Followup
- Bluetooth permissions on iOS
- A nice article explaining some of the most common legitimate reasons apps may request Bluetooth access: Here’s why so many apps are asking to use Bluetooth on iOS 13 — www.theverge.com/…
- Cloudflare’s WARP VPN has finally been released — blog.cloudflare.com/…, nakedsecurity.sophos.com/… & www.imore.com/…
- Note that VPNs can provide encryption and anonymization, but they don’t have to. Depending on how they are configured they can provide one, or the other, neither, or both! In this case, WARP provides encryption, but not anonymization. I.e., when using WARP VPN your source IP address will not be hidden, but your traffic will be encrypted from your machine as far as Cloudflare’s VPN servers.
- There is a free version which has some limitations, and a paid version which offers much faster speeds.
- The Siri grading (human review) kerfuffle:
- Apple has started hiring for in-house reviewers — www.imore.com/…
- The continuing rollout of DNS over HTTPS (DoH):
- 🇺🇸 US ISPs are very worried by Google’s moves to switch to DoH, and have written a letter to the House Judiciary Committee asking them to investigate. The letter is concerned that Google is changing people over to their infrastructure, which is not true, and that DoH makes it impossible for them to track their users like they do now. (Editorial by Bart: IMO this proves the need for DoH to be rolled out ASAP, DNS really is being abused by our ISPs to invade our privacy!) — arstechnica.com/…
- Malicious Lightning cables:
- This threat is becoming more real as the hacker who presented his home-made cable at a recent security conference is moving to mass production. The cables are being sold as tools for security testers, but there is no evidence there will be any controls in place to prevent their sale to malicious actors, so we all need to learn to be wary of cables offered to us by others — nakedsecurity.sophos.com/… & www.imore.com/…
Security Medium 1 — The Checkm8 iOS Device Bootloader Bug
A veteran of the jail breaking community has released details of a bug in the low-level boot loader used by iOS devices with SOCs (Systems on a Chip) from the A5 up to and including the A11.
That means the following iOS devices are affected:
- iPhones from the iPhone 4S up to and including the iPhone X
- iPad generations 2 to 7 (inclusive)
- iPad Mini generations 1 to 4 (inclusive)
- iPad Pro generation 1 & 2
- iPod Touch generations 5 to 7 (inclusive)
That means the following newer iOS devices are not affected:
- iPhone XS, iPhone XR, and iPhones 11
- iPad Air generation 3
- iPad Mini generation 5
- iPad Pro generation 3
A boot loader is a very low-level component that starts the process of booting a device. It’s so low-level it can’t even be patched with a firmware update. The only possible protection would be some sort of work-around in higher level firmware, but the security researcher who found the bug does not believe that’s possible in this case.
From a security point of view, one of the vital tasks performed by the iOS boot loader is the validation of the digital signature of the OS it is about to load. This is what prevents iPhones from running OSes not digitally signed by Apple, i.e. it is what protects users from attackers installing malicious OSes, and also what stops people running un-signed OSes on their own devices, i.e. jail breaking.
The good news is that this low-level bug is only exploitable while the phone is tethered to a computer, so physical access is needed, and more importantly still, the exploit is not persistent, so the device has to be tethered each time it boots to keep an un-signed OS running.
Another very important point to note is that the ability to install un-signed OSes does not in any way bypass the protections offered by the secure enclave and the biometrics and cryptographic keys it protects. This means this vulnerability can’t be used to break into a locked device.
It’s also important to note that what the security researcher released is an exploit, not a functional product of any kind. It was immediately obvious that this is the kind of vulnerability that’s ideally suited to form the basis of a jailbreaking tool, so unsurprisingly, one has already been released!
This is a big deal for jail breakers, because it means they should now have a reliable jailbreak that Apple can’t block with a future iOS update, but, it probably has surprisingly little impact on the rest of us.
The biggest danger this exploit presents is to high-value targets who might be subject to state-sponsored surveillance, industrial espionage, or high-level cyber crime. For example civil rights campaigners or lawyers, government workers, officials, or elected representatives, and C-level executives in large corporations. The danger would be that if any of these people lost physical control of their phone it could be silently jail broken and malware could be installed without their knowledge. For these people, the simplest protection is to upgrade to more modern iOS devices that are not affected, or, to reboot their device each time it is removed from their presence. TBH, each new iteration of Apple hardware adds more advanced security protections, so upgrading is good advice to high-value targets regardless of this bug’s existence!
Ironically this bug might actually make regular folks more secure! How? By making it easier for security researchers to explore the innards of iOS and responsibly report any vulnerabilities they find to Apple.
Bottom line — high value targets should consider upgrading their iOS devices to ones running the most modern SOCs, and the rest of us should carry on with our lives without setting our proverbial hair on fire 🙂 🧯
Links
- New ‘unpatchable’ iOS exploit could lead to permanent jailbreak for iPhone 4s to iPhone X — 9to5mac.com/…
- Unpatchable bug in millions of iOS devices exploited, developer claims — arstechnica.com/…
- New exploit could lead to permanent jailbreak on iPhone X and older — www.imore.com/…
- Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer — arstechnica.com
- From the Editor’s Desk: Congratulations jailbreakers! Checkm8 lives — www.imore.com/…
- New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips — www.zdnet.com/…
- Checkm8, the iPhone 4s to iPhone X bootrom exploit, explained — www.imore.com/…
- Checkm8 jailbreak and AltStore put cracks in Apple’s walled garden — nakedsecurity.sophos.com/…
Notable Security Updates
- Microsoft rushes out fix for Internet Explorer zero-day — nakedsecurity.sophos.com/…
- Apple patch just about everything, and not just once — support.apple.com/…
- iOS & iPadOS have been updated multiple times to address both bugs and security vulnerabilities. The latest version is 13.1.2.
- The series of patches includes a fix for a permissions problem that granted 3rd-party keyboards more access to user data than they should have gotten — www.imore.com/…
- The fixes also included a patch for the last of a series of bugs presented at the Black Hat conference a few weeks ago — nakedsecurity.sophos.com/…
- As well as patching iOS 13, Apple also patched iOS 12 which is now at 12.4.2, so there is some additional protection for older devices too.
- WatchOS for modern watches has been updated to version 6.0.1, but Apple also updated watchOS 5 to 5.3.2 so Series 1 & 2 watches get some security updates too — Apple releases watchOS 5.3.2 for Apple Watch Series 1 and Series 2 — www.imore.com/…
- macOS has been updated to 10.14.6, and Mojave, Sierra & High Sierra have been updated with Supplemental Update 2
- WhatsApp for Android has been updated to patch a critical remote code execution bug — nakedsecurity.sophos.com/…
Notable News
- Security researchers have uncovered a flaw in PDF’s encryption specification, and have named it PDFex. The bottom line is that PDF encryption is less secure than we thought, so it should not be relied on to protect sensitive documents, we’ll need to wrap our own encryption around our sensitive PDFs before emailing them etc. — nakedsecurity.sophos.com/…
- Facebook has deleted ‘tens of thousands’ of apps for data abuse as part of its investigations into the Cambridge Analytica scandal — nakedsecurity.sophos.com/… & daringfireball.net/…
- The UK, US & Australian governments have jointly written to Facebook asking them to halt their rollout of end-to-end encryption, or at least give them a backdoor — www.imore.com/… & www.macobserver.com/…
- TikTok Bans Political Ads in U.S. and EU — www.macobserver.com/…
- The ECJ (European Court of Justice) has released two potentially confusing rulings affecting tech companies:
- Ruling on a case brought by Google, the ECJ rules that the so-called right to be forgotten does not extend outside the EU. The ruling does make it clear that Google must make efforts to hide affected search results from EU visitors, regardless of the Google domain they use to access the content (google.fr -v- google.com etc.), but Google do not have to block the results for locations outside the EU — nakedsecurity.sophos.com/…
- In a case brought against Facebook by an Austrian politician the ECJ has ruled that European courts can order companies to completely remove content found to be illegal from their systems, including duplicates or near-duplicates of the illegal material
- Google provided a good illustration of why Apple’s System Integrity Protection (SIP) is a good idea, and why you should leave it enabled – a bug in Google’s auto-updater deleted system files macOS needs to boot, but SIP prevented the deletions. Affected Macs with SIP disabled became unbootable, while Macs with SIP were just fine — tidbits.com/…
- 🇺🇸 The Voting Village hacker challenge at the Defcon security conference has shown that US voting machines are easy to hack — nakedsecurity.sophos.com/…
- The OpenID Foundation has confirmed that Sign In With Apple is compatible with the OpenID standard, and have praised Apple for addressing all the security and compatibility issues they’d raised earlier in the summer during the beta process. They still point to some non-security-related room for improvement, but there could be privacy implications to some of their quibbles with SIWA, so Apple may choose not to implement some or all of these suggestions — www.macobserver.com/… & www.imore.com/…
- DuckDuckGo conducted a survey of US adults (the population in general, not DuckDuckGo users) and found that almost 4 out of 5 had taken some kind of pro-active action to protect their privacy on social media, by deleting accounts, tweaking settings, or reducing usage. Almost a quarter had deleted a social media profile due to privacy concerns (Editorial by Bart: it seems the recent privacy scandals are having an effect on regular folks in the real world after all) — spreadprivacy.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
- ⭐️ DoorDash reveals 4.9 million accounts affected by server breach — www.imore.com/…
- ⭐️ ‘Words With Friends’ Data Breach Affects 218 Million — www.macobserver.com/…
- ⭐️ Vimeo sued for storing faceprints of people without their say-so — nakedsecurity.sophos.com/…
- Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts — nakedsecurity.sophos.com/…
- Notable IoT Vulnerabilities
- News
- ⭐️ Twitter’s new DM abuse filter is rolling out to everyone — www.imore.com/…
- Apple restricts old adblocking tech — nakedsecurity.sophos.com/…
- iOS and macOS users served up 1 Billion popups thanks to Chrome and Safari exploits — www.imore.com/…
- Google News:
- ⭐️ Google brings Incognito mode to Maps — nakedsecurity.sophos.com/…
- Google will move their password checker from a plugin into the core browser in an up-coming release. The change is already in the early beta versions — nakedsecurity.sophos.com/…
- Google made thousands of deepfakes to aid detection efforts — nakedsecurity.sophos.com/…
- Google pulls more fake adblockers from Chrome Web Store — nakedsecurity.sophos.com/…
- ‘Fleeceware’ Play store apps quietly charging up to $250 — nakedsecurity.sophos.com/…
- 🇬🇧 U.K. lawsuit against Google over iPhone privacy reinstated — www.imore.com/…
- Facebook News:
- Outlook on the web bans a further 38 file types — nakedsecurity.sophos.com/…
- 🇺🇸 White House Blocks Audit of its Offensive Hacking Strategy — www.macobserver.com/…
- Opinion & Analysis
- Propellor Beanie Territory
- ⭐️ TL;DR if you’ve installed the WordPress plugin Rich Reviews, delete it ASAP and make sure your site has not been hacked — Hackers are infecting WordPress sites via a defunct plug-in — nakedsecurity.sophos.com/…
- ⭐️ Cloudflare, Chrome, and Firefox Launch HTTP/3 — www.macobserver.com/…
- Exim suffers another ‘critical’ remote code execution flaw — nakedsecurity.sophos.com/…
- Could EarEcho change the way we authenticate our phones? — nakedsecurity.sophos.com/…
Suggested Listening
- 🎧 A fascinating exploration of a years-long campaign of hacking into supposedly friendly countries by the UK’s GCHQ that was uncovered when their malware was detected within the Belgian ISP Belgacom (now Proximus). Why Belgacom? They provide services to EU institutions based in Belgium: Darknet Diaries Ep 48: Operation Socialist — overcast.fm/…
- 🎧 The first series of Sleepwalkers is now complete (there is a second one in the works). This 10-part miniseries takes a frank look at both the dangers and opportunities offered by AI, and highlights the fact that whether we like it or not, AI is happening, and we need to start making decisions about how we’re going to regulate and manage an AI-rich world. This is not a doom-and-gloom show hyping all the negatives to try scare you, it’s a balanced look at the real dangers, and, the very real opportunities AI brings: Sleepwalkers — www.sleepwalkerspodcast.com
- 🎧 An interesting interview with Microsoft president Brad Smith exploring the big question “how do we ensure our astonishing technological advances are harnessed for good, not harm?” — HARDtalk: President of Microsoft – Brad Smith — overcast.fm/…
Palate Cleansers
- Transparent USB Data Blocker on Amazon
- How Allison feels when doing her Programming By Stealth homework: Cat’s 6th attempt to jump on the counter
Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.