tracker blocking report feature — nakedsecurity.sophos.com/…
- Facebook’s Libra Cryptocurrency:
- 🇺🇸 House Democrats Ask Facebook to Stop Libra Cryptocurrency — www.macobserver.com/…
- 🇺🇸 Fed chief calls for Facebook to halt Libra project until concerns addressed — www.reuters.com/…
- 🇬🇧 Bank of England’s Carney warns Libra: ‘This is not learning on the job stuff’ — uk.finance.yahoo.com/…
- Related Opinion Piece: Nipping Libra in the Bud — mondaynote.com/…
- Opinion & Analysis
- An interesting look at why the infamous Conficker botnet never wreaked the havoc it so easily could have: The Worm That Nearly Ate the Internet — www.nytimes.com/…
- IT pros: we’re understaffed, under-resourced and under pressure — nakedsecurity.sophos.com/…
- 🇬🇧 NHS and Amazon: what is the real cost of this partnership? — privacyinternational.org/…
- Propellor Beanie Territory
- ⭐️ OpenPGP experts targeted by long-feared ‘poisoning’ attack — nakedsecurity.sophos.com/…
- ⭐️ The OpenID Foundation have written an open letter to Apple pointing out what they describe as some weaknesses in Apple’s Sign in with Apple protocol, as well as some ways in which Apple’s protocol differs from theirs (OIDConnect). They go on to request that Apple change Sign in With Apple so it uses OIDConnect. (Editorial by Bart: given that one of the incompatibilities being highlighted is that SIWA does not provide the API calls for the receiving sites/apps to get user details, and that privacy is a core feature for SIWA, I don’t think Apple are interested in being compatible with OIDConnect. Some of the concerns about weaknesses Apple’s design seem reasonable, and hopefully Apple can address them, while the service is still in beta) — nakedsecurity.sophos.com/…
- iOS URL Scheme Susceptible to Hijacking — blog.trendmicro.com/…
- Backdoor discovered in Ruby strong_password library — nakedsecurity.sophos.com/…
Suggested Listening
- 🎧 A good description of the Zoom issue, the OpenID Foundation’s open letter to Apple regarding Sign in With Apple, and the major GDRP fines that made the news this week — The Checklist Episode 145: Zooming on Through — overcast.fm/…
- 🎧 You’ve probably heard the term dark pattern as a term for commonly used design patterns that are designed to harm rather than help users. This episode of Reply All digs into one particularly egregious example of a dark pattern that’s resulting in many Americans needlessly paying Intuit for a service they’re entitled to get for free because of a deal the company struck with the US government. Reply All Episode 144: Dark Pattern — overcast.fm/…
- 🎧 Reply All are on a real roll ATM, their next episode gives a very revealing insight into one of the darker sides of our modern world — the abuse of platforms like YouTube for bullying and harassment. Reply All Episode 145: Louder — overcast.fm/…
Palate Cleansers
- In Honor of Apollo 11, Orbitrack is Free on July 20th — www.macobserver.com/…
- 🎧 Given the NosillaCast’s focus on accessibility, I think listeners will really enjoy this recent 99% Invisible episode: 99% Invisible Episode 360: The Universal Page — overcast.fm/…
Note: When the textual description of a link is part of the link it is the title of the page being linked to when the text describing a link is not part of the link it is a description written by Bart.