Security

Google Project Zero blog:

We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture (SEAR) group for collaborating with us on the technical analysis.

And:

Recently, however, it has been documented that NSO is offering their clients zero-click exploitation technology, where even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted. In the zero-click scenario no user interaction is required. Meaning, the attacker doesn’t need to send phishing messages; the exploit just works silently in the background. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense.

And:

The ImageIO library, as detailed in a previous Project Zero blogpost, is used to guess the correct format of the source file and parse it, completely ignoring the file extension. Using this “fake gif” trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code.

There’s a lot of detail here, fascinating if understanding exploits is your thing. But bottom line, a fake GIF is used to Trojan horse image processing code into life, and that code does the bad work, no clicks required.

Most importantly:

Apple inform us that they have restricted the available ImageIO formats reachable from IMTranscoderAgent starting in iOS 14.8.1 (26 October 2021), and completely removed the GIF code path from IMTranscoderAgent starting in iOS 15.0 (20 September 2021), with GIF decoding taking place entirely within BlastDoor.

Make sure you (and the folks you support) update to the latest and greatest.

See also: After US ban and Apple action, Pegasus spyware maker NSO running out of cash.

Krebs on Security:

The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website.

And:

When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at at their specified phone number.

And:

Apple’s Lost Mode doesn’t currently stop users from injecting arbitrary computer code into its phone number field — such as code that causes the Good Samaritan’s device to visit a phony Apple iCloud login page.

And this bit of espionage history:

If this sounds like a script from a James Bond movie, you’re not far off the mark. A USB stick with malware is very likely how U.S. and Israeli cyber hackers got the infamous Stuxnet worm into the internal, air-gapped network that powered Iran’s nuclear enrichment facilities a decade ago. In 2008, a cyber attack described at the time as “the worst breach of U.S. military computers in history” was traced back to a USB flash drive left in the parking lot of a U.S. Department of Defense facility.

There clearly seems to be a phishing opportunity here. Guessing that Apple could add code to the firmware to prevent the injection of code to an AirTag phone number. No matter, good to be aware of this sort of attack.

Reed Albergotti, Washington Post:

Many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they’re owed. Ultimately, they say, Apple’s insular culture has hurt the program and created a blind spot on security.

“It’s a bug bounty program where the house always wins,” said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple’s bad reputation in the security industry will lead to “less secure products for their customers and more cost down the line.”

And:

In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, they point to Apple’s rivals for comparison. Facebook, Microsoft and Google publicize their programs and highlight security researchers who receive bounties in blog posts and leader boards. They hold conferences and provide resources to encourage a broad international audience to participate.

And:

Most of them pay more money each year than Apple, which is at times the world’s most valuable company. Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstić said in his statement. He said that number is likely to increase this year.

This is a long article, filled with bug bounty stories, many of them anonymously told. Hard to truly know whether this is the squeaky wheel getting all the attention, or something more problematic. But read the article (here’s an Apple News link if you don’t have access to WaPo).

Definitely reads like Apple puts less money into bug bounties, shines less of a light onto bug researcher efforts and successes than its competitors.

J. Glenn Künzler, Sonny Dickson blog:

Earlier this week, news broke of a strange networking issue that can permanently disable all WiFi activity on iOS devices. It’s currently known to affect iOS 14 only, and can cause quite a mess. The news was originally revealed by reverse engineer Carl Schou (via BleepingComputer (story sourced via MacTrast), and while there was originally very little information revealed about the issue or how it functions, we decided to put our research hats on and see what we could discover.

This all started with this tweet:

https://twitter.com/vm_call/status/1405937492642123782

Don’t try this at home. But a fascinating bug.

If you find this interesting, follow the headline link to watch J. Glenn Künzler try his hand to work through what’s going on.

Sami Fathi, MacRumors:

Despite previous attempts to put the situation at rest, some iCloud users continue to experience spam calendar invitations, causing their calendars to be filled with random events.

And:

Victims are targeted in various ways. The most common method is by receiving a normal iCloud calendar invitation through their calendar app.

Interacting with the invitation, including declining, accepting, or choosing “Maybe,” lets the spammer know that the email is valid, so it can continue to be targeted.

Other users are targeted through web pop-ups on potentially malicious or adult websites.

If you find yourself subscribed to a spam calendar event, check out the video below, which Apple Support posted a few weeks ago. Also, check out this Apple support document, which basically says the same thing as the video.

Kartikay Mehrotra, Bloomberg:

As Apple Inc. was revealing its newest line of iPads and flashy new iMacs on Tuesday, one of its primary suppliers was enduring a ransomware attack from a Russian operator claiming to have stolen blueprints of the U.S. company’s latest products.

Then, about an email exchange with the hackers:

REvil then delivered on its promise to publish data it believes to be Apple’s proprietary blueprints for new devices. The images include specific component serial numbers, sizes and capacities detailing the many working parts inside of an Apple laptop.

A pretty significant security lapse. If those images became public, I wonder how significant the harm would be. A leg up for competitors trying to copy Apple designs? Or more of an annoyance, since the products have been announced, and will ship soon, available to be taken apart and examined firsthand?

Washington Post:

The iPhone used by a terrorist in the San Bernardino shooting was unlocked by a small Australian hacking firm in 2016, ending a momentous standoff between the U.S. government and the tech titan Apple.

At the time, the general consensus was that the FBI was using an Israeli security firm, well known for this sort of smartphone break-in.

Azimuth Security, a publicity-shy company that says it sells its cyber wares only to democratic governments, secretly crafted the solution the FBI used to gain access to the device, according to several people familiar with the matter.

And:

The identity of the hacking firm has remained a closely guarded secret for five years. Even Apple didn’t know which vendor the FBI used, according to company spokesman Todd Wilder. But without realizing it, Apple’s attorneys came close last year to learning of Azimuth’s role — through a different court case, one that has nothing to do with unlocking a terrorist’s device.

And:

Apple has a tense relationship with security research firms. Wilder said the company believes researchers should disclose all vulnerabilities to Apple so that the company can more quickly fix them. Doing so would help preserve its reputation as having secure devices.

And:

But many security researchers say it’s legitimate to sell these flaws to democratic governments. And the ability of government agencies to unlock iPhones has also spared Apple from direct conflict with these governments. For instance, by unlocking the terrorist’s iPhone, some say, Azimuth came to Apple’s rescue by ending a case that could have led to a court-ordered back door to the iPhone.

I do think it’s true that this solution took the heat off Apple, turned down the dial on Congress’ efforts to force Apple to create a backdoor to the iPhone. But as has been proven time and time again, there’s just no way a back door created for law enforcement would not end up in the hands of black hat hackers.

I do agree with Apple’s take, that researchers should disclose all vulnerabilities to Apple so they can release patches.

The Washington Post story is a fascinating read. Here’s a link to the Apple News version of the article.

Sami Fathi, MacRumors:

Starting with iOS and iPadOS 14.5, Apple will proxy Google’s “Safe Browsing” service used in Safari through its own servers instead of relying on Google as a way to limit which personal data Google sees about users.

And:

Apple relies on Google’s “Safe Browsing,” a database/blocklist of websites crawled by Google of websites that it deems to be suspected phishing or scam.

And:

While Google doesn’t know which specific URL you’re trying to visit, it may collect your IP address during its interaction with Safari. Now on iOS/iPadOS 14.5, that’s no longer the case. As confirmed by the Head of Engineering for WebKit, Apple will now proxy Google’s Safe Browsing feature through its own servers instead of Google as a way to “limit the risk of information leak.”

Good move.

Sam Curry:

Between the period of July 6th to October 6th myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.

And:

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

Most importantly:

As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).

This is a fascinating read, filled with detail. Work like this finds the vulnerabilities before they can be used against us. There’s also a bit of insight on Apple’s bug bounty program.

Lily Hay Newmman, Wired:

College student Peter Dantini discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew. Dantini accidentally typed something slightly different than brew.sh, the correct URL. The page he landed on redirected a number of times to a fake Adobe Flash update page. Curious about what malware he might find, Dantini downloaded it on purpose. To his surprise, macOS popped up its standard warning about programs downloaded from the internet, but didn’t block him from running the program. When Dantini confirmed that it was notarized, he sent the information on to longtime macOS security researcher Patrick Wardle.

And:

The campaign is distributing the ubiquitous “Shlayer” adware, which by some counts has affected as many as one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, like injecting ads into search results. It’s not clear how Shlayer slipped past Apple’s automated scans and checks to get notarized, especially given that it’s virtually identical to past versions. But it’s the first known example of malware being notarized for macOS.

Interesting how this stuff gets discovered. All this time and it’s still in the wild. So much so, that it slipped past Apple’s scanners and got notarized.

Filipe Espósito, 9to5Mac:

One of the major security enhancements Apple has brought to its devices over the years is the Secure Enclave chip, which encrypts and protects all sensitive data stored on the devices. Last month, however, hackers claimed they found a permanent vulnerability in the Secure Enclave, which could put data from iPhone, iPad, and even Mac users at risk.

Good explainer. A few key points:

• This vulnerability is permanent. Because the Secure Enclave is embedded in the processor and not patchable, it cannot be fixed on a specific device.
• That said, Apple has fixed the design itself, starting with the A12. So if you’ve got a device with an A7 through A11, that issue exists on your device.
• The good news? To take advantage of the exploit, a hacker would need physical access to your device.

Here’s a list of devices that have the Arm A12. If you’ve got one of these, or newer, you’ve got the fix in place:

• iPhone XS and XS Max
• iPhone XR
• iPad Mini (5th generation)
• iPad Air (2019, 3rd generation)

Los Angeles Times:

Federal agents seized a cellphone belonging to a prominent Republican senator on Wednesday night as part of the Justice Department’s investigation into controversial stock trades he made as the novel coronavirus first struck the U.S., a law enforcement official said.

And:

The seizure represents a significant escalation in the investigation into whether Burr violated a law preventing members of Congress from trading on insider information they have gleaned from their official work.

On the Apple side:

A second law enforcement official said FBI agents served a warrant in recent days on Apple to obtain information from Burr’s iCloud account and said agents used data obtained from the California-based company as part of the evidence used to obtain the warrant for the senator’s phone.

I’m curious what part of Burr’s iCloud account the FBI got access to. Was it iCloud Drive? Was it iCloud backup (perhaps Burr’s backup was not set to be encrypted)?

From Apple’s iCloud security overview:

iCloud secures your information by encrypting it when it’s in transit, storing it in iCloud in an encrypted format, and using secure tokens for authentication. For certain sensitive information, Apple uses end-to-end encryption. This means that only you can access your information, and only on devices where you’re signed into iCloud. No one else, not even Apple, can access end-to-end encrypted information.

For a clue on what information might have been available to the FBI, take a look at Section III of Apple’s Legal Process Guidelines (H/T Mike Wuerthele, AppleInsider).

Bit of a rabbit hole there, but an interesting read. Seems clear the FBI got what they needed.

Ryan Pickren:

This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads). ​> Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis. ​> If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.

And:

I reported this bug to Apple in accordance with the Security Bounty Program rules and used BugPoC to give them a live demo. Apple considered this exploit to fall into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category and awarded me $75,000.

If this sort of thing concerns you, put a post-it over your Mac and Mac display cameras.

The proposal is embedded in this GitHub repository. Easy read, short and clearly written.

From the linked ZDNet explainer:

Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.

And:

The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with an URL. This is done by adding the login URL inside the SMS itself.

The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.

Basically, the goal is to automate the process, to have your device enter the code automatically, rather than you having to copy and paste it. Seems to me, in the past when this standardization was raised, there was a security concern about taking the human out of the middle of this process. Was that concern unfounded?