25.4.20

iOS Mail app flaws may have left iPhone users vulnerable for years





A pair of vulnerabilities in the default email app on iOS devices is believed to have been exploited against high-profile targets.

By Amer Owaida

Apple’s iOS Mail app, which comes pre-installed on all iOS devices, has been found to contain two severe security vulnerabilities that, if exploited, could enable hackers to steal the victims’ data.

In fact, the attackers have leveraged these flaws for attacks against various targets, including a European journalist, a Japanese executive, and individuals from an undisclosed Fortune 500 company among others, said ZecOps researchers, who uncovered the flaws. Some of the attacks are thought to go back all the way to January 2018.

“Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” said the company.

The security flaws allow attackers to remotely compromise a device by sending an email that will consume high amounts of the device’s memory – without actually requiring a large email to do so. The vulnerability can be triggered before the whole email is downloaded, although the trigger varies depending on the iOS version the device is running.

On devices running iOS 13, the vulnerability is triggered by an unassisted attack, also known as a ‘zero-click’ attack, which requires only that the Mail app be running in the background. On iOS 12, meanwhile, the victim would have to click on the email. These aren’t the only two iOS versions vulnerable; devices running iOS 6 and above are all susceptible to the attack, while older versions haven’t been checked.
Once the vulnerability has been exploited, on iOS 12 the email app would appear to be sluggish and sometimes even crash. On iOS 13, it would manifest as a temporary slowdown of the Mail app. In case of a failed attack, the emails sent by the hacker would show “This message has no content.”

ESET Security Specialist Jake Moore said that the flaw is unlikely to have been used to target people en masse: “For complete remote access to occur under the radar it will have most likely been used for highly-targeted attacks on high-profile victims. Although this is a very professionally designed secret hack, it would be very unlikely that it was used en masse. Some flaws are kept even further underground amongst cybercriminals and keep certain exclusive vulnerabilities to themselves, so law enforcement and developers are kept in the dark – hence this particular defect has not been spotted for years. This particular flaw will be patched in the next update, so make sure you have your phone set to auto-update to the next version.”

The researchers alerted Apple to the two vulnerabilities and it has developed a fix that is currently available as iOS 13.4.5 beta. As a result, the patch is not readily available yet, since beta versions are mainly aimed at developers. For the time being, you can mitigate the issue by using other email clients.

Last year, Apple had to rush a fix for a FaceTime spying bug.

Following ESET’s discovery, a Monero mining botnet is disrupted



ESET researchers discover and play a key role in the disruption of a 35,000-strong botnet spreading in Latin America via infected USB drives

By Alan Warburton

ESET researchers recently discovered a previously undocumented botnet that we have named VictoryGate. It has been active since at least May 2019 and, since then, three different variants of the initial module have been identified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites. The initial module is detected by ESET security products as MSIL/VictoryGate.

This botnet is composed mainly of devices in Latin America, specifically Peru, where over 90% of the compromised devices are located. We’ve been actively sinkholing several command and control (C&C) domains, allowing us to monitor this botnet’s activity. The combination of the sinkhole data and our telemetry data allows us to estimate the botnet’s size to be at least 35,000 devices.

To control its botnet, VictoryGate used only subdomains registered at the dynamic DNS provider No-IP. ESET reported the malicious subdomains to No-IP, who swiftly took them all down, effectively removing control of the bots from the attacker. Also, ESET is collaborating with non-profit Shadowserver Foundation by sharing sinkhole logs in an effort to further remediate this threat.


Read the complete article on:

https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

24.4.20

Buying a second hand device? Here’s what to keep in mind!




If you are trying to be responsible towards the planet, also be responsible to yourself and take these steps so that the device doesn’t end up costing you more than you’ve saved.

By Amer Owaida

 According to a report released by the World Economic Forum, the world produced an estimated 50 million tons of electronic waste in 2018. This figure is expected to double in the upcoming years if we don’t change our consumer behaviour. In a bid to reduce the stress on our planet, many people have started “going greener”. They have reduced their meat consumption, started to buy less “fast fashion” products and even increased their efforts in recycling… all in a bid to reduce their carbon footprint.

Another way to reduce waste and save your hard-earned money is by buying second hand electronic devices, notably computers and smartphones – an option that’s especially worth discussing since today is Earth Day.
However, purchasing a second hand device bears a certain risk since you don’t really know what the device has been through and how it has been used over its months or years of service. But the risks can be mitigated; read on.

Buying the device
When you’re choosing to buy a used device, you have a variety of sources to choose from. The first and probably the best choice is buying a refurbished device from an authorized seller. This basically means that the device has been cleaned and checked by the seller, both from the hardware and software sides. In some cases, you might even get a warranty on the device, which saves you from a headache if it starts failing shortly after purchase.

Alternatively, the other choice is resorting to buying from advertising websites and online marketplaces. In this case, you probably won’t have a chance to inspect the device personally before you order it. If you opt for this scenario, you should definitely use a reputable marketplace that has security measures to deal with scammers. Research the seller, look at their reviews and ask them questions about the device. When you’ve made up your mind, you should use a payment service that has purchase protection just to be safe.

What to do if I bought a second hand computer?
If you didn’t buy refurbished, then purchasing the computer or laptop is just half of the battle. Now you have to check that everything is in running order. You have essentially bought a pig in a poke, so you shouldn’t just rush into using the computer. If you turn it on and it already has a running operating system, don’t rush headlong into downloading your favourite programs or checking your social media. First, check that there aren’t any remnants of the previous owner’s data on the hard drive. Then try downloading and installing a reputable endpoint security product to scan the computer.

“Why?” you may ask. Well, you have no other reasonable way of knowing whether the seller installed any malicious code on the computer in an effort to defraud you. The computer may have a key logger installed to gain access to the credentials of all your accounts or perhaps some other form of malware that can steal your data and transfer it to a remote server. Alternatively, any of the previously mentioned things can be present due to the owner failing to take the right precautions.

A green option – compared to replacing the hard drive in the computer with a new one – would involve wiping the drive. Hard drive manufacturers offer utilities that allow you to wipe your drive with varying degrees of security ranging from a single overwrite to multiple passes with random data and even specific security protocols. Once you’ve chosen and done one or the other, you should proceed and do a clean install of the OS of your choice. Adding an endpoint security solution to your computer for added protection will be more than a nice final touch, and you should be ready to go.

What to do if I bought a second hand smartphone?
As with computers, the same logic applies to smartphones: if you haven’t bought it refurbished with a warranty, you have to get your hands dirty. After the smartphone checks out and has no signs of hardware damage, it’s time to see how the software is doing. If you start it up and it readily goes through the boot process without walking you through a setup process, you should immediately be suspicious. The former owner may have been lazy and not gone through the wiping process properly, or the device may contain some form of malware.

To wipe the phone securely, start by checking whether all of the services have been signed out; once you’ve done that, you should remove all the accounts associated with the phone. The next step is to encrypt the phone’s data. Since you don’t know what kind of data has been stored on the phone, it’s probably safer that way. You’ve finally made it to the factory reset step. The name of the option may vary from manufacturer to manufacturer but in the end, it should always do the same thing: reset the smartphone to factory settings. That means that everything is deleted or wiped, and it should revert to the state it was in when it came out of the box.

Hopefully these tips will help you on your quest to buy a second hand device and we applaud you for being responsible to our planet. After all, it is the only one we have.

21.4.20

Work from home: should your digital assistant be on or off?





Being at your beck and call is central to the “personality” of your digital friend, but there are situations when the device could use some time off.

Do you start the day with “Alexa, what’s the weather today?”

Many of you may have a digital friend at home, an Amazon Alexa, Google Assistant, Apple’s Siri or Microsoft Cortana (does anyone actually use this?). Has your digital friend ever interrupted your conversation or randomly spoken up despite not being hailed? The answer is likely to be yes, and your response has probably been just to dismiss the interruption as unwanted.


Just say the word(s)

A recent study by Imperial College London and Northeastern University examined how many times digital assistants activate without the wake-up word being used. The devices were subjected to 125 hours of Netflix content from numerous shows; the verbal content was analyzed with the closed caption text from the show to remove the instances when an actor may have used the actual wake-up word. The devices wrongly interpreted a word and activated up to 19 times per day.

The experiment was repeated 12 times with the same content and the result showed little to no consistency: less than 9% of all the “misheard” dialog that activated a device did so in 75% or more of the replication runs. Some devices activated on word patterns or specific letter sounds – for example, Alexa activated on words that contain a “k” and sound similar to Alexa, such as “exclamation” or “Kevin’s car”. Not being able to replicate the test result consistently suggests that there is a level of randomness to the unwanted activations. So, don’t take it personally the next time your digital assistant interrupts.

When the digital assistant is awoken and springs into life, the interaction is captured so it can be analyzed and the instruction, if there is one, is acted upon. Some of the systems retain a voice recording or a text transcript of the interaction either until you decide to delete it or the vendor’s policy removes it, based on time or other criteria.

At the moment of an unexpected activation, or if you don’t want any other activation stored, each assistant offers a way to delete the last interaction. For example, if during a TV show the device mistakenly awakens, a response from you of “Alexa – delete what I just said” will remove the last interaction. For the more privacy conscious, an “Alexa – delete everything I said today” might be part of the good night routine.

If you have introduced the digital assistant to additional digital friends, such as a home automation system, then the interaction is analyzed and the instruction or request is transferred to the third party. What data is being shared with the third party will depend on the functionality of the additional services or devices.
Your digital friend is listening constantly, is activated on demand or randomly, and is potentially storing the interaction forever; in some circumstances it may even be chatting with other digital friends to fulfill your requests. If only human friends were that attentive.

So, how does this relate to working from home?


Hopefully, you have adopted a routine and start work at a regular time and maybe even kick-off with a team call to sync with colleagues. I suspect that, like me, you then have a varied set of calls and video meetings throughout the day; some more sensitive than others. If you work in a collaborative open office space in normal circumstances, then you probably utilize a private space to participate in the more sensitive or confidential calls to avoid any inadvertent sharing of information.

But what if you’re working from home and know that the digital assistant is constantly listening, is extremely attentive, and is not an employee of the company bound by any confidentiality agreement? Then additional caution beyond what you practice in the office should be applied.

When conducting a sensitive call while working from home, switch off the digital assistant’s microphone and camera to avoid potentially sharing sensitive material. If you find it difficult to adopt an “as needed” approach to switching the digital friend off, I recommend giving your digital assistant the day off while you work.

The risk is not only from oversharing with your digital assistant’s vendor; there is also a risk that a bad actor could gain access to your account or, worse still, inflict a data breach on the vendor and have access to all previous interactions.

This could have been a short article: unplug the digital assistant, open the front door and throw it in the street. But I know my own paranoia will probably not resonate with that many of you.
