With the release of iOS 12.1 for Apple’s mobile devices came the exciting (and much-desired) ability to have group video calls with their built in app, FaceTime. However, this new addition brought about an exploit that can allow any attacker to easily bypass a device’s lock screen password and view all the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher who is well-known for discovering a variety of bypass methods, including one that previously allowed information to be viewed through the photo sharing feature on the lock screen camera.
The exploit is fairly simple to execute once an attacker has the target device in their possession, and if it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly simple if it has Siri enabled. With a different device of their own, they just need to:
Call the target device.
Tap the FaceTime icon on the call screen to have it routed through there instead.
Go to add contacts once the call begins.
If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.
As of right now, it is not yet known if Apple is working on an update to patch the exploit, given how recent the update itself is. With how easy it is for the average person to use, it should hopefully be high on their priority list. Many users who tend to multitask more on their phones, such as those that work for large companies, will tend to have 3D touch and Siri enabled for their ease of usage, thus making them more likely to fall victim to the exploit, especially given how often they may be in public spaces and could potentially have their device stolen.
Apple has recently released the initial version of a new website that will allow their users to check what personal information has been collected by Apple. This comes after an interview with Tim Cook in March where he said: “We’ve never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist”. This website would add an unprecedented level of transparency for a company of this size. Despite this transparency and their apparent aversion to not making their customers products Apple still collects a wide variety of user information ranging from calendars and contacts to entire documents and photos. The website has already been tested in the EU to make sure it passed all of the privacy regulations that are present there. Their intentions do seem pure at least for right now. As part of the recently released iOS 12, Apple added features which help block targeted ads based on shopping or search history. Apple has continued to be very active in trying to push regulations regarding privacy across the globe. Even though they are making it harder for other companies to get personal information and allowing you to see your own they are continuing to collect and store that same information.
A researcher has found large flaws in the leading Real-Time Operating System, FreeRTOS. This leaves a large number of Internet of Things devices vulnerable to attack. This affects devices from refrigerators to pacemakers. Last year, Amazon took over project management and upgraded the OS for their own Amazon FreeRTOS IoT operating system. They enhanced the OS for use with their own products in the future.
There are a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack, which affect the Amazon FreeRTOS as well. These issues let hackers do just about anything they want to the target device, from executing their own code to leaking memory information. The technical details of the flaws have not been revealed to the public in order to protect the development of a fix.
RIT is rolling out Multi Factor Authentication very soon. Multi Factor Authentication is adding an extra factor to validate your credentials. For example, when you log into RIT services you are prompted your username and password; with the new multi factor authentication, you will need to provide an extra form of authentication. These methods include: Using the DUO mobile app, text, phone call, office phone call, and email. RIT has been experiencing more attacks than ever before, and this is their attempt at mitigating the risk of attacks. Last year MFA was put into effect for faculty, staff, and student employees. This was because many Ebiz accounts became compromised. The attackers then changed direct deposit numbers to be routed somewhere else. Luckily no one lost money because controllers saw the change in numbers and knew what was happening because another university was attacked in the same manner.
Why does this matter to us?
If we do not enroll in MFA by the 24th of October, there will be a hold on your account and you will not be able to enroll for classes next semester.
With MFA comes the use of another device to authenticate yourself on RIT services. For example, if you signed up and planned on using the DUO app, DO NOT forget your phone. ITS will have to give you a Bypass until you can get access to your phone, which would be unfortunate if you need to log onto something ASAP. I personally don’t see why the students need MFA, but I have no choice but to enroll into it.
California Governor Jerry Brown is the first governor to sign a bill to protect against the very prevalent cyber attacks on Internet of Things (IoT) devices. CNET tells:
The law mandates that any maker of an Internet-connected, or “smart,” device ensure the gadget has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
Since this bill is the first of its kind, it is expected that many other states will begin to follow California’s example and implement some sort of protection against IoT attacks. Although the bill requires manufacturers to assign a password to each device, many of the stipulations are non-specific, like many cyber laws. It is hard to be specific in a case like this, as attacks could easily find a loophole not covered within the bill. With a vague bill, it in a way could deter an attacker who knows the law could be translated in a number of ways to point to what he or she might have been doing as illegal.
This need of security was demonstrated most by the WannaCry ransomware attacks that hit hospitals across the nation. Hospitals have been increasingly using devices connected to their networks to aid in caring for patients. The attacks locked up devices that were in use, potentially threatening the lives of patients. An attack like this is more alarming than many ransomware attacks, as it takes the attacker’s morals (or in this case, lack of morals) into account more than other attacks.
The lack of security on IoT devices has desperately needed to be addressed, as over 8.4 billion IoT devices are out in the world on networks with little to no security. The law goes into effect at the beginning of 2020. California’s status as the most populated state in the U.S. is part of the reason the bill was signed into effect and is also the hope for cyber security experts to be influential in persuading others to join in the fight against attacks.