As you saddle up to the bar at your favorite saloon sipping suds in celebration of this National Beer Day, may we suggest pairing that cold one with this plate of hand-selected mobile security news?
This week’s edition of #MobSec5 includes:
- Owning iOS and Android devices over Wi-Fi
- A security bulletin two-fer: Android and iOS updates released this week
- Mobile privacy preservation in light of FCC privacy rules repeal
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
(Google Project Zero)
“In this two-part blog series, we’ll explore the exposed attack surface introduced by Broadcom’s Wi-Fi SoC on mobile devices.”
Citing the security community’s success in helping secure mobile devices’ application processors, Gal Beniamini of Google Project Zero recently decided to shift focus to the Wi-Fi chip used by a number of Android and iOS devices. This week he published details of his research identifying remote code execution vulnerabilities in the Broadcom Wi-Fi chip. Part two of the blog series will detail the next step in the attack chain – elevating privileges from the Wi-Fi chip to the Android kernel. A combination of these methods allows an attacker within Wi-Fi range to completely hijack a mobile device over Wi-Fi without any user interaction. The Android and iOS security updates released this week, both listed below, include patches for vulnerabilities brought to light by Beniamini’s research.
Android Security Bulletin—April 2017
(Android Open Source Project)
“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
About the security content of iOS 10.3.1
“This document describes the security content of iOS 10.3.1.”
This security update comes just a week after the release of iOS 10.3. The update patches a stack buffer overflow vulnerability that allowed execution of arbitrary code on the Wi-Fi chip.
Trump has signed repeal of the FCC privacy rules. Here’s what happens next.
(The Washington Post)
“President Trump signed congressional legislation Monday night that repeals the Federal Communications Commission’s privacy protections for Internet users.”
The FCC privacy rules, which hadn’t yet taken effect, would have required that internet service providers (ISPs) obtain users’ consent before selling certain types of data about them. This week on the blog we explained how the repeal of the FCC privacy rules affects mobile data, devices, and apps and what steps users can take to preserve some of their privacy through their wireless carriers’ privacy options.
Pegasus For Android Spyware Just As Lethal As iOS Version
“As with the iOS version, Pegasus for Android packs a boatload of nasty capabilities – including the ability to log keystrokes, capture screenshots and live audio, and read messages sent via apps like WhatsApp, Skype, and Facebook. It can also steal email from Android’s native email client and pilfer browser histories, text messages and contact details from infected devices.”
“Data collected from technology research firm Creative Strategies reported that 40 percent of U.S. consumers have raised concerns about security risks of adding a credit or debit card onto their iPhone.”
The Federal Reserve Board has surveyed consumers annually since 2011 about their use of mobile financial services. Twenty-two percent of respondents used mobile banking in 2011, compared to 43 percent in 2015, and 12 percent used mobile payments in 2011, compared to 24 percent in 2015. Long story short, people are increasingly adopting mobile financial services. But consumers’ perception of the security of those services will play into their choices. Join NowSecure for a webinar on the topic of delivering secure mobile financial services (MFS) on May 2.
Google Online Security Blog: An Investigation of Chrysaor Malware on Android
(Google Security Blog)
“In this blog post, we describe Chrysaor, a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices, and how investigations like this help Google protect Android users from a variety of threats.”
“I believe this vulnerability is introduced in iOS 10, so iOS 9/OSX 10.11 users are not affected (how many ppls are still using iOS9? Raise your hands). For iOS 10/macOS 10.12 users, please upgrade to 10.3/10.12.4 for the official fix.”
“If you’re a hacker looking to grab attention by attacking a news outlet, what do you do? Deface their website? Take control of their social media accounts? Those are old hat.”
Samsung’s Android Replacement Is a Hacker’s Dream
“A security researcher has found 40 unknown zero-day vulnerabilities in Tizen, the operating system that runs on millions of Samsung products.”
“Google is launching a new certification program for mobile site developers today. The exam covers everything from the basics of why mobile sites matter to how to improve mobile site speed, effective mobile UX design and more advanced topics like progressive web apps.”
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.