{"id":25404,"date":"2022-03-06T13:15:33","date_gmt":"2022-03-06T21:15:33","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=25404"},"modified":"2022-03-06T13:15:33","modified_gmt":"2022-03-06T21:15:33","slug":"sb-2022-03-06","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/03\/sb-2022-03-06\/","title":{"rendered":"Security Bits \u2013 06 March 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>A little sting in the tail of that disgraceful threat by the Missouri Governor to prosecute a journalist for noticing personal data leaked in HTML source code of a government site \u2013 it was the Governor&#8217;s own office that was responsible for the affected site&#8217;s security \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2022\/02\/report-missouri-governors-office-responsible-for-teacher-data-leak\/\">Report: Missouri Governor\u2019s Office Responsible for Teacher Data Leak \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Social Media Developments:\n<ul>\n<li>Meta is responding to their recent loss in daily users by hobbling Instagram&#8217;s time limit feature \u2014 <a href=\"https:\/\/www.imore.com\/facebooks-solution-lost-revenue-make-instagram-even-more-addictive\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/tumblr-does-what-twitter-wont-lets-you-pay-rid-it-ads\">Tumblr does what Twitter won&#8217;t \u2014 lets you pay to rid it of ads \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1f7;&#x1f1fa; A digital war has broken out between social media companies and the Russian government:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/russia-limiting-access-meta-services-because-it-wouldnt-let-country-lie\">Russia is limiting access to Meta services because it 
wouldn&#8217;t let the country lie \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/meta-barring-russian-state-media-running-ads-its-platforms\">Meta is barring Russian state media from running ads on its platforms \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitter-begins-labeling-tweets-link-russian-state-affiliated-media\">Twitter begins labeling tweets that link to Russian state-affiliated media \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/netflix-says-it-wont-carry-likely-russian-propaganda-channels-despite-local-laws\">Netflix says it won&#8217;t carry likely Russian propaganda channels despite local laws \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/google-yanks-two-kremlin-backing-news-channels-youtube-across-europe\">Google yanks two Kremlin-backing news channels from YouTube across Europe \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-kicks-rt-and-sputniks-suspected-russian-propaganda-pages-its-platform\">Facebook kicks RT and Sputnik&#8217;s suspected Russian propaganda pages off its platform \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-responds-russian-invasion-ukraine-pulls-rt-sputnik-apps-and-disables-apple-maps-features\">Apple responds to the Russian invasion of Ukraine, pulls RT &amp; Sputnik apps and disables Apple Maps features in Ukraine \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/spotify-closes-russia-office-removes-state-sponsored-content\">Spotify closes Russia office, removes state-sponsored content \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/alphabet-cease-google-ad-sales-russia\">Alphabet suspends Google ad sales in Russia \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/www.imore.com\/russia-blocks-twitter-and-facebook-putin-tightens-his-grip-information\">Russia blocks Twitter and Facebook as Putin tightens his grip on information \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/paypal-suspends-services-russia-condemns-ukraine-invasion\">PayPal suspends services in Russia, condemns Ukraine invasion \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/minecraft-removed-app-store-russia\">Minecraft removed from App Store in Russia \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/surfsharks-new-fake-news-alert-system-warns-russian-invasion-misinformation\">Surfshark&#8217;s new fake news alert system warns of Russian invasion misinformation \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.imore.com\/russians-flocks-vpn-apps-state-censorship-tightens\">How Russians are flocking to VPN apps as state censorship tightens \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Apple&#8217;s Other AirTag Problem<\/h2>\n<p>We&#8217;ve discussed how Apple&#8217;s AirTags have built-in protections from abuse in quite a few recent segments. In summary \u2014 AirTags have better anti-stalking protections than any other trackers, and they&#8217;re making news because the protections work and actually alert victims that they&#8217;re being tracked and because Apple makes good click-bait. AirTags have had protections from day one, but Apple are continuing to expand and improve them.<\/p>\n<p>A second story has been simmering away under the hood for a few months now, and it&#8217;s not gotten nearly as much attention because it&#8217;s literally more hidden and more difficult to understand and explain. 
A subset of the security community has been focusing their attention on the networking protocols that power AirTags and other compatible Apple and third-party trackable devices \u2014 Apple&#8217;s <em>Find My<\/em> Network.<\/p>\n<p>Fundamentally, there are many aspects of the Find My Network that are extremely well designed, and have stood up well to scrutiny, but some weaknesses have been found around the edges.<\/p>\n<p>Let&#8217;s start with the good news \u2014 Apple have developed a cryptographically enforced system that allows devices to be tracked in a privacy-protecting way. All the location pings are protected by regularly cycling keys and identifiers that are derived from a private key that&#8217;s securely stored in your iPhone&#8217;s secure enclave. Without the private key, it&#8217;s impossible to identify which location pings are from your tracker, let alone read their contents. Apple can&#8217;t track your AirTag, the people around your AirTag whose phones are relaying its location pings can&#8217;t track it, and neither can someone eavesdropping on messages being relayed within the <em>Find My<\/em> network. None of this has been broken \u2014 only you can track your AirTag&#8217;s location.<\/p>\n<p><em><strong>Note:<\/strong> (The only thing Apple can do is tell law enforcement which Apple ID matches which serial number, hence they can help find the owner of a tracker in the physical possession of the police.)<\/em><\/p>\n<p>So what cracks have been found?<\/p>\n<p>One of the leading security researchers in this field is Fabian Br\u00e4unlein from Berlin. A few months ago he managed to find a way to piggyback messages of his own on the <em>Find My<\/em> network, which he humorously dubbed <em>Send My<\/em>. The bandwidth is <em>really<\/em> small though, about 20 bits per second (20 baud), and the latency is huge, about an hour! 
But, in theory at least, an attacker could exfiltrate a small amount of very valuable data uncovered in a hack through the <em>Find My<\/em> network. This would be a very difficult-to-detect <em>backchannel<\/em> and would bypass firewalls and other existing DLP (Data Leak Protection) solutions. Because the bandwidth is so low this wasn&#8217;t really a practical attack; it was more of an intellectual badge of honour than anything else. The biggest take-away was that while Apple have done a good job securing the legitimate traffic on their network, they haven&#8217;t prevented the network being abused to transmit other data.<\/p>\n<p>The week before last Br\u00e4unlein returned with details of a new and much more significant problem, which he&#8217;s dubbed <em>Find You<\/em>. Again, no legitimate use of the network has been compromised in any way \u2014 attackers can&#8217;t break the encryption, de-anonymise AirTags, inject false data, or anything like that. But Br\u00e4unlein found a way of building his own tracking hardware that can participate in the <em>Find My<\/em> network and successfully report location data to its owner, without ever being noticed by Apple&#8217;s existing stalking protections. In other words, <strong>he has developed a truly stealthy AirTag<\/strong>.<\/p>\n<p>The way it works is really quite clever \u2014 he&#8217;s developed a single hardware device that can switch between thousands of logical identities in a predictable way. Remember, a simplified description of how AirTags work is that the tracker has a public key, and its owner has the matching private key. The AirTag uses the public key to encrypt its location pings, and only the matching private key can identify and decrypt the location pings to read the actual locations.<\/p>\n<p>The hardware Br\u00e4unlein created stores thousands of public keys, and he has all the matching private keys. 
The firmware on his custom tracker is programmed to switch between all its public keys in a random-seeming but predictable way. This means that Br\u00e4unlein can always use the appropriate private key to decrypt the location pings his device is sending, but to every other device on the <em>Find My<\/em> network, his one device appears as thousands of separate trackers.<\/p>\n<p>In effect, it&#8217;s like having a stack of two thousand AirTags taped into one big ball, with only one of them having battery power at any one time. Each one is using the network legitimately, with all the privacy protections in place and working correctly.<\/p>\n<p>How does having a virtual ball of AirTags get around the stalker protections?<\/p>\n<p>To know if an AirTag is following you, you need to remember every AirTag you&#8217;ve seen recently and count how long each stays near you. When the number for any specific AirTag crosses a threshold, a warning is triggered. You can only keep a count for so many <em>recently seen<\/em> tags, and you forget each seen device when there have been no more sightings of it for some amount of time. The virtual ball of AirTags can change identity so often that it either overflows the number of counters iPhones keep, or has such long cycles that each counter has been timed out before it&#8217;s seen again, or both.<\/p>\n<p>Basically, because the device changes identity more often than Apple&#8217;s algorithms can currently handle, iPhones do not notice that they&#8217;re being followed.<\/p>\n<p>Apple may need to consider adding some kind of authentication into the network which stops pings from unauthorised private keys being relayed on the network at all \u2014 this would stop both the piggy-backing and identity-switching attacks, but that may be easier said than done. 
Apple could also deal with the virtual ball of AirTags problem by tweaking their algorithm and storing more IDs for longer in their cache of <em>recently seen<\/em> tags.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Br\u00e4unlein&#8217;s description of his stealth tracker: <a href=\"https:\/\/positive.security\/blog\/find-you\">Find You: Building a stealth AirTag clone \u2014 positive.security\/\u2026<\/a><\/li>\n<li>A more human-friendly explanation: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/23\/apple-airtag-anti-stalking-protection-bypassed-by-researchers\/\">Apple AirTag anti-stalking protection bypassed by researchers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/03\/05\/firefox-patches-two-in-the-wild-exploits-update-now\/\">Firefox patches two in-the-wild exploits \u2013 update now! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A critical emergency patch for a very popular WordPress plugin: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/02\/22\/wordpress-backup-plugin-maker-updraft-says-you-should-update\/\">WordPress backup plugin maker Updraft says \u201cYou should update\u201d\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2022\/02\/russia-sanctions-may-spark-escalating-cyber-conflict\/\">Russia Sanctions May Spark Escalating Cyber Conflict \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Security researchers reverse-engineered Samsung&#8217;s implementation of <em>TrustZone<\/em> (the Android equivalent of Apple&#8217;s <em>Secure Enclave<\/em>), and found they mis-implemented some of the cryptography, allowing the private keys to be extracted. 
Patches are available for newer phones, but for older phones, assume full disk encryption is broken (because it effectively is) and respond accordingly:\n<ul>\n<li><a href=\"https:\/\/www.itpro.co.uk\/security\/encryption\/362957\/samsung-galaxy-devices-vulnerable-cryptographic-key-hack\">100 million Samsung Galaxy devices vulnerable to cryptographic key hack \u2014 www.itpro.co.uk\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2022\/03\/04\/samsung-encryption-flaw\">Samsung Encryption Flaw in Over 100 Million Recent Phones \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>NVIDIA have confirmed that they have been the victim of an unusual kind of ransomware attack \u2014 the attackers claim to have stolen 1TB of industrial secrets, and are threatening to release them unless NVIDIA update their drivers to remove the anti-crypto-mining restrictions they added to their gaming GPUs to stop the crypto miners buying all the stock and freezing the gamers out:\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/nvidia-confirms-data-breach\/\">Nvidia Confirms Data Breach From Ransomware Attack \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/03\/02\/ransomware-with-a-difference-derestrict-your-software-or-else\/\">Ransomware with a difference: \u201cDerestrict your software, or else!\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nvidia-data-breach-exposed-credentials-of-over-71-000-employees\/\">NVIDIA data breach exposed credentials of over 71,000 employees \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f3a7; As part of their response to the Joe Rogan\/Spotify disinformation controversy, the Spotify-owned <em>Science VS<\/em> podcast 
has continued to publish shows on their pre-Spotify public feed that use science to directly address the issues. Their first such episode examined the actual science around COVID-19, and all the ways the Joe Rogan show got it very very wrong indeed, but their most recent one is very relevant to this segment \u2013 they examined the measured effectiveness of different approaches to fighting mis- and disinformation online: <a href=\"https:\/\/overcast.fm\/+Tr3-FXr_k\">Science VS: Misinformation \u2013 What Should Our Tech Overlords Do? \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to; when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a 
<strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. A little sting in the tail of that disgraceful threat by the Missouri Governor to prosecute a journalist for noticing personal data leaked in HTML source code of a government site \u2013 it was [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4570,46,156,4927,5096,50,569,3443],"class_list":["post-25404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-airtags","tag-apple","tag-facebook","tag-meta","tag-russia","tag-security","tag-security-bits","tag-ukraine"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.po
dfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=25404"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25404\/revisions"}],"predecessor-version":[{"id":25406,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25404\/revisions\/25406"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=25404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=25404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=25404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}