
Security Bits – 5 October 2019

Followup

  • Bluetooth permissions on iOS
  • CloudFlare’s Warp VPN has Finally been Released — blog.cloudflare.com/…, nakedsecurity.sophos.com/… & www.imore.com/…
    • Note that VPNs can provide encryption and anonymization, but they don’t have to. Depending on how they are configured they can provide one, or the other, neither, or both! In this case, WARP provides encryption, but not anonymization. I.e., when using WARP VPN your source IP address will not be hidden, but your traffic will be encrypted from your machine as far as Cloudflare’s VPN servers.
    • There is a free version which has some limitations, and a paid version which offers much faster speeds.
  • The Siri grading (human review) kerfuffle:
  • The continuing rollout of DNS over HTTPS (DoH):
    • 🇺🇸 US ISPs are very worried by Google’s moves to switch to DoH, and have written a letter to the House Judiciary Committee asking them to investigate. The letter claims that Google is switching people over to Google’s own infrastructure, which is not true, and complains that DoH makes it impossible for ISPs to track their users the way they do now. (Editorial by Bart: IMO this proves the need for DoH to be rolled out ASAP, DNS really is being abused by our ISPs to invade our privacy!) — arstechnica.com/…
  • Malicious Lightning cables:
    • This threat is becoming more real as the hacker who presented his home-made cable at a recent security conference is moving to mass production. The cables are being sold as tools for security testers, but there is no evidence there will be any controls in place to prevent their sale to malicious actors, so we all need to learn to be wary of cables offered to us by others — nakedsecurity.sophos.com/… & www.imore.com/…

Security Medium 1 — The Checkm8 iOS Device Bootloader Bug

A veteran of the jail breaking community has released details of a bug in the low-level boot loader used by iOS devices with SOCs (Systems on a Chip) from the A5 up to and including the A11.

That means the following iOS devices are affected:

  • iPhones from the iPhone 4S up to and including the iPhone X
  • iPad generations 2 to 7 (inclusive)
  • iPad Mini generations 1 to 4 (inclusive)
  • iPad Pro generation 1 & 2
  • iPod Touch generations 5 to 7 (inclusive)

That means the following newer iOS devices are not affected:

  • iPhone XS, iPhone XR, and iPhones 11
  • iPad Air generation 3
  • iPad Mini generation 5
  • iPad Pro generation 3

A boot loader is a very low-level component that starts the process of booting a device. It’s so low-level it can’t even be patched with a firmware update. The only possible protection would be some sort of work-around in higher level firmware, but the security researcher who found the bug does not believe that’s possible in this case.

From a security point of view, one of the vital tasks performed by the iOS boot loader is the validation of the digital signature of the OS it is about to load. This is what prevents iPhones from running OSes not digitally signed by Apple: it protects users from attackers installing malicious OSes, and it also stops people running un-signed OSes on their own devices, i.e. it prevents jail breaking.

The good news is that this low-level bug is only exploitable while the phone is tethered to a computer, so physical access is needed, and more importantly still, the exploit is not persistent, so the device has to be tethered each time it boots to keep an un-signed OS running.

Another very important point to note is that the ability to install un-signed OSes does not in any way bypass the protections offered by the secure enclave and the biometrics and cryptographic keys it protects. This means this vulnerability can’t be used to break into a locked device.
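To make the signature-validation step concrete, here is an added example (not code from the page, from Apple, or from the researcher) that models a secure-boot chain in Go. A vendor key signs each loadable stage, and the verifier walks the chain the way a boot ROM would, refusing to hand over control at the first stage whose signature does not check out. The stage names, the images and the use of Ed25519 with a single vendor key are assumptions for the demo; the real iOS image format and key handling are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain: an image plus the signature the
// previous stage must verify before it transfers control.
type Stage struct {
	Name      string
	Image     []byte
	Signature []byte
}

// NewVendorKey makes a fresh signing key pair. It stands in for the vendor's
// (Apple's) key; only the public half would ever be baked into the boot ROM.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignStage attaches the vendor's signature over the SHA-256 digest of an image.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	digest := sha256.Sum256(image)
	return Stage{Name: name, Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// BuildChain signs two constructed stages (a second-stage loader and a kernel).
// The boot ROM itself is deliberately not in the list: it is the root of trust,
// nothing verifies it, which is exactly why a bug in it cannot be patched.
func BuildChain(priv ed25519.PrivateKey) []Stage {
	return []Stage{
		SignStage(priv, "iBoot", []byte("constructed second-stage loader image")),
		SignStage(priv, "kernel", []byte("constructed kernel image v1")),
	}
}

// VerifyChain checks every stage against the ROM-embedded public key and
// returns the name of the stage it stopped at: the last stage on success, or
// the first rejected stage together with an error.
func VerifyChain(rootKey ed25519.PublicKey, chain []Stage) (string, error) {
	if len(chain) == 0 {
		return "", fmt.Errorf("empty boot chain")
	}
	for _, s := range chain {
		digest := sha256.Sum256(s.Image)
		if !ed25519.Verify(rootKey, digest[:], s.Signature) {
			return s.Name, fmt.Errorf("signature check failed at %q: refusing to boot", s.Name)
		}
	}
	return chain[len(chain)-1].Name, nil
}

// TamperKernel returns a copy of the chain whose last image has one byte
// flipped but keeps the old signature, modelling an un-signed modification.
func TamperKernel(chain []Stage) []Stage {
	out := make([]Stage, len(chain))
	copy(out, chain)
	last := len(out) - 1
	img := append([]byte(nil), out[last].Image...)
	img[0] ^= 0x01
	out[last].Image = img
	return out
}

func main() {
	pub, priv := NewVendorKey()
	chain := BuildChain(priv)

	stage, err := VerifyChain(pub, chain)
	fmt.Println("genuine chain:", stage, err)

	stage, err = VerifyChain(pub, TamperKernel(chain))
	fmt.Println("tampered kernel:", stage, err)

	// An attacker signing with their own key fails at the very first stage,
	// because the ROM only trusts the vendor key it was manufactured with.
	_, attackerPriv := NewVendorKey()
	stage, err = VerifyChain(pub, BuildChain(attackerPriv))
	fmt.Println("attacker-signed chain:", stage, err)
}
```

The point of the model is where the trust starts: every stage is checked by the one before it, but nothing checks the ROM, so a flaw there cannot be fixed by re-signing or updating later stages. It also shows why the check must be repeated on every boot; an attacker who only manages to alter a stage, not the key in ROM, is rejected the next time the chain runs.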

It’s also important to note that what the security researcher released is an exploit, not a functional product of any kind. It was immediately obvious that this is the kind of vulnerability that’s ideally suited to form the basis of a jailbreaking tool, so unsurprisingly, one has already been released!

This is a big deal for jail breakers, because it means they should now have a reliable jailbreak that Apple can’t block with a future iOS update, but it probably has surprisingly little impact on the rest of us.

The biggest danger this exploit presents is to high-value targets who might be subject to state-sponsored surveillance, industrial espionage, or high-level cyber crime. For example civil rights campaigners or lawyers, government workers, officials, or elected representatives, and C-level executives in large corporations. The danger would be that if any of these people lost physical control of their phone it could be silently jail broken and malware could be installed without their knowledge. For these people, the simplest protection is to upgrade to more modern iOS devices that are not affected, or, to reboot their device each time it is removed from their presence. TBH, each new iteration of Apple hardware adds more advanced security protections, so upgrading is good advice to high-value targets regardless of this bug’s existence!

Ironically this bug might actually make regular folks more secure! How? By making it easier for security researchers to explore the innards of iOS and responsibly report any vulnerabilities they find to Apple.

Bottom line — high value targets should consider upgrading their iOS devices to ones running the most modern SOCs, and the rest of us should carry on with our lives without setting our proverbial hair on fire 🙂 🧯

Links

Notable Security Updates

Notable News

  • Security researchers have uncovered a flaw in PDF’s encryption specification, and have named it PDFex. The bottom line is that PDF encryption is less secure than we thought, so it should not be relied on to protect sensitive documents, we’ll need to wrap our own encryption around our sensitive PDFs before emailing them etc. — nakedsecurity.sophos.com/…
  • Facebook has deleted ‘tens of thousands’ of apps for data abuse as part of its investigations into the Cambridge Analytica scandal — nakedsecurity.sophos.com/… & daringfireball.net/…
  • The UK, US & Australian governments have jointly written to Facebook asking them to halt their rollout of end-to-end encryption, or at least give them a backdoor — www.imore.com/… & www.macobserver.com/…
  • TikTok Bans Political Ads in U.S. and EU — www.macobserver.com/…
  • The ECJ (European Court of Justice) has released two potentially confusing rulings affecting tech companies:
    1. Ruling on a case brought by Google, the ECJ ruled that the so-called right to be forgotten does not extend outside the EU. The ruling does make it clear that Google must make efforts to hide affected search results from EU visitors, regardless of the Google domain they use to access the content (google.fr -v- google.com etc.), but Google do not have to block the results for locations outside the EU — nakedsecurity.sophos.com/…
    2. In a case brought against Facebook by an Austrian politician the ECJ has ruled that European courts can order companies to completely remove content found to be illegal from their systems, including duplicates or near-duplicates of the illegal material
  • Google provided a good illustration of why Apple’s System Integrity Protection (SIP) is a good idea, and why you should leave it enabled – a bug in Google’s auto-updater deleted system files macOS needs to boot, but SIP prevented the deletions. Affected Macs with SIP disabled became unbootable, while Macs with SIP enabled were just fine — tidbits.com/…
  • 🇺🇸 The Voting Village hacker challenge at the Defcon security conference has shown that US voting machines are easy to hack — nakedsecurity.sophos.com/…
  • The OpenID Foundation has confirmed that Sign In With Apple is compatible with the OpenID standard, and has praised Apple for addressing all the security and compatibility issues they’d raised earlier in the summer during the beta process. They still point to some non-security-related room for improvement, but there could be privacy implications to some of their quibbles with SIWA, so Apple may choose not to implement some or all of these suggestions — www.macobserver.com/… & www.imore.com/…
  • DuckDuckGo conducted a survey of US adults (the population in general, not DuckDuckGo users) and found that almost 4 out of 5 had taken some kind of pro-active action to protect their privacy on social media, by deleting accounts, tweaking settings, or reducing usage. Almost a quarter had deleted a social media profile due to privacy concerns (Editorial by Bart: it seems the recent privacy scandals are having an effect on regular folks in the real world after all) — spreadprivacy.com/…

Suggested Reading

Suggested Listening

  • 🎧 A fascinating exploration of a years-long campaign of hacking into supposedly friendly countries by the UK’s GCHQ that was uncovered when their malware was detected within the Belgian ISP Belgacom (now Proximus). Why Belgacom? They provide services to EU institutions based in Belgium: Darknet Diaries Ep 48: Operation Socialist — overcast.fm/…
  • 🎧 The first series of Sleepwalkers is now complete (there is a second one in the works). This 10-part miniseries takes a frank look at both the dangers and opportunities offered by AI, and highlights the fact that whether we like it or not, AI is happening, and we need to start making decisions about how we’re going to regulate and manage an AI-rich world. This is not a doom-and-gloom show hyping all the negatives to try scare you, it’s a balanced look at the real dangers, and, the very real opportunities AI brings: Sleepwalkers — www.sleepwalkerspodcast.com
  • 🎧 An interesting interview with Microsoft president Brad Smith exploring the big question “how do we ensure our astonishing technological advances are harnessed for good, not harm?” — HARDtalk: President of Microsoft – Brad Smith — overcast.fm/…

Palate Cleansers

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
