Andrew Orr joins host Kelly Guimont to discuss Security Friday news, including Mac and iOS exploits, and encrypted services for your data.
‘Insomnia’ iOS Exploit Used to Target Uyghurs in China
An iOS exploit called Insomnia was used between January and March 2020 to spy on Uyghurs in China using apps like Signal and ProtonMail.
New Exploit Shows We Should Just Skip to iOS 13.1
A contacts exploit was discovered in iOS 13 that lets a person bypass Face ID / Touch ID to see an iPhone’s contacts.
Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.
Little is at stake, but there have been so many iOS exploits in the news lately that we might as well go straight to iOS 13.1.
Google's Project Zero Finds 6 iOS 'Interactionless' Bugs
Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.
The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device, also with no user interaction.
A Fix For That Scary WhatsApp Exploit is Live
An Israeli firm called NSO Group used a WhatsApp exploit to inject spyware on target devices. A fix for the exploit is live.
Given the stealthy way the attack was attempted, it’s impressive that WhatsApp caught it as quickly as they did. Engineers at Facebook have been busy sorting this one out over the weekend… Named CVE-2019-3568… affected versions include… WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51.
Security Researcher Won't Share macOS Keychain Bug
Security researcher Linus Henze found a macOS Keychain bug but won’t share it with Apple out of protest.
Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.
It is odd that there isn’t a macOS bug bounty but I think withholding security information isn’t the way to go.
Hacker Team Recovers Deleted iPhone Photos
The team—Fluoroacetate—was crowned Master of Pwn with 45 points.
iOS Safari Spoofing Exploit Found With No Fix Yet
Security researcher Rafay Baloch found an iOS Safari spoofing exploit, and at this time there is no documented fix. Will iOS 12 patch it?
Charter Security Flaw Just Exposed Customer Data for Millions
Charter won’t say how many people have been affected, although the company claims that the flaws weren’t actually exploited.
macOS Zero Day Found That Was Present Since 2002
A new macOS zero day exploit has been found, and this one has been present in the operating system since 2002.
Google is About to Release an iOS Jailbreak Exploit
This is part of Project Zero’s modus operandi, as it routinely searches other companies’ software for bugs.
HomeKit Zero Day Exploit, the iPad Computer Debate - TMO Daily Observations 2017-12-08
Dave Hamilton and John Martellaro join Jeff Gamet to discuss the HomeKit Zero Day exploit that was just revealed, plus John and Jeff get into a debate about whether the iPad should be considered a computer.
Wikileaks Giving CIA's iPhone Spy Code to Apple
Apple may have patched most of the security flaws that Wikileaks revealed the CIA is exploiting, but not all of them. Apple has been scrambling trying to learn more about the remaining exploits and it looks like the help it needs is coming directly from Wikileaks. The organization said it plans to share everything it knows about the hacks with Apple, and it’s going to do the same for other tech companies the CIA targeted, too.
Update your iOS 9.x Devices Now!
Dr. Mac says he doesn’t usually write about Apple’s minor operating system updates, but, if you’re using an iPhone, iPad, or iPod touch, you should update to iOS version 9.3.5 without delay. Read all about it in Dr. Mac’s Rants & Raves #190: Update your iOS 9.x Devices Now!