Security Bits — 9 January 2022

Feedback & Followups

• Log4Shell (Log4J):
  • Log4Shell-like security hole found in popular Java SQL database engine H2 — nakedsecurity.sophos.com/…
  • 🇺🇸 FTC threatens “legal action” over unpatched Log4j and other vulns — nakedsecurity.sophos.com/…
• 🇬🇧 Meta (né Facebook) have decided to appeal the recent ruling by the UK Competition & Markets Authority (CMA) to the Competition Appeal Tribunal — www.macobserver.com/…
  • Facebook-owner Meta sets out grounds for UK appeal on Giphy — www.reuters.com/…
• As expected, in the wake of Pegasus, other grey-ware companies are coming under scrutiny: Saudi Human Rights Activist, Represented by EFF, Sues Spyware Maker DarkMatter For Violating U.S. Anti-Hacking and International Human Rights Laws — www.eff.org/…

Deep Dive — The NoReboot iOS Bug

First off — don’t panic, the sky is not falling, but, an interesting new approach to attacking iOS devices has emerged — fake it till you make it (kinda).

TL;DR — you’re not likely to fall victim to this vulnerability unless you’re a very high profile target, and even then this is not a bug that lets malware in, but that lets malware that got in some other way do more bad things. The best defence is not to let malware in the first place by keeping your devices patched!

Attacking iOS devices is hard, and even when you break through one layer of security, you don’t get very far because Apple have adopted a defence in depth strategy. To start doing malicious things on iOS devices usually requires bypassing multiple security systems, so attackers need to chain multiple exploits together to get anywhere.

Attackers don’t just want to run malicious code on your devices once, they want to keep it running as long as possible, so, they want to make alterations to your copy of iOS so their malicious software will get re-started on reboot. The jargon for this is persistence.

Persistence on iOS is hard — very hard. This is because one of Apple’s most tested and yet most successful layers of protection is iOS’s secure boot process. Altered versions of iOS simply will not boot! This is why rebooting an iOS device regularly is a great defence against spyware — if someone does manage to hack your device once, when you reboot, things will be back to normal. Even Pegasus couldn’t survive a reboot!

That’s what makes the new NoReboot vulnerability so interesting — the attack doesn’t actually solve the persistence problem, it fakes it by blocking actual reboots and replacing them with fake reboots.

The attack exploits a bug in the iOS shutdown sequence to interrupt and halt the process, and then proceed to make the phone appear to shut down without actually shutting down. The screen goes blank, calls don’t come through, and there are no notifications or haptics. It looks and feels to a human like the device is powered down. But, it’s actually running, and the malicious code can keep doing its thing. I can of course simulate iOS booting up, and then let you continue to use your still malware-infested phone as before. You can watch a video demonstration of this in action here thanks to Marianne in our Slack.

Note that this attack can only work as part of a chain. Before malware can make use of this approach to achieve persistence by faking a reboot, malware has to already be running on the system! This means that the best defence against attacks like these remains the same — keep your devices patched so malware can’t easily get in the first place!

Also note that Apple are almost certain to fix the vulnerability allowing malware to hijack the shutdown/reboot event, making this attack impossible, at least without discovering a whole new way to intercept the reboot process.

Links

• ‘NoReboot’ is an iOS Bug That Can Fake a Shutdown to Trick You — www.macobserver.com/…

Worthy Warnings

• 🇺🇸 T-Mobile USA suffered another data breach, and this time it seems to be fewer people much worse affected — victims either had their account data leaked, their SIM swapped, or both. The company is refusing to give even the most basic details, like how many users were affected, they will only say it was “a very small number of customers”, and is not explaining what happened, or how the weakness has been addressed — www.macobserver.com/… & www.bleepingcomputer.com/…
  • Editorial by Bart: this refusal to be transparent is a massive red flag IMO, if I were to have been a customer, I would no longer be!
• Take Note: there’s a bug in iOS that causes Messages to intermittently send read receipts even when it’s configured not to. There’s no clarity yet on the details, but if you depend on read receipts not being sent, stop using Messages until this gets patched! — www.imore.com/…
• Be Aware: there’s a half-patched bug in iOS that allows any person or app with the rights to add or alter HomeKit devices in a home you are a member of to hard-crash your iOS devices (they’ll need a full factory reset to recover). The bug is triggered by device names many thousands of characters long. Apple have patched the iOS Home app to stop long names being entered, but not addressing the underlying bug, so a person with an older version of iOS, or an app using the HomeKit API can still trigger the bug. Until this gets patched, only grant apps and people you trust access to your Home, and only accept access to Homes from people you trust. — nakedsecurity.sophos.com/…
• Instagram copyright infringement scams – don’t get sucked in! — nakedsecurity.sophos.com/…

Notable News

• 🇺🇸 This years’ NDAA (National Defense Authorization Act) has been signed into law, and it contains some cybersecurity changes — www.nextgov.com/…
  • CISA mandated to update their incidence response plan biennially (every other year) and to work with private and government agencies to build an exercise program to test it
  • The National Guard is mandated to provide cyber security support services for critical infrastructure
  • A grant program is being established in DHSS to foster cybersecurity collaboration between the public and private sectors
  • Existing collaborations between CISA and the private sector are formalised
  • Somewhat controversially, the participation of the private sector remains voluntary, even though there were bi-partisan calls for mandatory disclosure rules

Top Tips

• How to Use Two-Factor Authentication for Your Apple ID and iCloud Account – The Mac Security Blog — www.intego.com/…

Excellent Explainers

• Apple have released a white-paper describing Private Relay in greater detail than they have before — www.apple.com/… (PDF)
• 🎧 Ken Ray expertly illuminates the details of Apple’s new Legacy Contacts feature: Checklist 261: Apple and Legacy Contacts — overcast.fm/…
• An excellent explainer of the morality of cryptocurrency, and the problems with both proof of work and proof of stake: Blockchain: Explaining the Negative Backlash Over Mozilla’s Crypto Donation Option — www.macobserver.com/…
• Off-topic: A superb explainer on all the complexities of USB: USBefuddled: Untangling the Rat’s Nest of USB-C Standards and Cables — tidbits.com/…

Interesting Insights

• An impressive breakdown of the malware that attacked Macs in 2021: Objective-See’s Blog — objective-see.com/…

Just Because it’s Cool 😎

• A fun bit of nerdy detective work into a very odd date bug triggered by entering the year 2022: Honda cars in flashback to 2002 – “Can’t Get You Out Of My Head” — nakedsecurity.sophos.com/…

Palate Cleansers

• iPhone 13 Pro and Pro Max Teardown Wallpapers — www.ifixit.com/…
• 🎦 A free full documentary by the Verge: Springboard: the secret history of the first real smartphone — youtube.com/…
• 🎧 Podcast Recommendation: Malicious Life by Cybereason — malicious.life
• 🎧 A podcast recommendation from Dave Hay in the NosillaCast Slack community: The Hackers — www.bbc.co.uk/…
• 🎧 A podcast recommendation from Allison – by NosillaCastaway Jill McKinley Start With Small Things

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji	Meaning
🎧	A link to audio content, probably a podcast.
❗	A call to action.
flag	The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊	A link to graphical content, probably a chart, graph, or diagram.
🧯	A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵	A link to an article behind a paywall.
📌	A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩	A tip of the hat to thank a member of the community for bringing the story to our attention.