
Security Bits – 8 September 2019

Followup

  • Apple draws a line under the ‘Siri Grading’ kerfuffle with a public letter apologising for not reaching their own high standards, explaining how Siri protects user privacy, and outlining some changes to how grading will be carried out in future — www.apple.com/…
    • Apple send as little data as possible to Siri, using on-device processing as much as possible.
    • Apple sends the fuzziest location data it needs to Siri when answering location-related questions (they gave the example that for sports enquiries they only send the city, but for requests for nearby stores they send more precise location).
    • Apple use a per-device random ID to tag Siri questions so the answers can get routed back to the users, never a usable identifier like an Apple ID or a phone number.
    • The only reason Apple store any Siri data is to train Siri.
    • Apple kept both computer-generated transcripts and audio recordings tagged with this random identifier for 6 months; if they stored the data for longer, they removed the association with that identifier.
    • Apple will continue to store the computer-generated transcripts for all Siri users as before, but will only store audio recordings of users who explicitly opt in.
    • All grading will be performed by Apple employees.
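The data-handling rules in the list above (a random per-device token rather than an account identifier, audio kept only with opt-in, and the token stripped from anything retained past six months) are a small privacy-by-design pipeline. The following is an added illustration written for these show notes; it is not Apple's code, and the record layout, the 183-day cut-off and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets

# Assumed cut-off standing in for "6 months" in the policy described above.
RETENTION = timedelta(days=183)


@dataclass
class SiriRecord:
    device_token: Optional[str]   # random per-device ID, never an Apple ID or phone number
    created: datetime
    transcript: str               # computer-generated transcript, kept for everyone
    audio: Optional[bytes]        # raw audio, kept only when the user opted in


def new_device_token() -> str:
    """Unlinkable random token; nothing about the owner can be derived from it."""
    return secrets.token_hex(16)


def record_request(device_token: str, transcript: str, audio: bytes,
                   audio_opt_in: bool, now: datetime) -> SiriRecord:
    """Store the transcript always, and the audio only if the user opted in."""
    return SiriRecord(device_token, now, transcript, audio if audio_opt_in else None)


def apply_retention(records: List[SiriRecord], now: datetime) -> List[SiriRecord]:
    """Anything older than RETENTION loses its device token but keeps its content,
    so it can still be used for training without being linkable to a device."""
    retained = []
    for r in records:
        if now - r.created >= RETENTION:
            retained.append(SiriRecord(None, r.created, r.transcript, r.audio))
        else:
            retained.append(r)
    return retained


def demo() -> List[SiriRecord]:
    """Constructed sample: one old request without opt-in, one recent request with it."""
    now = datetime(2019, 9, 8, tzinfo=timezone.utc)
    token = new_device_token()
    old = record_request(token, "what's the weather", b"\x00\x01", False,
                         now - timedelta(days=200))
    recent = record_request(token, "coffee shops near me", b"\x02\x03", True,
                            now - timedelta(days=10))
    return apply_retention([old, recent], now)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Running it shows the old record with no token and no audio (the user never opted in), and the recent record still carrying both its token and its audio; the transcripts survive in both cases, which is the part of the policy that applies to every user.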

Security Medium — Project Zero’s ‘iOS Hack’ Report

Google’s Project Zero security team made big news when they released extremely in-depth research on a collection of exploit chains they had found in use in the wild to deploy spyware onto iOS devices.

As best as I can tell, these are the facts:

  • The malware was extremely sophisticated, requiring multiple separate exploits to be chained together to reach root access. This is because iOS has many layers of security, so it’s extremely unlikely a single exploit can get you past all the protections at once.
  • Despite the malware’s complexity, it was not able to permanently write itself into the phones, it could only make a home for itself in RAM, so a reboot flushed it out.
  • The start of all the chains was mobile Safari, meaning exploitation was via a booby-trapped web page. The same vulnerabilities were present in Chromium, and hence many other Chromium-derived browsers (I’m only talking about the vulnerabilities at the start of the chain here).
  • Hardware protections in the most modern iPhones (iPhone X, iPhone XS & iPhone XR) thwarted the exploit chains.
  • Apple fixed the vulnerabilities within six days of being told about them by Google, but they had already started to work on a fix four days earlier when they had learned about them from another source (we don’t know who, maybe Apple themselves, maybe other security researchers).
  • These vulnerabilities were patched in February this year.
  • Google’s report focused on the technical details of the vulnerabilities, not their use, and provided very little context to help the world understand the implications of these attacks.
  • The malware was found on low-volume sites of interest to a target group of people — so-called watering hole attacks. (With phishing you go after your victims; with watering hole attacks you lie in wait in a place your target will come to anyway, like a predator waiting for dinner at a watering hole!)
  • Google claim the attack lasted two years, Apple dispute this saying it was just two months, and that it was much more targeted than Google implied.
  • Google neither named the attacker nor the target, but independent reporting assigns blame to the Chinese Government, and puts the attacks into the larger context of their ongoing targeting of the minority Uyghur (pronounced wee-ger) Muslim community. This larger campaign has also exploited different vulnerabilities in other OSes like Android and Windows to target the Uyghur community.

Google’s research is available for all to read (when they call it a deep dive they are not kidding!), as is Apple’s response.

Bart’s Thoughts

  • The fact that it takes complex exploit chains to break into iOS is reassuring. Security is never absolute, it’s always a balance between the value of breaking in, and the cost of breaking in. Fort Knox needs to spend enough on security to make it more expensive to break in than the gold within would be worth. The same is true of my house. My house has very little value, so I get to spend much less than the US military does 🙂 I’m reassured that Apple have succeeded in building an OS that it takes a lot of time and effort to exploit. Better still, even a large nation state was not able to get a permanent foothold into iOS, a reboot flushed the infestation!
  • The speed of Apple’s response is also reassuring. Remember, all software has bugs, because all software is written by humans, and all humans make mistakes! What matters is not whether or not exploits exist, but how they’re responded to.
  • I really wish Project Zero had provided appropriate context around the release of their extremely high-quality technical work. iOS is too important to just put stuff like this out without the context needed to understand the implications. Also, Google has an obvious vested interest, so while I don’t believe there was any conspiracy here (nerds being really proud of their great work and not grokking the way it would be reported on seems an adequate explanation to me), I get why lots of people are jumping to conclusions that this was all somehow a ploy by Google to give Apple a black eye in the lead up to next week’s iPhone event.

Links

Note: we now know that many of the early headlines make claims Apple explicitly refutes. For completeness, I have left the original headlines as they were, the more up-to-date information appears in the headlines further down the list as more details emerged.

Notable Security Updates

Notable News

  • Underlining just how insecure SMS is, attackers were able to abuse SMS to post Tweets as Twitter CEO Jack Dorsey. Twitter have shut down their SMS gateway in response, and will be selectively re-opening it only in countries that rely heavily on SMS, and then, only when carriers have put steps in place to prevent a recurrence of this exploit. Twitter have also announced a plan to review their 2FA approach since it uses SMS — techcrunch.com/…, nakedsecurity.sophos.com/… & nakedsecurity.sophos.com/…
  • Google News:
    • 🇪🇺 The people behind the Brave browser accuse Google of using so-called ‘push pages’ to attempt to circumvent the GDPR. They have passed their research on to the Irish Data Protection Commissioners (because Google’s EU business is headquartered in Ireland) — brave.com/…
    • 🇺🇸 The FTC have fined YouTube $170M for breaching COPPA (the Children’s Online Privacy Protection Act) after they were caught telling regulators they had no minors on the site so were not subject to COPPA, while simultaneously telling potential ad buyers they were “today’s leader in reaching children age 6-11” and “unanimously voted as the favorite website for kids 2-12”. As well as the fine, YouTube have to make changes to their site to come into compliance with COPPA — nakedsecurity.sophos.com/…
    • Google have expanded their Android bug bounty program to cover 3rd-party apps with more than 100M installs (i.e. they will use their money to pay to make popular Android apps more secure) — nakedsecurity.sophos.com/…
    • Google launches an open-source version of its differential privacy library — techcrunch.com/…
  • Providing a timely reminder to be wary of romance scams online, the US DOJ has charged 80 in relation to a global scam targeting businesses, the elderly, and women — nakedsecurity.sophos.com/…
  • Facebook News:
    • Facebook: ‘Technical error’ let strangers into Messenger Kids chats — nakedsecurity.sophos.com/…
    • Security researchers found a database containing personal information about 419M Facebook users online. The DB appears to date back to the time before Facebook closed off their APIs. The DB contained 133M phone numbers — www.engadget.com/… & nakedsecurity.sophos.com/…
    • Facebook have lost control of the private key used to sign one of their Android apps. While they have updated the app, they are being criticised for their lacklustre response, and the key is being used maliciously to digitally sign malware as if it were an official Facebook app — nakedsecurity.sophos.com/…
    • Facebook are replacing their ‘tag suggestions’ privacy setting with a new ‘facial recognition’ privacy setting (Editorial by Bart: I’m not a Facebook user, so this is a little outside my wheelhouse, but this seems like an improvement to me) — nakedsecurity.sophos.com/…
    • 🇺🇸 In the run-up to the 2020 US elections, Facebook have tightened their rules for political ads. Organisations will need to verify their identity before they can place political ads on Facebook — www.theverge.com/…
  • Scammer Successfully Deepfaked CEO’s Voice To Fool Underling Into Transferring $243,000 — gizmodo.com/…
  • IAB Labs, part of the Interactive Advertising Bureau, an ad industry group, have proposed an alternative to tracking prevention that they say will respect privacy. The idea revolves around a single anonymous centrally managed token that all supporting sites promise to respect (Editorial by Bart: the proposal promises not to link a name to your token, but the idea is that you will have one token for all your browsing on all your devices. That token will inevitably hoover up so much tracking data that it will be trivial to de-anonymise people. The idea of this being centrally managed by the ad industry is horrifying to me, even if we ignore their obvious conflict of interest, this central authority will be a massive target because all tracking will be controlled by it!) — www.cnet.com/…
  • Security researchers tested the perennial conspiracy theory that apps like Facebook are constantly listening to you through your phone, and then advertising at you based on things you say near your phone. The good news — nope, talking around a phone does not change the ads. The bad news, this means that these companies can show you spookily appropriate ads purely based on the quality of the profile they build up on you! — www.bbc.com/…

Suggested Reading

Palate Cleansers

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
