Feedback & Followups
- Allison was sceptical that Google really would move to eliminate 3rd-party cookies in 2024, but they put a little wood behind the proverbial arrow this week: Google is phasing out ad personalization for some AdSense products — www.bleepingcomputer.com/…
- We now have confirmation that the 23andMe breach was as bad as we feared: 23andMe confirms hackers stole ancestry data on 6.9 million users — techcrunch.com/…
- Related: 23andMe is updating its TOS to force binding arbitration with a limited opt-out window — stackdiary.com/… & 23andMe updates user agreement to prevent data breach lawsuits — www.bleepingcomputer.com/… (Editorial by Bart: and confirmation of my gut feeling from the start of all this that we are dealing with a company that is user hostile and slimy)
- It briefly looked like there would be an actually safe and secure way for Android users to access the iMessage network, but it very quickly fell apart, and while the company say they will restore access, it seems inevitable to me that they will lose this cat-and-mouse game:
- A nice description of how the service worked, and why it was safe to use: Beeper Mini for Android sends and receives iMessages, no Mac server required — arstechnica.com
- Android iMessage app Beeper mini isn’t working, and Apple probably killed it — appleinsider.com/…
- Apple confirms it blocked Beeper Mini citing security risks — appleinsider.com/…
Deep Dive 1 — A Raft of Un-Patched Vulnerabilities
The remarkable thing about the last two weeks' worth of news is the sheer number of un-patched vulnerabilities that were published (probably not a coincidence, since the Black Hat Europe conference was held recently).
What all these vulnerabilities have in common is that we need to be aware that these risks now exist, and there is no patch yet, so we need to make pro-active choices to accept the risks or alter our behaviour. Thankfully, for all of these vulnerabilities I think it is perfectly reasonable for regular home users to choose to accept the risks and carry on as they were, but those who work with sensitive data, in sensitive industries, or who are likely to be targeted by powerful attackers need to think much more carefully.
Two Bluetooth Problems
The first Bluetooth-related problem to make the news is a collection of vulnerabilities that have been collectively named BLUFFS. These vulnerabilities can be used to break the security of Bluetooth connections by allowing an attacker to insert their device into the middle of a Bluetooth connection, i.e. classic Adversary in the Middle (AiTM) attacks (formerly poorly named Man in the Middle, as if there were human males instead of devices doing the eavesdropping!).
The problems are with the Bluetooth spec itself, not with any particular implementation, so the problem affects all Bluetooth devices that support versions 4.2 to 5.4 (the latest) of the spec.
The solution is for vendors to update their firmware/drivers so as to stop supporting the problematic parts of the spec. That’s going to take time, and lots of devices will never get fixed.
The saving grace here is that attackers need to be within Bluetooth range to use these attacks, so the average person’s exposure is very low.
If you’re in any way at risk, you need to avoid sending any sensitive data across Bluetooth. Bluetooth headsets are an obvious exposure to this risk, so consider switching to a wired headset until BLUFFS has been dealt with. Another approach would be to turn off Bluetooth when you’re in public.
You can read more about BLUFFS here: New BLUFFS attack lets attackers hijack Bluetooth connections — www.bleepingcomputer.com/… & New Bluetooth flaws could let an attacker steal wireless communications — appleinsider.com/…
Just a few days ago an entirely separate Bluetooth bug emerged, but it has no cool name, so it’s just known as CVE-2023-45866. This bug is a more traditional implementation problem rather than a problem with the spec itself, so vendors will be able to fix it, but it seems they’re not in any hurry to do so. For now, the problem exists in Android, iOS, Linux & macOS.
The bug lets an attacker bypass authentication to silently pair a malicious device with the target device and have that device be seen by the victim OS as a keyboard, allowing the attackers to literally inject code!
ATM this even works against iPhones with Lockdown mode enabled!
As with the other Bluetooth bug, the attacker needs to be within Bluetooth range, so the only defence for at-risk people until patches are released is to turn off Bluetooth while out and about in public places.
Note that the keystrokes are not invisible, so just watching out for mystery characters appearing is probably enough of a defence for most!
Read more: New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices — thehackernews.com/… & If you’re using a Magic Keyboard, you’ve opened up an attack vector — appleinsider.com/…
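The defence above is to watch for mystery keystrokes. On Linux there is a second, automatable check: the kernel's HID core logs every input device it accepts, including Bluetooth keyboards, so a log watcher can flag any Bluetooth keyboard whose vendor and product ids are not on your own allowlist. The following is an added example written for this post, not code from the article, from the researchers, or from any vendor. The log lines are constructed to follow the Linux hid-core message format (`<bus>:<vendor>:<product>.<instance>: … <BUS> HID v<ver> <type> [<name>] …`); the vendor/product ids, names and the allowlist are made-up sample values, and the bus id `0005` for Bluetooth is the kernel's `BUS_BLUETOOTH` constant.

```python
"""Flag Bluetooth keyboards in Linux kernel logs that are not on an allowlist.

Added example for the CVE-2023-45866 write-up above; not from the article.
The attack ends with the OS accepting an unauthenticated device as a keyboard,
and on Linux every accepted HID device is logged by hid-core. This watcher
parses those lines and reports Bluetooth keyboards whose vendor:product id is
not one you recognise. All sample values below are constructed.
"""
import re

BUS_BLUETOOTH = 0x0005  # Linux input bus id for Bluetooth HID devices

# Constructed sample kernel log (format modelled on hid-core's "HID v" line).
SAMPLE_LOG = """\
[  120.511] hid-generic 0005:004C:0267.0003: input,hidraw2: BLUETOOTH HID v1.00 Keyboard [Magic Keyboard] on b8:27:eb:00:00:01
[  121.002] usbhid 0003:046D:C52B.0004: input,hidraw3: USB HID v1.11 Mouse [Logitech USB Receiver] on usb-0000:00:14.0-2/input0
[ 3601.777] hid-generic 0005:1234:ABCD.0005: input,hidraw4: BLUETOOTH HID v1.00 Keyboard [Keyboard] on b8:27:eb:00:00:01
"""

# Constructed allowlist: (vendor id, product id) of keyboards you actually own.
KNOWN_KEYBOARDS = {("004c", "0267")}

HID_LINE = re.compile(
    r"(?P<bus>[0-9a-f]{4}):(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\.[0-9a-f]{4}: "
    r"\S+: \w+ HID v[\d.]+ (?P<type>\w+) \[(?P<name>[^\]]*)\]",
    re.IGNORECASE,
)


def find_unexpected_bt_keyboards(log_text: str, known: set[tuple[str, str]]) -> list[dict]:
    """Return one record per Bluetooth keyboard whose vendor:product id is not in `known`."""
    hits = []
    for line in log_text.splitlines():
        m = HID_LINE.search(line)
        if not m:
            continue
        if int(m["bus"], 16) != BUS_BLUETOOTH or m["type"] != "Keyboard":
            continue  # USB devices and non-keyboards are out of scope here
        vid, pid = m["vid"].lower(), m["pid"].lower()
        if (vid, pid) not in known:
            hits.append({"name": m["name"], "vid": vid, "pid": pid, "line": line.strip()})
    return hits


if __name__ == "__main__":
    # Typical use: pipe `dmesg` (or a journal export) into this script.
    for hit in find_unexpected_bt_keyboards(SAMPLE_LOG, KNOWN_KEYBOARDS):
        print(f"UNEXPECTED Bluetooth keyboard {hit['vid']}:{hit['pid']} [{hit['name']}]")
```

Matching is done on the vendor:product id rather than the trailing `on …` address, because for Bluetooth HID that field is the local adapter, not the remote device. A generic id such as the `1234:ABCD` in the sample is exactly what a pairing you never performed would look like, and it is the cue to turn Bluetooth off and remove the device.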
LogoFAIL — A flaw in Many UEFI Firmwares
Security researchers found that many motherboard vendors ship UEFI firmware that bundles out-of-date versions of image processing libraries, and that persistent malware can be loaded into these computers via a malicious logo file.
Unfortunately the problem is widespread:
“The flaws affect all major IBVs (Independent BIOS Vendors) like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.”
(I’ve not seen Apple listed as affected anywhere.)
What makes these attacks extra dangerous is that cryptographic protections like Secure Boot & Intel Boot Guard don’t include logo files in their integrity checks, so this malware won’t trigger any boot errors, and because the malware is in the firmware, it will survive even a nuke-and-pave reinstall of the OS.
While vendors will patch these problems and issue driver and firmware updates, older boards are unlikely to get fixed, and very few users actually apply updates for their motherboards, so there are likely to be many vulnerable PCs for a long time.
To trigger this bug an attacker needs to get malware running on the targeted PC to write the malicious logo into UEFI’s storage area, so the best defence is definitely prevention — good old AV and common sense to stop any malware from running, and to stop you from being tricked into installing a Trojan, are the best we can do to protect ourselves, at least for now.
More information: LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks — thehackernews.com/…
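The root cause described above is an image parser that trusts the size fields inside the logo file. To make that concrete, here is an added example (written for this post, not code from the article, the researchers, or any firmware vendor) of the header validation a BMP parser should do before it allocates or writes pixel data. BMP is one of the logo formats UEFI firmware accepts; the two limits `MAX_DIMENSION` and `MAX_PIXEL_BYTES` are assumed values chosen for a boot logo, and the sample images are constructed in the script.

```python
"""Validate a BMP header before decoding it.

Added example for the LogoFAIL section; not from the article. A parser that
computes width * height * bpp from untrusted header fields and then writes that
many bytes is the class of bug behind LogoFAIL. The checks below bound every
field before it is used for a size or an offset. Limits are assumptions.
"""
import struct

MAX_DIMENSION = 4096                 # assumed ceiling for a boot-logo side (pixels)
MAX_PIXEL_BYTES = 64 * 1024 * 1024   # assumed ceiling for decoded pixel data

FILE_HEADER = struct.Struct("<2sIHHI")       # magic, file size, reserved x2, pixel offset (14 bytes)
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER (40 bytes)
HEADERS_SIZE = FILE_HEADER.size + INFO_HEADER.size


class BadBmp(ValueError):
    """Raised when a header field is inconsistent or out of bounds."""


def validate_bmp(data: bytes) -> dict:
    """Return the geometry of `data` if its header is safe to decode, else raise BadBmp."""
    if len(data) < HEADERS_SIZE:
        raise BadBmp("truncated header")
    magic, _file_size, _, _, pixel_offset = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise BadBmp("not a BMP")
    (hdr_size, width, height, planes, bpp, compression,
     _img_size, _, _, _, _) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if hdr_size < INFO_HEADER.size:
        raise BadBmp("unsupported info header size")
    if planes != 1 or bpp not in (1, 4, 8, 24, 32):
        raise BadBmp("unsupported planes/bpp")
    if compression != 0:
        raise BadBmp("compressed BMP rejected")
    # A negative height means top-down rows; only the magnitude matters for sizing.
    abs_height = abs(height)
    if not (0 < width <= MAX_DIMENSION and 0 < abs_height <= MAX_DIMENSION):
        raise BadBmp("unreasonable dimensions")
    # Rows are padded to 4 bytes. Capping width first is what keeps a 32-bit
    # width * bpp product from wrapping in a C implementation.
    stride = ((width * bpp + 31) // 32) * 4
    needed = stride * abs_height
    if needed > MAX_PIXEL_BYTES:
        raise BadBmp("pixel buffer too large")
    # Offsets are checked against the bytes we really have, never the header's file size.
    if pixel_offset < FILE_HEADER.size + hdr_size or pixel_offset > len(data):
        raise BadBmp("pixel offset outside file")
    if pixel_offset + needed > len(data):
        raise BadBmp("pixel data truncated")
    return {"width": width, "height": abs_height, "bpp": bpp,
            "stride": stride, "pixel_offset": pixel_offset}


def build_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Construct a minimal, well-formed uncompressed BMP of all-zero pixels (sample data)."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytes(stride * height)
    info = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, 0,
                            len(pixels), 2835, 2835, 0, 0)
    head = FILE_HEADER.pack(b"BM", HEADERS_SIZE + len(pixels), 0, 0, HEADERS_SIZE)
    return head + info + pixels


# Constructed samples: a sane 16x8 logo, the same bytes with an absurd width
# patched into the header, and a copy cut short after the header.
GOOD_LOGO = build_bmp(16, 8)
_evil = bytearray(GOOD_LOGO)
struct.pack_into("<i", _evil, FILE_HEADER.size + 4, 0x7FFFFFFF)  # width field
EVIL_LOGO = bytes(_evil)
TRUNCATED_LOGO = GOOD_LOGO[:100]


def check(data: bytes) -> str:
    """Human-readable verdict used by the demo and the tests."""
    try:
        geom = validate_bmp(data)
        return f"ok {geom['width']}x{geom['height']}@{geom['bpp']}"
    except BadBmp as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, img in (("good", GOOD_LOGO), ("evil", EVIL_LOGO), ("truncated", TRUNCATED_LOGO)):
        print(f"{label:9s} -> {check(img)}")
```

The point of the example is the ordering: dimensions are bounded before any product is formed, and the product is compared against the real buffer length rather than the file-size field the attacker also controls. A firmware parser that did this would decode the planted logo as "rejected" and fall back to its default image instead of corrupting memory.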
SLAM Another Speculative Execution Bug, This One Affecting Future CPUs!
At this stage another speculative execution bug hardly seems like news, but this one is a little special in that it exploits a very new technology that’s only just begun to be rolled out on a few AMD CPUs, and has yet to be released on Intel CPUs.
The fix seems to be for app developers to avoid the vulnerable feature in the parts of their code that handle secure content. A lot of speculative execution fixes rely on developers/compilers to avoid certain optimisations in sensitive parts of their code, while allowing other parts of their code to benefit from the speedups offered by speculative execution.
For now, it’s developers and OS vendors that need to worry about this, not regular users, but it is noteworthy that there is still no end in sight to this problem.
Read more: New SLAM attack steals sensitive data from AMD, future Intel CPUs — www.bleepingcomputer.com/…
5Ghoul 5G Bugs in Qualcomm & MediaTek Chips
A collection of bugs has been found in popular 5G chips that could allow an attacker to disconnect victims from 5G. Some of the bugs cause the 5G chips to lock up until the device is rebooted, others cause the chips to downgrade the user to 4G, which has lots of known weaknesses.
At least for now, none of the attacks can trigger any kind of remote code execution, so this is just denial of service. As we know, attacks only get better over time, so remote code execution could become possible in future, but for now, this is most likely to be nothing more than an inconvenience.
Read more: New 5Ghoul attack impacts 5G phones with Qualcomm, MediaTek chips — www.bleepingcomputer.com/…
AutoSpill Password Manager Bug in Android
All password managers that use the built-in Android APIs for password managers can be tricked into leaking passwords by malicious apps. This includes big-name password managers like 1Password, LastPass, KeePass & Keeper.
The vendors are all working on workarounds, and there is sure to be a fix in Android itself soon too, but for now, there is no fix.
The key point is that this flaw can only be attacked by malware running on the device, so the best protection from having malware steal your password is not to install the malware on your device in the first place!
Read more: AutoSpill attack steals credentials from Android password managers — www.bleepingcomputer.com/…
Deep Dive 2 — A Whole New Spying Vector
Thanks to a public letter from Oregon Senator Ron Wyden, we now know that the US government has been forcing Apple & Google to hand over push notification data to US law enforcement, and to do so under a gag order because the program was secret.
The metadata around push notifications can be very revealing, with one of its biggest features being its ability to link supposedly anonymous IDs on other services to an Apple ID, and hence, to a specific person.
Apart from us now knowing this is happening, the second biggest outcome is that Apple and Google are now freed from the gag order because there is no secret to keep anymore, and both have promised to include details of these kinds of requests in future transparency reports.
One interesting detail is that Apple and Google had differing policies around these requests — Apple just required a subpoena, which does not always need approval from a judge, but Google required a court order, which does.
Links:
- US senator: Govts spy on Apple, Google users via mobile notifications — www.bleepingcomputer.com/…
- Apple admits to secretly giving governments push notification data — arstechnica.com
- Senator’s paranoia opens door for Apple to speak out on government censorship — appleinsider.com/…
- Apple Requires Only a Subpoena to Turn Over Push Notification Tokens to Law Enforcement; Google Requires a Court Order — daringfireball.net/…
❗ Action Alerts
- Google Chrome emergency update fixes 6th zero-day exploited in 2023 — www.bleepingcomputer.com/…
- Other Chromium-based browsers like Edge & Brave also vulnerable: www.intego.com/…
- Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws — thehackernews.com/… & WebKit Zero-Day Vulnerabilities Prompt iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, and Safari 17.1.2 — tidbits.com/…
- If you’re running OwnCloud on your NAS, be sure it’s patched: Hackers start exploiting critical ownCloud flaw, patch now — www.bleepingcomputer.com/…
- If you have a Zyxel NAS, be sure it’s patched: Zyxel warns of multiple critical vulnerabilities in NAS devices — www.bleepingcomputer.com/…
- As soon as your vendor lets you patch your Android phone, do it: December Android updates fix critical zero-click RCE flaw — www.bleepingcomputer.com/…
Worthy Warnings
- WordPress security specialists WordFence are warning of a new spear-phishing tactic being directed at WordPress site owners – fake emails pretending to be from ‘The WordPress Security Team’ warning you of a supposed vulnerability in a plugin, and offering a download link to a malicious plugin which installs a backdoor to allow the hackers to completely take over the site — www.wordfence.com/…
Notable News
- A wrong-headed and factually inaccurate meme spread like wildfire on US law enforcement social media warning users of fictitious dangers in the latest iOS: NameDrop is safe and convenient — www.cultofmac.com/… & Push Back on NameDrop Privacy Insinuations — tidbits.com/…
- An example of the positive security and privacy benefits AI can bring: Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails — thehackernews.com/…
-
- Editorial by Bart: these are just guidelines, so nowhere near all that’s needed, but these things need to start somewhere, and this is a decent start, so I find a lot of the criticism too pessimistic.
- Example Criticism: New multi-national AI security guidelines are toothless and weak — appleinsider.com/…
- A nice pair of security & privacy updates from Meta:
Palate Cleansers
- From Bart: An episode of the Computer podcast from RedHat that seems very relevant to the NosillaCast audience – advice on how to keep learning: Compiler: Continuing Education — overcast.fm/…
- From Allison: 1984 Radio Shack commercial – a “fully portable cell phone for only $2500!” In 2023 dollars that would be $7400. www.tiktok.com/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or, “no need to light your hair on fire”. |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |
Security Bits — 10 December 2023