Category: Spyware


600 million Apple devices contain secret backdoors, researcher claims

Apple-iconA security researcher considered to be among the foremost experts in his field says that more than a half-billion mobile devices running Apple’s latest iOS operating system contain secret backdoors.

Jonathan Zdziarski, also known by his online alias “NerveGas,” told the audience attending his Friday morning presentation at the Hackers on Planet Earth conference in New York City that around 600 million Apple devices, including iPhones and tablets, contain hidden features that allow data to be surreptitiously slurped from those devices.

During Zdziarski’s HOPE presentation, “Identifying Backdoors, Attack Points and Surveillance Mechanisms in iOS Devices,” the researcher revealed that several undocumented forensic services are installed on every new iPhone and iPad, making it easier that ever for a third-party to pull data from those devices in order to compromise a target and take hold of their personal information, including pictures, text messages, voice recordings and more.

Among the hidden functions running on iOS devices, Zdziarski said, are programs called “pcapd,” “file_relay” and “file_relay.” If used properly, he added, those programs can allow anyone with the right means and methodology to pull staggering amounts of data from a targeted phone, even when the rightful owner suspects the device is sufficiently locked.

Zdziarski has previously exploited older versions of the iOS operating system and authored several books on mobile security. Even after raising multiple questions with Apple, however, he said he has yet to figure out why, exactly, the tech giant ships iOS devices with programs that appear to do nothing other than leak digital data.

According to the slides Zdziarski presented during Friday’s talk, there’s little reason to believe the functions are used to run diagnostics or help developers.

Most services are not referenced by any known Apple software,” one slide says in part, and “the raw format of the data makes it impossible to put data back onto the phone, making useless for Genius Bar or carrier tech purposes.”

“The personal nature of the data makes it very unlikely as a debugging mechanism,” he added.

A man shows a photograph he took on his iPhone of an Apple store in Beijing

According to the researcher, evidence of the mysterious programs raises more questions than it does answers.

“Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?” he asked in one slide. “Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone? Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?”

“Apple really needs to step up and explain what these services are doing,” Zdziarski told Ars Technia on Monday after his HOPE presentation was hailed over the weekend by the conference’s attendees as a highlight of the three-day event. “I can’t come up with a better word than ‘backdoor’ to describe file relay, but I’m willing to listen to whatever other explanation Apple has. At the end of the day, though, there’s a lot of insecure stuff running on the phone giving up a lot of data that should never be given up. Apple really needs to fix that.”

Indeed, Apple responded on late Tuesday by saying that the tree functions in question are “diagnostic capabilities to help enterprise IT departments, developers and AppleCare troubleshoot issues.”

“Apple has, in a traditional sense, admitted to having back doors on the device specifically for their own use,” Zdziarski responded quickly on his blog. “Perhaps people misunderstand the term ‘back door’ due to the stigma Hollywood has given them, but I have never accused these ‘hidden access methods’ as being intended for anything malicious, and I’ve made repeated statements that I haven’t accused Apple of working with NSA. That doesn’t mean, however that the government can’t take advantage of back doors to access the same information. What does concern me is that Apple appears to be completely misleading about some of these (especially file relay), and not addressing the issues I raised on others.”

“I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data. They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me,” he added.

On Apple’s part, the company said they have “never worked with any government agency from any country to create a backdoor in any of our products of services.”

 

Source: RT

iPhones, iPads vulnerable to hacking: Apple

A major flaw in Apple software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said Friday.

If attackers have access to a user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook, experts said.

“It’s as bad as you could imagine, that’s all I can say,” said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited. But a statement on its support website was blunt: The software “failed to validate the authenticity of the connection.”

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.

Apple did not reply to requests for comment.

The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple’s stature and technical prowess. The company was recently stung by leaked intelligence documents claiming that authorities had 100 percent success rate in breaking into iPhones.

Friday’s announcement suggests that enterprising hackers could have had great success as well if they knew of the flaw.

Ryan:  Kinda told you Apple lovers that this gear is very insecure.. did ya listen to me?

Here Is How Hackers Can Spy On Your MacBook Camera

Just a few months ago, a story broke about how Samsung smart TVs were susceptible to remote spying by users that hack into the built-in camera. Now, new research demonstrates that MacBook webcams are just as susceptible to being hacked and spied-on as televisions.

Researchers at John Hopkins University discovered exactly how the hacking process is possible without signaling for the light adjacent to the camera to turn on, which is usually an indication that the camera is on.

The primary researcher, computer science professor Stephen Checkoway, published a paper in conjunction with graduate student Matthew Brocker entitled “iSeeYou: Disabling the MacBook Webcam Indicator LED” that contains the detailed process of remotely spying on others’ laptops. Although the researchers could only prove their methods worked with MacBooks created before 2008, they suggest that the process could be successfully repeated with newer computers.

The Washington Post recently ran an article detailing the story of Miss Teen USA Cassidy Wolf, who received nude photographs of herself via email. After an FBI investigation, the authorities discovered that Wolf’s former high school classmate Jared Abrahams had hacked into her computer, as well as the computers of several other women, and had been spying on them via their webcam.

The case of Wolf as well as the new research from John Hopkins raises several issues about privacy and security in the modern world. While Apple’s light was intended as a security feature to alert users when their camera was on, it appears that hackers have found an easily solution to disable that feature. According to The Washington Post, the FBI has been using similar hacking technology for years.

Source: PRPick.com

Russian BadNews bug found in Android app store

Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.

On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.

The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout which uncovered BadNews.

The malware targeted Android owners in Russia, Ukraine, Belarus and other countries in eastern Europe.

The exact numbers of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby trapped with BadNews were downloaded from the store.

In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware. It found the programme lurking inside recipe generators, wallpaper apps, games and pornographic programmes.

The 32 apps were available through four separate developer accounts on Play. Google has now suspended those accounts and removed all the affected apps from its online store. No official comment from Google has yet been released.

Lookout said BadNews concealed its true identity by initially acting as an “innocent, if somewhat aggressive, advertising network”. In this guise it sent users news and information about other infected apps, and prompted people to install other programmes.

BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.

This masquerade ended when apps seeded with BadNews got a prompt from one of three command and control servers, then it started pushing out and installing a more malicious programme called AlphaSMS. This steals credit by sending text messages to premium rate numbers.

Users were tricked into installing AlphaSMS as it was labelled as an essential update for either Skype or Russian social network Vkontakte.

Security firm Lookout said BadNews was included in many popular apps by innocent developers as it outwardly looked like a useful way to monetise their creations. It urged app makers to be more wary of such “third party tools” which they may include in their code.

Half of the 32 apps seeded with BadNews are Russian and the version of AlphaSMS it installed is tuned to use premium rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.

Source: BBC News

Sophisticated botnet steals more than $47M by infecting PCs and phones

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks’ use of two-factor authentication for transactions by intercepting messages sent by the bank to victims’ mobile phones.

The malware and botnet system, dubbed “Eurograbber” by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims’ bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday.

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim’s browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a “security upgrade” from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber’s attack.

With the phone number and platform information, the attacker sends a text message to the victim’s phone with a link to a site that downloads what it says is “encryption software” for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim’s balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Checkpoint and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web “driveby download” exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.

Source: Arstechnica

Google engineer finds British spyware on PCs and smartphones

Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world.

Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets.

The spying software has the capability to monitor and report back on calls and GPS positions from mobile phones, as well as recording Skype sessions on a PC, logging keystrokes, and controlling any cameras and microphones that are installed.

They report the code appears to be FinSpy, a commercial spyware sold to countries for police criminal investigations. FinSpy was developed by the German conglomerate Gamma Group and sold via the UK subsidiary Gamma International. In a statement to Bloomberg, managing director Martin Muench denied the company had any involvement.

“As you know we don’t normally discuss our clients but given this unique situation it’s only fair to say that Gamma has never sold their products to Bahrain,” he said. “It is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere.”

Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon’s EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.

Gamma and FinSpy gained notoriety last year when documents apparently from the company were found in the Egyptian security service headquarters when it was ransacked by protestors after the fall of Hosni Mubarak. These appear to be a proposal that the Egyptian government buy a five-month license for the software for €287,000. Again Gamma denied involvement.

But Marquis-Boire and Marczak told The New York Times that they appear to have found a link to Gamma in these latest code samples. The malware for Symbian phones uses a code certificate issued to Cyan Engineering, whose website is registered to one Johnny Geds.

The same name is listed as Gamma Group’s sales contact on the FinSpy proposal uncovered in the raid on Egypt’s security headquarters. Muench has confirmed they do employ someone of that name in sales but declined to comment further.

Commercial spyware is an increasingly lucrative racket, as El Reg has pointed out, and there’s growing evidence that Britain is one of the leading players in the market. Privacy International has formally warned the British government that it will be taking legal action on the issue and this latest research only adds weight to the issue.

Source: The Register