Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous varied players and are closely tied to how mobile phones roam among cell providers for travel. These vulnerabilities are usually related to signalling signals carried across telecommunications networks, which expose phones to possible location disclosure.
Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.
Most illegal network-based location disclosure is achievable because mobile telecommunications networks interact. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as âsurveillance actorsâ throughout this paper since they are interested in mobile geolocation surveillance.
Despite worldwide 4G network adoption and fast developing 5G network footprint, many mobile devices and their owners use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.
The research done by Citizen labs focuses on geolocation risks from mobile signalling network attacks. Active or passive surveillance may reveal a userâs position using mobile signalling networks. They may use numerous strategies to do this.
The two methods differ significantly. Active surveillance employs software to trigger a mobile network response with the target phone position, whereas passive surveillance uses a collecting device to retrieve phone locations directly from the network. An adversarial network employs software to send forged signalling messages to susceptible target mobile networks to query and retrieve the target phoneâs geolocation during active assaults. Such attacks are conceivable on networks without properly implemented or configured security safeguards. Unless they can install or access passive collecting devices in global networks, an actor leasing a network can only utilise active surveillance tactics.
However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.
The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a userâs location.
Active Surveillance:
In active surveillance, actors use software to interact with mobile networks and get a response with the target phoneâs location.
Vulnerable networks without proper security controls are susceptible to active attacks.
Actors can access networks through lease arrangements to carry out active surveillance.
Passive Surveillance:
In passive surveillance, a collection device is used to obtain phone locations directly from the network.
Surveillance actors might combine active and passive methods to access location information.
Active Attacks:
Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.
Vulnerabilities in Home Location Register (HLR) Lookup:
Commercial HLR lookup services can be used to check the status of mobile phone numbers.
Surveillance actors can pay for these services to gather information about the target phoneâs location, country, and network.
Actors with access to the SS7 network can perform HLR lookups without intermediary services.
Domestic Threats:
Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.
Passive Attacks:
Passive location attacks involve collecting usage or location data using network-installed devices.
Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.
Packet Capture Examples of Location Monitoring:
Packet captures show examples of signaling messages used for location tracking.
Location information, such as GPS coordinates and cell information, can be exposed through these messages.
User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.
The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally.Based on history, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practises and accountability mechanisms that require operators to fix them. All three network types provide surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.
It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.
Mobile Verification Toolkit key features
MVTâs capabilities are continuously evolving, but some of its key features include:
Decrypt encrypted iOS backups.
Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
Extract installed applications from Android devices.
Extract diagnostic information from Android devices through the adb protocol.
Compare extracted records to a provided list of malicious indicators in STIX2 format.
Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.
Although iSpoof advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, and even though using its services might technically have been legal in your country (if youâre a lawyer, weâd love to hear your opinion on that issue once youâve seen the historical website screenshots below)âŠ
âŠa UK court had no doubt that the iSpoof system was implemented with life-ruining, money-draining malfeasance in mind.
The siteâs kingpin, Tejay Fletcher, 35, of London, was given a prison sentence of well over a decade to reflect that fact.
Show any number you like
Until November 2022, when the domain was taken down after a seizure warrant was issued to US law enforcement, the siteâs main page looked something like this:
You can show any number you wish on call display, essentially faking your caller ID.
And an explanatory section further down the page made it pretty clear that the service wasnât merely there to enhance your own privacy, but to help you mislead the people you were calling:
Get the ability to change what someone sees on their caller ID display when they receive a phone call from you. Theyâll never know it was you! You can pick any number you want before you call. Your opposite will be thinking youâre someone else. Itâs easy and works on every phone worldwide!
In case you were still in any doubt about how you could use iSpoof to help you rip off unsuspecting victims, hereâs the siteâs own marketing video, provided courtesy of the Metropolitan Police (better known as âthe Metâ) in London, UK:
As you will see below, and in our previous coverage of this story, iSpoof users werenât actually anonymous at all.
More than 50,000 users of the service have been identified already, with close to 200 people already arrested and under investigation in the UK alone.
The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running on the following versions of the Android operating system. The vulnerability results from the accidental inclusion of sensitive data in log files.
Android 11, Android 12, Android 13
CISA has just recently issued a warning on a security hole that affects Samsung devices and makes it possible for attackers to avoid Androidâs address space layout randomization (ASLR) protection while carrying out targeted attacks.
Randomization of the memory locations at which important app and operating system components are loaded into the deviceâs memory is made possible thanks to Androidâs Address Space Layout Randomization (ASLR), which is a fundamental component of Androidâs security architecture. The information that has been revealed may be used by local attackers who have elevated rights to perform an ASLR bypass, which would therefore make it easier to exploit weaknesses in memory management. Samsung has essentially remedied this issue as a part of the most recent security upgrades by adopting safeguards that prevent kernel references from being recorded in future instances. This was done as part of a larger effort to introduce new security measures.
According to the advice that was included in the May 2023 Security Maintenance Release (SMR), Samsung has admitted that it was notified of an attack that targets this specific flaw that is now active in the wild.
Despite the fact that Samsung did not provide any particular information on the exploit of CVE-2023-21492, it is essential to keep in mind that during highly focused cyberattacks, security vulnerabilities are regularly exploited as part of a sophisticated chain of exploits.
These attacks used chains of exploits that targeted the vulnerabilities to spread spyware that was driven by commercial interests. While this is going on, security researchers working for Googleâs Threat Analysis Group (TAG) and Amnesty International discovered and reported on two different attack operations in the month of March. Following the recent addition of the CVE-2023-21492 vulnerability to CISAâs list of Known Exploited Vulnerabilities, the United States Federal Civilian Executive Branch Agencies (FCEB) have been given a three-week window of time until June 9 to patch their Samsung Android devices in order to protect themselves from potential attacks that exploit this security flaw.
In accordance with BOD 22-01, government agencies have until the deadline of June 9, 2023 to fix any vulnerabilities that have been added to the CISAâs KEV list.
Researchers have identified a new sort of attack that they have given the name âGhost Touch.â This new form of attack may access the screen of your mobile device without even requiring you to touch it.
It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, frauds, and the use of malware to infect devices. However, researchers from the Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals may use to get their hands on your smartphone.
These are known as Ghost Touch, and they may be used to unlock a mobile device, allowing the user to get access to sensitive information like passwords or banking apps, and even install malware. According to their explanation, the attack makes advantage of âelectromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it.â
Make note of the fact that this latest attack is aimed. To put it another way, in order to adjust the gadget, it is essential to have knowledge on the make and model of the cell phone belonging to the victim. The attacker may additionally need extra knowledge about it, such as the access code, which has to be obtained via social engineering. This might be a need for the attack. The attack is effective from a distance of up to 40 mm and makes use of the sensitivity of the touch screen to electromagnetic interference (EMI). Attackers have the ability to inject electromagnetic impulses into the implanted electrodes of the screen, which will cause the screen to record these signals as touch events (a touch, exchange, press, or hold).
On a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2, its efficacy has been shown. If a userâs screen has been hacked, it will begin operating on its own without the userâs intervention. For instance, it will begin answering calls on the userâs behalf or it will become unblocked.
When a mobile device begins visiting arbitrary web sites, entering into the userâs bank account, opening files, playing a movie, or typing on Google without the userâs interaction, this is another clear indication that the device has been compromised.
âYou can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places,â the article states. They recommend that you keep your phone in your possession at all times, since this will significantly lower the likelihood that it will be hacked.
BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.
The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.
âWhat is the easiest way to infect millions of devices?â posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.
He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.
The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.
âBut of course thereâs no free stuff,â said Yarochkin, who explained that the firmware started to come with an undesirable feature â silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.
The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.
The objective of the malware is to steal info or make money from information collected or delivered.
The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.
One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.
âThe user of the proxy will be able to use someone elseâs phone for a period of 1200 seconds as an exit node,â said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.
As for where the threats are coming from, the duo wouldnât say specifically, although the word âChinaâ showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.
âEven though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we donât know for sure at what moment it got into the supply chain,â said Yarochkin.
The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.
âBig brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,â said Yarochkin. Âź
The Exynos Modems manufactured by Samsung Semiconductor were found to have eighteen 0-day vulnerabilities, as revealed by Project Zero. Internet-to-baseband remote code execution was possible due to the four vulnerabilities that were deemed to be the most serious among these eighteen flaws (CVE-2023-24033 and three further vulnerabilities that have not yet been allocated CVE-IDs). Tests that were carried out by Project Zero have shown that the aforementioned four vulnerabilities make it possible for an attacker to remotely compromise a phone at the baseband level without any interaction from the user; all that is required is for the attacker to know the phone number of the victim. We anticipate that highly competent adversaries would be able to swiftly design an operational exploit to compromise impacted devices in a stealthy and remote manner if they were just given access to modest extra research and development resources.
The fourteen other similar vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine additional vulnerabilities that have yet to be granted CVE-IDs) were not as serious since they need either a hostile mobile network operator or an attacker with local access to the device.
The list of Exynos chipsets that are susceptible to these vulnerabilities may be found in the advisory published by Samsung Semiconductor. On the basis of information obtained from public sources that provide a mapping of chipsets to devices, the following devices are likely to be affected:
Devices from Samsungâs S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series;
Devices from Vivoâs S16, S15, S6, X70, X60, and X30 series
Devices from Googleâs Pixel 6 and Pixel 7 series
Any wearables that use the Exynos W920 chipset and vehicles that use the Exynos Auto T5123 chipset.
Timelines for patches to address these vulnerabilities will differ depending on the manufacturer. Those who have devices that are vulnerable may protect themselves from baseband remote code execution vulnerabilities in the meanwhile by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in the settings of their devices.
Due to the unusual combination of the level of access that these vulnerabilities provide and the speed at which they believe a reliable operational exploit could be crafted, the Google Security Team has decided to make an exception to their standard disclosure policy and delay the disclosure of the four most severe vulnerabilities. This decision was made because the Google Security Team believes that a reliable operational exploit could be crafted relatively quickly.
But, they will maintain their tradition of openness by publicly publishing disclosure policy exclusions, and after all of the concerns have been identified, they will add these problems to the list. Five of the remaining fourteen vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, and CVE-2023-24076) have surpassed Project Zeroâs regular 90-day limit and have been publicly revealed in their issue tracker. The other nine vulnerabilities will be publicly disclosed at that time if they are still unfixed.
End users are strongly urged by the Google Security Team to upgrade their devices as soon as is practically practicable in order to guarantee that they are using the most recent releases, which patch security flaws that have been made public as well as those that have not been made public. It is very vital to maintain vigilance and adopt the appropriate safety measures in order to safeguard oneâs personal information and electrical devices from possible security risks.
The majority of major automobile manufacturers have addressed vulnerability issues that would have given hackers access to their vehicles to perform the following activities remotely:-
Lock the car
Unlock the car
Start the engine
Press the horn
Flas the headlights
Open the trunk of certain cars made after 2012
Locate the car
Flaw in SiriusXM
SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.
There is a particular interest among security researchers in the area of connected cars, like Yuga Labsâ Sam Curry. In fact, heâs the one who was responsible for discovering a security hole in the connected cars of major car manufacturers during his routine research.
More car hacking!
Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.
Affected Car Brands
Here below we have mentioned the brandsâ names that are affected due to this critical bug in SiriusXM:-
Acura
BMW
Honda
Hyundai
Infiniti
Jaguar
Land Rover
Lexus
Nissan
Subaru
Toyota
Vulnerability Analysis
During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.
The flaw is associated with the enrollment process for SiriusXMâs remote management functionality which results in the vehicle being tampered with.
There is not yet any technical information available about the findings of the researchers at the present time, since they havenât shared anything in detail.
Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most plentiful and frequently referenced apps in this domain.
In order for the data exchanged through the telematics platform to be authorized, the vehicle identification number (VIN) only needs to be used. The VIN of the vehicle can therefore be used to carry out a variety of commands by anyone who knows the number.
The next step would be to log in to the application later on, and then the experts examined the HTTPS traffic that came from a Nissan car owner.
Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a python script which only needed the victim's email address. After inputting this, you could then execute all commands on the vehicle and takeover the actual account. pic.twitter.com/Bz5G5ZvHro
Researchers discovered one HTTP request during the scan in which they conducted a deep analysis.
It is possible to obtain a bearer token return and a â200 OKâ response by passing a VPN prefixed ID through as a customerID in the following way:-
Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-
Name
Phone number
Address
Car details
In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.
As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.
Recommendations
Here below we have mentioned the recommendations made by the security analysts:-
Ensure that you do not share the VIN number of your car with unreliable third parties.
In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
Keep your passwords up-to-date by changing them on a regular basis.
Keeping your system up-to-date should be a priority for users.
A bug bounty hunter called David SchĂŒtz has just published a detailed report describing how he crossed swords with Google for several months over what he considered a dangerous Android security hole.
According to SchĂŒtz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life conditions that could easily have happened to anyone.
In other words, it was reasonable to assume that other people might find out about the flaw without deliberately setting out to look for bugs, making its discovery and public disclosure (or private abuse) as a zero-day hole much more likely than usual.
Unfortunately, it didnât get patched until November 2022, which is why heâs only disclosed it now.
A serenditious battery outage
Simply put, he found the bug because he forgot to turn off or to charge his phone before setting off on a lengthy journey, leaving the device to run low on juice unnoticed while he was on the road.
According to SchĂŒtz, he was rushing to send some messages after getting home (weâre guessing heâd been on a plane) with the tiny amount of power still left in the batteryâŠ
âŠwhen the phone died.
Weâve all been there, scrabbling for a charger or a backup battery pack to get the phone rebooted to let people know we have arrived safely, are waiting at baggage reclaim, have reached the train station, expect to get home in 45 minutes, could stop at the shops if anyone urgently needs anything, or whatever weâve got to say.
And weâve all struggled with passwords and PINs when weâre in a rush, especially if theyâre codes that we rarely use and never developed âmuscle memoryâ for typing in.
In SchĂŒtzâs case, it was the humble PIN on his SIM card that stumped him, and because SIM PINs can be as short as four digits, theyâre protected by a hardware lockout that limits you to three guesses at most. (Weâve been there, done that, locked ourselves out.)
After that, you need to enter a 10-digit âmaster PINâ known as the PUK, short for personal unblocking key, which is usually printed inside the packaging in which the SIM gets sold, which makes it largely tamper-proof.
And to protect against PUK guessing attacks, the SIM automatically fries itself after 10 wrong attempts, and needs to be replaced, which typically means fronting up to a mobile phone shop with identification.
What did I do with that packaging?
Fortunately, because he wouldnât have found the bug without it, SchĂŒtz located the original SIM packaging stashed somewhere in a cupboard, scratched off the protective strip that obscures the PUK, and typed it in.
At this point, given that he was in the process of starting up the phone after it ran out of power, he should have seen the phoneâs lockscreen demanding him to type in the phoneâs unlock codeâŠ
âŠbut, instead, he realised he was at the wrong sort of lockscreen, because it was offering him a chance to unlock the device using only his fingerprint.
Thatâs only supposed to happen if your phone locks while in regular use, and isnât supposed to happen after a power-off-and-reboot, when a full passcode reauthentication (or one of those swipe-to-unlock âpattern codesâ) should be enforced.
Is there really a âlockâ in your lockscreen?
As you probably know from the many times weâve written about lockscreen bugs over the years on Naked Security, the problem with the word âlockâ in lockscreen is that itâs simply not a good metaphor to represent just how complex the code is that manages the process of âlockingâ and âunlockingâ modern phones.
A modern mobile lockscreen is a bit like a house front door that has a decent quality deadbolt lock fittedâŠ
âŠbut also has a letterbox (mail slot), glass panels to let in light, a cat flap, a loidable spring lock that youâve learned to rely on because the deadbolt is a bit of a hassle, and an external wireless doorbell/security camera thatâs easy to steal even though it contains your Wi-Fi password in plaintext and the last 60 minutes of video footage it recorded.
Oh, and, in some cases, even a secure-looking front door will have the keys âhiddenâ under the doormat anyway, which is pretty much the situation that SchĂŒtz found himself in on his Android phone.
A map of twisty passageways
Modern phone lockscreens arenât so much about locking your phone as restricting your apps to limited modes of operation.
This typically leaves you, and your apps, with lockscreen access to a plentiful array of âspecial caseâ features, such as activating the camera without unlokcking, or popping up a curated set of notification mesaages or email subject lines where anyone could see them without the passcode.
What SchĂŒtz had come across, in a perfectly unexceptionable sequence of operations, was a fault in whatâs known in the jargon as the lockscreen state machine.
A state machine is a sort of graph, or map, of the conditions that a program can be in, along with the legal ways that the program can move from one state to another, such as a network connection switching from âlisteningâ to âconnectedâ, and then from âconnectedâ to âverifiedâ, or a phone screen switching from âlockedâ either to âunlockable with fingerprintâ or to âunlockable but only with a passcodeâ.
As you can imagine, state machines for complex tasks quickly get complicated themselves, and the map of different legal paths from one state to another can end up full of twists, and turnsâŠ
âŠand, sometimes, exotic secret passageways that no one noticed during testing.
Indeed, SchĂŒtz was able to parlay his inadvertent PUK discovery into a generic lockscreen bypass by which anyone who picked up (or stole, or otherwise had brief access to) a locked Android device could trick it into the unlocked state armed with nothing more than a new SIM card of their own and a paper clip.
In case youâre wondering, the paper clip is to eject the SIM already in the phone so that you can insert the new SIM and trick the phone into the âI need to request the PIN for this new SIM for security reasonsâ state. SchĂŒtz admits that when he went to Googleâs offices to demonstrate the hack, no one had a proper SIM ejector, so they first tried a needle, with which SchĂŒtz managed to stab himself, before succeeding with a borrowed earring. We suspect that poking the needle in point first didnât work (itâs hard to hit the ejector pin with a tiny point) so he decided to risk using it point outwards while âbeing really carefulâ, thus turning a hacking attempt into a literal hack. (Weâve been there, done that, pronged ourselves in the fingertip.)
Gaming the system with a new SIM
Given that the attacker knows both the PIN and the PUK of the new SIM, they can deliberately get the PIN wrong three times and then immediately get the PUK right, thus deliberately forcing the lockscreen state machine into the insecure condition that SchĂŒtz discovered accidentally.
With the right timing, SchĂŒtz found that he could not only land on the fingerprint unlock page when it wasnât supposed to appear, but also trick the phone into accepting the successful PUK unlock as a signal to dismiss the fingerprint screen and âvalidateâ the entire unlock process as if heâd typed in the phoneâs full lock code.
Unlock bypass!
Unfortunately, much of SchĂŒtzâs article describes the length of time that Google took to react to and to fix this vulnerability, even after the companyâs own engineers had decided that the bug was indeed repeatable and exploitable.
As SchĂŒtz himself put it:
This was the most impactful vulnerability that I have found yet, and it crossed a line for me where I really started to worry about the fix timeline and even just about keeping it as a âsecretâ myself. I might be overreacting, but I mean not so long ago the FBI was fighting with Apple for almost the same thing.
Disclosure delays
Given Googleâs attitude to bug disclosures, with its own Project Zero team notoriously firm about the need to set strict disclosure times and stickto them, you might have expected the company to stick to its 90-days-plus-14-extra-in-special-cases rules.
But, according to SchĂŒtz, Google couldnât manage it in this case.
Apparently, heâd agreed a date in October 2022 by which he planned to disclose the bug publicly, as heâs now done, which seems like plenty of time for a bug he discovered back in June 2022.
But Google missed that October deadline.
The patch for the flaw, designated bug number CVE-2022-20465, finally appeared in Androidâs November 2022 security patches, dated 2022-11-05, with Google describing the fix as: âDo not dismiss keyguard after SIM PUK unlock.â
In technical terms, the bug was whatâs known a race condition, where the part of the operating system that was watching the PUK entry process to keep track of the âis it safe to unlock the SIM now?â state ended up producing a success signal that trumped the code that was simultaneously keeping track of âis is safe to unlock the entire device?â
Still, SchĂŒtz is now significantly richer thanks to Googleâs bug bounty payout (his report makes it clear he was hoping for $100,000, but he had to settle for $70,000 in the end).
And he did hold off on disclosing the bug after the 15 October 2022 deadline, accepting that discretion is the sometimes better part of valour, saying:
I [was] too scared to actually put out the live bug and since the fix was less than a month away, it was not really worth it anyway. I decided to wait for the fix.
What to do?
Check that your Android is up to date: go to Settings > Security > Security update > Check for update.
Note that when we visited the Security update screen, having not used our Pixel phone for a while, Android boldly proclaimed Your system is up to date, showing that it had checked automatically a minute or so earlier, but still told us we were on the October 5, 2022 security update.
We forced a new update check manually and were immediately told Preparing system updateâŠ, followed by a short download, a lengthy preparatory stage, and then a reboot request.
After rebooting we haad reached the November 5, 2022 patch level.
We then went back and did one more Check for update to confirm that there were no fixes still outstanding.
A security flaw in the Galaxy Store allows attackers to trigger remote code execution on affected smartphones.
 The now patched vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.
Vulnerability Details
The now-patched vulnerability is related to a cross-site scripting (XSS) flaw that occurs when handling specific deep links and it affects Galaxy Store version 4.5.32.4. The problem was first reported by an independent security researcher.
Particularly, deeplink can be called from another application or from a browser. The store receives appropriate deeplinks, it will process and show them in a webview.
In this case, by failing to secure the deeplink, the attacker is able to run JS code in the Galaxy Store applicationâs webview context whenever a user hits a link from a website that contains the deeplink.
The expert focuses on deep links configured for Samsungâs Marketing & Content Service (MCS).
Although the Samsung MCS Direct Page website was extracting the argument from the url and displaying it on the website, it did not encrypt, which resulted in an XSS problem.
âWe can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.â reads the advisory published by SSD Secure Disclosure.
Experts observed two functions âdownloadAppâ and âopenAppâ here these two functions will get the app id and download them from the store or open them.
This indicates that these two functions can be called using JS code. In this case, an attacker has the ability to execute arbitrary code by injecting it into the MCS website.
âTo be able to successfully exploit the victimâs server, it is necessary to have HTTPS and CORS bypass of Chrome,â advisory published by SSD Secure Disclosure
Affected Products and Patch Available
The vulnerability impacts Galaxy Store version 4.5.32.4.
Therefore, Samsung has issued patches that are now in wide circulation for all Samsung devices.
Here are the top phone security threats in 2022 and how to avoid them
Your handset is always at risk of being exploited. Here’s what to look out for.
Oscar Wong / Getty
Our mobile devices are now the keys to our communication, finances, and social lives — and because of this, they are lucrative targets for cybercriminals.
Whether or not you use a Google Android or Apple iOS smartphone, threat actors are constantly evolving their tactics to break into them.
This includes everything from basic spam and malicious links sent over social media to malware capable of spying on you, compromising your banking apps, or deploying ransomware on your device.
The top threats to Android and iOS smartphone security in 2022
Phishing and smishing
Image: Maria Diaz / ZDNet
Phishing occurs when attackers send you fake and fraudulent messages. Cybercriminals attempt to lure you into sharing personal information, clicking malicious links, downloading and unwittingly executing malware on your device, or handing over your account details — for a bank, PayPal, social network, email, and more.
Mobile devices are subject to phishing through every avenue PCs are, including email and social network messages. However, mobile devices are also vulnerable to smishing, which are phishing attempts sent over SMS texts.
Regarding phishing, it doesn’t matter if you are using an Android or an iOS device. To fraudsters and cybercriminals, all mobile devices are created equally.
Your best defense: Don’t click on links in emails or text messages unless you can be 100% they’re legit.
Physical security
Image: Maria Diaz / ZDNet
Many of us forget an essential security measure: physically securing our mobile devices. We may not use a PIN, pattern, or a biometric check such as a fingerprint or retina scan — and if so, we are making our handset vulnerable to tampering. In addition, if you leave your phone unattended, it may be at risk of theft.
Your best defense:Â Lock down your phone with a strong password or PIN number, at a minimum, so that if it ends up in the wrong hands, your data and accounts can’t be accessed.
SIM hijacking
Image: Maria Diaz / ZDNet
SIM hijacking, also known as SIM swapping or SIM porting, is the abuse of a legitimate service offered by telecom firms when customers need to switch their SIM and telephone numbers between operators or handsets.
Usually, a customer would call their telecom provider and request a switch. An attacker, however, will use social engineering and the personal details they discover about you — including your name, physical address, and contact details — to assume your identity and to dupe customer service representatives into giving them control of your number.
In successful attacks, a cybercriminal will be able to redirect your phone calls and texts to a handset they own. Importantly, this also means any two-factor authentication (2FA) codes used to protect your email, social media, and banking accounts, among others, will also end up in their hands.Â
SIM hijacking usually is a targeted attack as it takes data collection and physical effort to pull off. However, when successful, they can be disastrous for your privacy and the security of your online accounts.
Your best defense: Protect your data through an array of cybersecurity best practices so that it can’t be used against you via social engineering. Consider asking your telecom provider to add a “Do not port” note to your file (unless you visit in person).
Nuisanceware, premium service dialers, cryptocurrency miners
Image: Maria Diaz / ZDNet
Your mobile device is also at risk of nuisanceware and malicious software that will force the device to either make calls or send messages to premium numbers.
Nuisanceware is malware found in apps (more commonly in the Android ecosystem in comparison to iOS) which makes your handset act annoyingly. Usually not dangerous but still irritating and a drain on your power, nuisanceware may show you pop-up adverts, interrupt your tasks with promotions or survey requests, or open up pages in your mobile browser without permission.
While nuisanceware can generate ad impressions through users, premium service dialers are worse. Apps may contain hidden functions that will covertly sign you up to premium, paid services, send texts, or make calls — and while you end up paying for these ‘services,’ the attacker gets paid.
Some apps may quietly steal your device’s computing resources to mine for cryptocurrency.
Your best defense:Â Only download apps from legitimate app stores and carefully evaluate what permissions you’re allowing them to have.Â
Open Wi-Fi
Image: Maria Diaz / ZDNet
Open and unsecured Wi-Fi hotspots are everywhere, from hotel rooms to coffee shops. They are intended to be a customer service, but their open nature also opens them up to attack.
Specifically, your handset or PC could become susceptible to Man-in-The-Middle (MiTM) attacks through open Wi-Fi connections. An attacker will intercept the communication flow between your handset and browser, stealing your information, pushing malware payloads, and potentially allowing your device to be hijacked.
You also come across ‘honeypot’ Wi-Fi hotspots every so often. These are open Wi-Fi hotspots created by cybercriminals, disguised as legitimate and free spots, for the sole purpose of performing MiTM.
Your best defense: Avoid using public Wi-Fi altogether and use mobile networks instead. If you must connect to them, at least consider using a virtual private network (VPN).
Surveillance, spying, and stalkerware
Image: Maria Diaz / ZDNet
Surveillanceware, spyware, and stalkerware come in various forms. Spyware is often generic and will be used by cyberattackers to steal information including PII and financial details. However, surveillanceware and stalkerware are normally more personal and targeted; for example, in the case of domestic abuse, a partner may install surveillance software on your phone to keep track of your contacts, phone calls, GPS location, and who you are communicating with, and when.
Your best defense: An antivirus scan should take care of generic spyware, and while there’s no magic bullet for surveillanceware or stalkerware, you should watch out for any suspicious or unusual behavior on your device. If you think you are being monitored, put your physical safety above all else. See our guide for how to find and remove stalkerware from your phone.
Ransomware
Image: Maria Diaz / ZDNet
Ransomware can impact mobile devices as well as PCs. Ransomware will attempt to encrypt files and directories, locking you out of your phone, and will demand payment — commonly in cryptocurrency — through a blackmail landing page. Cryptolocker and Koler are prime examples.
Ransomware is often found in third-party apps or deployed as a payload on malicious websites. For example, you may see a pop-up request to download an app — disguised as everything from a software cracker to a pornography viewer — and your handset can then be encrypted in mere minutes.
Your best defense: Keep your phone up-to-date with the latest firmware, your Android or iOS handset’s fundamental security protections on, and don’t download apps from sources outside official repositories.
Trojans, financial malware
By Rawpixel.com — Shutterstock
There are countless mobile malware variants, but Google and Apple’s fundamental protections stop many in their tracks. However, out of the malware families, you should be aware of, trojans top the list.
Trojans are forms of malware that are developed with data theft and financial gains in mind. Mobile variants include EventBot, MaliBot, and Drinik.
Most of the time, users download the malware themselves, which may be packaged up as an innocent and legitimate app or service. However, once they have landed on your handset, they overlay a banking app’s window and steal the credentials you submit. This information is then sent to an attacker and can be used to pillage your bank account. Some variants may also intercept 2FA verification codes.
The majority of financial trojans target Android handsets. iOS variants are rarer, but strains including XCodeGhost still exist.
Your best defense:Â Keep your phone up-to-date with the latest firmware, your Android or iOS handset’s fundamental security protections on, and don’t download apps from sources outside official repositories. If you suspect your phone has been compromised, stop using financial apps, cut off your internet connection, and both run a personal check and antivirus scan.
Mobile device management exploits
Image: Maria Diaz / ZDNet
Mobile Device Management (MDM) solutions are enterprise-grade tools suited for the workforce. MDM features can include secure channels for employees to access corporate resources and software, spreading a company’s network security solutions and scans to each endpoint device, and blocking malicious links and websites.
However, if the central MDM solution is infiltrated or otherwise compromised, each mobile endpoint device is also at risk of data left, surveillance, or hijacking.
Your best defense:Â The nature of MDM solutions takes control out of the hands of end users. Therefore, you can’t protect against MDM compromise. What you can do, however, is maintain basic security hygiene on your device, make sure it is up-to-date, and keep your personal apps and information off work devices.Â
How can I physically protect my device?
Your lock screen is the gateway to your device, data, photos, private documents, and apps. As such, keeping it secure is paramount.
On Android, consider these settings:
Screen lock type: Swipe, pattern, PIN, password, and biometric checks using fingerprints or your face
Smart lock: Keeps your phone unlocked when it is with you, and you can decide what situations are considered safe
Auto factory resets: Automatically wipes your phone after 15 incorrect attempts to unlock
Notifications: Select what notifications show up and what content is displayed, even when your phone is locked
Lockdown mode: From Android 9.0, lockdown mode can be enabled
Find my Device: Find, lock, or erase your lost device
On iOS devices, check out:
Passcode: set a passcode to unlock your device
Face ID, Touch ID: Biometrics can be used to unlock your device, use apps, and make payments
Find my iPhone: Find, track, and block your lost iPhone
Lockdown mode: Apple previewed its own version of lockdown mode in July. Dubbed “extreme” protection for a small pool of users, the upcoming feature will provide improved security for malicious links and connections, as well as wired connections when an iPhone is locked.Â
What should I look out for as symptoms of a malware infection?
If you notice your Android or iOS device is not behaving normally, you may have been infected by malware or be otherwise compromised.
Things to watch out for are:
Battery life drain: Batteries degrade over time, especially if you don’t let your handset run flat every so often or you are constantly running high-power mobile apps. However, if your handset is suddenly hot and losing power exceptionally quickly, this could signify malicious apps and software burning up your resources.
Unexpected behavior: If your smartphone is behaving differently and you’ve recently installed new apps or services, this could indicate that all is not well.
Unknown apps: Software that suddenly appears on your device, especially if you have allowed the installation of apps from unidentified developers or have a jailbroken smartphone, could be malware or surveillance apps that have been installed without your knowledge or consent.
Browser changes: Browser hijacking, changes to a different search engine, web page pop-ups, and ending up on pages you didn’t mean to could all be a sign of malicious software tampering with your device and data.
Unexpected bills: Premium number scams and services are operated by threat actors to generate fraudulent income. If you have unexpected charges, calls, or texts to premium numbers, this could mean you are a victim of these threats.
Service disruption: SIM hijacking is a severe threat. This is normally a targeted attack with a particular goal, such as stealing your cryptocurrency or accessing your online bank account. The first sign of attack is that your phone service suddenly cuts off, which indicates your telephone number has been transferred elsewhere. A lack of signal, no ability to call, or a warning that you are limited to emergency calls only can indicate a SIM swap has taken place. Furthermore, you may see account reset notifications on email or alerts that a new device has been added to your existing services.
What about Pegasus and government-grade malware?
On occasion, enterprise and government-grade malware hit the headlines. Known variants include Pegasus and Hermit, used by law enforcement and governments to spy on everyone from journalists to lawyers and activists.
In June 2022, Google Threat Analysis Group (TAG) researchers warned that Hermit, a sophisticated form of iOS and Android spyware, is exploiting zero-day vulnerabilities and is now in active circulation.
The malware tries to root devices and capture every detail of a victim’s digital life, including their calls, messages, logs, photos, and GPS location.
However, the likelihood of you being targeted by these expensive, paid-for malware packages is low unless you are a high-profile individual of interest to a government willing to go to these lengths. You are far more likely to be targeted by phishing, generic malware, or, unfortunately, friends and family members who are using stalkerware against you.
What should I do if I think my Android or iOS phone is compromised?
If you suspect your Android or IOS device has been infected with malware or otherwise compromised, you should take urgent action to protect your privacy and security. Consider these steps below:
Run a malware scan: You should ensure your handset is up-to-date with the latest operating system and firmware, as updates usually include patches for security vulnerabilities that can be exploited in attacks or malware distribution. Google and Apple offer security protection for users, but it wouldn’t hurt to download a dedicated antivirus app. Options include Avast, Bitdefender, and Norton. Even if you stick to the free versions of these apps, it’s far better than nothing.
Delete suspicious apps: Deleting strange apps isn’t foolproof, but any apps you don’t recognize or use should be removed. In the cases of nuisanceware, for example, deleting the app can be enough to restore your handset to normal. You should also avoid downloading apps from third-party developers outside of Google Play and the Apple Store that you do not trust.
Revisit permissions: From time to time, you should check the permission levels of apps on your mobile device. If they appear to be far too extensive for the app’s functions or utilities, consider revoking them or deleting the app entirely. Keep in mind that some developers, especially in the Android ecosystem, will offer helpful utilities and apps in Google Play only to turn them malicious down the line.
Tighten up communication channels: You should never use open, public Wi-Fi networks. Instead, stick to mobile networks; if you don’t need them, turn off Bluetooth, GPS, and any other features that could broadcast your data.
Premium service dialers: If you’ve had unexpected bills, go through your apps and delete anything suspicious. You can also call your telecom provider and ask them to block premium numbers and SMS messages.
Ransomware: There are several options if you have unfortunately become the victim of mobile ransomware and cannot access your device.
If you were alerted to the ransomware before your device is encrypted and a ransom note is displayed, cut off the internet and any other connections — including any wired links to other devices — and boot up your mobile in Safe Mode. You might be able to delete the offending app, run an antivirus scan, and clean up before any significant damage occurs.
However, if your handset is locked, your next steps are more limited, as removing the malware only deals with part of the problem.
If you know what ransomware variant is on your handset, you can try using a decryption tool such as those listed by the No More Ransom project. You can also provide information to Crypto Sheriff, and researchers will try and find out what type of malware you’re dealing with for free.
In the worst-case scenario, you might need to perform a factory reset. Removing ransomware stops it from spreading further but will not restore files that have been encrypted. You can restore your device following a reset if you’ve consistently backed up your data.
Remember, paying a ransom does not guarantee that your files will be decrypted and returned to you.
Stalkerware, surveillanceware: When you know or suspect you’ve been targeted by stalkerware or surveillanceware, this can be extremely difficult to handle. If it’s the case that basic, generic spyware has landed on your device, Google, Apple, or a dedicated antivirus app should pick this up for you and remove it.
However, suppose a partner or other close contact is monitoring you, and you try to remove a stalkerware app from your phone. In that case, they will be alerted directly, or they will become aware because they are no longer receiving your information.
You shouldn’t try to remove these apps if this risks your physical safety. Indeed, some commercially-available forms of spyware damage a handset so severely that the operator can remotely reinstall them, anyway, and the only real option is to throw the device away (or keep it for law enforcement purposes).
Reach out to an organization that can help you, consider using a burner phone if you can, and keep yourself as physically safe as possible.Â
SIM hijacking: If you suspect you have been SIM-swapped, you have a very short window for damage control. The first thing you should do is call your telecom provider and try to have your service restored as quickly as possible — but as we all know, you can be left on hold for an infuriatingly long time.
If you can, go and visit your carrier in person, in-store.
No one is exempt from the risk of SIM swaps, customer service representatives may not have been trained to recognize SIM hijacking, and cybercriminals may have enough of your personal information to pass as you without challenge.
To mitigate the risk in the first place, consider linking your crucial ‘hub’ accounts, financial services, and cryptocurrency wallets to a number that isn’t publicly connected to you. A simple pay-as-you-go number will do, and so if your personal or work numbers are compromised, the potential opportunities for theft are limited.Â
Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?
We sympathise â weâre sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answeredâŠ
âŠbut that rarely, if ever, turn out to have a familiar voice at the other end.
Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.
If you havenât seen it, the video starts with the words, âI have 100 cockroaches here, and I placed them in this James Bond-style contraption,â so you can probably imagine how things end.
Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)
Fake refund scams
The scammers in Roberâs video seem to go in mainly for what are known as âfake refundâ tricks, which go something like this:
Scammers ârefundâ you an impressive but believable amount, say $2000, for an âover-billingâ for a product or service you actually use.
They then âhelpâ you login to your bank account to ensure that the transaction went through.
They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
They cry out in alarm, claiming they themselves must have typed in an extra zero and that theyâve accidentally refunded too much.
Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! wonât you help?
Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the âextraâ money out of your own account.
After all, you can see the giant refund is there⊠except that it isnât, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.
Youâre scammed into thinking that theyâve made a mistake that will definitely get them in trouble, and could get you into trouble, too.
The crooks therefore hope to persuade you to help them âcover upâ their mistake by withdrawing the âexcessâ from your own account and paying the non-existent âdifferenceâ back to them via some other channel.
While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, youâll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.
Researchers devised an attack technique to tamper the firmware and execute a malware onto a Bluetooth chip when an iPhone is âoff.â
A team of researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt demonstrated a technique to tamper with the firmware and load malware onto a chip while an iPhone is âOFF.â
Experts pointed out that when an iPhone is turned off, most wireless chips (Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB)) continue to operate.
The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,â the researchers said.
The Low-Power Mode was implements with iOS 15, it is supported by iPhone 11, iPhone 12, and iPhone 13 devices.
Many users are not aware of these features, even if they are aware that their iPhone remains locable even when the device was turned off.
The experts mentioned the case of a user-initiated shutdown during which the iPhone remains locatable via the Find My network.
The researchers focused their analysis on how Apple implements standalone wireless features while the iOS is not running, they also discovered that the wireless chips have direct access to the secure element.
âLPM [Low Power Mode] support is implemented in hardware. The Power Management Unit (PMU) can turn on chips individually. The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components.â reads the paper published by the researchers. âAs a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model. Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromisedâ
The experts explained that a threat actor has different options to tamper with firmware, which depend on their preconditions. Unlike NFC and UWB chips, the Bluetooth firmware is neither signed nor encrypted opening the doors to modification.
An attacker with privileged access can exploit this bug to develop a malware that can run on an iPhone Bluetooth chip even when it is off.
âThe current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhoneâs hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model.â concludes the paper. âTo the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.â
The researchers will present the results of their study at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).
Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a pocket-sized version of a high-functioning microcomputer that can perform a wide range of functions aside from communications. Android phones are essentially a sub-category of smartphones with installed Android operating systems, allowing their features to function effectively. Today, virtually everybody owns a smartphone, especially the prevalent android versions. More advanced versions of these phones are released yearly with newer innovations and improved operating systems to enhance user experience. Itâs simply a cutting-edge technology that we canât get enough of.
Nowadays, Android phones are quickly becoming a must-have gadget because they are used to perform virtually all everyday functions, from communication, advertising, and marketing to entertainment. They also serve as a means of accessing information through social media and can be used for a wide variety of other functions like taking high-quality pictures, watching movies, typing documents, etc.
Overall, technology has truly revolutionized our daily lives, and the introduction of smartphones made it easier and faster for us to access information and communicate with greater ease. However, aside from the numerous conventional functions that we use our android phones for, there is a long list of hidden features, tricks, shortcuts, and quick hacks that you can take advantage of with your Android phone.
In this article, we will discuss some of the Android tips and tricks for getting the most from your phone.
You might have heard that the iPhone is almost completely impossible to hack or that Samsung devices have some of the best firewalls in the world built right into the device. While these statements are true, they do not mean that your personal information is automatically safe.
In fact, there are a handful of ways hackers can get into your mobile device. That being said, there are several steps you can take to fight back against it. So, letâs take a look and explore those in a bit more depth today.
A security research called Trevor Spiniolas has just published information about a bug he claims has existed in Appleâs iOS operating system since at least version 14.7.
The bug affects the Home app, Appleâs home automation software that lets you control home devices â webcams, doorbells, thermostats, light bulbs, and so on â that support Appleâs HomeKit ecosystem.
Spiniolas has dubbed the bug doorLock, giving it both a logo and a dedicated web page, claiming that although he disclosed it to Apple back in August 2021, the companyâs attempts to patch it so far have been incomplete, and his specified deadline of 01 January 2022 for âgoing liveâ with details of the flaw has now passed:
I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.
Youâll have to make your own mind up about whether this bug truly âposes a serious riskâ, but in this article weâll tell you how to deal with the issue anyway.
The good news is that the bug doesnât let attackers spy on your phone (or your HomeKit devices), steal data such as passwords or personal messages, install malware, rack up fraudulent online charges, or mess with your network.
Also, there are some easy ways to avoid getting bitten by this bug in the first place while you wait for Apple to come up with a complete fix.
The bad news is that if an attacker does trick you into triggering the bug, you could end up with a phone thatâs so unresponsive that you have to do a firmware reset to get back into the device.
And, as you probably already knew â or, if you didnât, you know now! â using Device Recovery or DFU (a direct firmware update, where you completely reinitialise the firmware of a recalcitrant iDevice over a USB cable) automatically wipes out all your personal data first.
Which devices are affected?
Spiniolas doesnât say, but weâre assuming that this same bug is present in iPadOS, which has shipped separately from iOS since version 13, though always with a matching version number.
We also donât know how far back this bug goes: as mentioned above, Spiniolas says âfrom iOS 14.7â, which weâre guessing is the earliest version heâs been able to test.
Apple doesnât allow iPhones and iPads to be downgraded, as a way of preventing would-be jailbreakers from reverting to known-buggy iOS versions in order to reintroduce exploitable security holes on purpose.
I specialize in cybersecurity not mental health, so I canât comment on how this intimacy with a device affects our well-being. But I can say that we must secure any platform thatâs always connected, always on, and almost always within inches of our bodies.
Letâs take a look at the six threats F-Secureâs Tactical Defense Unit sees most often as we continually analyze the mobile landscape.
Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed.
An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning.
The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.âs National Cyber Security Centre (NCSC). But Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out.
The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in âExpress Transitâ mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices.
âAn attacker only needs a stolen, powered-on iPhone,â according to a writeup (PDF) published this week. âThe transactions could also be relayed from an iPhone inside someoneâs bag, without their knowledge. The attacker needs no assistance from the merchant.â
In a proof-of-concept video, the researchers showed a ÂŁ1,000 payment being sent from a locked iPhone to a standard, non-transit Europay, Mastercard and Visa (EMV) credit-card reader.
Exploiting Apple Pay Express Transit Mode
The attack is an active man-in-the-middle replay and relay attack, according to the paper. It requires an iPhone to have a Visa card (credit or debit) set up as a transit card in Apple Pay.
The attackers would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. This tricks the iPhone into believing itâs connecting to a legitimate Express Transit option, and so, therefore, it doesnât need to be unlocked.
âIf a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this [to be] a transaction with a transport EMV reader,â the team explained.
If youâve already listened to this weekâs Naked Security Podcast youâll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this MondayâŠ
âŠhad been dumped forever by Apple.
Apple notoriously wonât tell you anything about the security situation in its products unless and until it has a patch out.
So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didnât, we couldnât tell whether it was still safe and didnât need the patches, whether it needed the patches but theyâd be a bit late, or whether it needed the patches but would never get them.
And with iOS 15 arriving as the new kid on the block this week, we assumed the worst, following the âone-in-one-outâ principle.
