Information Security Newspaper | Infosec Articles | Hacking News
https://www.securitynewspaper.com/
Feed last updated Tue, 28 Jan 2025 18:04:48 +0000

Unlocking Privacy: A Comprehensive Guide to Apple’s App Privacy Report
https://www.securitynewspaper.com/2025/01/28/unlocking-privacy-a-comprehensive-guide-to-apples-app-privacy-report/
Tue, 28 Jan 2025 18:04:47 +0000

In today’s digital age, privacy is a top concern for users who want to safeguard their data against unnecessary and invasive access by apps. With this in mind, Apple introduced a powerful feature known as App Privacy Report in iOS 15.2. This feature puts transparency at the forefront, empowering users to monitor how apps interact with their data and devices. Let’s dive into what the App Privacy Report is, how it works, and how you can use it to enhance your privacy.


What is Apple’s App Privacy Report?

The App Privacy Report is a feature that allows users to monitor apps’ activities, particularly in terms of data access and network communication. This report provides detailed insights into how apps access sensitive device resources and communicate with external domains. By providing this transparency, Apple aims to help users make more informed decisions about which apps they trust with their data.

Key Features of the App Privacy Report:

  1. Data & Sensor Access: Tracks when apps access your camera, microphone, location, photos, and contacts.
  2. Network Activity: Displays the domains that apps communicate with, including third-party services and trackers.
  3. Website Network Activity: Shows network interactions when using apps with built-in browsers.
  4. Most Contacted Domains: Lists the domains most frequently contacted by your apps.

This feature aligns with Apple’s broader privacy initiatives, such as App Tracking Transparency and Privacy Nutrition Labels in the App Store.


How to Enable App Privacy Report

Setting up the App Privacy Report is simple and takes just a few steps:

  1. Open Settings: On your iPhone or iPad, navigate to the Settings app.
  2. Go to Privacy & Security: Scroll down and select the “Privacy & Security” option.
  3. Enable App Privacy Report: Tap on “App Privacy Report” (near the bottom) and turn it on.

Once enabled, the feature will begin collecting data on app activities. Note that it may take some time (a few hours to a day) for the report to populate with meaningful insights.


Navigating the App Privacy Report

After enabling the feature, you can access detailed reports by returning to Settings > Privacy & Security > App Privacy Report. The report is divided into four main sections:

1. Data & Sensor Access

This section shows how often apps have accessed sensitive data and device sensors, such as:

  • Camera: Did an app access your camera unexpectedly?
  • Microphone: Are there any apps using your microphone when they shouldn’t?
  • Location: Are apps requesting your location more frequently than necessary?

2. App Network Activity

See the domains that apps communicate with. This is particularly useful for identifying apps that:

  • Use third-party analytics or trackers.
  • Share data with external servers.

3. Website Network Activity

For apps with built-in browsers, this section reveals the websites you’ve visited and any associated network activity.

4. Most Contacted Domains

This section highlights the domains that are most frequently contacted by apps. If you notice repeated communication with unfamiliar or suspicious domains, it could indicate potential privacy concerns.


How to Use the App Privacy Report Effectively

The App Privacy Report provides powerful insights, but knowing how to act on the information is key. Here’s a guide to making the most of the report:

1. Review Data Access

Pay close attention to which apps access your sensitive data and sensors. Ask yourself:

  • Is the access necessary for the app’s functionality?
  • Does the app’s behavior align with your expectations?

For example, a weather app may need location access, but it should not be accessing your microphone.

2. Monitor Network Activity

Look for:

  • Apps communicating with unknown domains.
  • Excessive contact with third-party services.

If you identify apps sharing data with suspicious or unnecessary domains, consider revoking their permissions or uninstalling them.

3. Adjust App Permissions

To control data access:

  1. Go to Settings > Privacy & Security.
  2. Select the specific data type (e.g., Camera, Microphone, or Location Services).
  3. Adjust permissions for individual apps as needed.

4. Uninstall Suspicious Apps

If an app exhibits excessive or unjustified access to data or communicates with too many unknown domains, it may be worth uninstalling it.

5. Reset the Report (Optional)

If you want to start monitoring from scratch:

  1. Go to Settings > Privacy & Security > App Privacy Report.
  2. Scroll down and tap “Turn Off App Privacy Report.”
  3. Re-enable it to reset the data collection.
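The report can also be exported: at the bottom of Settings > Privacy & Security > App Privacy Report, “Save App Activity” writes the collected records as newline-delimited JSON, which makes the review steps above scriptable. The following is an added example written for this article, not Apple’s code or a tool mentioned on the page. It assumes the record layout shown in the constructed sample (type, category, kind and accessor.identifier for sensor access; bundleID, domain and hits for network activity), which you should compare against your own export before relying on it, and it uses hypothetical bundle identifiers and domains. It applies the policy from step 1 (a weather app may use location but not the microphone), ranks domains the way the “Most Contacted Domains” section does, and points out a domain shared by several apps, the usual fingerprint of a common analytics SDK.

```python
import json
from collections import defaultdict

# Constructed sample of an App Privacy Report export (newline-delimited JSON,
# one record per line).  The field names follow the export as this editor has
# seen it; treat the schema as an assumption and compare it with a file
# exported from your own device.
SAMPLE_EXPORT = """\
{"type":"access","category":"location","kind":"intervalBegin","timeStamp":"2025-01-27T08:02:11.000-05:00","accessor":{"identifier":"com.example.weather","identifierType":"bundleID"}}
{"type":"access","category":"location","kind":"intervalEnd","timeStamp":"2025-01-27T08:02:14.000-05:00","accessor":{"identifier":"com.example.weather","identifierType":"bundleID"}}
{"type":"access","category":"microphone","kind":"intervalBegin","timeStamp":"2025-01-27T08:05:40.000-05:00","accessor":{"identifier":"com.example.weather","identifierType":"bundleID"}}
{"type":"access","category":"camera","kind":"intervalBegin","timeStamp":"2025-01-27T09:10:02.000-05:00","accessor":{"identifier":"com.example.camera","identifierType":"bundleID"}}
{"type":"networkActivity","bundleID":"com.example.weather","domain":"api.weather.example","hits":42,"firstTimeStamp":"2025-01-27T08:02:12.000-05:00","timeStamp":"2025-01-27T20:15:00.000-05:00"}
{"type":"networkActivity","bundleID":"com.example.weather","domain":"metrics.tracker.example","hits":310,"firstTimeStamp":"2025-01-27T08:02:12.000-05:00","timeStamp":"2025-01-27T20:15:00.000-05:00"}
{"type":"networkActivity","bundleID":"com.example.camera","domain":"metrics.tracker.example","hits":5,"firstTimeStamp":"2025-01-27T09:10:03.000-05:00","timeStamp":"2025-01-27T09:10:03.000-05:00"}
"""

# What each app is expected to touch, given its purpose (hypothetical bundle IDs).
EXPECTED_CATEGORIES = {
    "com.example.weather": {"location"},
    "com.example.camera": {"camera", "photos"},
}


def parse_report(text):
    """Parse NDJSON into a list of dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records):
    """Count sensor accesses per app and sum domain hits per app and overall."""
    access = defaultdict(lambda: defaultdict(int))
    network = defaultdict(lambda: defaultdict(int))
    domains = defaultdict(int)
    for rec in records:
        if rec.get("type") == "access":
            # an access is logged as an interval; count only its start so that
            # begin/end pairs are not counted twice
            if rec.get("kind") == "intervalEnd":
                continue
            app = rec.get("accessor", {}).get("identifier", "?")
            access[app][rec.get("category", "?")] += 1
        elif rec.get("type") == "networkActivity":
            app = rec.get("bundleID", "?")
            domain = rec.get("domain", "?")
            hits = int(rec.get("hits", 0))
            network[app][domain] += hits
            domains[domain] += hits
    return {"access": access, "network": network, "domains": domains}


def unexpected_access(summary, expected):
    """Return (app, category, count) for accesses outside the app's expected set."""
    findings = []
    for app, cats in summary["access"].items():
        allowed = expected.get(app, set())
        for cat, n in cats.items():
            if cat not in allowed:
                findings.append((app, cat, n))
    return sorted(findings)


def most_contacted_domains(summary, n=5):
    """Domains ranked by total hits across all apps, like the report's own section."""
    return sorted(summary["domains"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def apps_sharing_domain(summary, domain):
    """Apps that all talk to the same domain: a sign of a shared third-party SDK."""
    return sorted(app for app, doms in summary["network"].items() if domain in doms)


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_EXPORT))
    for app, cat, n in unexpected_access(s, EXPECTED_CATEGORIES):
        print(f"UNEXPECTED: {app} accessed {cat} {n}x")
    for domain, hits in most_contacted_domains(s):
        print(f"{hits:>6}  {domain}  apps={apps_sharing_domain(s, domain)}")
```

On a real export, call `parse_report` on the file contents and extend EXPECTED_CATEGORIES with one line per app you actually use; an app that shows up in `unexpected_access` is exactly the case the “Review Data Access” step asks you to question, and a domain that several unrelated apps share is the one to look up before deciding whether to revoke permissions.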

Why the App Privacy Report Matters

1. Transparency

The App Privacy Report empowers users by shining a light on app behavior. It helps you understand which apps are respecting your privacy and which might be overstepping boundaries.

2. Control

By providing detailed insights, the feature allows you to take control of your data. You can adjust permissions, restrict access, or uninstall apps based on their behavior.

3. Privacy Awareness

The report raises awareness about how apps communicate with third-party services, helping you spot potential privacy risks.

4. Aligns with Apple’s Privacy Goals

Apple’s commitment to user privacy is evident in features like App Tracking Transparency and Privacy Nutrition Labels. The App Privacy Report is yet another step toward giving users greater control over their data.


Conclusion

Apple’s App Privacy Report is a powerful tool for anyone who values their privacy. By providing transparency into how apps access your data and communicate with external domains, it empowers you to make informed decisions about which apps to trust. Whether you’re monitoring data access, adjusting permissions, or identifying suspicious behavior, the App Privacy Report is an essential feature for maintaining your digital privacy.

Enable it today and take the first step toward a more secure and private app experience!

How Hackers Remotely Control Any Samsung S23 and S24 in the World: Zero-Click Vulnerability & Exploit Explained
https://www.securitynewspaper.com/2025/01/10/how-hackers-remotely-control-any-samsung-s23-and-s24-in-the-world-zero-click-vulnerability-exploit-explained/
Fri, 10 Jan 2025 18:11:48 +0000

CVE-2024-49415 is a zero-click vulnerability affecting Samsung Galaxy devices, reported by Google Project Zero researcher Natalie Silvanovich and rated CVSS 8.1. Despite the headline, the flaw is not in the RCS protocol itself: it is an out-of-bounds write in libsaped.so, Samsung’s audio decoding library, triggered by a malformed Monkey’s Audio (APE) file. What makes it zero-click is the delivery path. When Google Messages is configured for Rich Communication Services (RCS), the default on the Galaxy S23 and S24, incoming audio attachments are decoded by the transcription service before the recipient ever opens the message, so a crafted attachment is processed with no user interaction at all. Samsung fixed the bug in its December 2024 security maintenance release (SMR Dec-2024 Release 1). Here, we explore the technical details, how the exploit works, and the broader implications for device security.


What is RCS?

Rich Communication Services (RCS) is a modern messaging protocol designed to replace SMS and MMS. It provides advanced features such as:

  • Group chats
  • High-resolution multimedia sharing
  • Typing indicators
  • Read receipts

However, the richer feature set brings complexity: an RCS client must parse and render media that arrives from untrusted senders, and any bug in that parsing path is reachable remotely.


The Nature of CVE-2024-49415

The vulnerability is in how a decoded audio frame is written into a fixed-size output buffer, not in how RCS messages are transported or authenticated. Project Zero’s report describes it as follows.

  1. Root Cause:
    • Mismatched Bounds Check: The function saped_rec in libsaped.so writes decoded samples into a buffer allocated by the C2 media service that is always 0x120000 bytes long. The extractor (libsapedextractor) does cap the APE header field blocksperframe at 0x120000, but saped_rec can emit up to 3 × blocksperframe bytes when the input uses 24-bit samples, so a file with a large blocksperframe value writes far past the end of the buffer.
    • Memory Corruption: The result is an out-of-bounds write of attacker-controlled decoded audio into adjacent memory, which Samsung’s advisory rates as allowing remote arbitrary code execution.
  2. Attack Characteristics:
    • Zero-Click Nature: No user interaction is required; the transcription service decodes the attachment as soon as it arrives.
    • Remote Delivery: The attacker sends the file as an ordinary RCS audio attachment through Google Messages; no spoofing of RCS servers or carrier infrastructure is involved.

How the Exploit Works

Step 1: Target Selection

The attacker needs only the target’s phone number and an RCS-capable sender account. The vulnerable configuration (Google Messages with RCS enabled on a Galaxy device running unpatched firmware) is the default on the S23 and S24, so little reconnaissance beyond confirming the device model is required.

Step 2: Crafting the Payload

The attacker constructs an APE audio file whose header declares a blocksperframe value within the extractor’s limit but whose decoded size, at 24 bits per sample, exceeds the 0x120000-byte output buffer. The frame data that follows is what gets written out of bounds, so its contents are chosen to corrupt adjacent memory in a controlled way.

Step 3: Delivery

The file is sent as an audio attachment in an RCS chat. It travels through the normal RCS infrastructure and is received by Google Messages like any other message.

Step 4: Exploitation

When the target device receives the message:

  1. Google Messages hands the attachment to the transcription service without waiting for the user to open it.
  2. The audio is decoded through Samsung’s libsaped.so, and the oversized frame overflows the output buffer.

Step 5: Remote Code Execution

Code execution would land in the process hosting the decoder (a media codec process), not in the messaging app. Such processes are sandboxed on Android, so the capabilities below generally require chaining with further privilege-escalation bugs, but they are the realistic goal of an attacker who obtains that foothold:

  • Access to sensitive files, messages, and multimedia.
  • Remote monitoring of the device (e.g., activating the microphone or camera).
  • Installation of persistent malware for ongoing control.

Step 6: Maintaining Persistence

The attacker may:

  • Install a backdoor for continued access.
  • Use the messaging channel to exfiltrate data.
  • Erase traces of the attack by clearing logs or disabling alerts.

Technical Weaknesses

  1. Bounds Checking:
    • The size limit was applied to the wrong quantity. Capping blocksperframe at the buffer size is only sufficient for 8-bit mono audio; the number of bytes actually written also depends on the channel count and bytes per sample, and that product was never compared against the allocation.
  2. Trust Boundary:
    • Attachments from unauthenticated senders are decoded automatically for transcription, so a parser bug in a rarely used audio format becomes a zero-click remote entry point.
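The bounds-check mismatch above is worth seeing in code. What follows is an added, simulated example written for this article, not Samsung’s libsaped.so and not Project Zero’s proof of concept. The two sizes (a 0x120000-byte output buffer and the same cap on blocksperframe) come from Project Zero’s description; the header layout, the FixedBuffer class and the sample values are constructed. The vulnerable decoder checks each header field in isolation and then writes whatever the frame expands to; the fixed decoder compares the bytes it is about to produce against the space actually left. With 24-bit samples, a header that passes the field check expands to three times the buffer.

```python
import struct

# Sizes taken from the Project Zero description of CVE-2024-49415: the output
# buffer is always 0x120000 bytes and the extractor caps blocksperframe at the
# same value.  Everything else here (the header layout, the buffer class) is a
# constructed model, not Samsung's code.
OUTPUT_BUFFER_SIZE = 0x120000
MAX_BLOCKS_PER_FRAME = 0x120000


class OutOfBoundsWrite(Exception):
    """Raised by the simulated buffer where a native decoder would corrupt memory."""


class FixedBuffer:
    """Stand-in for the fixed-size output allocation."""

    def __init__(self, size):
        self.size = size
        self.used = 0

    def write(self, nbytes):
        if self.used + nbytes > self.size:
            raise OutOfBoundsWrite(f"{nbytes} bytes into a {self.size}-byte buffer")
        self.used += nbytes


def pack_frame_header(blocks_per_frame, channels, bits_per_sample):
    """Toy header: u32 blocks per frame, u16 channels, u16 bits per sample (constructed layout)."""
    return struct.pack("<IHH", blocks_per_frame, channels, bits_per_sample)


def parse_frame_header(header):
    """The checks the extractor performs: each field is individually plausible."""
    blocks, channels, bits = struct.unpack("<IHH", header[:8])
    if blocks > MAX_BLOCKS_PER_FRAME:
        raise ValueError("blocksperframe above the extractor limit")
    if channels not in (1, 2) or bits not in (8, 16, 24):
        raise ValueError("unsupported channel count or sample size")
    return blocks, channels, bits


def decoded_size(blocks, channels, bits):
    """Bytes a frame expands to: samples x channels x bytes per sample."""
    return blocks * channels * (bits // 8)


def decode_frame_vulnerable(header, out):
    """Trusts the per-field limit and writes whatever the frame expands to."""
    blocks, channels, bits = parse_frame_header(header)
    out.write(decoded_size(blocks, channels, bits))


def decode_frame_fixed(header, out):
    """Compares the bytes actually produced against the space actually left."""
    blocks, channels, bits = parse_frame_header(header)
    needed = decoded_size(blocks, channels, bits)
    if needed > out.size - out.used:
        raise ValueError("decoded frame does not fit the output buffer")
    out.write(needed)


def run(decoder, header):
    """Outcome of decoding one frame into a fresh buffer: ok, rejected, or out-of-bounds."""
    try:
        decoder(header, FixedBuffer(OUTPUT_BUFFER_SIZE))
    except ValueError:
        return "rejected"
    except OutOfBoundsWrite:
        return "out-of-bounds"
    return "ok"


if __name__ == "__main__":
    hostile = pack_frame_header(MAX_BLOCKS_PER_FRAME, 1, 24)  # passes the field check, 3x too big
    benign = pack_frame_header(0x10000, 2, 16)
    print("vulnerable, hostile header:", run(decode_frame_vulnerable, hostile))
    print("fixed, hostile header:     ", run(decode_frame_fixed, hostile))
    print("fixed, benign header:      ", run(decode_frame_fixed, benign))
```

The point the simulation makes is that the same hostile header is accepted by the field-level check and rejected only when the decoder reasons about bytes rather than blocks; in native code the first case is a silent memory write rather than an exception.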

Real-World Implications

  • Stealthy and Hard to Detect: Nothing has to be opened or tapped, so the victim sees at most an unremarkable audio message, and by then the exploit has already run.
  • Global Impact: Any Galaxy device on unpatched firmware with Google Messages and RCS enabled (the S23 and S24 default) is reachable by phone number alone, which makes the attack surface enormous.
  • High-Stakes Consequences: Compromised devices can leak sensitive information, serve as espionage tools, or act as part of a larger botnet for distributed attacks.

Mitigation Efforts

Samsung’s Response

Samsung fixed the out-of-bounds write in libsaped.so in SMR Dec-2024 Release 1. The patch itself is not described in detail publicly, but the property it must establish is clear from the bug: the decoder may never write more bytes than the output buffer holds, whatever the header claims, which means checking the product of blocks, channels and bytes per sample against the allocation rather than checking blocksperframe alone.

Recommendations for Users

  1. Update Devices: Install the December 2024 (or later) security update as soon as it is available for your model.
  2. Disable RCS Temporarily: If a patch is not yet available, turning off RCS chats in Google Messages removes the zero-click delivery path.
  3. Monitor Device Activity: Watch for unusual behaviour, such as unexpected messages or data usage.

Broader Lessons

  1. Complexity Increases Risk: A messaging client that decodes every supported media format on arrival inherits the bugs of every decoder, including those for formats almost nobody uses.
  2. Zero-Click Exploits are Dangerous: Removing user interaction removes the one moment at which a cautious user could have declined.
  3. Proactive Security is Essential: Work by researchers such as Google Project Zero is critical for uncovering and addressing vulnerabilities before they are exploited in the wild.

CVE-2024-49415 highlights the need for vigilance in developing and deploying modern communication technologies. While Samsung’s patch mitigates the immediate risk, the broader security challenges posed by zero-click vulnerabilities demand ongoing collaboration between manufacturers, researchers, and the cybersecurity community.

EvilVideo Exploit: How to Hack a Phone via Telegram Video?
https://www.securitynewspaper.com/2024/07/23/evilvideo-exploit-how-to-hack-a-phone-via-telegram-video/
Tue, 23 Jul 2024 22:26:34 +0000

A zero-day vulnerability in the Telegram messaging app for Android, dubbed ‘EvilVideo’ by the ESET researchers who discovered it, allowed attackers to send malicious Android APK payloads that appeared in chats as video files. The exploit was offered for sale on an underground forum, affected Telegram for Android up to version 10.14.4, and was fixed in version 10.14.5; until then it posed a serious threat to Telegram’s Android user base.

Because Telegram downloads received media automatically by default, the payload was already on the device as soon as the chat was opened. When the user tapped the apparent video, Telegram could not play it and offered to open the file in an external application; accepting that, and then allowing installation from an unknown source when Android asked, installed the malicious APK.

In short, Telegram’s Android client presented a file as a video based on how it was declared rather than on what it contained: insufficient file validation and improper handling of media files.

Exploitation Process:

  1. Crafting the Malicious APK:
    • Presenting the APK as a Video: ESET assessed that the exploit used the Telegram API, which lets a sender upload a file programmatically with a declared media type, so the APK appeared in the chat as a 30-second video with a thumbnail. The package itself needs no modification; the mislabelling happens in how it is sent.
    • Embedding Malicious Code: The APK carried whatever payload the attacker chose, from spyware to ransomware, designed to execute once installed on the victim’s device.
  2. Disguising the Malicious Payload:
    • Declared Type and Name: The declared MIME type (for example video/mp4) and the file name were what Telegram’s client trusted, so nothing in the chat view hinted at an installable package.
    • Creating a Deceptive Appearance: The file was named to avoid suspicion, for example “vacation_video.mp4”.
  3. Delivering the Malicious APK via Telegram:
    • Sending the File: The attacker sent the disguised APK file to the target using Telegram. The vulnerability in Telegram’s file handling allowed the app to accept and present the file as a video.
    • Initial User Interaction: The recipient sees the file as a video and attempts to play it within Telegram. The app, recognizing the file as a video, tries to play it but fails due to its true APK nature.
  4. Triggering the Exploit:
    • Error Prompt: When the user tries to play the “video,” Telegram displays an error message indicating that the video cannot be played within the app. It then prompts the user to open the file using an external application.
    • Executing the Malicious APK: If the user consents to open the file externally, the operating system’s file handler processes the file as an APK and executes it. This results in the installation of the malicious payload on the device.
  5. Post-Exploitation Actions:
    • Payload Execution: Once installed, the malicious APK can perform various harmful activities based on the attacker’s intent. This might include exfiltrating personal data, encrypting files for ransom, or creating backdoors for further exploitation.
    • Maintaining Persistence: The malware may also establish persistence on the device, ensuring that it remains active even after reboots or attempts to remove it.

Technical Specifics of the Exploit:

  • File Header and Metadata Spoofing: By altering the file header and metadata, attackers could bypass Telegram’s superficial file validation checks.
  • MIME Type Manipulation: Changing the MIME type to video formats such as “video/mp4” misled Telegram into treating the APK file as a video.
  • Error Handling Exploitation: Leveraging the error prompt mechanism, attackers guided users to execute the APK file using external apps, where the actual nature of the file would be revealed and executed by the Android OS.
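The validation that defeats this trick is to classify a received file by its bytes, not by the MIME type or name that came with it. The following is an added example written for this article, not Telegram’s code and not a reconstruction of the actual exploit payload. It builds a constructed stand-in for an APK (a ZIP containing AndroidManifest.xml and classes.dex with placeholder contents) and a constructed MP4 header, sniffs both, and rejects the one whose declared type does not match its contents. The package name and file names are hypothetical.

```python
import io
import zipfile


def build_fake_apk():
    """Constructed stand-in for an APK: a ZIP holding the two entries every
    Android package has.  Contents are placeholders, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.evil'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_minimal_mp4():
    """Constructed ISO BMFF prefix: an MP4 file starts with a 'ftyp' box."""
    ftyp = b"ftypmp42" + b"\x00\x00\x00\x00" + b"mp42isom"
    box = (4 + len(ftyp)).to_bytes(4, "big") + ftyp
    return box + b"\x00\x00\x00\x08free"


def sniff(data):
    """Classify by content: 'mp4', 'apk', 'zip' or 'unknown'.  Never looks at the name."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "apk"
        return "zip"
    return "unknown"


# Which sniffed types are acceptable for each declared video MIME type.
VIDEO_TYPES = {"video/mp4": {"mp4"}}


def validate_media(filename, declared_mime, data):
    """Accept a 'video' only if the bytes are a video.  Returns (ok, reason)."""
    kind = sniff(data)
    allowed = VIDEO_TYPES.get(declared_mime)
    if allowed is None:
        return False, f"{filename}: unsupported declared type {declared_mime}"
    if kind in allowed:
        return True, f"{filename}: content matches {declared_mime}"
    if kind == "apk":
        return False, f"{filename}: declared {declared_mime} but content is an Android package"
    return False, f"{filename}: declared {declared_mime} but content sniffed as {kind}"


if __name__ == "__main__":
    print(validate_media("vacation_video.mp4", "video/mp4", build_fake_apk()))
    print(validate_media("vacation_video.mp4", "video/mp4", build_minimal_mp4()))
```

The second useful property of this check is where it runs: a client that sniffs before rendering never reaches the “cannot play, open externally?” prompt for an APK, which is the step the attack depended on.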

Mitigation and Prevention:

  • Enhanced File Validation: Telegram fixed the issue in version 10.14.5. The durable fix for this class of bug is to classify a received file by its content (magic bytes and container structure) rather than by its declared type or extension.
  • User Education: Educating users about the risks of opening unknown files and the importance of verifying the source of received media can reduce the likelihood of such exploits being successful.
  • Security Software: Utilizing robust security applications that can detect and block malicious APKs, even when disguised as media files, adds an additional layer of protection.

Best Practices for Users:

  1. Keep Apps Updated:
    • Always ensure that apps, particularly those handling sensitive information or media, are updated to the latest versions to benefit from security patches and enhancements.
  2. Exercise Caution with Unknown Files:
    • Avoid opening files from unknown or untrusted sources. Be especially wary of media files that prompt external application execution.
  3. Employ Security Solutions:
    • Use robust security software to detect and mitigate potential threats. This includes antivirus programs and malware scanners that can identify and block malicious APKs.

Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers
https://www.securitynewspaper.com/2023/12/06/over-86000-routers-at-risk-is-yours-one-of-them-shocking-vulnerabilities-in-widely-used-ot-iot-routers/
Wed, 06 Dec 2023 19:22:43 +0000

The research report “Sierra:21 – Living on the Edge” presents an analysis of vulnerabilities found in Sierra Wireless AirLink cellular routers, which are widely used in OT/IoT (Operational Technology/Internet of Things) environments to connect critical local networks to the Internet. Forescout Vedere Labs identified 21 new vulnerabilities in these routers and in open-source components they use, such as TinyXML and OpenNDS.

  • The study focuses on the Sierra Wireless AirLink cellular routers, crucial for connecting OT/IoT networks to the internet.
  • These routers are used in various critical infrastructure sectors, including manufacturing, healthcare, government, energy, transportation, and emergency services.
  • Sierra Wireless, OpenNDS, and Nodogsplash have patched several vulnerabilities, but challenges remain due to the abandonment of projects like TinyXML​​.

Flaws and Examples

The vulnerabilities are grouped into five impact categories​​:

  1. Remote Code Execution (RCE): Attackers can take full control of a device by injecting malicious code.
  2. Cross-Site Scripting (XSS): This allows for the injection of malicious code on clients browsing the ACEmanager application, potentially leading to credential theft.
  3. Denial of Service (DoS): These vulnerabilities can be used to crash ACEmanager, rendering it unreachable or causing it to restart automatically.
  4. Unauthorized Access: This involves design flaws like hardcoded credentials and private keys, which could allow attackers to perform man-in-the-middle attacks or recover passwords.
  5. Authentication Bypasses: These allow attackers to bypass the authentication service of the captive portal and directly connect to the protected WiFi network.

Severity of Vulnerabilities: Among these 21 vulnerabilities, one is of critical severity, nine have high severity, and eleven have medium severity. These vulnerabilities could allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device, and use it as an initial access point into critical networks.

Affected Sectors: The affected devices are found in multiple critical infrastructure sectors. These include manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Additionally, these routers are used to stream video for remote surveillance and connect police vehicles to internal networks.

Extent of Exposure: Over 86,000 vulnerable routers are exposed online. Notably, less than 10% of these exposed routers have been confirmed to be patched against known vulnerabilities found since 2019, which indicates a large attack surface. Moreover, 90% of devices exposing a specific management interface (AT commands over Telnet) have reached the end of their life, meaning they cannot receive further patches​​.

Specific examples include:

  • CVE-2023-40458: ACEmanager enters an infinite loop when parsing malformed XML documents, leading to DoS.
  • CVE-2023-40459: A NULL-pointer dereference in ACEmanager during user authentication, leading to limited DoS.
  • CVE-2023-40460: Attackers can upload HTML documents to replace legitimate web pages in ACEmanager, leading to XSS attacks.
  • CVE-2023-40461 and CVE-2023-40462: Issues with uploading client certificates and client TLS keys in ACEmanager, enabling JavaScript code injection.
  • CVE-2023-40463: Hardcoded hash of the root password in ALEOS, allowing unauthorized root access.
  • CVE-2023-40464: Default SSL private key and certificate in ALEOS, enabling impersonation and traffic sniffing/spoofing​​.

Mitigation or Workaround

  • Patching is essential. Sierra Wireless has released updated ALEOS versions containing fixes.
  • Change default SSL certificates.
  • Disable unnecessary services like captive portals, Telnet, and SSH.
  • Deploy web application firewalls to protect against web-based vulnerabilities.
  • Use OT/IoT-aware intrusion detection systems to monitor network connections​​.

Conclusion

  • Vulnerabilities in OT/IoT network infrastructure are a major concern and are often left unpatched.
  • Less than 10% of routers exposed online are patched against known vulnerabilities.
  • Embedded devices lag in addressing vulnerabilities and implementing exploit mitigations.
  • Incomplete fixes can lead to new issues, as seen with CVE-2023-40460, originating from an incomplete fix for a previous vulnerability.
  • Manufacturers need to understand and address the root causes of vulnerabilities for effective long-term solutions​​.

The Art of Interception: Active and Passive Surveillance in Mobile Signaling Networks
https://www.securitynewspaper.com/2023/10/30/the-art-of-interception-active-and-passive-surveillance-in-mobile-signaling-networks/
Tue, 31 Oct 2023 00:15:24 +0000

Mobile network data is one of the most detailed dossiers that exists on any of us. Our phones are continuously attached to these networks and, through them, expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and our travel history. Technical weaknesses in mobile networks put this aggregate data at risk. They can reveal private information to a wide range of actors, and they are closely tied to the mechanisms that let phones roam between operators. Most of them involve the signalling traffic exchanged between telecommunications networks, which exposes phones to location disclosure.

Telecommunications networks are joined by signalling links that are nominally private but interconnected across operators worldwide. These links are what make domestic and international roaming possible, letting a phone move between networks seamlessly. The same signalling protocols also let a network ask about a subscriber: whether a number is active, which services are available to it, which national network it is registered on, and where it is located. These links and protocols are continually targeted and exploited by surveillance actors, exposing phones to several location disclosure techniques.

Most unlawful network-based location disclosure is possible because mobile networks interconnect. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement all routinely want location data, and state agencies may obtain it covertly using the same tactics as criminals. Following the report, this article refers to all of these players as ‘surveillance actors’, since what they share is an interest in mobile geolocation surveillance.

Despite worldwide 4G adoption and a fast-growing 5G footprint, many devices and their owners still depend on 3G networks. The GSMA, which provides mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that only 25% of mobile network operators worldwide had deployed a signalling firewall against geolocation surveillance by the end of 2021. Telecom insiders know that the vulnerabilities of the SS7 signalling protocol used for 3G roaming give commercial surveillance products anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risk.

The research by Citizen Lab focuses on geolocation risks from attacks on mobile signalling networks. Active or passive surveillance may reveal a user’s position through these networks, using a number of strategies.

The two methods differ significantly. Active surveillance uses software to provoke a response from the mobile network that contains the target phone’s position, whereas passive surveillance uses a collection device to read phone locations directly from network traffic. In an active attack, an adversary with network access sends forged signalling messages to a vulnerable target network to query and retrieve the target phone’s geolocation. Such attacks succeed on networks whose security safeguards are missing, incomplete, or misconfigured. An actor that merely leases network access is limited to active techniques unless it can install or reach passive collection devices inside other networks.

Operators and their suppliers may also be compelled, or compromised, into enabling both active and passive monitoring: the network operator may be legally required to provide monitoring access, or may face a hostile insider using the network unlawfully. A third party might also reach the operator’s systems by compromising VPN access to targeted network systems, allowing it to gather both active and passive location information.

The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.

Active Surveillance:

  • In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
  • Vulnerable networks without proper security controls are susceptible to active attacks.
  • Actors can access networks through lease arrangements to carry out active surveillance.

Passive Surveillance:

  • In passive surveillance, a collection device is used to obtain phone locations directly from the network.
  • Surveillance actors might combine active and passive methods to access location information.

Active Attacks:

  • Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
  • They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.

Vulnerabilities in Home Location Register (HLR) Lookup:

  • Commercial HLR lookup services can be used to check the status of mobile phone numbers.
  • Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
  • Actors with access to the SS7 network can perform HLR lookups without intermediary services.

Domestic Threats:

  • Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
  • Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
  • In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.

Passive Attacks:

  • Passive location attacks involve collecting usage or location data using network-installed devices.
  • Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
  • Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.

Packet Capture Examples of Location Monitoring:

  • Packet captures show examples of signaling messages used for location tracking.
  • Location information, such as GPS coordinates and cell information, can be exposed through these messages.
  • User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.
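The controls the report points at (signaling firewalls that also scrutinise traffic from inside the home network, and limits on the routing queries that commercial HLR-lookup services rely on) can be illustrated with a small rule engine over signaling logs. The block below is an added example and not code from the report or any operator; the CSV log format, the home global-title prefix, the trusted-node list, the thresholds and the sample records are all constructed.

```python
"""Toy signaling-firewall rule set for MAP operations that can disclose location.

Added example, not from the report. Log format, global-title (GT) ranges,
node allowlist and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# MAP operations that return a subscriber's cell/location or identity and
# have no legitimate reason to arrive from another operator's network.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}
# Routing queries (the basis of commercial "HLR lookup" services): needed for
# roaming and SMS delivery, but abusable at volume to track one target.
ROUTING_OPS = {"sendRoutingInfoForSM", "sendRoutingInfo"}

HOME_GT_PREFIX = "1234"                      # constructed: home operator's GT range
TRUSTED_INTERNAL = {"12340001", "12340002"}  # constructed: own nodes allowed to send LOCATION_OPS
LOOKUP_LIMIT = 5                             # routing queries per (origin, target, hour) before alerting


@dataclass
class Verdict:
    line: str
    action: str   # "allow", "alert" or "block"
    reason: str


def parse(line):
    """Constructed CSV format: timestamp,operation,origin_gt,dest_gt,target_identity."""
    ts, op, origin, dest, target = line.split(",")
    return {"hour": ts[:13], "op": op, "origin": origin, "dest": dest, "target": target}


def evaluate(lines):
    """Return one Verdict per log line, applying three rules:
    1. location-disclosure ops from a foreign GT are blocked (external threat);
    2. the same ops from an internal GT outside the allowlist raise an alert
       (domestic threat: a third party or rogue node inside the home network);
    3. routing queries are allowed but rate-limited per target to surface
       HLR-lookup style tracking.
    """
    verdicts = []
    lookups = defaultdict(int)
    for line in lines:
        ev = parse(line)
        internal = ev["origin"].startswith(HOME_GT_PREFIX)
        if ev["op"] in LOCATION_OPS:
            if not internal:
                verdicts.append(Verdict(line, "block", "location-disclosure op from foreign GT"))
            elif ev["origin"] not in TRUSTED_INTERNAL:
                verdicts.append(Verdict(line, "alert", "location-disclosure op from unexpected internal node"))
            else:
                verdicts.append(Verdict(line, "allow", "location-disclosure op from trusted internal node"))
        elif ev["op"] in ROUTING_OPS:
            key = (ev["origin"], ev["target"], ev["hour"])
            lookups[key] += 1
            if lookups[key] > LOOKUP_LIMIT:
                verdicts.append(Verdict(line, "alert", "routing-query rate exceeded for target"))
            else:
                verdicts.append(Verdict(line, "allow", "routing query within rate limit"))
        else:
            verdicts.append(Verdict(line, "allow", "operation not in scope of these rules"))
    return verdicts


# Constructed sample traffic: the IMSI, MSISDN and GTs are fictitious.
SAMPLE_LOG = [
    "2023-10-01T10:00:01,anyTimeInterrogation,44990001,12340010,310150123456789",
    "2023-10-01T10:00:05,provideSubscriberInfo,12349999,12340010,310150123456789",
    "2023-10-01T10:00:09,provideSubscriberInfo,12340001,12340010,310150123456789",
    "2023-10-01T10:30:00,updateLocation,44990007,12340010,310150123456789",
] + [
    f"2023-10-01T10:{5 * i:02d}:00,sendRoutingInfoForSM,44990007,12340010,15550001234"
    for i in range(6)
]


def summarize(lines=SAMPLE_LOG):
    """Count verdict actions; on SAMPLE_LOG this gives 1 block, 2 alerts, 7 allows."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for v in evaluate(lines):
        counts[v.action] += 1
    return counts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_LOG):
        print(f"{v.action:5s} {v.reason:55s} {v.line}")
    print(summarize())
```

The second rule is the one the report's "domestic threats" bullets call for: an origin inside the home GT range is not enough on its own, the node also has to be one that legitimately issues these operations.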

The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally. Based on past, present, and future evaluations of mobile network security, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are expected to persist without mandated transparency that exposes poor practices and accountability mechanisms that require operators to fix them. All three network types give surveillance actors more options. As long as nation states and organised crime groups can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military personnel, and government officials.

Exploiting Android App Pin feature to steal money from mobile wallets apps https://www.securitynewspaper.com/2023/09/12/exploiting-android-app-pin-feature-to-steal-money-from-mobile-wallets-apps/ Tue, 12 Sep 2023 22:30:28 +0000 https://www.securitynewspaper.com/?p=27215

The post Exploiting Android App Pin feature to steal money from mobile wallets apps appeared first on Information Security Newspaper | Hacking News.

A sufficiently determined intruder could exploit a security hole in the Android App Pin feature to make fraudulent purchases with Google Wallet. The vulnerability lets an attacker read the full card number and expiration date from a locked device. To exploit the flaw, tracked as CVE-2023-35671, an attacker needs physical access to the victim's device; they then put the device into App Pin mode and hold it close to an NFC reader. Once the card data has been read, the perpetrator can use it to make an unauthorized payment.
The vulnerability was discovered by ethical hacker Tiziano Marra. CVE-2023-35671 is not a typical security flaw: at its core is an information disclosure issue caused by a logic error, and its consequence is that an attacker gains the ability to collect the full card number and the card's expiry date.

The vulnerability is reached through the Android App Pin feature. Android app pinning was originally called "screen pinning" when it was introduced with Android 5.0 Lollipop (API level 21) on November 12, 2014. On Android devices, this security feature gives users more control over their privacy and helps protect their data.

App pinning lets users restrict their device to a single app, which effectively blocks access to other apps and sensitive data. It is useful when a focused work environment is needed, when a device serves as a public terminal, or when a device is shared. It prevents unauthorized users from accessing personal data, apps, and settings, contributing to a more secure digital experience overall.

Implementing app pinning as an application-management control typically involves the following steps:

Enabling the feature: Users enable it from the device's Settings menu by selecting Security and Privacy, then More Security Settings, then App Pinning. Once enabled, users can choose which app to pin.

Pinning an app: Launching the chosen app is the first step; the user then enters pinned mode, which locks the device to that app's interface until pinned mode is exited.

Using pinned mode: While pinned, you cannot interact with other apps, since they are temporarily hidden from view. If you try to switch to another app, open notifications, or perform any other function while the pinned app is open, the device reminds you that you are in pinned mode and keeps you there.

Exiting pinned mode: Users usually must provide an extra layer of authentication to leave this mode, such as a pre-set PIN, pattern, or password, or biometric recognition (fingerprint or face). This additional check ensures that only authorized users can exit the pinned app environment.

Pinning an Android app has many advantages, including the following:

Privacy and Security: Pinned mode protects users' privacy and security by preventing unwanted access to sensitive information, data, and apps.

Public Terminals: App pinning is important for kiosks or shared devices, since it confines users to a single app and reduces the risk of unauthorized access and data exposure.

Focus and Productivity: Users can create focused work environments by restricting the device to a single task-oriented app, which can increase their productivity.

Parental Control: Pinning an app lets parents limit their children to games and apps that are age-appropriate or educational.

In short, Android app pinning, formerly called "screen pinning," was launched with Android 5.0 Lollipop and offers comprehensive control over device functionality and access. By designating a single usable app and requiring authentication to leave that mode, it provides increased security, privacy, and focused interaction with digital content.

A logic error in the code makes it possible for a general-purpose NFC reader to read the full card number and expiration date even while the device's screen is locked. The issue lies in the onHostEmulationData method of HostEmulationManager.java. It can lead to local information disclosure with no additional execution privileges needed, and exploitation requires no user interaction.

Google rates the severity of this vulnerability as high. Along with his findings, the researcher submitted a proof-of-concept, which underlined the seriousness of this high-severity vulnerability.

Fake airplane mode attack allows to spy and hack iPhone users https://www.securitynewspaper.com/2023/08/17/fake-airplane-mode-attack-allows-to-spy-and-hack-iphone-users/ Thu, 17 Aug 2023 23:54:10 +0000 https://www.securitynewspaper.com/?p=27087

The post Fake airplane mode attack allows to spy and hack iPhone users appeared first on Information Security Newspaper | Hacking News.

This summer, hundreds of thousands of people will prepare for take-off by sitting back, relaxing, and switching their iPhones to airplane mode. When this setting is activated, the device's radio frequency (RF) transmitters are turned off, which severs the user's connection to their mobile network for the duration of the flight. This function, also known as flight mode or fly safe mode, was first introduced many years ago as a precautionary safety measure to shield aircraft from what was believed to be interference with their communications or navigation systems. In fact, the severity of this perceived risk to aircraft safety has often been exaggerated; as a result, the regulations are not as stringent as they once were, and in-flight Wi-Fi has improved to the point where it is now usable. Even so, activating airplane mode remains a standard part of the pre-flight routine.

Nevertheless, researchers at Jamf Threat Labs have recently uncovered and successfully demonstrated an exploit approach that allows an attacker to retain persistence on their victim’s device even when the user thinks they are offline. This technique was developed in response to a vulnerability that was revealed in a previous exploit. The approach, which has not been seen being used in the wild, relies on the successful development of a fake airplane mode “experience” by a hypothetical threat actor. This “experience” causes the device to give the appearance of being offline while in reality it is still functioning normally.

The exploit chain that was put together by Jamf ultimately results in a scenario in which processes that are controlled by an attacker are able to operate in the background undetected and unseen, while the owner of the device is blissfully oblivious that anything is wrong.

Two daemons handle switching an iOS device into airplane mode: SpringBoard, which handles visible changes to the user interface (UI), and CommCenter, which controls the underlying network interface and also maintains a feature that lets users restrict mobile data access for specific apps. Under normal circumstances, when airplane mode is activated the mobile data interface no longer shows IPv4 or IPv6 addresses, and the mobile network becomes disconnected and unreachable from user space.

The Jamf team, on the other hand, located the relevant area of the target device's console log and used a specific string—"#N User airplane mode preference changing from kFalse to KTrue"—to find the code referencing it. From there they were able to reach the device's code, hook the function, and replace it with an empty, inactive one. This let them construct a bogus airplane mode in which the device is never actually disconnected from the internet and they retain access to it.

After that, they went after the user interface by hooking two Objective-C methods to inject a small amount of code that dims the mobile connection indicator, leading the user to believe it is switched off, and highlights the airplane mode icon, which is represented by a picture of an airplane. If the hypothetical victim opened Safari at this point, they would reasonably expect to be prompted to disable airplane mode or connect to a Wi-Fi network in order to access data, since airplane mode appears to be enabled on their device.

Because they are in fact still connected to the internet, they would instead receive a different message asking them to authorize Safari to use wireless data via WLAN or mobile, or via WLAN only, which would be a hint that something was wrong. The Jamf team knew this had to be addressed for the exploit chain to succeed, so they devised a way to give the user the impression of having been disconnected from mobile data. This was done by using the CommCenter feature that blocks mobile data access for specific apps, and disguising that action as airplane mode by hooking yet another function.

They did this by creating an environment in which the user is shown a prompt to switch off airplane mode rather than the prompt they should have seen. The team used a SpringBoard feature that displays the "turn off airplane mode" notification after being told to do so by CommCenter, which in turn receives that notification from the device kernel via a registered observer/callback function. This allowed the team to cut off Safari's internet connection without actually turning on airplane mode.

The group then discovered that CommCenter also handles a SQL database file that records the mobile data access status of each program. If an application is prevented from accessing mobile data, that application is marked with a particular flag. They would then be able to selectively prohibit or enable an application’s access to mobile data or Wi-Fi by reading a list of application bundle IDs and obtaining their default settings from this information.

Chain of exploitation

After putting all of this together, the team had essentially built an attack chain in which their fake airplane mode appears to the victim to behave exactly like the genuine one, with the exception that non-application programs are still allowed to access mobile data. "This hack of the user interface disguises the attacker's movement by placing the device into a state that is counterintuitive to what the user expects," he added. "The user expects one thing, but the device behaves in a way that betrays their expectations." "An adversary could use this to surveil the user and their surroundings at a time when no one would suspect video recording or a live microphone capturing audio," says one researcher. "This could give an adversary an advantage in a fight." This is feasible because the mobile device in question is still connected to the internet, regardless of what the user interface conveys.

According to Covington, the discovery does not fall under the normal responsible disclosure process because the exploit chain does not constitute a vulnerability in the traditional sense. Rather, it is a technique that enables an attacker to maintain connectivity once they have control of the device through another series of exploits. The researchers did notify Apple of the research, but no one has responded to requests for comment.

The new attack approach poses a danger, but if it were used in anger it would more likely appear in a targeted attack by a threat actor with very particular aims than in a mass-exploitation event against the general public. For example, exploitation for espionage or surveillance by government-backed adversaries against persons of interest is a more likely scenario than exploitation by financially motivated cybercriminals.

Although the technique is most likely to be used in a targeted attack, it is still important to raise awareness of how device user interfaces, particularly those built by trusted suppliers such as Apple, can be turned against their users, because of the inherent trust people place in their mobile devices. The most crucial thing, according to him, is for consumers and security teams to better understand contemporary attack methods like those shown by the fake airplane mode study. In a sense, this is the next generation of social engineering, and it is not unlike how artificial intelligence is being used to produce bogus testimonials that appear to come from well-known celebrities.

10 impossible mobile patterns to break https://www.securitynewspaper.com/2023/08/08/10-impossible-mobile-patterns-to-break/ Tue, 08 Aug 2023 17:32:30 +0000 https://www.securitynewspaper.com/?p=27014

The post 10 impossible mobile patterns to break appeared first on Information Security Newspaper | Hacking News.

Mobile patterns are used by many people to unlock their phones, and many prefer a pattern over a passcode or password. One of the biggest reasons is how easy it makes unlocking the phone. The more stylized your pattern, the cooler you look while unlocking your phone, and it also helps prevent shoulder surfing attacks. So we will show you the 10 most impossible mobile patterns to break. Even if you unlock your phone in front of somebody, he or she will not be able to guess it; not even your girlfriend or boyfriend will be able to guess your pattern.

So without wasting too much time, we will show you the top 10 mobile patterns that are hard to break. Before we jump in, let us understand that a pattern is, in most cases, a combination of 9 dots. The figure below will help you understand the numbers behind these patterns.

Now that we understand the concept behind the pattern: whenever we draw a pattern, it is converted into numbers for the phone to unlock. The phone takes these numbers as the password and unlocks. Let's see which are the 10 most impossible mobile patterns to break.

1. FISH (2-5-8-4-6-9-3-1)

This is called the fish pattern, and the numbers in brackets are the sequence of dots to follow to create a pattern that resembles a fish. It starts at dot number 2, then draws a line to dot 5, then from dot 5 to dot 8, and so on, as shown below.

Fish mobile pattern

2. Love Angle (2-5-9-1-4-8-6-3-7)

This is the love angle pattern; use it if you love someone but don't want to tell her or him.

3. Ribbon (5-7-3-6-4-1-9)

4. Bird man mobile pattern (2-5-7-3-6-4-1-9)

5. Robo Head (2-5-4-6-3-9-8-7-2)

6. MKBHD (4-8-6-9-3-5-1-7)

7. Illusion (2-1-3-5-4-6-8-7-9)

8. Impossible (8-6-5-4-2-1-3-7-9)

9. MAZE (1-2-5-4-6-3-9-8-7)

10. Time Machine (8-6-5-4-2-3-1-9-7)

The only important thing is that whenever you use any of these, note down the number sequence. You can refer back to it in case you get caught in your own trap.
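The lock screen does not accept every sequence of dot numbers: a pattern may not reuse a dot, and a straight line may not jump over a dot that has not been used yet (the screen silently adds it). The following is an added example, not from the article, that checks the ten listed sequences against those rules and enumerates the whole 3x3 keyspace so the size of the search space an attacker faces is visible; it assumes the usual numbering (1 2 3 on the top row, 4 5 6 in the middle, 7 8 9 at the bottom), and all function names are constructed.

```python
"""Validator and enumerator for 3x3 Android unlock patterns.

Added example, not from the article. Dot numbering assumed: 1 2 3 on the
top row, 4 5 6 in the middle, 7 8 9 at the bottom.
"""

MIN_LEN, MAX_LEN = 4, 9   # the lock screen accepts patterns of 4 to 9 dots


def coords(dot):
    """Map dot number 1..9 to (row, col) on the 3x3 grid."""
    return divmod(dot - 1, 3)


def skipped_dot(a, b):
    """Return the dot lying exactly between a and b, or None if the line
    between them crosses no dot. That happens only when both the row sum and
    the column sum are even (1->3 crosses 2, 1->9 crosses 5, 2->8 crosses 5);
    knight-like moves such as 1->6 cross nothing."""
    (r1, c1), (r2, c2) = coords(a), coords(b)
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None
    mid = ((r1 + r2) // 2) * 3 + (c1 + c2) // 2 + 1
    return None if mid in (a, b) else mid


def validate(sequence):
    """Check a dash-separated sequence such as '2-5-8-4-6-9-3-1' against the
    rules the lock screen enforces: 4 to 9 dots, no dot used twice, and no
    line that jumps over a dot that has not been used yet."""
    dots = [int(x) for x in sequence.split("-")]
    if not MIN_LEN <= len(dots) <= MAX_LEN:
        return False, f"length {len(dots)} outside {MIN_LEN}-{MAX_LEN}"
    if any(d not in range(1, 10) for d in dots):
        return False, "dot outside 1-9"
    seen = set()
    for prev, cur in zip([None] + dots, dots):
        if cur in seen:
            return False, f"dot {cur} used twice"
        if prev is not None:
            mid = skipped_dot(prev, cur)
            if mid is not None and mid not in seen:
                return False, f"{prev}->{cur} jumps over unused dot {mid}"
        seen.add(cur)
    return True, "valid"


def count_all_patterns():
    """Enumerate every drawable pattern by depth-first search and return the
    total; this is the full keyspace an exhaustive offline guess faces."""
    total = 0

    def dfs(last, visited, length):
        nonlocal total
        if length >= MIN_LEN:
            total += 1
        if length == MAX_LEN:
            return
        for nxt in range(1, 10):
            if nxt in visited:
                continue
            mid = skipped_dot(last, nxt)
            if mid is not None and mid not in visited:
                continue
            visited.add(nxt)
            dfs(nxt, visited, length + 1)
            visited.remove(nxt)

    for start in range(1, 10):
        dfs(start, {start}, 1)
    return total


# The ten sequences listed in the article.
ARTICLE_PATTERNS = {
    "Fish": "2-5-8-4-6-9-3-1",
    "Love Angle": "2-5-9-1-4-8-6-3-7",
    "Ribbon": "5-7-3-6-4-1-9",
    "Bird man": "2-5-7-3-6-4-1-9",
    "Robo Head": "2-5-4-6-3-9-8-7-2",
    "MKBHD": "4-8-6-9-3-5-1-7",
    "Illusion": "2-1-3-5-4-6-8-7-9",
    "Impossible": "8-6-5-4-2-1-3-7-9",
    "MAZE": "1-2-5-4-6-3-9-8-7",
    "Time Machine": "8-6-5-4-2-3-1-9-7",
}


def check_article_patterns():
    """Validate each listed sequence; returns name -> (ok, reason)."""
    return {name: validate(seq) for name, seq in ARTICLE_PATTERNS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_article_patterns().items():
        print(f"{name:13s} {'ok' if ok else 'INVALID'}: {reason}")
    print("drawable patterns in total:", count_all_patterns())
```

Running the check shows that nine of the ten sequences are drawable as written, while "Robo Head" ends on dot 2 a second time, which the lock screen will not record; the enumeration gives 389,112 drawable patterns in total, which is the number a pattern's strength should be judged against rather than the nine-digit space the numbering suggests.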

Phishing attack over Microsoft Teams allows getting MFA from victim https://www.securitynewspaper.com/2023/08/03/phishing-attack-over-microsoft-teams-allows-getting-mfa-from-victim/ Thu, 03 Aug 2023 22:55:47 +0000 https://www.securitynewspaper.com/?p=27039

The post Phishing attack over Microsoft Teams allows getting MFA from victim appeared first on Information Security Newspaper | Hacking News.

Hackers working for the Russian government disguised as technical support personnel on Microsoft Teams in order to breach the security of hundreds of businesses throughout the world, including government entities.

Microsoft security experts said on Wednesday that a Russian state-sponsored hacking outfit named by Microsoft as “Midnight Blizzard,” but more generally known as APT29 or Cozy Bear, was responsible for the “highly targeted” social engineering attack.

APT29 hackers started attacking targets at the end of May, creating new domains with a technical-support theme using Microsoft 365 accounts hijacked in earlier attacks. From these domains, the attackers sent Microsoft Teams messages designed to trick users into approving multifactor authentication prompts. Their ultimate goal was to gain access to user accounts and steal sensitive information.

To host and launch its social engineering, the actor uses Microsoft 365 tenants belonging to small companies that it has previously compromised in other attacks. The actor first renames the compromised tenant, then creates a new onmicrosoft.com subdomain, and then adds a new user associated with that domain from which to send the outbound message to the target tenant. To make the messages look legitimate, the new subdomain and tenant name use keywords tied to a product name or a security-related theme. Microsoft's investigation is ongoing and includes these precursor attacks aimed at compromising legitimate Azure tenants, as well as the use of homoglyph domain names in social engineering lures. Microsoft has taken steps to prevent the actor from using the domains.

Chain of attacks using social engineering

Within the context of this activity, Midnight Blizzard has either obtained valid account credentials for the users they are targeting or they are targeting users who have passwordless authentication configured on their account. In either case, it is necessary for the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app that is installed on their mobile device.

When a user tries to log in to an account that requires this kind of MFA, they are shown a code that they must input into their authenticator app. This happens after the user has already attempted to authenticate themselves to the account. The user is presented with a popup on their device asking them to enter a code. After that, the actor will send a message to the user who is being targeted using Microsoft Teams, requesting that the user input the code into the prompt that is shown on their device.

Step 1: Teams request to chat

It’s possible that an external user posing as a member of the security or technical support team will send a message request via Microsoft Teams to the user who is the target.

Step 2: Request for authentication in the app

If the target user accepts the message request, they will then get a message from the attacker in Microsoft Teams. In this message, the attacker will try to persuade the user to input a code into the Microsoft Authenticator app that is installed on their mobile device.

Step 3: MFA authentication completed successfully

The threat actor will be provided a token to authenticate as the targeted user if the targeted user accepts the message request and inputs the code into the Microsoft Authenticator app. Following successful completion of the authentication process, the actor is granted access to the user’s Microsoft 365 account.

The actor then proceeds to post-compromise activity, which usually involves stealing information from the compromised Microsoft 365 tenant. In some instances, the actor also adds a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), probably in an attempt to get around conditional access policies that restrict access to certain resources to managed devices only.
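Two stages of this chain are visible in logs: a message request from a tenant domain that is security-themed, sits under onmicrosoft.com, or spells a brand name with lookalike characters, and an Authenticator-app approval by the same user shortly afterwards. The block below is an added example, not Microsoft's or the article's code, that scores a sender domain and correlates accepted external chats with subsequent MFA sign-ins; the keyword list, confusable table, event records and the 15-minute window are constructed.

```python
"""Lookalike/keyword scoring for Teams sender domains, plus correlation of an
accepted external chat with a following Authenticator-app sign-in.

Added example, not Microsoft's or the article's code. Keyword list, confusable
table, event format and the 15-minute window are constructed.
"""
import unicodedata
from datetime import datetime, timedelta

LURE_KEYWORDS = ("microsoft", "msft", "security", "support", "helpdesk", "identity", "protection")
BRANDS = ("microsoft", "office365", "azure")
# Digits and Cyrillic letters commonly swapped for Latin letters in lookalike names (not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0455": "s",
})
WINDOW = timedelta(minutes=15)   # accepted chat -> MFA approval correlation window


def skeleton(label):
    """Fold a domain label for comparison: NFKC, lowercase, confusables mapped, separators removed."""
    folded = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return folded.replace("-", "").replace("_", "")


def assess_sender_domain(domain):
    """Score the domain behind an external Teams message request."""
    domain = domain.lower().rstrip(".")
    reasons = []
    is_default_tenant = domain.endswith(".onmicrosoft.com")
    if is_default_tenant:
        label = domain[: -len(".onmicrosoft.com")]
        reasons.append("default onmicrosoft.com tenant domain")
    else:
        label = domain.split(".")[0]
    plain = label.replace("-", "").replace("_", "")
    folded = skeleton(label)
    keyword_hits = [f"lure keyword '{kw}'" for kw in LURE_KEYWORDS if kw in folded]
    reasons += keyword_hits
    # A brand that appears only after folding was spelled with lookalike characters.
    lookalike = any(b in folded and b not in plain for b in BRANDS)
    if lookalike:
        reasons.append("brand name spelled with lookalike characters")
    if lookalike or (is_default_tenant and keyword_hits):
        risk = "high"
    elif keyword_hits:
        risk = "medium"
    else:
        risk = "low"
    return {"domain": domain, "risk": risk, "reasons": reasons}


def correlate(chat_events, signin_events):
    """Flag a user who accepted an external Teams chat from a high-risk domain and
    then completed an Authenticator-app sign-in within WINDOW of accepting it."""
    alerts = []
    for chat in chat_events:
        if assess_sender_domain(chat["sender_domain"])["risk"] != "high":
            continue
        t0 = datetime.fromisoformat(chat["ts"])
        for s in signin_events:
            t1 = datetime.fromisoformat(s["ts"])
            if (s["user"] == chat["user"] and s["mfa_method"] == "authenticator_app"
                    and s["result"] == "success" and t0 <= t1 <= t0 + WINDOW):
                alerts.append({"user": chat["user"], "sender_domain": chat["sender_domain"],
                               "chat_ts": chat["ts"], "signin_ts": s["ts"]})
    return alerts


# Constructed events: one lure accepted and followed by an Authenticator approval,
# one benign external chat whose later sign-in falls outside the window anyway.
SAMPLE_CHATS = [
    {"ts": "2023-06-01T09:02:00", "user": "alice@example.org",
     "sender_domain": "msftprotection-securityteam.onmicrosoft.com"},
    {"ts": "2023-06-01T10:00:00", "user": "bob@example.org", "sender_domain": "partner-corp.com"},
]
SAMPLE_SIGNINS = [
    {"ts": "2023-06-01T09:06:30", "user": "alice@example.org", "mfa_method": "authenticator_app", "result": "success"},
    {"ts": "2023-06-01T10:40:00", "user": "bob@example.org", "mfa_method": "authenticator_app", "result": "success"},
]

if __name__ == "__main__":
    for d in ("msftprotection-securityteam.onmicrosoft.com", "micr\u043esoft-support.com", "partner-corp.com"):
        print(assess_sender_domain(d))
    print(correlate(SAMPLE_CHATS, SAMPLE_SIGNINS))
```

The domain score alone is a noisy signal, since legitimate small tenants also sit under onmicrosoft.com; the correlation with a successful Authenticator approval a few minutes after the chat was accepted is what turns it into something worth paging on.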

How to hack & track anybody’s phone location via silent SMS messages https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/ Tue, 20 Jun 2023 14:09:00 +0000 https://www.securitynewspaper.com/?p=26860

The post How to hack & track anybody’s phone location via silent SMS messages appeared first on Information Security Newspaper | Hacking News.

SMS delivery reports not only tell the sender that a message was delivered; they can also leak the recipient's location. That is what researchers have shown in their latest work: receiving a silent SMS opens a side channel that lets the sender estimate the recipient's position from the timing of the delivery reports. Researchers from several universities collaborated on this novel side-channel attack that reveals a user's whereabouts via SMS. According to their paper, the attack exploits SMS delivery reports: using statistics derived from the timing of these exchanges, a sender can estimate the recipient's location across several countries with an accuracy of up to 96%. The attack targets core weaknesses of the GSMA network on which SMS technology is built.

This side-channel attack affects almost all cellular networks worldwide, since it targets GSMA networks in general. Despite the availability of newer options such as 3G and 4G, the researchers focused on SMS because of its prevalence as a 2G-era communication method among the general public. They observed that the SMS delivery reports that are inevitably generated after an SMS is received create a timing-attack vector. If the sender has enabled delivery reports, knowing the delivery timings and estimating the gap between sending and receiving can help the sender establish the recipient's location. Because of how the delivery-report feature works, the recipient cannot prevent malicious use of it, since it is outside the recipient's control. In its most basic form, the approach makes use of the timing signatures associated with a particular location.

The more exact the data that the attacker has on the whereabouts of their targets, the more accurate the location classification results that the ML model will provide for its predictions when it comes to the attack phase.

The attacker can only obtain this data by sending several SMS messages to the target, either disguised as marketing messages the target would ignore or discard as spam, or as silent SMS messages. A silent SMS is a "type 0" message with no content that creates no alert on the target device's screen; its receipt is nonetheless confirmed by the device to the SMSC. The researchers ran their experiments by using ADB to send bursts of 20 silent SMS messages every hour for three days to several test devices in the United States, the United Arab Emirates, and seven European countries, covering ten different operators and a range of network technologies and generations.

By sending SMS messages to the target at various times and places, an adversary can collect numerous timing signatures associated with the person and later analyze them to determine the recipient's location. To carry out the attack, the adversary needs only the victim's phone number. Although it is time-consuming, collecting and analyzing the target's timing signatures can let an adversary discover a previously unknown or new location of the person, and this works regardless of whether the user is in the United States or elsewhere in the world. The time that elapses between when an SMS is sent and when it is received is the useful quantity here.

Although the researchers achieved high precision with their side-channel attack, it has a few limitations, since many variables can influence empirical measurements in a real-world exploit. Even in the closed-world setting, an accuracy above 90 percent poses a risk to individuals' privacy. As for countermeasures, the researchers noted that existing defenses against related attacks do not apply here, because the novel attack uses a side channel that is not present in those attacks. Not sending delivery reports, or adding a random delay to them, are possible tactics against the UE processing delays. For delays caused by the network itself, modifying SMS timings, installing spam filters on the core network, or at the very least turning off silent messages would reduce the likelihood of this kind of attack. Nevertheless, disabling the component that generates delivery reports may be the only practical preventive measure. Before making the study public, the researchers responsibly informed the GSMA; in response, the GSMA acknowledged their results (tracked as CVD-2023-0072) and evaluated a variety of preventive measures.
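One of the core-network measures named above, filtering silent messages, starts with being able to see them: a type-0 message is marked in the TP-Protocol-Identifier field (value 0x40 in 3GPP TS 23.040), and the measurement described in the paper (bursts of 20 silent messages per hour to one number) stands out as a per-sender, per-target rate anomaly. The block below is an added example, not the researchers' code; the CDR format, phone numbers, threshold and window are constructed.

```python
"""Detect bursts of type-0 ("silent") SMS aimed at a single subscriber.

Added example, not the researchers' code. The CDR format is constructed; the
type-0 indicator is the TP-PID value 0x40 from 3GPP TS 23.040, and the
threshold and window are arbitrary tuning choices.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TYPE0_PID = 0x40            # TP-PID "Short Message Type 0": acknowledged by the handset, never displayed
BURST_THRESHOLD = 10        # silent messages to one target from one origin ...
WINDOW = timedelta(hours=1) # ... within this sliding window triggers an alert


def parse_cdr(line):
    """Constructed CSV CDR: timestamp,origin_msisdn,dest_msisdn,tp_pid_hex,status_report_requested."""
    ts, orig, dest, pid, srr = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "orig": orig, "dest": dest,
            "pid": int(pid, 16), "srr": srr == "1"}


def detect_silent_bursts(lines):
    """Return one alert per (origin, target) pair whose type-0 message count
    inside WINDOW reaches BURST_THRESHOLD. Records are sorted by time first,
    so the input need not be ordered."""
    windows = defaultdict(deque)   # (origin, target) -> timestamps of recent type-0 messages
    alerted = set()
    alerts = []
    for rec in sorted(map(parse_cdr, lines), key=lambda r: r["ts"]):
        if rec["pid"] != TYPE0_PID:
            continue                            # ordinary SMS, not of interest here
        key = (rec["orig"], rec["dest"])
        recent = windows[key]
        recent.append(rec["ts"])
        while recent and rec["ts"] - recent[0] > WINDOW:
            recent.popleft()                    # drop messages that fell out of the window
        if len(recent) >= BURST_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"origin": rec["orig"], "target": rec["dest"], "count": len(recent),
                           "first": recent[0].isoformat(), "last": rec["ts"].isoformat(),
                           "delivery_reports_requested": rec["srr"]})
    return alerts


def sample_cdrs():
    """Constructed traffic: 20 silent messages in one hour with status reports
    requested (the shape of the paper's measurement burst), one ordinary text,
    and one lone silent message hours later that should not alert."""
    base = datetime(2023, 6, 1, 9, 0)
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()},+15550001111,+4915512345678,40,1"
             for i in range(20)]
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()},+4915512340000,+4915512345678,00,0")
    lines.append(f"{(base + timedelta(hours=3)).isoformat()},+15550009999,+4915512345678,40,1")
    return lines


if __name__ == "__main__":
    for alert in detect_silent_bursts(sample_cdrs()):
        print(alert)
```

The detector fires on the tenth silent message of the burst; everything after that from the same pair is already covered by the alert, while the single silent message from a different origin three hours later never reaches the threshold.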

Throw away your iPhones Says Putin to Russians & claims NSA has a backdoor in iPhones https://www.securitynewspaper.com/2023/06/02/throw-away-your-iphones-says-putin-to-russians-claims-nsa-has-a-backdoor-in-iphones/ Fri, 02 Jun 2023 13:50:00 +0000 https://www.securitynewspaper.com/?p=26802

The post Throw away your iPhones Says Putin to Russians & claims NSA has a backdoor in iPhones appeared first on Information Security Newspaper | Hacking News.

The Russian Federal Security Service (FSB) has accused the United States Intelligence Community of hacking into “thousands of Apple phones” in order to conduct surveillance on Russian diplomats.

According to a statement released by the FSB on Thursday, the United States targeted iOS devices using previously unseen malware. The Russian cybersecurity firm Kaspersky also published a report on Thursday about iOS malware from an unknown source. Initially, a Kaspersky spokesperson said the company could not verify whether the two attacks were related; an hour later she amended her reply, noting that Russia's computer security agency had officially acknowledged that the indicators of compromise in both reports are the same.

According to Russian media reports, in March the Russian presidential administration instructed its personnel to dispose of any Apple devices they had: there would be no more iPhones. According to the article, one of the administration’s staffers advised people to “either throw them away or give them to your kids.” The FSB did not disclose any specific information about the suspected victims or the technical details of the malware.

The Kaspersky representative said that, “due to the absence of technical details reported by them,” the company was unable to validate all of the FSB’s conclusions. According to the FSB, the malware did not only affect users located inside Russia; it also targeted international numbers and subscribers outside the country who use SIM cards registered to diplomatic missions and embassies in Russia. The list included nations from both the post-Soviet area and the NATO alliance, as well as China, Israel, and Syria.

Russian intelligence claims that the inquiry uncovered evidence that Apple is working with the United States National Security Agency (NSA). The FSB said this demonstrates that Apple’s declared commitment to preserving the privacy of user data is, in reality, dishonest.

The NSA declined to comment. Apple sent reporters a statement declaring that the company does not collaborate with governments to build backdoors into its devices.

Unlock any Android Smartphone with this fingerprint hack
https://www.securitynewspaper.com/2023/05/24/unlock-any-android-smartphone-with-this-fingerprint-hack/
Wed, 24 May 2023 14:08:00 +0000

The post Unlock any Android Smartphone with this fingerprint hack appeared first on Information Security Newspaper | Hacking News.

Researchers from Tencent Labs and Zhejiang University have jointly developed a new technique, known as “BrutePrint,” that enables brute-forcing of fingerprint authentication on modern smartphones. The technique was recently presented publicly.

The approach sidesteps user authentication, giving an attacker unauthorized access to and complete control over the targeted device. By exploiting two zero-day vulnerabilities, the researchers were able to carry out brute-force attacks that circumvent existing smartphone security mechanisms such as attempt limits and liveness detection, and thereby gain unauthorized access to accounts, systems, and networks. The two zero-day vulnerabilities are:

Cancel-After-Match-Fail (CAMF)
Match-After-Lock (MAL)

In addition, the researchers found a weakness in the protection of biometric data transmitted by fingerprint sensors over the Serial Peripheral Interface (SPI). To evaluate the efficacy of the BrutePrint and SPI MITM attacks, thorough tests were run on 10 popular smartphone models.

The findings showed that these attacks allowed an unlimited number of attempts on any Huawei device running Android or HarmonyOS; iOS devices, by contrast, showed only limited exposure, permitting just 10 extra attempts.

The primary idea of BrutePrint is to submit an unconstrained series of fingerprint images to the targeted device, repeating until one matches the user’s enrolled fingerprint; no restriction applies to the number of attempts.

To launch a BrutePrint attack, an attacker needs physical access to the target device, access to a fingerprint database, and equipment costing around $15. This allows the attacker to manipulate the False Acceptance Rate (FAR) to raise the acceptance threshold for fingerprint matches and make unauthorized access easier.

By exploiting the CAMF flaw, BrutePrint injects a checksum error into the fingerprint data, circumventing security mechanisms and letting attackers try an unlimited number of fingerprint matches on a smartphone without being detected. By exploiting the MAL vulnerability, attackers can determine the authentication result of the fingerprint images they test on the target device, even while the device is in “lockout mode.” BrutePrint uses MAL to sidestep lockout mode. It also uses a method known as “neural style transfer” to alter fingerprint images from the database so that they more closely resemble scans taken by the target device’s sensor, increasing the probability of a successful authentication.

After running a series of tests on a selection of 10 mobile devices, the researchers found that every Android and iOS device tested was vulnerable to at least one of these flaws.

The researchers found that certain iPhone models are susceptible to CAMF, but because of the limited number of fingerprint attempts (up to 15), brute-forcing the owner’s fingerprint is impractical. They also found that all tested Android devices are susceptible to the SPI MITM attack, whereas iPhones encrypt fingerprint data on the SPI bus, rendering any interception ineffective.

BrutePrint may appear limited by its requirement for prolonged access to the target device. Nevertheless, its potential to let thieves unlock stolen devices and extract private data, together with the ethical and privacy-rights concerns it raises for law-enforcement use during investigations, raises serious questions about rights violations and the safety of individuals in countries with a dominant political or economic position.
