Thursday, February 28, 2013

Second iPhone passcode hack vulnerability discovered

Researchers are having a fun time with iOS 6.1 passcode locks this month, with Vulnerability Lab having discovered a second version of a vulnerability that lets a hacker slip past a lock screen to access a user's contact list, voicemails and more.

The first vulnerability, which popped up on YouTube earlier in the month, entailed this laundry list of steps, brought to us courtesy of Naked Security's Paul Ducklin:

-You need physical access to the device.
-You need manual dexterity or a fair bit of practice.
-You only get access to some of the data.
-You have to place a phony emergency call as part of the process.
-The most recent vulnerability, described in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri - founder and CEO of Vulnerability Lab - and spotted by Threatpost's Christopher Brook, adds on to the earlier exploit.

Both attacks require using the Emergency Call function in addition to the lock/sleep button and the screenshot feature.

When placing the emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.

In this second version of the exploit, a hacker can also make the iPhone screen go black, thereby allowing him or her to plug the phone into a computer via USB and grab data off the device without a PIN or passcode credentials.

Here's Mejri's description of the bug, from his Full Disclosure post:

A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone.

The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth).

The vulnerability is located in the main login module of the mobile iOS device (iphone or ipad) when processing to use the screenshot function in combination with the emegerncy call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.

The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction.

Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.

Exploiting this second bug still requires a certain degree of dexterity, if not a prehensile tail. But the bug still implies a risk to iOS 6.1 users' data and Vulnerability Lab estimates it's a high risk.

When the first vulnerability was discovered - also in iOS 6.1 - Apple told Macworld that a fix was in the works, though the spokesperson didn't say when that would come.

But as Macworld noted, this isn't the first time Apple has had to grapple with an iPhone password security flaw.

It got a fix out for a 2010 bug without a big time lag. Let's hope it promptly gets a fix out for these two new bugs, as well.

While we wait, try to refrain from searching for, and replicating, the steps to the attack.

Bear in mind that, just as Paul Ducklin pointed out with regards to this month's first iOS 6.1 bug, it's not nice - and, at least in some, if not all areas, is illegal - to place bogus emergency calls.

Wednesday, February 20, 2013

Apple, Macs hit by hackers who targeted Facebook

Apple Inc was recently attacked by hackers who infected Macintosh computers of some employees, the company said Tuesday in an unprecedented disclosure describing the widest known cyber attacks targeting Apple computers used by corporations.

Unknown hackers infected the computers of some Apple workers when they visited a website for software developers that had been infected with malicious software. The malware had been designed to attack Mac computers.

The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday.

The malware was also employed in attacks against Mac computers used by "other companies," Apple said, without elaborating on the scale of the assault.

Twitter, which disclosed that it had been breached February 1 and that hackers might gave accessed some information on about 250,000 users, was hit in the same campaign, according to a person close to the investigation.

Another person briefed on the case said that hundreds of companies, including defense contractors, had been infected with the same malicious software. Though this person said that the malware could have originated from China, there was no proof.

"This is a new campaign. It's not like the other ones you read about where everyone can tell it's China," the first person said.

Investigations into the breaches are ongoing. It was not immediately clear when the attacks had begun, the extent to which the hackers had succeeded in stealing data from targeted systems, or whether all infected machines have been identified.

The malware was distributed at least in part through a site aimed at iPhone developers, which might still be infecting visitors who haven't disabled Java in their browser, the person close to the case said. There is a version that infects computers running Microsoft Windows as well.

Security firm F-Secure wrote that the attackers might have been trying to get access to the code for apps on smartphones, seeking a way to infect millions of end-users. It urged developers to check their source code for unintended changes.

Apple disclosed the breach as tensions are heating up over U.S. allegations that the Chinese military engages in cyber espionage on U.S. companies.

U.S. cyber security firm Mandiant reported over the weekend that it has uncovered evidence that the Chinese military is behind a slew of cyber attacks on U.S. businesses. The White House said it has repeatedly raised concerns about Chinese cyber theft with Beijing.

The breaches described by Apple mark the highest-profile cyber attacks to date on businesses running Mac computers. Hackers have traditionally focused on attacking machines running the Windows operating system, though they have gradually turned their attention to Apple products over the past couple of years as the company gained market share over Microsoft Corp.

"This is the first really big attack on Macs," said the source, who declined to be identified because the person was not authorized to discuss the matter publicly. "Apple has more on its hands than the attack on itself."

Charlie Miller, a prominent expert on Apple security who is co-author of the Mac Hacker's Handbook, said the attacks show that criminal hackers are investing more time studying the Mac OS X operating system so they can attack Apple computers.

For example, he noted, hackers recently figured out a fairly sophisticated way to attack Macs by exploiting a flaw in Adobe Systems Inc's Flash software.

"The only thing that was making it safe before is that nobody bothered to attack it. That goes away if somebody bothers to attack it," Miller said.


Cyber security attacks have been on the rise. In last week's State of the Union address, U.S. President Barack Obama issued an executive order seeking better protection of the country's critical infrastructure from cyber attacks.

White House spokesman Jay Carney told reporters on Tuesday that the Obama administration has repeatedly taken up its concerns about Chinese cyber theft with Beijing, including the country's military. There was no indication as to whether the group described by Mandiant was involved in the attacks described by Apple and Facebook.

An Apple spokesman declined to specify how many companies had been breached in the campaign targeting Macs, saying he could not elaborate further on the statement it provided.

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers," the statement said.

"We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple," it continued.

The statement said Apple was working closely with law enforcement to find the culprits, but the spokesman would not elaborate. The Federal Bureau of Investigation declined to comment.

Apple said it plans to release a piece of software on Tuesday that customers can use to identify and repair Macs infected with the malware used in the attacks.

Thursday, February 14, 2013

Hacker bypasses iOS 6.1 lockscreen with a scary, simple trick

iO6 6.1 didn’t just open up the door for jailbreakers – it made life easier for iPhone thieves as well

Via a frighteningly simple trick in iOS 6.1, thieves and other wrongdoers can bypass the iPhone’s lock screen, giving them access to contacts, voicemail, and even photos. The process, which you can see in the video below, takes only a few seconds and shouldn’t be hard for anyone with two hands to pull off.
The bug is almost identical to a similar one that appeared in iOS 4.1 back in 2010. In that bug, iPhone owners were able to bypass their phones’ lockscreens by calling a random emergency number then quickly hitting the hardware lock button twice.

The iOS 6.1 bug is at least the second one in iOS that’s made news in recent days. In another glitch, problems between iOS and Microsoft Exchange Server have created big headaches for iCal users. Fortunately, Apple’s aware of that issue and says its working on the fix.

As for the latest lockscreen bug, we’ve reached out to Apple for comment and will update when the company responds.