The Coming Mac Threat (Revisited)

Foreword

The following article was written and published in 2008. The first iPhones were less than six months old and Apple's OS X operating system was just seven years old. The previous year Apple launched a version of OS X that could run on Intel systems. The following year OS X could *only* run on Intel systems. This could have made life easier for attackers, as they faced a familiar underlying system.

A lot has changed since then. According to some statistics the use of OS X (now MacOS) has risen between 2009 and 2021 from below 4% to around 16%. This is clearly a significant rise, but with around 75% of computer users still staring at Windows, the value to an attacker of MacOS exploits is still relatively low.

Attackers have targets and the chances of a valuable one using a Mac is now five times as likely. We've seen news reports of exploits targeted Apple-based devices. NSO's Pegasus spyware is now widely recognised as being a threat that targeted civilians, including journalists.

12 computer security tips

The bad guys can try to break in using computers only or they can try to trick you into providing them with access. Or they can use a mixture of tactics. Let's consider two main types of attack:

* Technical – breaking in via computers only
* Human – tricking people into aiding the attack

For the technical attacks you might consider the following, in order of priority/effectiveness:

Does your smartphone belong to you?

That expensive smartphone (iPhone, Android, whatever) that you spend your life staring at - is it yours? I mean, really under your control?

Do you have complete mastery over the content that it accesses, the files it downloads and the behaviour that it tracks?

If you buy a digital book will that book always belong to you, or could it disappear one day if the publisher decides to withdraw it?

If you aren't interested in a music band will its latest album appear on your device automatically?

Who has access to information about your personal fitness, such as how long it takes you to complete a run, and how often you exercise?

Apple has, with its iPhone and, to a lesser extent, OS X-based personal computers taken away some of the control that people assume they have over their electronic devices.

Most people don't seem to care, possibly because they don't realise that their £600+ device is actually controlled by Apple rather than them. So when something happens that highlights this fact the result is shock and outrage.

This last week Apple launched a new iPhone and simultaneously made freely available rock band U2's new album Songs of Innocence to 500 million iTunes customers.

This caused many vocal users to express their enormous, four-letter-word-based displeasure via Twitter.

The problem seemed not that Apple was giving away some music but that it was appearing on people's devices without their explicit consent.

That, and the fact many people tie their identities up with music so closely that getting it 'wrong' is more than annoying - it can be insulting.

If Apple had wanted to offer a music album for free it could have sent out vouchers to iTunes users' email accounts or pushed some sort of offer through iTunes itself. Instead it rather arrogantly uploaded the music to people's devices while providing no clear way for them to remove the content.

Days later the company issued a removal tool.

Apple is not the only company to control personal electronics, though. Android devices are ultimately controlled by Google, which is why the company is able to offer remote locking and wiping services, and all your files end up in the cloud unless you are very careful.

Google hasn't (yet) pushed content in the same way as Apple, though, and just two weeks ago it made available a Shaun the Sheep cartoon for free via its Play store. I don't remember a Twitter-storm of angst when that happened, probably because no files were automatically uploaded.

Amazon's Kindle is also controlled remotely and Amazon has, in distinct contrast to Apple's latest stunt, actually removed content from users' devices in the past. In 2009 it deleted copies of 1984 and Animal Farm due to copyright issues. This was an unpopular move because, again, it highlighted the fact that these devices are a means for content consumption and are managed remotely by those who largely sell the content.

We live next to these devices 24/7 and they are so important to us that online surveys abound that ask questions like "Would you rather lose your smartphone or... get a bad haircut/go without sex/something else?" The idea that they are not really ours and under our complete control is more than uncomfortable - it's unbelievable. Which is why so many people get upset when it's pointed out to them in no uncertain terms.

Mobile phone kill switches

Microsoft and Google have just announced so-called kill switches for Windows Phone and Android devices.

Apparently this is a response to a reduction of iPhone thefts reported since Apple introduced Activation Lock into iOS 7.

Kill switches are great in principle but hard to implement properly.

Don't assume that a kill switch will 'brick' a phone.

A kill switch is a way to render a lost or stolen phone useless, but currently they don't really do that. Or not fully, at least.

Users can lock or wipe Android devices remotely using third-party apps and, more recently, the Android Device Manager. Windows Phone users will soon see similar abilities included in the Find My Phone feature.

Wiping resets the device and that effectively means the thief (or whoever finds it) gets to keep a fresh and functional gadget. A locked smartphone can be reset too. The data may be wiped but someone else gets the benefit of your expensive hardware.

It's been possible to lock and wipe mobile devices from the major vendors for a while now. The real news is that these security features will soon be enabled by default.

The official statement from Attorney General Schneiderman includes, right at the end, the following:

"Because kill switches are only available on an opt-in basis, not enough consumers are signing-up. This underscores the urgency... to make kill switches a standard opt-out function on all phones."

So we've had kill switches for a while and now they will be opt-out. So far so good.

The kill switches used or planned by Apple, Google and Microsoft are based on software. As we know, there are ways to resurrect a phone locked down by software.

A more effective option would be to build new phones with hardware kill switches. Imagine a fuse that can be blown remotely. The device would then be properly 'killed' and would require expensive repairs to restore the device.

Hardware kill switches bring their own problems.

1. How do you test that they work without destroying your new phone?
2. If you can't test the kill switch, how confident are you that it will work when you need it?
3. You might 'brick' your lost phone and then find it down the back of the sofa.

If introducing software security features reduces thefts of expensive devices then it's worth doing, but users should be aware of the limitations inherent in this approach.

One final thought: if an unauthorised individual or organisation was to gain access to your account they would be able to kill your phone, tablet or other mobile device. If the kill switch was a software version then you'd experience significant inconvenience. If it was of a hardware type you'd face additional cost.

USB condom pumped up in press

Some IT news websites have posted excited articles about a new 'USB condom' that protects devices from hostile charging stations.

Unless I'm missing something, I think this excitement is a little unwarranted.

The threat

You plug your phone into an untrusted USB charger. This is secretly connected to a computer that mounts the phone's storage and accesses its data. This is known as 'juice-jacking'.

The solution

If you must charge your devices using an untrusted charging station you may improve your security by turning them off completely. You should receive a faster charge that way, too.

Alternatively use a USB charging cable, which is like a regular cable but the data pins are not connected. You can make one of these yourself very cheaply. It's not hard but, if you don't want to DIY, ready-made options are inexpensive - frequently less than £5.

The USB condom

The USB condom works by "cutting off the data pins in the USB cable and allowing only the power pins to connect through." So, very much the same as a USB charging cable then.

Pricing for this connector is not yet available* but, if it is very much lower than £5, it'll be a worthy addition to any security-conscious traveller's cable bag.

* UPDATE (18/09/2013): Pricing for these devices is now available. The USB Micro-B and USB Type A models are $9.99 each. In my opinion that is poor value for money.

Smartphone security

In 1999 a PC this powerful
would cost twice as much and
be 100 times bigger

At the moment we are, in terms of mobile malware development, in 1998.

Remember when we all used Windows 95 and connected with modems? The threats of the day were Trojans that would dial premium numbers to generate/steal money from victims.

As far as I can tell, that’s where we are today with smartphones.

Modern, powerful mobile handsets are essentially PCs with a modem, run by users who access banks and other financially-connected sites. I've yet to see any evidence of iOS or Android-compatible drive-by attacks so right now social engineering seems to be the most significant threat.

As such, a slight variation on the advice we used to give in the late 1990s is probably suitable:

1. Keep your phone’s firmware up to date (updates from vendor, via Android Settings).
2. Keep your software up to date (via Google Play updates). These updates can be set to run automatically.
3. Only install from official stores such as Google Play. Don’t side-load (i.e. install from removable media).
4. Ensure the software comes from the original developer. Google Play lists the developer and highlights very popular ones with the ‘Top Developer’ label.
5. Check the reviews of each application you want.
6. Check the permissions that each application requires and reject it if it wants too much (in your opinion).
7. When updating manually, review any new permissions the updated application requires.
8. Avoid pirated/cracked software, whatever the source.
9. Install an anti-malware product. After all, even the official stores have been found to host malicious files.

While all this will help, I doubt that normal people will neither bother nor be able to fully understand or remember the details. That's not their fault, though. It's the fault of the mobile industry. It should be easier to be more secure.

This article updates last year's notes on Android security tips.

How the police crack smart phones

It is easy for law enforcement and security services to pull data from a PC, unless the owner has taken some fairly advanced privacy measures. The same is not the case for smart phones.

Smart phones, such as Android handsets and Apple's iPhone, run operating systems that work in a fairly secure way. The user is unable to gain low-level access to the system, which also makes it hard for hackers and malware to gain a foothold.

This in-built security poses a significant challenge to the police, who have legitimate reasons for cracking open phones belonging to criminals. So how do the instruments of law gain access to phones? By hacking them, of course.

Hacking a phone, by which I mean using one or more tools to exploit a security hole (vulnerability) in the operating system or other low-level software, can be tricky. To make life easier some businesses have made automatic tools available.

Both Micro Systemation and Elcomsoft offer tools to law enforcement that achieve the same goal. They work in essentially the same way, which is to exploit a security hole in order to gain full access to the system. They then dump information down to a computer for analysis.

Micro Systemation published a very clear video that demonstrated its slick system but today (29/03/2012) the video was no longer available. You could try the original link to see if it has been put up again.

Elcomsoft has published a video demonstration that shows its system to be more command-line based. This video is also available below.

[This week there were reports in the mainstream media that new rules proposed by the EU would outlaw hacking tools. Cue security experts complaining that this will prevent legitimate security work.

This argument emerges every time the law changes to catch up with modern crime and terror techniques. I remember unsuccessful predictions being made in 2006 when the Computer Misuse Act was revamped.

My prediction is that penetration testing will not be outlawed, security research will continue unabated and companies like Micro Systemation and Elcomsoft will continue to sell their services to the police.

And the criminals will also continue with their activities too.]

Android "most attacked" mobile operating system

Tom's Guide reports that the Android operating system is now under heavy attack in comparison to other mobile platforms.

When the article mentions 'threats' it means individual Trojans in almost all cases. Viruses and worms don't really feature at all in recent years.

"The number of threats directed at Android in 2011 was a sharp increase from only 9 threats in 2010 -- only trumped by the number of threats for Symbian in 2006 (188) and 2005 (125). Since 2004, F-Secure listed a total of 710 security threats for mobile device. 525 of those affect Symbian, 125 Android, 40 PocketPC, 18 J2ME and 2 iOS. The vast majority of all mobile threats were trojans (519 overall, 136 in 2011). Viruses (56 total) have not been seen since 2007 and worms (38 total) appear to have been abandoned as well."

It will be interesting to see if/when the latest Windows mobile operating system appears on the chart.

Apple unable to vet all apps

Charlie Miller sends a remote
command to vibrate his iPhone

A researcher has found a security hole that could allow unauthorised access to Apple iPhones.

The embarrassing part of this news, for Apple, is that someone was able to sneak a potentially malicious application through its code auditing process.

iPhone users rely on Apple to check through all third-party programs for security issues. Once Apple has verified that an app is malware-free, and only then, it is allowed into the iPhone Apps Store.

Charlie Miller, a well-known security researcher, wrote a stock ticker app that contained a nasty surprise. Once installed it was able to download further code. This was software that Apple had not had a chance to check.

In a video demonstration, Miller shows how the Trojan would allow an attacker remote access to an iPhone. He downloads the address book and issues a command to make the unit vibrate from a reverse shell.

Reports suggest that Apple has retaliated by banning Miller from its iOS development program. Apparently he planned to present his findings, including a live exploitation of a phone, at the SysCan conference in Taiwan.

UPDATE (08/11/2011): SecurityWeek reports that the vulnerability is due to iOS not enforcing code signing for the Nitro JIT compiler.