Security Bits Logo

Security Bits – US Customs Epic Security Fail, Can Cellebrite Unlock Any iPhone

Spectre/Meltdown Update

Security Medium 1 — 🇺🇸 CBP’s Epic Security Fail

In response to a letter from US Senators Ron Wydon & Claire McCaskill, US Customs & Border Patrol (US CBP) have admitted that they don’t have the tools to read ePassports securely, but that they do none-the-less electronically read ePassports.

Let’s get this out of the way up front — I’m having trouble finding the words to express how catastrophically stupid I think this is! It takes a shocking amount of talent to be this inept when it comes to trivially simple security principles and technologies.

Now that I’ve got that off my chest, let’s look at the specifics.

The concept of an ePassport is very simple. As well as the printed pages, ePassports have an electronic chip embedded in their cover that contains a digital copy of the information printed on the pages. The digital information can be quickly read with a computer with the the appropriate reader attached. The idea is to make it easy for border agents and governments to track who’s entering and leaving their country. This is not a US-specific system, but the US did push very hard for it to be adopted quickly in the aftermath of the 2001 World Trade Centre & Pentagon attacks.

Obviously, it’s critically important that the integrity of the data on that chip be protected. It’s not hard to write some bits to a chip, so it is trivial for a nefarious person to alter the bits on the chip inside their passport. However, that kind of alteration should be trivial to detect, and should literally set off alarm bells! Unsurprisingly, the designers of the ePassport system thought of that, and implemented such protections.

The mechanism very simple — the information on the passport is cryptographically signed. The data is hashed, and that hash then encrypted with the private key of the issuing government’s key-pair. Each government that issues passports publishes their public key to all the others. To verify that a passport hasn’t been tampered with, simply decrypt the hash of the data (i.e. the digital signature) with the relevant government’s public key, hash the data read from the passport, and compare the two. If the hashes match, the passport data has not been altered since it was issued, and if they don’t, it has! 🚨🚓⚠️

If you think this sounds very familiar, and indeed very elementary, you’d be correct! This is how HTTPS works, so your browser can manage to do this each and every time you visit a secure page! The cliché this is security 101 literally applies here. When I taught a course on Information Processing at Maynooth University I covered this stuff in my first lecture on data security. This isn’t complicated, difficult, or obscure in any way!

So, what’s been going on in the US?

Well, CBP have been digitally reading ePassports because that’s so much easier than expecting border agents to manually enter the passport numbers into databases etc.. But the software they have been using, and continue to use today does not validate the digital signatures, because in fact, it can’t — it lacks that basic feature!

Because ePassports are more secure than paper passports, they’re more trusted, but because the US is failing to actually test the validity of the information, they are putting more trust in something which is in effect less secure because their tools are utterly unfit for purpose.

Links:

Security Medium 2 — Can Cellebrite Unlock Any iPhone?

The controversial Israeli hacking firm Cellebrite have started to advertise the unlocking of all models of iPhone running iOS versions from 5 to 11 inclusive as a service for their customers. If that name sounds familiar to you, it’s probably because it has been connected to the FBI’s cracking of the iPhone 5C in the San Bernardino terrorism case in the US.

You’ll see it reported in the media that Celebrate can unlock any iPhone, but that’s not actually what they’re claiming they can do, and ultimately, we have no way of knowing what they can and can’t do.

All we know is that they are offering an unlocking service for all iPhones since encryption was introduced, and that you have to send the phone to them to have it unlocked. If they succeed they will then send you the data, or the unlocked phone back.

Reading between the lines of the very small amount of information that’s known, it seems probable that the success rate is not 100%, but whether it’s 1% or 99% we just don’t know. We also don’t know how they are unlocking at least some modern iPhones.

The most plausible speculation I’ve heard is a rumour within the security community that Cellebrite have found a way to bypass the auto-destruct after 10 failed password attempts feature, hence, opening the devices up to brute force attack. At that point devices with weak passwords can be cracked, while those with strong passwords probably still can’t. Just to stress again, this is a plausible theory, it is not an established fact.

Links:

Notable Security Updates

  • Apple have patched their OSes (macOS, iOS, watchOS & tvOS) against the Telugu bug — tidbits.com/…
  • Drupal have released critical security patches for versions 7 & 8 of their popular open source CMS — www.drupal.org/…

Notable News

  • Facebook have clarified that the abuse of SMS numbers provided for 2FA for notifications that we reported on last time was a bug, and that they are fixing it — tidbits.com/…
  • Facebook fixed a bug that leaked information about page owners via email — nakedsecurity.sophos.com/…
  • Telegram fixed a bug that abused unicode text direction markers to disguise file extensions, making it much easier to trick users into running a malicious file — nakedsecurity.sophos.com/…
  • Despite what some media reports claimed, it doesn’t seem that Skype has a security flaw that Microsoft are refusing to fix. Microsoft say it was fixed month ago — www.theregister.co.uk/…
  • Google has published details of a zero-day bug in Edge that Microsoft has not been able to fix yet. Thankfully it’s the kind of bug that’s not exploitable on its own, it needs to be paired with another vulnerability to be exploited. It’s still safer to avoid Edge for now though — nakedsecurity.sophos.com/…
  • Security researcher Troy Hunt has released an updated version of his Pwned Passwords API which allows website owners to check passwords users are trying to set against known commonly exploited passwords, hence preventing their use — www.troyhunt.com/…
  • Apple have announced that they will be making changes to the security of iTunes that will render the service un-usable on obsolete OSes including Windows XP, Windows Vista, and the original Apple TV (the one that looks like a squished G4 MacMini) — www.imore.com/…
  • Followup 🇨🇳 Apple are not just being forced to host Chinese iCloud data in China, but also the matching decryption keys — www.macobserver.com/…
  • Followup 🇺🇸🇮🇪 We’ve been following Microsoft’s long-running fight with the US DOJ over a US warrant to hand over data stored in Ireland for a few years now. Microsoft won, but the DOJ appealed to the US Supreme Court (SCOTUS), who took up the case. SCOTUS heard oral arguments in the case this week. Keep an eye out for their judgement later this year, either way, it’s a really big deal for US tech companies, and users of those companies all over the globe —
    nakedsecurity.sophos.com/…
  • Followup 🇺🇸 late last year I linked to a warning from Brian Krebs about insufficient validation for signups to Informed Delivery, a new service being offered by the USPS where they scan your mail and email it to a specified address before they deliver it. Krebs is now reporting that the USPS have responded to the criticism by sending postal notifications to an address when the service is activated against that address. This should nip any abuse in the bud — krebsonsecurity.com/…

Suggested Reading

Palate Cleansers

  • Naked Security have just started a series aimed at demystifying Machine Learning, something which is going to have a big impact on all our lives in the next few decades — nakedsecurity.sophos.com/…

Leave a Reply

Your email address will not be published.

Scroll to top