NC #572 Apple did not Admit to Planned Obsolescence, PRC & Hardcore History

This show is guest-hosted by Bart Busschots. The show starts with a little rant about how Apple did not accidentally admit to practicing Planned Obsolescence, no matter what the tabloid press (or Irish radio) say. Allison teleports in from the past with an interview with PRC from CES 2016, Bart recommends the Hardcore History podcast, and finally, Bart does a solo Security Bits.



Hi, this is Bart standing in for Allison.

Blog Posts

Security Bits

Cell Phone Security is Fatally Broken

US TV show 60 Minutes shone a bright spotlight on a problem that security researchers have been trying to highlight for some time now – the back-end communication channel cell carriers around the world use to communicate with each other is fundamentally broken.

The reason it is possible to send an SMS message from one cell carrier to another, and the reason it is possible to take your cellphone with you from country to country, is that all the cell carriers exchange information with each other using a back-end protocol called SS7 (Signalling System No. 7).

This protocol is old, and lacks authentication. If you get onto this network, every signal you send will be believed by the receiving carrier. One of the things you can do with the SS7 protocol is specify that voice and SMS traffic to a given phone number should be proxied by a given server – voilà, an instant Man-in-the-Middle attack!

The only piece of information an attacker needs to intercept all your voice calls and SMS messages, and to track your physical location in real time is your cellphone number.

The 60 Minutes program demonstrated these facts in dramatic fashion with the help of Senator Ted Lieu, a US senator who has been working hard on the security question – introducing a bill to ban state bills banning encryption. 60 Minutes explained what they were going to try to do, then bought a brand new iPhone and gave it to Senator Lieu. They then gave only the cellphone number for that phone to their hackers in Germany. From Germany, the hackers were able to intercept all the senator's calls and SMS messages, play them back to him, and show him his physical movements.

Clearly, SS7 needs to be replaced with something less fundamentally broken! The big problem is that this archaic technology cannot be removed until ALL carriers support a new system. There is a new system that some carriers support, but it remains backward-compatible with SS7, and hence vulnerable. The backwards-compatibility cannot be disabled until all carriers have upgraded. That is likely to take years.

The bottom line is that you must assume anyone could be listening to your cellphone conversations, and that anyone can read your SMS messages. The biggest concern I see here is that a lot of 2-factor auth uses SMS messages. This does not make that kind of 2-factor useless, it is still an extra hoop to jump through, but, it does mean that if a site offers me the choice between SMS-based 2FA and Authenticator-based 2FA, I'm gonna choose the latter.

Finally – there is a little extra controversy because it appears that intelligence agencies have known about this flaw for years, and not moved to get it fixed. This has put everyone in every society around the world at risk from cyber crime. Many (me included) consider this deeply immoral – endangering us all in the name of protecting us is dumb!


Quicktime for Windows

Last week we mentioned that there were bugs in QT for Windows, and that they were not going to be patched – hence, that everyone should delete the app ASAP.

At the time we did not have direct word from Apple that they really had abandoned it – well, now we have that word. Apple confirmed to the WSJ that QT for Windows is deprecated.

The problem is, Apple have not told their USERS about this decision! Apple distributed this software to millions of people, who assumed Apple would have their back. Apple have just abandoned these people to their lot. Regular people have gotten no hint whatsoever that they need to remove this software. Worse still, Windows users have been telling me that it is still being offered to them through Apple's software updater. When I checked Apple's website on Monday it was still being offered as a download.

Thankfully, when I went to get that link for the show notes today (Saturday), they have added a note to the top of the download page saying that QT for Windows is "no longer supported by Apple". Unfortunately, there is no text there that makes it clear to regular human beings that ignoring the warning is dangerous!

IMO Apple should have released an un-installer for QT through their software update process to help ordinary people understand that they need to remove QT, and why.

I consider abandoning software in such a user-indifferent way to be deeply irresponsible, and utterly counter to Apple's professed support for security. I think Apple are serious about security, they just have a colossal blind spot when it comes to software vulnerabilities. Apple have a LONG history of not patching problems promptly. For example, right now, all Mac developers have a vulnerable version of Git on their Macs that was patched by everyone else two months ago.

This blind spot leaves Apple dangerously exposed to criticism that their court fights are just for show – if they really cared about security they would do the simple stuff, and they consistently fail to do that.

This blind spot also leaves the door ajar for a massive and reputation-destroying malware attack against Mac users. It hasn't happened yet, and it may never happen, but Apple cannot say they have done their best to prevent it, because they simply have not.


Encryption War Updates

  • Apple tells NYC court that the DOJ has not proved they need Apple's help unlocking iPhones – nakedsecurity.sophos.com/…
  • Apple & the FBI testify before congress again – http://www.imore.com/apple-fbi-head-back-congress-another-encryption-fight
    • Apple confirm they were asked for their source code by the Chinese government, but they refused to hand it over – fortune.com/…
  • Tech companies send an open letter to Senators Burr and Feinstein expressing 'deep concerns' over their anti-encryption bill – www.imore.com/…
  • At a security conference in London, FBI director Comey says the FBI paid a lot for the San Bernardino iPhone hack – "More than I will make in the remainder of this job, which is seven years and four months for sure" – Comey's salary is public information, so if you do the math, that gives you a number greater than $1.3M – arstechnica.com/…
  • The DOJ pulls the plug in the NYC case – they say someone gave them the passcode so they don't need Apple's help anymore – www.imore.com/…
  • The FBI try to spin finding nothing on the San Bernardino iPhone as a valuable finding – www.macobserver.com/…

Important Security News

  • Latest Android security report shows that only 70.8% of Android phones are running a version of Android that Google is releasing patches for – that leaves a whopping 29.2% of Androids for which Google are not even creating patches. The 70.8% are devices that COULD get patched, but only if the manufacturers and carriers play ball – nakedsecurity.sophos.com/…
  • Documents released by the UK government in response to a lawsuit filed by Privacy International show that the US are by no means alone in spying on innocent citizens at a truly industrial scale. The documents also show a staggering lack of safeguards – arstechnica.com/…
  • Intego are warning of an SMS phishing campaign targeting iPhone users – www.intego.com/…

Suggested Reading

Ending

Remember to send in reviews for Allister to use when he guest-hosts next week – you can send them to Allison at podfeet.com.
