Security

Motherboard:

Hackers have been breaking into iPhones allegedly using a powerful spy tool sold to governments and taking advantage of a previously unknown vulnerability in the popular messaging app WhatsApp.

The hacking tool, as well as the WhatsApp exploit, were made by the infamous Israeli hacking and surveillance tool vendor NSO Group, according to The Financial Times, which first reported the story on Monday.

And:

“The simple reality is there are so many 0-day exploits for iOS,” Stefan Esser, a security researcher that specializes in iOS, wrote on Twitter. “And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.”

And:

As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks. Moreover, iOS is so locked down that without hacking or jailbreaking it first, even a talented security researcher can do very little analysis on it.

Not clear to me if that “0-day exploits” comment is true. After all, if you don’t have the tools to break in, how would you know. But the article does make interesting points. Are there exploit-detecting tools running behind the scenes on iOS, reporting back to Apple if anything is amiss? Or is it more like, the vault is so secure we don’t need guards?

NFC World:

Apple will expand the iPhone’s NFC chip reading capabilities before the end of 2019 so that it can be used to read data stored in security chips like those used in passports, according to comments made by the UK government.

And:

The iPhone’s NFC functionality is currently restricted so that it is only able to read NDEF data, so the UK government has been unable to make its EU Exit app available to EU citizens with an iPhone.

The app is available currently on Android devices only.

And:

“I’m also pleased to confirm that Apple will make the identity document check app available on their devices by the end of the year,” says Home Secretary Sajid Javid.

NFC tag reading was added to Apple Watch and iOS with the release of iOS 11. This appears to be expanding the type of tags iOS can read so the UK government can use an iOS app to verify identities.

[VIDEO] Joanna Stern got a hacker to try to break into her various webcams. The video is embedded in the main Loop post.

Is putting tape over your webcam justified, or more like putting on a tinfoil hat? I’m in the former camp.

Clearly, keeping up with your various system updates will throw plenty of roadblocks in the way of a hacker, but plenty of people don’t do this.

Reuters:

Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards.

That outside firm was Nardello & Co. From the Nordello web site:

Nardello & Co. is a global investigations firm with experienced professionals handling a broad range of issues including the FCPA/UK Bribery Act and other corruption-related investigations, civil and white collar criminal litigation support, asset tracing, strategic intelligence and political risk assessment, computer forensics and reputational due diligence.

Digging a bit more, this seems to fall into their Digital Investigations & Cyber Defense Division, headed by Mark Ray. From Mark Ray’s page:

Mark was a Director in PricewaterhouseCoopers’s Incident Response practice and led the firm’s US Cyber Threat Intelligence Center. Prior to joining PwC, Mark had a distinguished career as a Special Agent with the FBI’s Cyber Division, where he led several of the FBI’s most preeminent criminal and national security cyber investigations.

Impressive CV. Wondering where this goes from here. Bloomberg sticking to their guns?

As a reminder, here’s a link to the original Bloomberg article that started this all.

Benjamin Mayo, 9to5Mac:

We haven’t quite yet worked out the pattern or the cause but we have received many reports of users waking up to find that their Apple ID has been locked, and plenty more are complaining on social media.

And:

You will know if your account has been locked because iOS will present an alert in settings that says some Apple ID settings must be updated.

I’ve seen lots of reports of people complaining about being locked out of their Apple ID accounts. Not clear if this is related to a single security event, such as a particularly widely spread phishing scheme or a security break-in, or if this is some internal issue at Apple.

A couple of links associated with Apple’s updated privacy portal:

• This Apple support document will walk you through the process of getting a copy of the data associated with your Apple ID account.

• This is the link to your privacy portal page. Log in with your Apple ID, do the two-factor dance, and grab a copy of your updated data.

• This article by Rene Ritchie is an interesting read: Apple’s updated privacy site and why it matters.

A snippet:

Apple, as a matter of company policy, believes privacy is a fundamental human right. From Tim Cook at the very top to engineers on the front line, this belief permeates Apple and drives the company’s product development process every bit as much as the technology itself. As much as Apple is designing for experience and for accessibility, the company is also designing for security and privacy.

The more I read, the more I learn about the big tech companies, I do believe this about Apple, and I do believe Apple is the only company of the majors that has this commitment.

Oleg Afonin, ElcomSoft:

Activation Lock, or iCloud Lock, is a feature of Find My iPhone, Apple’s proprietary implementation of a much wider protection system generally referred as Factory Reset Protection (FRP). Factory Reset Protection, or “kill switch”, is regulated in the US via the Smartphone Theft Prevention Act of 2015. The Act requires device manufacturers to feature a so-called “kill switch” allowing legitimate users to remotely wipe and lock devices. The purpose of the kill switch was to discourage smartphone theft by dramatically reducing resale value of stolen devices.

According to Apple, “Activation Lock is a feature that’s designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it’s ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone. … Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.”

Follow the headline link, nice explainer.

This is the actual letter Apple sent to Congress calling the recent Bloomberg account of compromised servers and a spy chip untrue.

This is interesting both for the content of the letter (it’s short, an easy read) and the fact that you are seeing a copy of the actual letter.

Glenn Fleishman, TidBITS:

Many Web sites and apps now offer two-factor authentication (2FA), which requires you to enter a short numeric code—the so-called second factor—in addition to your username and password. These temporary codes are either sent to you via text message or are generated by an authentication app. In iOS 12 and macOS 10.14 Mojave, Apple has streamlined entering such codes when sent via an SMS text message, reducing multiple steps and keyboard entry to a single tap or click.

I explain just below how this new feature works, but I also want to raise a caution flag. SMS is no longer a reliable way to send a second factor because it’s too easy for even small-time attackers to intercept those messages.

Read the article, especially the section titled “It’s Easy to Hijack SMS Codes”.

From this morning’s Bloomberg report titled The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

And:

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

Apple’s response to Bloomberg:

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote. “We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn’t directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.” The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.

And another Apple reply, from this CNBC article:

Apple has issued strong denials of the report, stating: “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”

The Bloomberg article is a fascinating read. Scary possibilities, and amazing that someone figured this out.

Kevin McCoy, USA Today:

The knockoff power adapters and chargers, which Apple says could cause electrical shocks, allegedly traveled from a manufacturer in Hong Kong to Amazon.com, with stopping points at the Brooklyn location and New Jersey electronics companies.

And:

From outward appearances, the Apple-like products seemed genuine.

However, the chargers and adapters lacked adequate insulation and had improper spacing between the high voltage and low voltage circuits, creating risks of overheating, fire or electrical shocks, Apple charged in a 2016 federal court lawsuit. The case ended with confidential settlements in late May.

And:

Twelve of 400 fake iPhone adapters tested in a study unrelated to those in Apple’s lawsuit were so badly constructed that they posed “a risk of lethal electrocution to the user,” U.S.-based safety standards leader UL warned.

When I first came across this article, I was pretty sure Amazon would be part of the equation. In addition to the obvious safety hazard issues, I also wonder if there are some counterfeits with embedded malware, just waiting for an unsuspecting device to be plugged in. One reason I zealously guard the USB bricks that come in the iPhone and Apple Watch boxes.