
Biz & IT

A critical iPhone and iPad bug that lurked for 8 years may be under active attack


A critical bug that has lurked in iPhones and iPads for eight years appears to be under active attack by sophisticated hackers to hack the devices of high-profile targets, a security firm reported on Wednesday.

The exploit is triggered by sending booby-trapped emails that, in some cases, require no interaction at all and, in other cases, require only that a user open the message, researchers from ZecOps said in a post. The malicious emails allow attackers to run code in the context of the default mail apps, which make it possible to read, modify, or delete messages. The researchers suspect the attackers are combining the zero-day with a separate exploit that gives full control over the device. The vulnerability dates back to iOS 6 released in 2012. Attackers have been exploiting the bug since 2018 and possibly earlier.

Enormous scope

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability, and the full scope of abuse of this vulnerability is enormous,” ZecOps researchers wrote. “We are confident that a patch must be provided for such issues with public triggers ASAP.”

Targets from the six organizations include:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • Managed security services providers in Saudi Arabia and Israel
  • A journalist in Europe
  • Suspected: An executive from a Swiss enterprise

Zero-days, or vulnerabilities that are known to attackers but not to the manufacturer or the general public, are rarely exploited in the wild against users of iPhones and iPads. Some of the only known incidents include a 2016 attack that installed spyware on the phone of a dissident in the United Arab Emirates, a WhatsApp exploit in May of last year that was transmitted with a simple phone call, and attacks that Google disclosed last August.

Apple has patched the flaw in the beta of iOS 13.4.5. At the time this post went live, no fix had yet shipped in a general release.

Malicious mails that trigger the flaw work by consuming device memory and then exploiting a heap overflow, a type of buffer overflow that abuses a flaw in how memory reserved for dynamic allocations is managed. By filling the heap with junk data, the exploit is able to inject malicious code that then gets executed. The exploit code contains strings of 4141…41, a filler pattern commonly used by exploit developers. The researchers believe the exploit then deletes the mail.

A protection known as address space layout randomization prevents attackers from knowing the memory location of this code and thus from executing it in a way that takes control of the device. As a result, the device or application merely crashes. To overcome this security measure, attackers must exploit a separate bug that reveals the hidden memory location.

Little or no sign of attack

The malicious mails need not be prohibitively large. Normal-size emails can consume enough RAM using rich text format documents, multi-part content, or other methods. Other than a temporary device slowdown, targets running iOS 13 aren’t likely to notice any signs that they’re under attack. In the event that the exploit fails on a device running iOS 12, meanwhile, the device will show a message that says “This message has no content.”

ZecOps said the attacks are narrowly targeted but provided only limited clues about the hackers carrying them out or targets who were on the receiving end.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings),” ZecOps researchers wrote. “While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

The most visible third-party organization selling advanced smartphone exploits is Israel-based NSO Group, whose iOS and Android exploits over the past year have been found being used against activists, Facebook users, and undisclosed targets. NSO Group has come under sharp criticism for selling its wares in countries with poor human-rights records. In recent months, the company has vowed to serve only organizations with better track records.

It’s generally against security community norms to disclose vulnerabilities without giving manufacturers time to release security patches. ZecOps said it released its research ahead of a general-release fix because the zero-day alone isn’t enough to infect phones, because the bugs had already been mentioned in the beta release, and because of the urgency created by the six organizations the firm believes are under active attack.

To prevent attacks until Apple releases a general-availability patch, users can either install the beta 13.4.5 or use an alternate email app such as Gmail or Outlook. Apple representatives didn’t respond to an email seeking comment for this post.


OpenAI invites everyone to test new AI-powered chatbot—with amusing results

An AI-generated image of a chatbot exploding forth from squiggly radial lines, as was foretold by the prompt.

Benj Edwards / Ars Technica

On Wednesday, OpenAI announced ChatGPT, a dialogue-based AI chat interface for its GPT-3 family of large language models. It’s currently free to use with an OpenAI account during a testing phase. Unlike the GPT-3 model found in OpenAI’s Playground and API, ChatGPT provides a user-friendly conversational interface and is designed to strongly limit potentially harmful output.

“The dialogue format makes it possible for ChatGPT to answer followup questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests,” writes OpenAI on its announcement blog page.

So far, people have been putting ChatGPT through its paces, finding a wide variety of potential uses while also exploring its vulnerabilities. It can write poetry, correct coding mistakes with detailed examples, generate AI art prompts, write brand-new code, expound on the philosophical classification of a hot dog as a sandwich, and explain the worst-case time complexity of the bubble sort algorithm… in the style of a “fast-talkin’ wise guy from a 1940s gangster movie.”

ChatGPT also refuses to answer many potentially harmful questions (related to topics such as hate speech, violent content, or how to build a bomb) on the grounds that the answers would go against its “programming and purpose.” OpenAI has achieved this through both a special prompt it prepends to all input and by use of a technique called Reinforcement Learning from Human Feedback (RLHF), which can fine-tune an AI model based on how humans rate its generated responses.

Reining in the offensive proclivities of large language models is one of the key problems that has limited their potential market usefulness, and OpenAI sees ChatGPT as a significant iterative step in the direction of providing a safe AI model for everyone.

And yet, unsurprisingly, people have already figured out how to circumvent some of ChatGPT’s built-in content filters using quasi-social engineering attacks, such as asking the AI to frame a restricted output as a pretend scenario (or even as a poem). ChatGPT also appears to be vulnerable to prompt-injection attacks, which we broke a story about in September.

Like GPT-3, its dialogue-based cousin is also very good at completely making stuff up in an authoritative-sounding way, such as a book that doesn’t exist, including details about its content. This represents another key problem with large language models as they exist today: If they can breathlessly make up convincing information whole cloth, how can you trust any of their output?

Still, as people have noticed, ChatGPT’s output quality seems to represent a notable improvement over previous GPT-3 models, including the new text-davinci-003 model we wrote about on Tuesday. OpenAI itself says that ChatGPT is part of the “GPT 3.5” series of models that was trained on “a blend of text and code from before Q4 2021.”

Meanwhile, rumors of GPT-4 continue to swirl. If today’s ChatGPT model represents the culmination of OpenAI’s GPT-3 training work in 2021, it will be interesting to see what GPT-related innovations the firm has been working on over these past 12 months.


Hive Social turns off servers after researchers warn hackers can access all data


Hive Social, a social media platform that has seen meteoric growth since Elon Musk took over Twitter, abruptly shut down its service on Wednesday after a security advisory warned the site was riddled with vulnerabilities that exposed all data stored in user accounts.

“The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages,” the advisory, published on Wednesday by Berlin-based security collective Zerforschung, claimed. “This also includes private email addresses and phone numbers entered during login.”

The post went on to say that after the researchers privately reported the vulnerabilities last Saturday, many of the flaws they reported remained unpatched. They headlined their post “Warning: do not use Hive Social.”

Hive Social responded by pulling down its entire service.

“The Hive team has become aware of security issues that affect the stability of our application and the safety of our users,” company officials wrote. “Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.”

The Zerforschung post said the vulnerabilities were so serious that they were withholding technical details to prevent the active exploitation of them by malicious hackers.

The series of events raised questions about why Hive Social waited some 72 hours to shut down its site after receiving notification that users’ most private data was free for the taking. Zerforschung said that after multiple communications, Hive Social claimed to have fixed all issues when that was clearly not the case. The social media site said it never claimed the vulnerabilities were fixed.

Hive Social’s user base reportedly doubled in the last few weeks, going from about 1 million to 2 million as of last week, according to Business Insider. Despite the massive growth, the social media site continued to be staffed by just two people, neither of whom had much of a background in security.

Representatives of both Hive Social and Zerforschung didn’t respond to questions sent by email.

While there are no reports that the vulnerabilities were actively exploited, there’s no way at the moment to rule that out. Anyone with a Hive Social account should be prepared for the possibility that the data they provided during sign up, as well as private messages, whether deleted or not, have been obtained.

The lesson from this event further supports advice Ars gave on Tuesday concerning Mastodon, another social media site that has also seen skyrocketing user numbers in the aftermath of the Twitter takeover by Musk. Put nothing on the site that you wouldn’t mind being public. Confidential information should never be put in direct messages or any other place. Here’s hoping Hive Social users already knew that.


My secret life as an 11-year-old BBS sysop

Benj Edwards’ computer running The Cave BBS in 1994.

Thirty years ago last week—on November 25, 1992—my BBS came online for the first time. I was only 11 years old, working from my dad’s Tandy 1800HD laptop and a 2400 baud modem. The Cave BBS soon grew into a bustling 24-hour system with over 1,000 users. After a seven-year pause between 1998 and 2005, I’ve been running it again ever since. Here’s the story of how it started and the challenges I faced along the way.

Enter the modem

In January 1992, my dad brought home a gateway to a parallel world: a small black plexiglass box labeled “ZOOM” that hooked to a PC’s serial port. This modem granted the power to connect to other computers and share data over the dial-up telephone network.

While commercial online services like CompuServe and Prodigy existed then, many hobbyists ran their own miniature online services called bulletin board systems, or BBSes for short. The Internet existed, but it was not yet widely known outside academic circles.

A photo of a Zoom 2400 BPS modem like I first used in 1992.

John Scagon

Whereas the Internet is a huge connected web of systems with billions of users, most BBSes were small hobbyist fiefdoms with a single phone line, and only one person could call in and use it at a time. Although BBS-to-BBS message networks were common, each system still felt like its own island culture with a tin-pot dictator (the system operator—or “sysop” for short) who lorded over anyone who visited.

Not long after my dad brought home the modem, he handed off a photocopied list that included hundreds of BBS numbers from our 919 area code in North Carolina. Back then, the phone company charged significantly for long-distance calls (which could also sneakily include parts of your area code), so we’d be sticking to BBSes in our region. This made BBSes a mostly local phenomenon around the US.

My original Raleigh-area BBS list from 1992, dated December 9, 1991.

Benj Edwards

With modem in hand, my older brother—about five years older than me—embraced calling BBSes first (we called it “BBSing”). He filled up his Procomm Plus dialing directory with local favorite BBSes such as The Octopus’s Garden, The Body Shop, and Chalkboard. Each system gained its own flavor from its sysop, who decorated it with ANSI graphics or special menus and also acted as an emcee and moderator for the board’s conversations.

I have a distinct memory of the first time I realized what a BBS was. One day while I looked over my brother’s shoulder, he showed me the file section of one of those BBSes—a list of available files that you could download to your local computer. Pages of free-to-download shareware games scrolled by. My eyes widened, and something clicked.

“You can download games for free?” I remember thinking. I noticed one file labeled “RAMPAGE.ZIP” that was one hundred kilobytes—or “100K,” as listed. Thinking of Rampage on the NES, which was one of my favorite games at the time, I asked my brother to download it. He declined because it would have taken over five minutes to transfer on our 2400 BPS modem. Any file around one megabyte would take about an hour to download.

Online time was precious back then. Since most BBSes only had one phone line, you didn’t want to hog the line for too long or the sysop might boot you. And there was extra jeopardy involved. Since we were using our regular house telephone line to connect, the odds that my mom would pick up and try to dial out—thus ruining the transfer process—remained very high. But whatever the risks, the thrill of remote projection by computer sunk into me that day and never left.
