Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security. Google Project Zero‘s elite team of bug hunters needs no introduction. The white-hat hackers have been adept at finding flaws in Android and iOS, but this impressive new disclosure from Ian Beer beats everything that came before it. Beer spent six months of his lockdown single-handedly devising a method to remotely hijack iPhones, showing that with just a Raspberry Pi, off-the-shelf Wi-Fi adaptors that cost a total of $100, and a few lines of code, it’s possible for a remote attacker to gain complete control of any iPhone in the vicinity. What’s more impressive is that it doesn’t involve chaining multiple vulnerabilities together to fully control an iPhone, Beer explained in a 30,000 word magnum opus. Rather, the exploit “uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device,” permitting a baddie to “view all the photos, read all the email, copy all the private messages, and monitor everything which happens on [the device] in real-time.” The bugs that Beer found to develop this exploit chain have all been patched before the release of iOS 13.5 earlier this year. But as Beer wrote in his post, the takeaway here should be that “one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.” Patrick Wardle, a senior security researcher at Jamf, called Beer’s lockdown project a “work of art.”
What’s trending in security?
Google Messages app for Android, Facebook patched a critical issue in its Messenger app for Android that could allow an attacker to eavesdrop on callers, and Twitter rolled out support for two-factor authentication using physical security keys.
In a huge win for privacy and security, Google said it will add end-to-end encryption to its Messages app for Android, starting with one-on-one conversations between people using the app. [Google] Swiss lawmakers raised concerns following reports that an encryption company based in the country called Omnisec was allegedly used as a Trojan horse by the US and German intelligence agencies to spy on governments worldwide. [AFP] Facebook patched a critical issue in its Messenger app for Android that could have allowed a hacker to call you and start listening before you picked up the call. It’s similar to a security flaw in FaceTime that Apple rushed to fix last year. [Google Project Zero] Researchers at the University of Leuven in Belgium found flaws in the keyless entry system of the Tesla Model X that would have allowed attackers to steal the car within just a few minutes. This is the third such attack demonstrated on Tesla’s key fob. [IMEC] Symantec researchers implicated Chinese threat actor APT10 (aka Stone Panda and Cicada) in a year-long effort to steal sensitive data from numerous Japanese companies and their subsidiaries. [Symantec] The hacking group known as APT32 or OceanLotus has unleashed a new macOS backdoor that provides the attackers with a window into the compromised machine, enabling them to snoop on and steal confidential information and sensitive business documents. [Trend Micro] Security engineer and bug hunter Ashar Javed is on a journey to find 365 security bugs in Microsoft Office 365. [Vice] North Korean hackers tried to break British drug maker AstraZeneca’s systems using LinkedIn and WhatsApp to send spoofed job offers laced with malware, as nation-state threat actors continue to target healthcare organizations working on COVID-19 vaccine research. [Reuters] Just as the privacy pitfalls associated with Covid-related apps are coming to sharp focus, Australia’s Inspector-General of Intelligence and Security (IGIS) found that the nation’s spy agencies “incidentally” collected data from the country’s COVIDSafe contact tracing app in its first six months of operation. But the data was not decrypted, accessed or used. [iTnews] Academics from Israel’s Ben-Gurion University of the Negev described a new form of “cyberbiological attack” that could allow a malicious actor to compromise a biologist’s computer to inject pathogenic sub-strings in DNA sequences and develop dangerous viruses and toxins. [ZDNet / ESET] Twitter added support for two-factor authentication using hardware security keys. [Twitter] The past fortnight in data breaches, leaks, and ransomware: Advantech, Belden, Embraer, Spotify, U.S. Fertility, and the personal data of 16 million Brazilian COVID-19 patients.
Data Point
According to cybersecurity firm Kaspersky’s IT Threat Evolution report for Q3 2020, cybercriminals are resorting to distributing malware containing the names of popular streaming platforms to trick people into downloading them. “Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means – by purchasing discounted accounts, obtaining a ‘hack’ to keep their free trial going, or attempting to access a free subscription.” Trojans accounted for 47.23% of all malicious programs disguised under the names of popular streaming platforms between January 2019 and 8 April 2020. That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)