Lily Hay Newman posted an August 7, 2019 article in WIRED.com, with the title above. She begins, “when you think about how hackers can break into your smartphone, you probably imagine it would start with clicking on a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in. It turns out that’s not necessarily so — not even on the iPhone, where simply receiving an iMessage could be enough to get you hacked,” Ms. Newman wrote.
“At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich presented multiple, so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device,” Ms. Newman wrote. “And while Apple has already patched five of them, a few have yet to be patched.”
“These can be turned into the sort of bugs that will execute code, and be able to be eventually used for weaponized things like accessing your data,” Silvanovich said. “So, the worst-case scenario is that these bugs are used to harm users.”
Ms. Newman notes that “Silvanovich, who worked on the research with fellow Project Zero member Samuel Groß, got interested in interaction-less bugs because of a recent, dramatic WhatsApp vulnerability that allowed nation-state spies to compromise a phone just by calling it — even if the recipient did not answer the call.”
“But, when she looked for similar issues in SMS, MMS, and visual voicemail, she came up empty,” Ms. Newman wrote. “Silvanovich had assumed that iMessage would be a more scrutinized and locked-down target; but, when she started reverse engineering and looking for flaws, she quickly found multiple exploitable bugs.”
“This may be because iMessage is such a complex platform that offers an array of communication options and features,” Ms. Newman noted. “It encompasses Animojis, rendering files like photos and videos, and integration with other apps — everything from Apple Pay, to iTunes, to Fandango, to Airbnb. All of these extensions and interconnections increase the likelihood of mistakes and weaknesses.”
“One of the most interesting interaction-less bugs Silvanovich found was a fundamental logic issue that could have allowed a hacker to easily extract data from a user’s messages,” Ms. Newman wrote. “An attacker could send a specially crafted text message to a target, and the iMessage server would send specific user data back, like the content of their SMS messages or images. The victim wouldn’t even have to open their iMessage for the attack to work. iOS has protections in place that would usually block an attack like this; but, because it takes advantage of the system’s underlying logic, iOS’ defenses interpret it as legitimate and intended.”
“Other bugs Silvanovich found could lead to malicious code being placed on a victim’s device, again, just from an incoming text,” Ms. Newman wrote.
“Interaction-less bugs are highly coveted by exploit vendors and nation-state hackers, because they make it so easy to compromise a target’s device, without requiring any buy-in from the victim,” Ms. Newman wrote. “The six vulnerabilities Silvanovich found — with more yet to be announced — would potentially be worth millions of dollars on the exploit market.”
“Bugs like this haven’t been made public for a long time,” Silvanovich said. “There’s a lot of additional attack surface in programs like iMessage. The individual bugs are reasonably easy to patch, but you can never find all the bugs in software, and every library you use will become an attack surface. So, that design problem is relatively difficult to fix.”
“Silvanovich emphasizes that the security of iMessage is strong overall; and, that Apple is far from the only developer that sometimes makes mistakes in grappling with this conceptual issue,” Ms. Newman wrote. “Apple did not return a request from WIRED for comment.”
“Silvanovich said she also looked for interaction-less bugs in Android, but hasn’t found any so far,” Ms. Newman wrote. “She notes though, that it’s likely that such vulnerabilities exist in almost any target. Over the past year, she’s found similar flaws in WhatsApp, FaceTime, and the video conferencing protocol WebRTC.”
“Maybe this is an area that gets missed in security,” Silvanovich said. “There’s a huge amount of focus on implementation of protections, like cryptography, but it doesn’t matter how good your crypto is, if the program has bugs on the receiving end.”
“The best thing you can do to protect yourself against interaction-less attacks, is to keep your phone operating system and apps updated; Apple patched all six of the iMessage bugs Silvanovich presented in the recently released iOS 12.4 and macOS 10.14.6,” Ms. Newman explained. “But, beyond that, it’s up to developers to avoid introducing these types of bugs in their code, or spot them as quickly as possible. Given how inexorable interaction-less attacks can be, there’s not a lot users can do to stop them, once malicious messages or calls start pouring in.”
As I have written countless times on this blog, the Internet, and now the Internet-of-Things, was built for access and ease of communications; security was barely on the radar. Thus, the Internet is built on a flawed foundation, and remains an Internet-of-Threats as well. I am not surprised by this Apple threat/flaw, and I am skeptical that this threat is confined only to the iPhone. Facebook’s WhatsApp is another digital attack space.
Peter Lloyd posted an August 8, 2019 article in the DailyMail.com, noting that “a glitch in the code of WhatsApp could let hackers alter your messages, and change the words you have sent. Attackers could use [exploit] the flaw, altering text from quoted messages and manipulate the thread of the conversation,” according to cyber security experts. “They could even make it look as if the sender said something they didn’t say, by putting a different name above the comments made [that have been altered].”
Israel-based cyber security firm Check Point Research (CPR) “who uncovered the flaw, warned that ‘malicious actors’ may use the glitch to spread misinformation and fake news,” Mr. Lloyd wrote. CPR “claimed that Facebook bosses were made aware of the issue last year, but have yet to fix it.”
In a statement to Forbes Magazine, WhatsApp said “it didn’t recognize the glitch as a flaw in the software, but it did fix another error, which allowed people to send a private message to another group participant, disguised as a public message. We carefully reviewed this issue a year ago, and it is false to suggest there is a vulnerability with the security we provide on WhatsApp.”
Regardless, disinformation and fake news, fake photos, fake videos, etc. are all going to become even more dangerous and threatening in 2020, as hackers, nation-states and others employ artificial intelligence — which will supercharge their nefarious digital activities and techniques.
Remember, the only ‘clean’ digital devices are those that have never been used. Just because you think your system/network is clean, it probably isn’t. As my old boss Secretary of Defense Rumsfeld was fond of saying, “The absence of evidence, does not constitute evidence of absence.” Just because you haven’t seen it — doesn’t mean it hasn’t already happened. The best cyber thieves… haven’t been caught yet. RCP, fortunascorner.com