Security Bits Logo

Security Bits – 8 Feb 2019

🇯🇵 A Correction — Japan is not the next Australia!

Last time I briefly mentioned a story about the Japanese government working on proposals to subject foreign companies to their laws. I had only speed-read the article, and assumed it was about defeating users privacy, but I actually had it 180° reversed! Japan wants to do a GDPR, and force foreign companies to obey its pro privacy laws!

The story: Japan Wants Foreign Tech Companies to Follow its Privacy Laws — www.macobserver.com/…

Followup

Security Medium 1 — The Group FaceTime Bug

A teenager discovered a very serious bug in Apple’s new Group FaceTime. The bug was easy to trigger and allowed an attacker to remotely enable the microphone on a victim’s iOS device or Mac. There were also reports that the camera could be activated remotely too. To trigger the bug and attacker would simply have to start a FaceTime call to the victim, then, before the victim answers the call, add a third person to the call. The third person can be anyone, even a second copy of the attacker themselves!

The technical details underlying the problems have not been detailed, but the most plausible explanation I’ve seen is that there was a bug in the code that handed a call over from regular FaceTime to Group FaceTime, and that it omitted a check to see if the call had actually been accepted in the original regular FaceTime call before enabling the mic in the new Group FaceTime call.

It initially appeared that Apple responded promptly — shortly after the story broke in the media Apple took Group FaceTime offline to prevent attacks, and promised it would release a security update shortly thereafter. That has now happened, and the service is back online.

It later emerged that the mother of the teenager who made the discovery tried desperately to bring the problem to Apple’s attention for a week, but did not succeed.

Apple have since met with the family in person, accepted the teenager into their bug bounty program so they can pay him a bounty, and promised to improve their vulnerability reporting procedures.

Links:

Security Medium 2 — Facebook & Google Abuse Apple’s Enterprise Developer Program to Spy on ‘Volunteers’

Apple provides a program to enterprises that allows them to bypass the iOS app store and effectively side-load apps onto devices used by their employees. Apple issue the company a certificate that they then use to sign their apps. Any iOS device with a matching configuration profile installed can then run these private apps.

To enter the program enterprises have to sign a legal contract with Apple, and part of that contract stipulates that apps delivered via this program are only for use by employees, and can’t be distributed to customers.

This week it emerged that FaceBook had been using this program to distribute a special copy of their officially discontinued VPN product Onavo to volunteers aged between 13 and 35 in exchanged for gift vouchers worth about $20 per month. The app included a custom root certificate so it could do SSL/TLS interception.

We can’t know what FaceBook was actually recording, but the technologies they employed gave them the ability to record every packet of data sent between the users phones and the internet, regardless of whether or not the connection was secured. The level of access this app gave FaceBook is almost impossible to over-state. Could a non-technical adult really give informed consent to this level of tracking? How about a 13 year old?

It has since emerged that users were forced to sign an NDA preventing them from disclosing the app’s existence. Also, on signup, users were not informed they would be sharing data with FaceBook until after they complete the initial signup process, front-companies were used during the initial steps.

When the news was reported, Apple revoked FaceBook’s enterprise certificate, killing all their internal apps. After some (presumably tense) negotiations, a new certificate was issued to them, and they could then re-build and re-distribute their compliant internal apps.

Google was also found to be doing something similar, though a little more transparently and a little less egregiously, and they quickly put their hands up and apologised. Their cert was deleted too, but a new one was generated for them much more quickly.

Finally, according to Leo on Security Now, both apps are still available on the Android platform!

Links:

Security Medium 3 — KeySteal

A security researcher has released a video demonstrating an attack against Apple’s Keychain. The video appears to show that a rogue app can exfiltrate passwords from the keychain. As a protest against the fact that Apple does not have a macOS bug bounty program, the researcher has not shared how the bug works either publicly or directly with Apple.

For now, there’s no need to worry about this bug, but a frantic race has now been kicked off between Apple and cyber criminals to see who can re-discover this bug the quickest. So, it’s possible that this will develop into a real danger in the future.

Links:

Notable Security Updates

Notable News

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top