Open thread: smartphone security

2012-03-27

in Bombs and rockets, Geek stuff, Internet matters, Law, Politics, Security

There are masses of important recent news stories on the topic of smartphone security. I have been filing them below posts like this one, this one, and this one, but they really deserve a spot of their own.

First news story: Micro Systemation makes software that allows people to bypass the 4-digit lock code on an iPhone in seconds. This could be important for people crossing borders, people who get arrested at political protests, etc.


. April 5, 2012 at 12:02 pm

Can Apple give police a key to your encrypted iPhone data? Ars investigates

Does Apple have a backdoor that it can use to help law enforcement bypass your iPhone’s passcode? That question became front and center this week when training materials (PDF) for the California District Attorneys Association started being distributed online with a line implying that Apple could do so if the appropriate request was filed by police.

As with most things, the answer is complex and not very straightforward. Apple almost definitely does help law enforcement get past iPhone security measures, but how? Is Apple advising them using already well-known cracking techniques, or does the company have special access to our iDevices that we don’t know about? Ars decided to try to find out.

http://arstechnica.com/apple/news/2012/04/can-apple-give-police-a-key-to-your-encrypted-iphone-data-ars-investigates.ars

. April 22, 2012 at 1:22 am

Once the handset has been jailbroken and the passcode guessed, all the data on the handset, including call logs, messages, contacts, GPS data and even keystrokes, can be accessed and examined.

https://www.schneier.com/blog/archives/2012/04/law_enforcement.html

. May 17, 2012 at 11:18 am

UK Police Roll Out On-the-Spot Mobile Data Extraction System

http://yro.slashdot.org/story/12/05/16/2357251/uk-police-roll-out-on-the-spot-mobile-data-extraction-system

“The Metropolitan Police has rolled out a mobile device data extraction system to allow officers to extract data ‘within minutes’ from suspects’ phones while they are in custody. ‘Ostensibly, the system has been deployed to target phones that are suspected of having actually been used in criminal activity, although data privacy campaigners may focus on potentially wider use.'”

. June 2, 2012 at 5:53 pm

Apple Releases iOS Security Guide

“Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn’t been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple’s first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what’s in the new Apple guide has been discussed in presentations and talks by researchers. ‘Apple doesn’t really talk about their security mechanisms in detail. When they introduced ASLR, they didn’t tell anybody. They didn’t ever explain how codesigning worked,’ security researcher Charlie Miller said.”

. July 3, 2012 at 3:54 pm

Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier models that clickjacking rootkits could exploit. As part of an effort to identify potential weaknesses in smartphone platforms, the team was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel.

http://it.slashdot.org/story/12/07/02/219234/prototype-clickjacking-rootkit-developed-for-android

. September 4, 2012 at 4:11 pm

Leave Your Cellphone at Home

Earlier this year in Wired, writer and intelligence expert James Bamford described the National Security Agency’s plans for the Utah Data Center. A nondescript name, but it has another: the First Intelligence Community Comprehensive National Cyber-security Initiative Data Center. The $2 billion facility, scheduled to open in September 2013, will be used to intercept, decipher, analyze, and store the agency’s intercepted communications—everything from emails, cell phone calls, Google searches, and Tweets, to retail transactions. How will all this data be stored? Imagine, if you can, 100,000 square feet filled with row upon row of servers, stacked neatly on racks. Bamford projects that its processing capacity may aspire to yottabytes, or 10^24 bytes, for which no neologism of higher magnitude has yet been coined.

To store the data, the NSA must first collect it, and here Bamford relies on a man named William Binney, a former NSA crypto-mathematician, as his main source. For the first time, since leaving the NSA in 2001, Binney went on the record to discuss Stellar Wind, which we all know by now as the warrantless wiretapping program, first approved by George Bush after the 2001 attacks on the twin towers. The program allowed the NSA to bypass the Foreign Intelligence Surveillance Court, in charge of authorizing eavesdropping on domestic targets, permitting the wholesale monitoring of millions of American phone calls and emails. In his thirty years at the NSA, Binney helped to engineer its automated system of networked data collection which, until 2001, was exclusively directed at foreign targets. Binney left when the organization started to use this same technology to spy on American citizens. He tells of secret electronic monitoring rooms in major US telecom facilities, controlled by the NSA, and powered by complex software programs examining Internet traffic as it passes through fiber-optic cables. (At a local event last week, Binney circulated a list of possible interception points, including 811 10th Avenue, between 53rd & 54th St., which houses the largest New York exchange of AT&T Long Lines.) He tells of software, created by a company called Narus, that parses US data sources: any communication arousing suspicion is automatically copied and sent to the NSA. Once a name enters the Narus database, all phone calls, emails and other communications are automatically routed to the NSA’s recorders.

. September 6, 2012 at 3:26 pm

“Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and the FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous’s story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI’s statement, with an unidentified Apple representative claiming that, ‘The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.’ It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, ‘Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.’ Even though neither Anonymous nor the FBI/Apple will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device’s UDID, DevToken ID, and device name has been released; however, the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses.”

. September 11, 2012 at 11:36 am

“Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs ‘toll fraud’ — billing victims using premium SMS services. The problem is very geographically-dependent, worst in areas with weak SMS regulation, particularly China, Ukraine, and Russia, where users are 10,000 times more likely to have malware on their phones than users in Japan, for example. Other risks include mobile ads surreptitiously uploading personal data, as well as apps that download other malware without users knowing. The full report is available.”

. October 16, 2012 at 12:20 am

FBI warns users of malicious mobile malware

In a warning issued by a government task force, mobile users are told to beware of malware that is especially lured to Android’s operating system and ways to avoid it.

. December 19, 2012 at 7:48 pm

There’s a new exploit against Samsung Galaxy phones that allows a rogue app access to all memory. A hacker could copy all of your data, erase all of your data, and basically brick your phone.

. July 15, 2013 at 3:22 pm

Your Cellphone is Covered in Spiders; Pragmatic Android Security

from Cooper Quintin

This is a presentation I gave at Hope Number 9 in NYC on July 14, 2012. I discuss the security and privacy concerns in Android and other smartphone platforms and present steps that even a non-technical user can take to help secure their smartphone. I mostly focus on Android in this talk, but there is some iPhone talk as well.

The slides and additional notes are Free and Open Source and can be found and remixed here: github.com/cooperq/spiders

anon July 23, 2013 at 11:15 pm

Some phones can be pwned by sending two SMS messages to them

Security researcher Karsten Nohl has shown that if you send some mobile phones an SMS that appears to originate with the phone company, the phone will SMS back an error message containing sensitive info about its SIM. With this info, you can send another SMS that terminally compromises the phone, giving the attacker the ability to listen in on calls, read texts, and impersonate the phone’s owner. He disclosed the vulnerability to the GSM Association early, and on August 1 he’ll present his work at Black Hat in Las Vegas. At the root of the problem is a reliance on an older, compromised form of crypto, DES.

. September 8, 2013 at 2:38 pm

Privacy Scandal: NSA Can Spy on Smart Phone Data

SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.

. December 21, 2013 at 10:01 pm

Though rare, more toxic mobile malware can collect personal data and contact lists, monitor keystrokes, track a phone’s location or even take photographs or video of users and their surroundings. It can then transmit this booty back to servers run by organised crime for extortion, identity theft, scams or phishing trips. Even more worryingly, thanks to improvements in “near-field communication”, phones are beginning to morph into wallets—with all the necessary links to bank accounts and credit cards—so users can make incidental payments at stations, convenience stores and elsewhere merely by waving their phone near a terminal. Cybercrooks must be rubbing their hands in glee.

. August 10, 2014 at 2:32 pm

Silent Circle’s Blackphone Exploited at Def Con

Def Con shows no mercy. As gleefully reported by several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com’s linked report: “However, one of the vulnerabilities has already been patched and the other is only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities.” Case reacts via Twitter to the crowing: “Hey BlackBerry idiots, stop misquoting me on your blogs. Your phone is only ‘secure’ because it has few users and little value as a target.”

. August 16, 2014 at 10:45 am

Hackers Could Use Your Smartphone’s Gyroscope as a Microphone to Listen In

http://www.slate.com/blogs/future_tense/2014/08/15/researchers_got_smartphone_gyroscopes_to_act_as_microphones.html

. December 27, 2014 at 2:56 pm

Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel’s phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.

. September 21, 2015 at 12:39 am

Apple’s iOS App Store suffers first major cyber attack

Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.

The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

It is the first reported case of large numbers of malicious software programs making their way past Apple’s stringent app review process. Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc.

The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

. October 5, 2015 at 10:47 pm

Smurfs vs phones: GCHQ’s smartphone malware can take pics, listen in even when phone is off

“Dreamy Smurf is the power management tool which means turning your phone on and off with you knowing,” he said.

“Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.

“Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.”

Mr Snowden also referred to a tool known as Paranoid Smurf.

“It’s a self-protection tool that’s used to armour [GCHQ’s] manipulation of your phone. For example, if you wanted to take the phone in to get it serviced because you saw something strange going on or you suspected something was wrong, it makes it much more difficult for any technician to realise that anything’s gone amiss.”

. November 12, 2015 at 2:42 pm

Stingray is a device that imitates cellular communications towers in order to trick mobile devices within range to connect to it instead. The cell-site simulator is then able to intercept both text and audio communication, as well as extract internal data from connected devices and even pinpoint their precise locations.

http://globalnews.ca/news/2335206/vancouver-police-refuse-to-disclose-use-of-covert-cell-spy-tech/

. July 11, 2016 at 3:04 pm

Users eager to get their hands on the new Nintendo mobile gaming app Pokemon GO who download unofficial copies of the game are opening themselves up to hackers who are circulating malicious versions of the Android APK. A remote access tool (RAT), known as DroidJack (or SandroRAT), has been added to some APK files, allowing third parties to gain full control over the users’ mobile devices. Permissions granted to the dodgy app include: directly calling phone numbers, reading phone status and identity, editing and reading text messages, sending SMS messages, and recording audio.

https://it.slashdot.org/story/16/07/11/1757210/infected-pokemon-go-apk-carries-dangerous-android-backdoor

. July 21, 2016 at 4:02 pm

Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones

The baseband firmware in your phone is the outermost layer of software, the “bare metal” code that has to be implicitly trusted by the phone’s operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your phone that the phone itself can’t detect or defend against.

Now, a CERT advisory confirms an earlier report of a vulnerability in Qualcomm’s baseband firmware, which is very widely deployed. Any patch for this vulnerability will have to be installed on billions of end points, many of them in hard-to-reach places, which means that attackers will be well-served by any work they do to exploit this vulnerability.

. September 26, 2016 at 8:38 pm

Meeting Cellebrite – Israel’s master phone crackers

It’s an Israeli company that helps police forces gain access to data on the mobile phones of suspected criminals.

Cellebrite was in the headlines earlier this year when it was rumoured to have helped the FBI to crack an iPhone used by the San Bernardino shooter.

Now the company has told the BBC that it can get through the defences of just about any modern smartphone. But the firm refuses to say whether it supplies its technology to the police forces of repressive regimes.

Last week Cellebrite was showing off its technology to British customers. I was invited to a hotel in the Midlands, where police officers from across the UK had come to see equipment and software that first extracts data from suspects’ phones, then analyses how they interact with others.

. April 6, 2017 at 10:57 am

Poisoned wifi signals can take over all Android devices in range, no user intervention required

Vulnerabilities in the Broadcom system-on-a-chip that provides wifi for many Android devices mean that simply lighting up a malicious wifi access point can allow an attacker to compromise every vulnerable device in range, without the users having to take any action — they don’t have to try to connect to the malicious network.

iPhones are also vulnerable to the attack, but Apple issued a patch for them on Monday.

. August 18, 2017 at 12:05 pm

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens — one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 — can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a “trust boundary.”

. September 11, 2017 at 9:10 am

A Hardware Privacy Monitor for iPhones

Andrew “bunnie” Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone’s operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance.

Our introspection engine is designed with the following goals in mind:

Completely open source and user-inspectable (“You don’t have to trust us”)

Introspection operations are performed by an execution domain completely separated from the phone’s CPU (“don’t rely on those with impaired judgment to fairly judge their state”)

Proper operation of introspection system can be field-verified (guard against “evil maid” attacks and hardware failures)

Difficult to trigger a false positive (users ignore or disable security alerts when there are too many positives)

Difficult to induce a false negative, even with signed firmware updates (“don’t trust the system vendor” — state-level adversaries with full cooperation of system vendors should not be able to craft signed firmware updates that spoof or bypass the introspection engine)

As much as possible, the introspection system should be passive and difficult to detect by the phone’s operating system (prevent black-listing/targeting of users based on introspection engine signatures)

Simple, intuitive user interface requiring no specialized knowledge to interpret or operate (avoid user error leading to false negatives; “journalists shouldn’t have to be cryptographers to be safe”)

Final solution should be usable on a daily basis, with minimal impact on workflow (avoid forcing field reporters into the choice between their personal security and being an effective journalist)
