Biz & IT

Three iOS 0-days revealed by researcher frustrated with Apple’s bug bounty

Pseudonymous researcher illusionofchaos joins a growing legion of security researchers frustrated with Apple’s slow response and inconsistent policy adherence when it comes to security flaws. (Image: Aurich Lawson | Getty Images)

Yesterday, a security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple’s iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher’s frustration with Apple’s Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.

This researcher is by no means the first to publicly express their frustration with Apple over its security bounty program.

Nice bug—now shhh

illusionofchaos says that they’ve reported four iOS security vulnerabilities this year—the three zero-days they publicly disclosed yesterday plus an earlier bug that they say Apple fixed in iOS 14.7. It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.

This now-fixed vulnerability allowed arbitrary user-installed apps to access iOS’s analytics data—the stuff that can be found in Settings --> Privacy --> Analytics & Improvements --> Analytics Data—without any permissions granted by the user. illusionofchaos found this particularly disturbing, because this data includes medical data harvested by Apple Watch, such as heart rate, irregular heart rhythm, atrial fibrillation detection, and so forth.

Analytics data was available to any application, even if the user disabled the iOS Share Analytics setting.

According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability.

Apple told illusionofchaos that its failure to disclose the vulnerability and credit them was just a “processing issue” and that proper notice would be given in “an upcoming update.” The vulnerability and its resolution still were not acknowledged as of iOS 14.8 on September 13 or iOS 15.0 on September 20.

Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week’s three zero-days. In illusionofchaos’ own words: “Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would.”

We do not have concrete timelines for illusionofchaos’ disclosure of the three zero-days, or of Apple’s response to them—but illusionofchaos says the new disclosures still adhere to responsible guidelines: “Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI – in 120. I have waited much longer, up to half a year in one case.”

New vulnerabilities: Gamed, nehelper enumerate, nehelper Wi-Fi

The zero-days illusionofchaos dropped yesterday can be used by user-installed apps to access data that those apps should not have or have not been granted access to. We’ve listed them below—along with links to illusionofchaos’ GitHub repos with proof of concept code—in order of (our opinion of) their severity:

  • Gamed zero-day exposes Apple ID email and full name, exploitable Apple ID authentication tokens, and read access to Core Duet and Speed Dial databases
  • Nehelper Wi-Fi zero-day exposes Wi-Fi information to apps that have not been granted that access
  • Nehelper Enumerate zero-day exposes information about what apps are installed on the iOS device

The Gamed 0-day is obviously the most severe, since it both exposes Personally Identifiable Information (PII) and may in some cases be used to perform actions at *.apple.com that would normally need to be instigated either by the iOS operating system itself or by direct user interaction.

The Gamed zero-day’s read access to Core Duet and Speed Dial databases is also particularly troubling, since that access can be used to gain a pretty complete picture of the user’s entire set of interactions with others on the iOS device—who is in their contact list, who they’ve contacted (using both Apple and third-party applications) and when, and in some cases even file attachments to individual messages.

The Wi-Fi zero-day is next on the list, since unauthorized access to the iOS device’s Wi-Fi info might be used to track the user—or, possibly, learn the credentials necessary to access the user’s Wi-Fi network. The tracking is typically a more serious concern, since physical proximity is generally required to make Wi-Fi credentials themselves useful.

One interesting thing about the Wi-Fi zero-day is the simplicity of both the flaw and the method by which it can be exploited: “XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, com.apple.developer.networking.wifi-info entitlement check is skipped.” In other words, all you need to do is claim to be using an older software development kit—and if so, your app gets to ignore the check that should disclose whether the user consented to access.
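The following model, added here and not Apple’s nehelper code, shows the decision pattern the quoted sentence describes (a compatibility branch keyed on a client-supplied field skipping the authorization check) next to the hardened form, plus a small audit helper. The request fields, function names and audit helper are assumptions; only the 524288 threshold, the service name and the entitlement name come from the disclosure.

```python
"""Model of the sdk-version entitlement bypass quoted above.

Added illustration, not Apple's code. XPCRequest, the handler names and
audit_bypasses are assumptions that mirror the page's description; only
the 524288 threshold, com.apple.nehelper and the entitlement name come
from the disclosure.
"""
from dataclasses import dataclass

LEGACY_SDK_THRESHOLD = 524288  # value quoted in the disclosure
WIFI_INFO_ENTITLEMENT = "com.apple.developer.networking.wifi-info"


@dataclass(frozen=True)
class XPCRequest:
    """Simplified stand-in for a message reaching com.apple.nehelper."""
    sdk_version: int         # supplied by the client, so attacker-controlled
    entitlements: frozenset  # taken from the caller's code signature (trusted)


def grants_wifi_info_vulnerable(req: XPCRequest) -> bool:
    """The pattern the disclosure describes: a legacy branch keyed on a
    client-supplied field short-circuits the authorization check.
    Returns True when Wi-Fi information would be handed to the caller."""
    if req.sdk_version <= LEGACY_SDK_THRESHOLD:
        return True  # legacy path: the entitlement is never consulted
    return WIFI_INFO_ENTITLEMENT in req.entitlements


def grants_wifi_info_fixed(req: XPCRequest) -> bool:
    """Hardened form: the access decision depends only on the code-signing
    entitlement. sdk_version may still select a response format, but it is
    never an input to authorization."""
    return WIFI_INFO_ENTITLEMENT in req.entitlements


def audit_bypasses(requests) -> list:
    """Indices of requests the vulnerable handler would have served even
    though the caller lacked the entitlement: a review oracle for comparing
    the two decision functions over recorded traffic."""
    return [
        i for i, req in enumerate(requests)
        if grants_wifi_info_vulnerable(req) and not grants_wifi_info_fixed(req)
    ]
```

The general lesson is the one the disclosure makes concrete: any field the client controls (a version number, a feature flag, a format selector) must never be an input to an authorization decision.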

The Nehelper Enumerate zero-day appears to be the least damaging of the three. It simply allows an app to check whether another app is installed on the device by querying for the other app’s bundleID. We haven’t come up with a particularly scary use of this bug on its own, but a hypothetical malware app might leverage such a bug to determine whether a security or antivirus app is installed and then use that information to dynamically adapt its own behavior to better avoid detection.

Conclusions

Assuming illusionofchaos’ description of their disclosure timeline is correct—that they’ve waited for longer than 30 days, and in one case 180 days, to publicly disclose these vulnerabilities—it’s hard to fault them for the drop. We do wish they had included full timelines for their interaction with Apple on all four vulnerabilities, rather than only the already-fixed one.

We can confirm that this frustration of researchers with Apple’s security bounty policies is by no means limited to this one pseudonymous researcher. Since Ars published a piece earlier this month about Apple’s slow and inconsistent response to security bounties, several researchers have contacted us privately to express their own frustration. In some cases, researchers included video clips demonstrating exploits of still-unfixed bugs.

We have reached out to Apple for comment, but we have yet to receive any response as of press time. We will update this story with any response from Apple as it arrives.


Verizon’s Visible Wireless investigating hacked customer accounts

Numerous Visible Wireless subscribers are reporting their accounts have been “hacked” this week. Visible runs on Verizon’s 5G and 4G LTE networks. Rather than being a Mobile Virtual Network Operator (MVNO), Visible is actually owned by Verizon.

Suspicions of a data breach at Visible started Monday when some customers saw random unauthorized purchases on their Visible accounts.

On the Visible subreddit, users have reported seeing unauthorized orders placed from their accounts, with a shipping address different from theirs:

Visible customer: “Got hacked yesterday, order still shipped!!!”

Social media was flooded with similar reports of customers not receiving a response from Visible for days.

Credential stuffing likely the cause of hacked accounts

In an email sent out to customers and a public announcement posted yesterday, Visible shared what could be the cause of these hacks:

“We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access,” said Visible in an announcement. “Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”

Rather than a data breach at Visible itself, the company’s wording makes it sound like customer credentials were obtained from a third-party leak or breached database and then used to access customer accounts—a practice known as credential stuffing. The company advises customers to reset passwords and security information and will prompt users to re-validate payment information before further purchases can be made.
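A defender looking for the pattern Visible describes (leaked credentials replayed against many accounts, then account details changed and orders placed) can spot it in authentication and account-activity logs. The detector below is an added example, not Visible’s or Verizon’s code; the event format, the action names, the thresholds and the sample events are all constructed assumptions.

```python
"""Heuristic credential-stuffing detector for the incident pattern above.

Added example, not Visible's or Verizon's code. The event format, action
names and thresholds are assumptions, and SAMPLE_EVENTS is constructed
data. It flags (1) sources that try many distinct accounts with mostly
failures, (2) accounts that logged in successfully from such a source, and
(3) sensitive changes those accounts made afterwards, i.e. the sequence
(login, changed details, unauthorized order) customers reported.
"""
from collections import defaultdict

# Constructed sample events: (timestamp, source_ip, username, action, outcome)
SAMPLE_EVENTS = [
    ("2021-10-11T09:00:01Z", "203.0.113.7", "alice", "login", "fail"),
    ("2021-10-11T09:00:02Z", "203.0.113.7", "bob", "login", "fail"),
    ("2021-10-11T09:00:03Z", "203.0.113.7", "carol", "login", "success"),
    ("2021-10-11T09:00:04Z", "203.0.113.7", "dave", "login", "fail"),
    ("2021-10-11T09:00:05Z", "203.0.113.7", "erin", "login", "fail"),
    ("2021-10-11T09:00:06Z", "203.0.113.7", "frank", "login", "success"),
    ("2021-10-11T09:00:40Z", "203.0.113.7", "carol", "change_shipping_address", "success"),
    ("2021-10-11T09:01:10Z", "203.0.113.7", "carol", "place_order", "success"),
    ("2021-10-11T09:05:00Z", "198.51.100.9", "grace", "login", "fail"),   # ordinary typo
    ("2021-10-11T09:05:30Z", "198.51.100.9", "grace", "login", "success"),
    ("2021-10-11T09:30:00Z", "198.51.100.9", "grace", "place_order", "success"),
]

MIN_DISTINCT_USERS = 5  # one source attempting many different accounts
MIN_FAIL_RATIO = 0.5    # most replayed credentials no longer work
SENSITIVE_ACTIONS = {"change_shipping_address", "change_password", "place_order"}


def stuffing_sources(events) -> set:
    """Source IPs whose login behaviour looks like credential replay:
    many distinct usernames and a high failure ratio."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, ip, user, action, outcome in events:
        if action != "login":
            continue
        users[ip].add(user)
        attempts[ip] += 1
        if outcome == "fail":
            fails[ip] += 1
    return {
        ip for ip in attempts
        if len(users[ip]) >= MIN_DISTINCT_USERS
        and fails[ip] / attempts[ip] >= MIN_FAIL_RATIO
    }


def analyze(events) -> dict:
    """Chain the three signals: flagged sources -> accounts that logged in
    from them -> sensitive actions those accounts then performed."""
    ordered = sorted(events)  # ISO-8601 timestamps sort chronologically
    sources = stuffing_sources(ordered)
    taken_over, suspicious = set(), []
    for _ts, ip, user, action, outcome in ordered:
        if outcome != "success":
            continue
        if action == "login" and ip in sources:
            taken_over.add(user)
        elif action in SENSITIVE_ACTIONS and user in taken_over:
            suspicious.append((user, action))
    return {"stuffing_sources": sources,
            "takeover_candidates": taken_over,
            "suspicious_actions": suspicious}
```

On the constructed data the single failed-then-successful login by grace is left alone, while the source that cycled through six accounts is flagged and carol’s subsequent address change and order surface as the actions to review and reverse.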

But experts have cast doubt on the theory that this incident stemmed from credential stuffing, considering Visible also admitted to “technical issues” on its chat platform, with the company briefly unable to make any changes to customer accounts just this week. Visible’s tweet mentioning this information was deleted by the company.

Did Visible know about the incident since last week?

Although a public statement from Visible arrived yesterday, the company had first acknowledged the issue on Twitter on October 8, if not earlier. Interestingly, a vague reason was provided at the time—order confirmation emails having been erroneously sent out by Visible. “We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it.”

Visible had initially responded vaguely to concerns on Oct 8.

One Visible customer reacted angrily to the delay: “This response is completely irresponsible, given the fact that you are currently under attack and are aware of MANY users that have had their accounts compromised.”

Despite the panic among hacked customers, there is at least some relief in the fact that customers won’t be held liable for any unauthorized charges. “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed,” states the company as the investigation continues.

In addition to monitoring for suspicious transactions, Visible customers impacted by the incident should change their credentials, both on Visible websites and any other websites where they have used the same credentials.


US gov’t will slap contractors with civil lawsuits for hiding breaches

In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyberattack or data breach. The newly introduced “Civil Cyber-Fraud Initiative” will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DoJ calls “cybersecurity fraud.” Usually, the False Claims Act is used by the government to pursue civil lawsuits over false claims made in relation to federal funds and property connected with government programs.

Cyber contractors chose silence “for too long”

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” states Deputy Attorney General Lisa O. Monaco, who is pioneering the initiative. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The introduction of the Civil Cyber-Fraud Initiative is the “direct result” of the department’s ongoing thorough review of the cybersecurity landscape ordered by the deputy attorney general in May. The goal behind these review activities is to develop actionable recommendations that enhance and expand the DoJ’s efforts for combating cyber threats.

The launch of the Initiative aims to curb new and emerging cybersecurity threats to sensitive and critical systems by bringing together subject-matter experts from civil fraud, government procurement, and cybersecurity agencies.

The development comes at a time when cyberattacks are rampant, and advanced ransomware gangs repeatedly target critical infrastructure, such as the Colonial Pipeline and health care facilities.

Provisions of the act would protect whistleblowers

The Civil Cyber-Fraud Initiative will utilize the False Claims Act, aka the “Lincoln Law,” which serves as a litigation tool for the government when placing liability on those who defraud government programs.

“The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation,” explains the DoJ in a press release.

The initiative will hold entities, such as federal contractors or individuals, accountable when they put US cyber infrastructure at risk by knowingly “providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

In summary, the Initiative is designed with the following objectives in mind:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users, and the American public.

The timing of this announcement also coincides with the deputy attorney general’s creation of a “National Cryptocurrency Enforcement Team” designed to tackle complex investigations and criminal cases of cryptocurrency misuse. In particular, the team’s activities will focus on offenses committed by cryptocurrency exchanges and money-laundering operations.

What stands out, though, is that the Civil Cyber-Fraud Initiative would pursue those who were knowingly negligent in the implementation of a robust cybersecurity posture or knowingly misrepresented their cybersecurity practices—leaving room for plausible deniability.

Equally interesting is the fact that just two days ago, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bill dubbed the “Ransom Disclosure Act.” The act would require ransomware victims to disclose details of any ransom amount paid within 48 hours of payment and to divulge “any known information about the entity demanding the ransom.”


Company that routes SMS for all major US carriers was hacked for five years

Getty Images | d3sign

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.

A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.

Syniverse routes messages for 300 operators

Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.

We asked AT&T, Verizon, and T-Mobile today whether the hacker had access to people’s text messages, and we will update this article if we get any new information.

Syniverse’s importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be delivered nearly nine months late. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was reactivated.

Syniverse says it fixed vulnerabilities

Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, “even if their credentials were not impacted by the incident.”

“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident, but did not say what those measures are.

Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity… While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.

Syniverse’s SEC filing was submitted on September 27 and discussed yesterday in an article in Vice’s Motherboard section. According to Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.

Vice wrote:

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”
