iOS Group FaceTime Oversight Bypasses Access to Contact Information

With the release of iOS 12.1 for Apple’s mobile devices came the exciting (and much-desired) ability to have group video calls with their built in app, FaceTime. However, this new addition brought about an exploit that can allow any attacker to easily bypass a device’s lock screen password and view all the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher who is well-known for discovering a variety of bypass methods, including one that previously allowed information to be viewed through the photo sharing feature on the lock screen camera.

The exploit is fairly simple to execute once an attacker has the target device in their possession, and if it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly simple if it has Siri enabled. With a different device of their own, they just need to:

  • Call the target device.
  • Tap the FaceTime icon on the call screen to have it routed through there instead.
  • Go to add contacts once the call begins.
  • If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.

As of right now, it is not yet known if Apple is working on an update to patch the exploit, given how recent the update itself is. With how easy it is for the average person to use, it should hopefully be high on their priority list. Many users who tend to multitask more on their phones, such as those that work for large companies, will tend to have 3D touch and Siri enabled for their ease of usage, thus making them more likely to fall victim to the exploit, especially given how often they may be in public spaces and could potentially have their device stolen.

Source
Post by Allan Sun

A New Form of Cold Boot Attacks

By Robert Gray:

Security researchers at F-Secure have developed a new method to extract encryption keys or other sensitive data in memory from a laptop in sleep mode if an attacker can gain physical access to it.

A quick explanation of how this type of cold boot attack works.

A “cold reboot” occurs when a computer is improperly shut down.  When that happens, the contents of the system RAM briefly remain after power is lost and might be readable when the system boots back up.  In response to this security issue, computer manufacturers programmed the BIOS to overwrite the RAM early in the boot process.  This new issue comes in how this fix was implemented.  The BIOS stores a value in flash storage to determine whether it needs to wipe the RAM on the next boot, but that value can be set by the operating system or through hardware tweaking.  An attacker can then boot the system from a USB drive and read the contents of memory.

This attack is theoretically possible against any Windows-based computer or any Apple computer released prior to 2018 that an attacker can gain physical access to.  Microsoft’s current recommendation is for anyone using encryption to use Hibernate mode instead of Suspend mode for keeping a laptop in sleep, as Hibernate wipes any encryption keys from RAM.  A more complete fix will require hardware and BIOS changes and likely will not be available for a while.

Sources:
https://blog.f-secure.com/cold-boot-attacks/
https://arstechnica.com/gadgets/2018/09/cold-boot-attacks-given-new-life-with-firmware-attack/

Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

 
Within the last few weeks, two Zero-Day exploits were disclosed on Twitter. Typically, exploits are reported to the company with a vulnerable product, researchers wait until the company fixes the vulnerability, and after patches are released for the exploit the vulnerability is made public. Companies that run bug bounty programs often pay researchers for finding vulnerabilities, however those companies almost always pay researchers less than they could get if they sold those vulnerabilities on the black market. Some bug bounty programs can also have extremely limited scope or are reluctant to reward researchers with bounties. As a result, companies such as Zerodium have formed which operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.zerodium_prices

On September 10, Zerodium released a tweet saying that a the NoScript plugin of Tor Browser version 7.x could be trivially bypassed. The NoScript plugin is made for Firefox and bundled into Tor Browser. Its primary purpose is to prevent javascript from running in your browser. While a vulnerability that bypasses NoScript would not be enough to de-anonymize users of the Tor Browser, it could be a useful step in running javascript based exploits to do so. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability and theories range from it being a PR move to them having more severe exploits in other versions of Tor.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a Local Privilege Escalation Exploit that worked on fully updated windows machines. Both the source code and a Proof of Concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very quickly after SandboxEscaper released this exploit, malware in the wild began to use the exploit.

The most worrisome thing about these two vulnerabilities is how they were both disclosed in such irresponsible manners, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the important things that cybersecurity researchers emphasize is the process of responsible disclosure, and it’s extremely worrisome to see this completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, as well as halting call logs from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and demanded that call center staff relay this information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team attempted to troubleshoot a communications issue and in the process made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to the ransomware has been stated.

-Jordan Sullivan

Sources:

Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited on a browser plug-in called, Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort  to help those with dyslexia and other conditions.  Hackers injected a crypto-mining script on a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected.  Some of the websites included  UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and US’ federal judiciary. When someone visited a website using the plugin, the script would run and use the visitors CPU to begin mining.

Crytpo-mining is something to be wary about especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply just wanted an easy way to mine more currency for themselves whether or not it was legally. There reason for doing this comes back to the acronym ‘MEECES’ which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the website was stolen, and only were used to mine cryptocurrency.

Websites now should use more caution when implementing plugins to there website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Souces:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites