Open thread: smartphone security

There are masses of important recent news stories on the topic of smartphone security. I have been filing them below posts like this one, this one, and this one, but they really deserve a spot of their own.

First news story: Micro Systemation makes software that allows people to bypass the 4-digit lock code on an iPhone in seconds. This could be important for people crossing borders, people who get arrested at political protests, etc.

Author: Milan

In the spring of 2005, I graduated from the University of British Columbia with a degree in International Relations and a general focus in the area of environmental politics. In the fall of 2005, I began reading for an M.Phil in IR at Wadham College, Oxford. Outside school, I am very interested in photography, writing, and the outdoors. I am writing this blog to keep in touch with friends and family around the world, provide a more personal view of graduate student life in Oxford, and pass on some lessons I've learned here.

45 thoughts on “Open thread: smartphone security”

  1. Can Apple give police a key to your encrypted iPhone data? Ars investigates

    Does Apple have a backdoor that it can use to help law enforcement bypass your iPhone’s passcode? That question became front and center this week when training materials (PDF) for the California District Attorneys Association started being distributed online with a line implying that Apple could do so if the appropriate request was filed by police.

    As with most things, the answer is complex and not very straightforward. Apple almost definitely does help law enforcement get past iPhone security measures, but how? Is Apple advising them using already well-known cracking techniques, or does the company have special access to our iDevices that we don’t know about? Ars decided to try to find out.

    http://arstechnica.com/apple/news/2012/04/can-apple-give-police-a-key-to-your-encrypted-iphone-data-ars-investigates.ars

  2. UK Police Roll Out On-the-Spot Mobile Data Extraction System

    http://yro.slashdot.org/story/12/05/16/2357251/uk-police-roll-out-on-the-spot-mobile-data-extraction-system

    “The Metropolitan Police has rolled out a mobile device data extraction system to allow officers to extract data ‘within minutes’ from suspects’ phones while they are in custody. ‘Ostensibly, the system has been deployed to target phones that are suspected of having actually been used in criminal activity, although data privacy campaigners may focus on potentially wider use.'”

  3. Apple Releases IOS Security Guide

    “Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn’t been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple’s first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what’s in the new Apple guide has been discussed in presentations and talks by researchers. ‘Apple doesn’t really talk about their security mechanisms in detail. When they introduced ASLR, they didn’t tell anybody. They didn’t ever explain how codesigning worked,’ security researcher Charlie Miller said.”

  4. Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier models that clickjacking rootkits could exploit. As part of an effort to identify potential weaknesses in smartphone platforms, the team was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel.

    http://it.slashdot.org/story/12/07/02/219234/prototype-clickjacking-rootkit-developed-for-android

  5. Leave Your Cellphone at Home

    Earlier this year in Wired, writer and intelligence expert James Bamford described the National Security Agency’s plans for the Utah Data Center. A nondescript name, but it has another: the First Intelligence Community Comprehensive National Cyber-security Initiative Data Center. The $2 billion facility, scheduled to open in September 2013, will be used to intercept, decipher, analyze, and store the agency’s intercepted communications—everything from emails, cell phone calls, Google searches, and Tweets, to retail transactions. How will all this data be stored? Imagine, if you can, 100,000 square-feet filled with row upon row of servers, stacked neatly on racks. Bamford projects that its processing-capacity may aspire to yottabytes, or 10^24 bytes, and for which no neologism of higher magnitude has yet been coined.

    To store the data, the NSA must first collect it, and here Bamford relies on a man named William Binney, a former NSA crypto-mathematician, as his main source. For the first time, since leaving the NSA in 2001, Binney went on the record to discuss Stellar Wind, which we all know by now as the warrantless wiretapping program, first approved by George Bush after the 2001 attacks on the twin towers. The program allowed the NSA to bypass the Foreign Intelligence Surveillance Court, in charge of authorizing eavesdropping on domestic targets, permitting the wholesale monitoring of millions of American phone calls and emails. In his thirty years at the NSA, Binney helped to engineer its automated system of networked data collection which, until 2001, was exclusively directed at foreign targets. Binney left when the organization started to use this same technology to spy on American citizens. He tells of secret electronic monitoring rooms in major US telecom facilities, controlled by the NSA, and powered by complex software programs examining Internet traffic as it passes through fiber-optic cables. (At a local event last week, Binney circulated a list of possible interception points, including 811 10th Avenue, between 53rd & 54th St., which houses the largest New York exchange of AT&T Long Lines.) He tells of software, created by a company called Narus, that parses US data sources: any communication arousing suspicion is automatically copied and sent to the NSA. Once a name enters the Narus database, all phone calls, emails and other communications are automatically routed to the NSA’s recorders.

  6. “Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous’s story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI’s statement, with an unidentified Apple representative claiming that, ‘The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.’ It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, ‘Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.’ Even though neither Anonymous nor the FBI/Apple will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device’s UDID, DevToken ID, and device name has been released, however the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses.”

  7. “Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs ‘toll fraud’ — billing victims using premium SMS services. The problem is very geographically-dependent, worst in areas with weak SMS regulation, particularly China, Ukraine, and Russia, where users are 10,000 times more likely to have malware on their phones than users in Japan, for example. Other risks include mobile ads surreptitiously uploading personal data, as well as apps that download other malware without users knowing. The full report is available.”

  8. Your Cellphone is Covered in Spiders; Pragmatic Android Security

    from Cooper Quintin

    This is a presentation I gave at Hope Number 9 in NYC on July 14, 2012. I discuss the security and privacy concerns in Android and other smartphone platforms and present steps that even a non-technical user can take to help secure their smartphone. I mostly focus on Android in this talk but there is some iPhone talk as well.

    The slides and additional notes are Free and Open Source and can be found and remixed here: github.com/cooperq/spiders

  9. Some phones can be pwned by sending two SMS messages to them

    Security researcher Karsten Nohl has shown that if you send some mobile phones an SMS that appears to originate with the phone company, the phone will SMS back an error message containing sensitive info about its SIM. With this info, you can send another SMS that terminally compromises the phone, giving the attacker the ability to listen in on calls, read texts, and impersonate the phone’s owner. He disclosed the vulnerability to the GSM association early, and on August 1 he’ll present his work at Black Hat in Las Vegas. At the root of the problem is a reliance on an older, compromised form of crypto, DES.
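The two-message sequence the comment above describes, as an added example that is not from the original post or from Nohl’s own research: a Go simulation of a SIM that single-DES-signs its error replies, and an attacker who turns one such reply into a known-plaintext key search and then signs a command of their own. The OTA header bytes, the command strings, the CBC-MAC construction, the proof-of-receipt layout and the 16-bit key search (six of the eight key bytes are fixed so the demo finishes instantly) are my assumptions and simplifications; the real attack has to cover the full 56-bit DES key space, which is what rainbow tables make cheap.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// cbcMAC returns an 8-byte single-DES CBC-MAC (zero IV, zero padding) over msg.
// It stands in for the "cryptographic checksum" some SIM OTA profiles attach to
// commands and proofs of receipt; it is an illustration, not a conformant one.
func cbcMAC(key, msg []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := append([]byte{}, msg...)
	if rem := len(padded) % 8; rem != 0 {
		padded = append(padded, make([]byte, 8-rem)...)
	}
	mac := make([]byte, 8)
	buf := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range buf {
			buf[j] = mac[j] ^ padded[i+j]
		}
		block.Encrypt(mac, buf)
	}
	return mac, nil
}

const (
	porOK  byte = 0x00
	porBad byte = 0x01 // checksum verification failed
)

// sim models a card holding a secret OTA key. signErrors is the bug: a card
// that MAC-signs its error replies hands out a known-plaintext/MAC pair.
type sim struct {
	otaKey     []byte
	signErrors bool
}

// handle verifies cmd against mac and returns the status plus the proof of
// receipt (status byte followed by an echo of the command) and its MAC.
func (s *sim) handle(cmd, mac []byte) (status byte, por, porMAC []byte) {
	want, _ := cbcMAC(s.otaKey, cmd)
	status = porBad
	if bytes.Equal(want, mac) {
		status = porOK
	}
	por = append([]byte{status}, cmd...)
	if status == porOK || s.signErrors {
		porMAC, _ = cbcMAC(s.otaKey, por)
	}
	return status, por, porMAC
}

// recoverKey enumerates every 8-byte key that starts with knownPrefix and
// returns the first one whose MAC over plaintext matches mac. With two free
// bytes that is 2^16 DES trials; the real attack covers all 2^56 keys (with
// precomputed tables, in minutes). The prefix only keeps the demo instant.
func recoverKey(knownPrefix, plaintext, mac []byte) ([]byte, bool) {
	free := 8 - len(knownPrefix)
	key := make([]byte, 8)
	copy(key, knownPrefix)
	for i := uint64(0); i < uint64(1)<<(8*uint(free)); i++ {
		var tail [8]byte
		binary.BigEndian.PutUint64(tail[:], i)
		copy(key[len(knownPrefix):], tail[8-free:])
		if got, err := cbcMAC(key, plaintext); err == nil && bytes.Equal(got, mac) {
			return append([]byte{}, key...), true
		}
	}
	return nil, false
}

// runAttack plays the two-SMS sequence against card. It returns the recovered
// key and whether the card then accepted an attacker-signed command.
func runAttack(card *sim, knownPrefix []byte) ([]byte, bool) {
	// SMS 1: an OTA command with a garbage checksum (header bytes constructed).
	probe := []byte{0x00, 0x00, 0x00, 0x00, 0x01, 0xA0}
	status, por, porMAC := card.handle(probe, make([]byte, 8))
	if status != porBad || porMAC == nil {
		return nil, false // a card that stays silent on failure leaks nothing
	}
	// The PoR body is predictable, so (por, porMAC) is a known-plaintext pair.
	key, ok := recoverKey(knownPrefix, por, porMAC)
	if !ok {
		return nil, false
	}
	// SMS 2: an attacker-chosen command signed with the recovered key.
	payload := []byte("INSTALL attacker.cap") // constructed stand-in for an applet load
	mac, _ := cbcMAC(key, payload)
	status, _, _ = card.handle(payload, mac)
	return key, status == porOK
}

func main() {
	otaKey := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x3A, 0x5C} // constructed
	for _, leaky := range []bool{true, false} {
		card := &sim{otaKey: otaKey, signErrors: leaky}
		key, pwned := runAttack(card, otaKey[:6])
		fmt.Printf("signs errors=%v recovered=%x accepted forged command=%v\n", leaky, key, pwned)
	}
}
```

Running it prints one line per card: the card that signs its error replies gives up the full key and then accepts the forged command, while the card that answers a bad checksum with an unsigned error leaves the attacker nothing to search against. Both halves of the fix are visible in the code: stop signing error replies, and replace single DES (the `des.NewCipher` call in `cbcMAC`) with a cipher whose key space `recoverKey` cannot enumerate.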

  10. Though rare, more toxic mobile malware can collect personal data and contact lists, monitor keystrokes, track a phone’s location or even take photographs or video of users and their surroundings. It can then transmit this booty back to servers run by organised crime for extortion, identity theft, scams or phishing trips. Even more worryingly, thanks to improvements in “near-field communication”, phones are beginning to morph into wallets—with all the necessary links to bank accounts and credit cards—so users can make incidental payments at stations, convenience stores and elsewhere merely by waving their phone near a terminal. Cybercrooks must be rubbing their hands in glee.

  11. Silent Circle’s Blackphone Exploited at Def Con

    Def Con shows no mercy. As gleefully reported by several BlackBerry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com’s linked report: “However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities.” Case reacts via Twitter to the crowing: “Hey BlackBerry idiots, stop misquoting me on your blogs. Your phone is only ‘secure’ because it has few users and little value as a target.”

  12. Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

    Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel’s phone.

    Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.

  13. Apple’s iOS App Store suffers first major cyber attack

    Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.

    The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

    It is the first reported case of large numbers of malicious software programs making their way past Apple’s stringent app review process. Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc.

    The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

  14. Smurfs vs phones: GCHQ’s smartphone malware can take pics, listen in even when phone is off

    “Dreamy Smurf is the power management tool which means turning your phone on and off without you knowing,” he said.

    “Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.

    “Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.”

    Mr Snowden also referred to a tool known as Paranoid Smurf.

    “It’s a self-protection tool that’s used to armour [GCHQ’s] manipulation of your phone. For example, if you wanted to take the phone in to get it serviced because you saw something strange going on or you suspected something was wrong, it makes it much more difficult for any technician to realise that anything’s gone amiss.”

  15. Users eager to get their hands on the new Nintendo mobile gaming app Pokemon GO who download unofficial copies of the game are opening themselves up to hackers who are circulating malicious versions of the Android APK. A remote access tool (RAT), known as DroidJack (or SandroRAT), has been added to some APK files, allowing third parties to gain full control over the users’ mobile devices. Permissions granted to the dodgy app include: directly calling phone numbers, reading phone status and identity, editing and reading text messages, sending SMS messages and recording audio.

    https://it.slashdot.org/story/16/07/11/1757210/infected-pokemon-go-apk-carries-dangerous-android-backdoor
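One triage step a practitioner would take on a sideloaded APK like the one in the comment above, as an added example that is not from the original post or from any analysis of the real package: diff the permissions in a decoded AndroidManifest.xml against the official build’s manifest and flag the dangerous additions. Both manifests, the package name, the service name and the high-risk permission list are constructed for this example; a real APK carries a binary manifest, so decode it first (for instance with apktool) before feeding it to `usesPermissions`.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"sort"
	"strings"
)

// officialManifest and repackedManifest are constructed stand-ins for the
// decoded AndroidManifest.xml of a game and of a trojanised copy of it.
// The package and service names are placeholders, not real identifiers.
const officialManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Game"/>
</manifest>`

const repackedManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <service android:name="com.example.rat.Service"/>
  </application>
</manifest>`

// highRisk is my own selection of permissions that hand an app phone, SMS or
// microphone control, none of which a game has a reason to request.
var highRisk = map[string]bool{
	"android.permission.CALL_PHONE":          true,
	"android.permission.READ_PHONE_STATE":    true,
	"android.permission.READ_SMS":            true,
	"android.permission.WRITE_SMS":           true,
	"android.permission.SEND_SMS":            true,
	"android.permission.RECEIVE_SMS":         true,
	"android.permission.RECORD_AUDIO":        true,
	"android.permission.SYSTEM_ALERT_WINDOW": true,
}

// usesPermissions returns, sorted, the android:name of every <uses-permission>
// element. It walks the token stream and matches on the local attribute name,
// so it does not care how the "android" namespace prefix was declared.
func usesPermissions(manifest string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(manifest))
	var perms []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Local != "uses-permission" {
			continue
		}
		for _, a := range se.Attr {
			if a.Name.Local == "name" {
				perms = append(perms, a.Value)
			}
		}
	}
	sort.Strings(perms)
	return perms, nil
}

// diffPermissions lists the permissions suspect requests beyond reference,
// and separately those among them that fall in highRisk.
func diffPermissions(reference, suspect string) (added, dangerous []string, err error) {
	refPerms, err := usesPermissions(reference)
	if err != nil {
		return nil, nil, err
	}
	susPerms, err := usesPermissions(suspect)
	if err != nil {
		return nil, nil, err
	}
	known := make(map[string]bool, len(refPerms))
	for _, p := range refPerms {
		known[p] = true
	}
	for _, p := range susPerms {
		if known[p] {
			continue
		}
		added = append(added, p)
		if highRisk[p] {
			dangerous = append(dangerous, p)
		}
	}
	return added, dangerous, nil
}

func main() {
	added, dangerous, err := diffPermissions(officialManifest, repackedManifest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d permissions not in the official build, %d of them high-risk:\n", len(added), len(dangerous))
	for _, p := range dangerous {
		fmt.Println("  !!", p)
	}
}
```

The reference manifest does the real work here: a permission list on its own tells you little, but a game that suddenly wants to place calls, read and send SMS and record audio stands out immediately against the build from the official store. The same diff applies to any repackaged app, and the unexplained extra `<service>` in the trojanised manifest is the next thing to pull apart.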

  16. Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones

    The baseband firmware in your phone is the outermost layer of software, the “bare metal” code that has to be implicitly trusted by the phone’s operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your phone that the phone itself can’t detect or defend against.

    Now, a CERT advisory confirms an earlier report of a vulnerability in Qualcomm’s baseband firmware, which is very widely deployed. Any patch for this vulnerability will have to be installed on billions of end points, many of them in hard-to-reach places, which means that attackers will be well-served by any work they do to exploit this vulnerability.

  17. Meeting Cellebrite – Israel’s master phone crackers

    It’s an Israeli company that helps police forces gain access to data on the mobile phones of suspected criminals.

    Cellebrite was in the headlines earlier this year when it was rumoured to have helped the FBI to crack an iPhone used by the San Bernardino shooter.

    Now the company has told the BBC that it can get through the defences of just about any modern smartphone. But the firm refuses to say whether it supplies its technology to the police forces of repressive regimes.

    Last week Cellebrite was showing off its technology to British customers. I was invited to a hotel in the Midlands, where police officers from across the UK had come to see equipment and software that first extracts data from suspects’ phones, then analyses how they interact with others.

  18. Poisoned wifi signals can take over all Android devices in range, no user intervention required

    Vulnerabilities in the Broadcom system-on-a-chip that provides wifi for many Android devices mean that simply lighting up a malicious wifi access point can allow an attacker to compromise every vulnerable device in range, without the users having to take any action — they don’t have to try to connect to the malicious network.

    iPhones are also vulnerable to the attack, but Apple issued a patch for them on Monday.

  19. People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens — one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 — can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a “trust boundary.”

  20. A Hardware Privacy Monitor for iPhones

    Andrew “bunnie” Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone’s operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance.

    Our introspection engine is designed with the following goals in mind:

    Completely open source and user-inspectable (“You don’t have to trust us”)

    Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)

    Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)

    Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)

    Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” — state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)

    As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)

    Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)

    Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)

  21. Fake apps are often stuffed with malicious code. Academics from a research group, SerVal, at the University of Luxembourg, estimate that around a fifth of all Android app-based malware is hidden in fake apps. The malware facilitates various money-making schemes. The most egregious are designed to steal the passwords that unlock users’ bank accounts. But it is more common for scams to profit from ordinary advertising, particularly on Android devices, says Eliran Sapir of Apptopia, a tech firm. Adverts in the smartphone’s web browser get quietly replaced by similar ones chosen by the fake-app developer.

    Developers can make much more money with fake apps than through legitimate means, reckons Mr Sapir. On dark-web forums, hackers and small-time digital advertisers offer developers around $1 per user per year to inject their apps with malicious code. In theory, a single app with 15,000 users (about a tenth of all apps have this many) could bring in roughly $1,250 per month. Most legitimate apps make about $1,000 per month, according to a survey from InMobi, a mobile-advertising company.

  22. The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients. The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

    The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut. “People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” said EFF Director of Cybersecurity Eva Galperin. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

  23. The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems. Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France. The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials.

    https://apple.slashdot.org/story/21/07/19/1527218/despite-the-hype-iphone-security-no-match-for-nso-spyware

  24. Citizen Lab is reporting on two zero-click iMessage exploits, in spyware sold by the cyberweapons arms manufacturer NSO Group to the Bahraini government.

    These are particularly scary exploits, since they don’t require the victim to do anything, like click on a link or open a file. The victim receives a text message, and then they are hacked.

    https://www.schneier.com/blog/archives/2021/09/zero-click-iphone-exploits.html

    Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits

    https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/

  25. Spain said that Pedro Sánchez, the prime minister, the current defence minister and a former foreign minister, had all been victims of Pegasus smartphone spyware. More than 60 people associated with the Catalan separatist movement were previously known to have been targets. Spanish intelligence is suspected of bugging the separatists, and Morocco of bugging the government.

    https://www.economist.com/the-world-this-week/2022/05/07/politics

  26. Technology is being used to make life hell for uppity hacks. New tools make it easier to spy on them. Investigations last year found Pegasus eavesdropping software had been slipped into the mobile phones of almost 200 journalists, to read their messages, track them and identify their sources. Social media can be used to harass reporters. A survey found almost three-quarters of female journalists have endured online abuse. This is scariest when it is organised, and has the tacit backing of the ruling party. In India, for example, critics of the prime minister, Narendra Modi, face torrents of death and rape threats from Hindu nationalist trolls, who sometimes publish their addresses and incite vigilantes to visit them.

    https://www.economist.com/leaders/press-freedom-is-under-attack-it-needs-defenders/21809133
