According to a recent report, modified AirTags can be found online from which the built-in speakers have been removed, which would allow unsuspecting users to be spied on without even being able to identify signs of harmful activities. This “silent AirTags” is available for less than $80 USD.

While the seller of these devices, active on the e-commerce website Etsy, ensures that this modification is intended to help users find the devices without attracting the attention of potential thieves, this has undoubtedly been a cause for concern for cybersecurity experts, including director of cybersecurity at the Electronic Frontier Foundation Eva Galperin.

The specialist is concerned that these modified AirTags can be easily abused for other nefarious fines, leaving a potential victim exposed to tracking their location: “Any similar item could also be used to harass people,” Galperin says.

This is not a new practice, as you can even find online tutorials in text and video on how to disable the speakers on an AirTag simply by performing a small drill under the battery of the device, although this requires some skill and experience.

The concerns are legitimate, although Apple had already taken some action on the matter before; iPhone users can receive a notification in case they find a modified AirTag, plus Apple also developed an Android app with which users of any non-iOS device can scan around them for a hidden AirTag.

At the time of writing, this item had already been removed from Etsy website.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Silent AirTags with no speakers are being used for stalking appeared first on Information Security Newspaper | Hacking News.

The update (iOS 15.2.1) is now available for all supported iPhone and iPad devices. In its report, Apple only describes these flaws as a “resource depletion bug” that causes the device to crash when processing specially crafted HomeKit accessory names.

The sudden appearance of this update a couple of weeks after Trevor Spiniolas publicly disclosed the flaw in HomeKit confused the users, as the expert warned that the bug could be exploited to launch ransomware-like attacks on the affected iPhone/iPad.

The expert found that when the name of an Apple HomeKit device is changed to too large a string of characters, any iOS device that loads the string will face an interrupt condition. To make matters worse, resetting the affected device and logging back into the iCloud account linked to the HomeKit device will re-enable the error.

Spinolas suggested that this bug could trigger a campaign of extortion attacks against iOS device users: “Apps with access to homekit device owners’ startup data can lock them out of their local copies and prevent them from logging back into their iCloud on iOS,” the researcher states.

The expert also believes that malicious hackers could use email addresses intentionally similar to those used by Apple services to trick users into handing over sensitive information. Finally, Spinolas says it first reported this security issue to Apple in early August last year, and had since pressured the company to issue an update.

Users of iOS devices are advised to install the latest version available as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Vulnerability in Apple devices that made them unusable finally fixed. Update immediately iOS appeared first on Information Security Newspaper | Hacking News.

A recent report by security firm Citizen Lab points to the discovery of a new zero-day attack on Apple iMessage exploited to infect affected devices with the dangerous Pegasus spyware, developed by NSO Group. This wave of attacks was detected in Bahrain and at least 9 targets have already been spotted, all identified as activists and users of iPhone devices.

The spy tool was installed on these devices after successfully exploiting two zero-click failures in iMessage; the term “zero click” means that exploiting the vulnerabilities requires no interaction from the target user. The exploits employed in this campaign have been identified as FORCEDENTRY and 2020 KIMSET.

The researchers tested a Pegasus infection using an iPhone Pro Max with iOS 14.6, the latest version of the iOS system, finding that these zero-click attacks are fully functional even on the latest Apple devices.

As you may recall, NSO Group sells Pegasus spyware primarily to state actors, regardless of whether they are governments characterized by their constant violations of the human rights of political opponents, activists and journalists.

Anyone would think that the risk of infection can be mitigated by simply disabling iMessage and Facetime, however, it is important to remember that NSO Group can compromise many other functions or applications on the infected device, including the popular messaging app WhatsApp.

Considering the lines above, the only method that could eliminate this risk definitively is for Apple to address the flaws exploited by FORCEDENTRY and 2020 KIMSET. In the meantime, NSO Group could continue to rack up successful attacks.

This is just one more report in the long list of scandals involving NSO Group. A couple of years ago, Facebook sued the Israel-based company over the sale of a zero-day exploit to compromise smartphones via WhatsApp; this attack would have involved people of interest such as diplomats, journalists and activists.

Although Pegasus’ existence and purposes have been known for years, this spyware was again in the news due to a report published by the non-governmental organization (NGO) Amnesty International, which revealed details such as NSO Group’s government clients and possible targets of the infection.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post This is how you can infect with Pegasus spyware an iPhone or iPad without even touching it. Published evidence appeared first on Information Security Newspaper | Hacking News.

IT security services specialists reported the finding of a new flaw based on the use of special characters affecting Apple devices. The report, published on the MacRumors platform, mentions that there is a new flaw related to the characters linked to the Italian flag emoji in the company’s operating systems that could lead to the collapse of the target device after receiving a text message.  

Experts fear that this error will be found on all devices developed by Apple, including iPhone. MacBook, Apple Watch, Apple TV and so on, although so far the error has only been detected on iOS devices.

A Reddit post mentions that the flaw initially appeared in a text message sent through the Telegram app, although it was later distributed via Twitter, WhatsApp and Apple’s iMessage app, mentioned by experts in IT security services.

In addition, the EverythingApplePro platform, for enthusiasts of these devices, posted a video on Twitter in which you can see how the error works, proving that it is even possible to execute this flaw without using the emoji of the flag of Italy; this attack variant produces the same result: the sudden failure of the affected device.    

If you receive a notification that includes special characters, it is recommended that you ignore it; otherwise your devices might be exposed to this failure, generating multiple failures and even a forced restart, as mentioned by IT security services experts.

This is not the first similar error detected affecting Apple users. According to the International Institute of Cyber Security (IICS), a few months ago it was reported on “Telugu”, a similarly caused fault. One of the main drawbacks related to this type of character-based errors is that there is no way to prevent the system from avoiding this condition, so we only have to wait until companies release security updates.

Apple is expected to release a software update with a solution to this failure. Until then, Apple device users are advised to refrain from opening any notification that includes emojis or special characters.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.

The post How to crash any iPhone, iPad o Apple Watch with a simple character appeared first on Information Security Newspaper | Hacking News.

When a user copies any information, it is stored on Apple‘s general pasteboard (usually known as a clipboard). According to the report, any application can access this information temporarily stored on the clipboard, so users are exposed to the leaking of sensitive data such as location, online profile access passwords, and banking details.

Apparently, all iOS apps have unlimited access to the general clipboard. A user could unintentionally expose their sensitive information (such as location data) to other apps by simply copying/pasting a photo taken with the device’s camera, thanks to the image metadata, mentioned by data protection specialists.

To prove their finding, the researchers developed a proof-of-concept app called KlipboardSpy and an iOS widget called KlipSpyWidget. This test app does not have access to the target device’s location data; however, the specialists were able to extract this information using the method described above.

Specialists say the report was sent to Apple from last January. However, the company’s data protection team responded that this error could not be considered a serious vulnerability, as its operating systems are designed to allow any application to access the clipboard only when apps are working in the foreground.  

In this regard, the International Institute of Cyber Security (IICS) believes that Apple should not allow apps to access the clipboard without restriction, such as the express consent of the user. The operating system should only expose the contents of the clipboard to an application by prior confirmation, as sometimes users are not aware of the contents of this tool.

The post Are you an iPhone user? Don’t copy-paste your card number or passwords. Other apps can steal your data from the clipboard appeared first on Information Security Newspaper | Hacking News.

The developers mention that iOS devices do not have support for hardware virtualization; however, with this app (called UTM) they will be able to connect to the SPICE server in QEMU, allowing the “para-virtualization”. Thanks to this, an iPhone or iPad will be able to run Windows 10, or even Linux, at an acceptable speed to work with.

Its creators claim that UTM will be available for download very soon, plus users will not require a device with jailbreak to run it. However, it is important to mention that compatibility may be removed in the future with a possible Apple update; in this case, the device must have jailbreak, ethical hacking experts mention.

Although the project is in the early stage, developers have already shown that running the desktop version of Windows 10 on an iPhone is completely possible, although the speed of installation and execution remain the main Inconvenience. The TCG accelerator, used to run the operating system in the app, can only run at 70% speed, although performance increases by reducing the quality of the graphics, ethical hacking specialists say.

For the bad fortune of enthusiasts, it is virtually impossible to run Windows 10 natively on Apple products: “Unfortunately this is just OS emulation, we probably won’t find a way to run Windows on ARM natively in an A9 processor,” added one of the developers of this app.   Those interested in the project can download the app, in addition to the ISO images of the Windows 10 operating system on the official website on GitHub of the UTM developers.  

According to the International Institute of Cyber Security (IICS), recently another team of researchers managed to install and run Windows 10X on an Apple MacBook, employing an emulator released by Microsoft, achieving an acceptable level of execution, so it may be a matter of time before you find the optimal method to run Microsoft’s operating system in Apple developments.

The post This app lets you run Windows 10 on any iPhone alongside with iOS appeared first on Information Security Newspaper | Hacking News.

With the release of the iOS8 operating system, Apple began implementing encryption on all of its products to protect users, as they were too exposed to malicious hacking activity. An identical measure was implemented by Google soon after. Since then it began somewhat a race between US government agents trying to obtain information from these devices and the developer companies, which were increasingly implementing stringent security measures.

The dispute between the US government and these companies is far from be over; meanwhile, law enforcement agencies have found a third way to bypass encryption on these devices without violating data protection legislation. Cyrus Vance Jr., Manhattan district attorney, and the city’s Cybercrime Unit, created a kind of prison for a specific purpose: extracting information stored on some smart devices using brute force tactics before their owners delete this data, which could be useful in criminal investigations.

The entrance to this “prison” resembles that of a bunker. This installation consists of a radio frequency isolation chamber protected behind two hermetically sealed steel doors. On the walls of this camera are connected dozens of Apple devices (iPad/iPhone), which were confiscated during the commission of currently investigated crimes.

All devices found in these facilities are connected to a set of massive processing power computers, dedicated to generate random number sequences to try to decrypt the access codes to these confiscated devices. Researchers working here can even take advantage of other systems that aren’t used at night to create a local supercomputer network, mentions a review of the business magazine Fast Company.

During the interview, Steve Moran, director of the High Technology Analysis Unit, shows as an example of the work done in this lab an iPhone in which more than 10k possible combinations have been tested: “This would have been enough to decrypt a four-digit password. However, Apple has been using six-digit access codes for the last five years, which requires a million possible combinations to be tested,” he said.

In addition, data protection specialists point out that Apple restricts the number of times per minute an access code can be entered; this is where investigators of these possible crimes come in. “It is required to think about possible combinations. We need to know some facts: date of birth, wedding anniversary, birthday of wives or children, even the number of favorite baseball player can be helpful in reducing the number of attempts needed to unlock the devices of the suspects” , adds Moran.

This is not the only variable that affects the operations of this lab, because in addition to the huge number of combinations to test, researchers should also prioritize some specific devices. To this, Moran designed a workflow that evaluates the most urgent cases; there are currently more than 3,000 low-priority devices sheltered in these facilities.

As already mentioned, Apple and Google’s main argument for encryption is data protection, a position entirely justified considering that these companies cover almost 99% of the global smartphone market.

While companies claim that no one, not even their internal staff, can access a device with encryption, prosecutor Vance believes it highly likely that Apple will have some kind of secret backdoor. “Apple accesses our devices all the time: OS updates, SMS messages, external links, it’s all part of that invasive practice.” Despite these claims, shared by a considerable number of experts on the subject, the user privacy speech has prevailed over the demand for access to these files.

On the other hand, Vance considers that the request to remove encryption is not exaggerated or unfounded, as there are cases where information stored on smart devices recovered at crime scenes or raids has been instrumental to solve complex cases. An example is the arrest and conviction of Lamar Davenport for the murder of E’Dena Hines, granddaughter of actor Morgan Freeman. The prosecutor in charge of the case presented as evidence a video found on the defendant’s iPhone after months of investigation to access to the device. “Not only that; thanks to the activity of this laboratory we have found useful information to prove the innocence of at least 16 suspects in various crimes,” he adds.

Vance’s anti-encryption campaign has not been limited to his local environment. The prosecutor has met on several occasions with members of Europol, Interpol, besides publishing articles in all kinds of magazines, in addition to trying to establish contact with the representatives of the technology companies.

The International Institute of Cyber Security (IICS) points out that, before 2014, technology companies seemed to have no problem cooperating with law enforcement agencies, even noting that Apple’s collaboration was considered outstanding and effective. However, this cooperative work came to a breaking point after Edward Snowden’s revelations about the US National Security Agency’s espionage activity. While all of the tech companies mentioned by Snowden denied collaborating with the US government, Apple opted for a more vigorous demonstration of privacy engagement, launching the iOS 8 system, which included full encryption for the first time.

This laboratory is one of the main tools for the investigation of criminal cases in the city, as it has the most complex hardware resources available, in addition to specially developed software to apply brute force to these devices. However, with the emergence of new versions of mobile operating systems, the work of these researchers becomes increasingly complex. “At the beginning of this project, only 52% of the smartphones analyzed were locked, while the number of locked devices is currently 82%,” Moran says, so government agencies also bet on legislation on encryption on mobile devices streamlines this work. 

The post New York has an electronic prison for hacking iPhones appeared first on Information Security Newspaper | Hacking News.

Just a few hours ago Apple released a couple of updates for their software, correcting bugs and repairing security holes in MacOS, watchOS, TvOS, Safari, itunes for Windows, iCloud for Windows and IOS for IPhone and IPad.

The software patch for iOS, which updates to the 11.4.1 version, is particularly interesting as it includes a new feature, the Restricted USB Mode.

According to secure data destruction specialists, this functionality is designed to disable the Lightning port of an iPhone or iPad, preventing it from transfer data an hour after the device was locked for the last time. You can still charge your device after your Lightning port has been disabled, but you must enter your password if you want to use the port to transfer data.

In more details, the company reported that “with the iOS 11.4.1, if you use USB accessories with your iOS device, or if you connect it to a PC, you must unlock your device to be recognized. Your accessory will remain connected even if your device is subsequently locked. If you don’t unlock your iOS device, or have not unlocked it and connected to a USB accessory in the last hour, your device will not communicate with the accessory or computer, and in some cases, it may not charge. You may also see an alert asking you to unlock your device to use accessories. ”

These seem to be bad news for intelligence agencies that would like to enter a locked iPhone using GrayKey or similar tools, which use the Lightning port to help anyone with physical access to the device to enter its system without decipher the password.

For Apple and its customer’s misfortune, who like to believe that their phone is private, a solution was discovered so anybody could prevent an iPhone or iPad from getting into the Restricted USB Mode if it is applied quickly.

Secure data destruction researchers discovered that the one-hour timer can be restarted simply by connecting the iPhone to a USB accessory with no security features.

In simple words, when someone gets an iPhone, he/she must immediately connect it to a USB accessory to prevent the Restricted USB Mode from blocking the device after one hour, which only works if the Restricted Mode has not yet been activated.

According secure data destruction specialists from the International Institute of Cyber Security you don’t need to look too much, as the company itself will be delighted to sell you a Lightning to USB camera adapter for only $39. There must be even cheaper accessories that work just as well.

Apple has successfully reduced any person’s window of opportunity (whether it is a member of law enforcement or not) to enter an iPhone, but this doesn’t means that they have completely eliminated any option.

Apple will have to strength the security and privacy of their mobile devices if they want to keep their advantage over many other Android smartphones. Upgrading to the 11.4.1 version is a good start, but it still is not enough.

The post New Apple security feature bypassed with an adapter that the brand itself sells appeared first on Information Security Newspaper | Hacking News.

A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software’s security mechanisms.

Since iOS 8 rolled out in 2014, all iPhones and iPads have come with device encryption. Often protected by a four- or six-digit passcode, a hardware and software combination has made it nearly impossible to break into an iPhone or iPad without cooperation from the device owner.

And if the wrong passcode is entered too many times, the device gets wiped.

But Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, found a way to bypass the 10-time limit and enter as many codes as he wants — even on iOS 11.3.

“An attacker just needs a turned on, locked phone and a Lightning cable,” Hickey told ZDNet.

Normally, iPhones and iPads are limited in how many times a passcode can be entered each minute. Newer Apple devices contain a “secure enclave,” a part of the hardware that can’t be modified, which protects the device from brute-force attacks, like entering as many passcodes as possible. The secure enclave keeps count of how many incorrect passcode attempts have been entered and gets slower at responding with each failed attempt.

Hickey found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.

“Instead of sending passcodes one at a time and waiting, send them all in one go,” he said.

“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.

Hickey posted a demonstration video of his attack online.

An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces. Because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature, he explained. That means the attack works only after the device is booted up, said Hickey, because there are more routines running.

Hickey’s exploit would be another black eye for the iPhone and iPad maker, which has been in a cat and mouse chase with the makers of one recently revealed phone unlocking tool.

Little is publicly known about the company or its flagship product, but the $15,000 boxallows law enforcement to break any iOS device’s passcode, giving police full access to a device’s file system — messages, photos, call logs, browsing history, keychain, and user passwords, and more.

That’s thought to have been one of the reasons why Apple is rolling out a new feature called USB Restricted Mode in its upcoming iOS 12 update, which is said to make it far more difficult for police or hackers to get access to a person’s device — and their data.

The new feature will effectively prevent anyone from using the USB cable for anything other than charging the device if someone hasn’t unlocked the device with a passcode within the last hour.

Hickey’s attack is slow — running about one passcode between three and five seconds each or over a hundred four-digit codes in an hour — and may not stand up against Apple’s incoming feature.

His attack can work against six-digit passcodes — iOS 11’s default passcode length — but would take weeks to complete.

https://vimeo.com/276506763

Source:https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

The post A hacker figured out how to brute force iPhone passcodes appeared first on Information Security Newspaper | Hacking News.

Miscreants who exploit these flaws can take over the vulnerable device – all a victim has to do is open a JPEG or PDF file booby-trapped with malicious code, so get patching before you’re caught out. Check for software

The fixes come just days before the Cupertino developer of TextEdit is set to hold a special event to introduce a (presumed) refresh of its Mac product line and potentially new iPad tablets.

For those running iOS, the 10.1 release includes updates to address 12 CVE-listed security vulnerabilities in the firmware for the iPhone, iPad and iPod Touch.

Those flaws include a remote code execution flaw in the handling of JPEG images (CVE-2016-4673), a remote code execution bug in WebKit (CVE-2016-4677), local code execution flaws, and a vulnerability in contacts (CVE-2016-4686) that would let an application pull Address Book details even when access has been revoked.

For macOS Sierra (10.12.1), the update brings fixes for 16 CVE-listed vulnerabilities. Those include the CVE-2016-4673 image-handling bug as well as remote code execution flaws that could be triggered by font files (CVE-2016-4667) and PDF files (CVE-2016-4671). Also released was a fix for a denial of service error in Nvidia graphics card drivers (CVE-2016-4663) and a bug that exposed the length of user passwords (CVE-2016-4670).

Included among the latest fixes for iOS and macOS was CVE-2016-4635, a remote audio eavesdropping vulnerability for FaceTime that Apple had previously attempted to remedy in older versions of iOS and OS X.

Apple did not say whether the flaw was exposed in iOS 10.1 and macOS Sierra, or if the fix was an update to an already-installed security measure.

For those running the Safari browser on Sierra and older versions of OS X, Apple has produced patches to address a trio of WebKit flaws that can allow web pages or applications to achieve remote code execution (CVE-2016-4666, CVE-2016-4677) and pull location information (CVE-2016-4676).

Meanwhile, Apple Watch users are advised to update their arm candy to watchOS 3.1 to get fixes for eight CVE-listed flaws, including two flaws in sandbox profiles (CVE-2016-4664, CVE-2016-4665) that allow third-party applications to view image libraries and sound files without permission.

The AppleTV will also get an update for 10 flaws, including the sandbox profiles flaws (CVE-2016-4664, CVE-2016-4665), the WebKit remote code execution bug (CVE-2016-4677), and the CoreGraphics JPEG bug (CVE-2016-4673) patched in other Apple products.

Source:https://www.theregister.co.uk/

The post It’s nearly 2017 and JPEGs, PDFs, font files can hijack your Apple Mac, iPhone, iPad appeared first on Information Security Newspaper | Hacking News.