
SandJacking attack enables installation of rogue apps on iOS devices

Roundup: The new SandJacking attack technique allows attackers with physical access to iOS devices to install rogue apps. Plus, more on medical software security and Privacy Shield obstacles.

A new attack technique called SandJacking can load malicious apps to any non-jailbroken iPhone, even against the latest version of iOS.

SandJacking was demonstrated last week by a security researcher at the Hack In The Box (HITB) conference in Amsterdam, and Apple has not yet patched the vulnerability that enables the attack. SandJacking allows attackers with physical access to an unlocked iPhone to quickly replace a legitimate app with a malicious version of that app, capable of accessing sandboxed data from the targeted phone.

The SandJacking attack exploits a feature in Xcode 7 that allows developers to sign custom apps with certificates acquired simply by providing a valid Apple ID, and allows those apps to be distributed directly, bypassing Apple's App Store restrictions. Chilik Tamir, chief architect of research and development at mobile security firm Mi3 Security, first demonstrated similar attacks against older versions of iOS using the proof-of-concept Su-A-Cyder toolkit at Black Hat Asia 2016 earlier this year.

The Su-A-Cyder toolkit automates the SandJacking attack process. The iOS device is first backed up, then the targeted (legitimate) app is deleted, the malicious app is installed, and the backup is restored leaving the malicious version of the app installed on the device. The app then has access to any of the application's sandboxed content.

Su-A-Cyder combines open source technologies with scripts that "automate the processes of taking a decrypted iOS app, injecting it with any evil code, re-signing it with an anonymous Apple ID and then installing the repackaged app on a non-jailbroken device," Mi3 wrote. "Because Su-A-Cyder is a toolset and not an actual app or malicious code, antivirus solutions will not be able to identify that Su-A-Cyder was used."

Kevin Bocek, vice president of security strategy and threat intelligence at SSL encryption vendor Venafi, said: "This SandJacking attack shows just how powerful certificates have become as potential weapons. Cryptographic keys and digital certificates form the foundations of trust online and enable our software and devices to [decide] whether something should be trusted or not.

"Issuing free unvalidated Apple certificates is now a fast-track to enabling malware to be installed. There are already well over 20 million malware samples authenticated by digital certificates. Bad guys know what powerful weapons digital certificates have become. It's past due that we learn from our human immune system and apply that to the digital world to know which certificates should be trusted and who is friend or foe."

Mi3 contacted Apple in January to notify them of the vulnerability and ask for a patch release; Tamir reported that the fix was in progress as of May 23.

In other news:

  • A medical system for tracking and managing patients and surgical staff before, during and after surgery uses hard-coded credentials, according to CERT. The MEDHOST Perioperative Information Management System (PIMS) "contains hard-coded credentials that are used for customer database access," according to the CERT security advisory. "An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the application database server may be able to obtain or modify sensitive patient information." MEDHOST has updated their product to address the issue, and urged system administrators to upgrade to the most recent version.
  • While calling the EU-U.S. Privacy Shield "a step in the right direction," the European Data Protection Supervisor (EDPS) warned that "as currently formulated [Privacy Shield] does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress." The EDPS, which is an independent EU authority, called for significant improvements before adopting the new framework, intended to replace the Safe Harbor data flow framework. "In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimizing routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU."
  • "OEM software is making us vulnerable and invading our privacy," wrote Darren Kemp, security researcher at Duo Labs, the advanced research team at SaaS security firm Duo Security. After disclosure of vulnerabilities like eDellRoot and Superfish, Duo Labs dug deeper into the state of security for OEM software updaters provided by Acer, Asus, Dell, HP and Lenovo, and reported on their results, which were not encouraging. Every one of those vendors "shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine." Other problems: failure to use TLS, failure to validate update integrity and more. "The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial."
  • The Network File System (NFS) version 3 is still widely used and misused, according to Fortinet researcher Tien Phan. Using the Shodan search engine, researchers found that 10% of internet-facing NFS servers were completely open; some of the servers "contain confidential data such as email backups, server logs and web source code for active websites." The researchers estimated that thousands of terabytes of data are exposed. No user-based authentication is implemented in NFS version 3, though NFS version 4 (first released in 2000) incorporates strong authentication using Kerberos. NFS is a distributed file system protocol first introduced for file sharing under UNIX by Sun Microsystems in 1984.
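The NFS finding above comes down to two export-level mistakes: exports reachable from any host, and exports that rely on NFSv3-style AUTH_SYS (client-asserted UID/GID) instead of Kerberos. The following is an added example, not from the article or from Fortinet, that audits a constructed /etc/exports sample for both conditions so an administrator can spot them before Shodan does.

```shell
#!/bin/sh
# Constructed sample /etc/exports (not taken from the article):
#  - /srv/backups: exported to every host ("*"), AUTH_SYS only  -> two findings
#  - /srv/logs:    limited to one subnet, but still AUTH_SYS     -> one finding
#  - /srv/www:     limited to one subnet, Kerberos (sec=krb5p)  -> no finding
SAMPLE_EXPORTS='/srv/backups  *(rw,sync,no_subtree_check)
/srv/logs     10.0.0.0/24(ro,sync)
/srv/www      10.0.0.0/24(rw,sync,sec=krb5p)'

# audit_exports EXPORTS_TEXT
# Prints "<path> <host> WORLD_OPEN" for exports with a wildcard or empty host
# and "<path> <host> NO_KERBEROS" for exports whose options lack sec=krb5*.
# A host field of "" covers the "/path (rw)" form, which exports to everyone.
audit_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                  # skip blank lines and comments
        {
            path = $1
            for (i = 2; i <= NF; i++) {          # one host(options) spec per field
                split($i, parts, "(")
                host = parts[1]; opts = parts[2]; sub(/\)$/, "", opts)
                if (host == "*" || host == "")
                    printf "%s %s WORLD_OPEN\n", path, host
                if (opts !~ /sec=krb5/)
                    printf "%s %s NO_KERBEROS\n", path, host
            }
        }'
}

# count_findings EXPORTS_TEXT: number of findings, for scripting a pass/fail check.
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

audit_exports "$SAMPLE_EXPORTS"
```

Run it against a real exports file with `audit_exports "$(cat /etc/exports)"`; a clean file produces no output.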

Next Steps

Find out how the KeyRaider iOS malware can be mitigated.

Learn more about defending against password-stealing malware on jailbroken iOS devices.

Read about how the Masque attack was used to replace legitimate apps with malware to exploit iOS devices.
