Welcome to the last #MobSec5 issue of 2017 — #MobSec5 will go on holiday hiatus for the next two weeks. Enjoy your holidays, and we’ll see you again on Friday, January 5, 2018.
This week’s digest of the mobile security news that matters includes:
- Exploit published this week MAY provide stepping stone for iOS 11.1.2 jailbreak
- Fake $4.99 Ethereum wallet app masquerading as MyEtherWallet ranks #3 in the Apple® App Store®
- ROBOT attack on RSA encryption can also affect mobile apps
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Google Releases Tool To Help iPhone Hackers
“Google’s elite team of hackers released a much-anticipated tool to help security researchers hack and jailbreak the iPhone.”
Last week we told you that Google Project Zero member Ian Beer advised security researchers to reserve a “research-only” device on iOS 11.1.2 if they had interest in doing iOS 11 kernel research. On Monday, Beer published an exploit that uses two vulnerabilities, CVE-2017-13861 and CVE-2017-13865 (both patched in iOS 11.2) and allows “unfettered access to kernel memory.” The exploit itself is not a jailbreak, but many speculate that it will lead to one for iOS 11.1.2. If you are a NowSecure Workstation customer, DO NOT upgrade any iOS devices you currently use with your NowSecure Workstation. However, if you have spare devices on reserve, consider upgrading those spare devices only to iOS 11.1.2 — and do so soon while Apple is still signing that version. For instructions or more information, please contact the NowSecure Support team.
About the security content of iOS 11.2.1
“This document describes the security content of iOS 11.2.1.”
The iOS 11.2.1 update this week includes a single security patch for a vulnerability in HomeKit — Apple’s home automation platform. 9to5Mac wrote last week that “The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers.” Apple reportedly made a server-side fix last week to address the flaw.
“Facebook has paid out a bounty to thank some benevolent hackers who made subtle alterations to a 19-year-old attack to potentially steal user accounts.”
The researchers focused on popular websites, but mobile apps that use web services that support RSA key exchanges can also be affected. Fortunately, iOS apps that implement App Transport Security (ATS) are not vulnerable to the attack because ATS doesn’t allow RSA encryption. Read more in our security analyst’s guide to ATS on the NowSecure blog.
“Apple allowed a fake cryptocurrency app to become #3 in the App Store”
Apple has since removed the app from the store.
Tracking People Without GPS
(Schneier on Security)
“This is a good example of how powerful synthesizing information from disparate data sources can be.”
“A Top Google Play App was found to be leaking sensitive data and to contain several OWASP flaws making the app vulnerable to data leakage, denial of service and data corruption.”
Chinese woman offered refund after facial recognition allows colleague to unlock iPhone X
(South China Morning Post)
“A woman in the eastern Chinese city of Nanjing has been offered a second refund after faulty facial recognition software on two iPhone X handsets allowed her colleague to unlock them.”
Hunting for iOS Kernel Symbols
(Craig Ingram via Medium)
“Mr. Beer’s vulnerability announcement and PoC code was released yesterday, and it was beautiful…Luckily as part of that well documented code, he included detailed hints for how to find the symbols, so I was ready for the challenge. The rest of this post walks through my process for finding the symbols, in the hope that it may also be useful for you to add support for your device.”
“According to Leagoo, the S9 will cost just a fraction of the iPhone X’s $999 price range, with the copycat set to run for ‘under $300.’ That price isn’t getting you the greatest device, though.”
Mirai IoT Botnet Co-Authors Plead Guilty
(Krebs on Security)
“Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.”
Most Android-Based TV Set-Top Boxes Run Old and Insecure OS Versions
“Android-based TV set-top boxes sold online are most likely running outdated operating systems that have not received security updates for at least a year.”