Cisco Talos today warned of a flaw in the X.509 certificate validation feature of Apple macOS and iOS that could let an attacker remotely execute code and steal information. X.509 security certificates are widely used and integral to many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure web browsing protocol.
“For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are.Read more
Last week, experts demonstrated a piece of Android malware that can remotely turn on a smartphone's microphone, track the user's location, and intercept phone calls. When buying similar spyware for iPhones, attackers typically need to jailbreak the device first so they can then install unauthorized apps — a technical barrier that may take some time.
But companies do offer monitoring solutions for iPhones that apparently work on iOS 10 devices and don't require a jailbreak. Instead, they take advantage of another aspect of Apple products that some users may overlook — iCloud backups.Read more
While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found out something unexpected.
Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet. The discovery was initially the result of bulk analysis.Read more
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public. In January, experts reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite.
The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia. Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.Read more
Apple is introducing a new analytics section to its iOS privacy settings where it will ask for permission to analyze iCloud account data to improve Siri and other smart features.
Apple has been critical of Silicon Valley's addiction to harvesting and monetizing user data for ads, but it appears Apple sees some sense in accessing user data and will be seeking to use more of it in the near future. An iOS 10.3 beta released last week contained a note under the title 'iCloud Analytics & Privacy', explaining that Apple wants to analyze iCloud account data to improve intelligent features such as Siri.Read more
A three character-long text message can temporarily disable iPhones, a hacker has shown. On receiving the message, iPhones instantly freeze for around a minute, and sometimes users are forced to restart.
Besides blocking the number that the malicious messages come from the victim has no way of preventing the attack, although its effects are temporary and do not work on the most recent version of iOS. The bug is the latest in a series of strange text-message vulnerabilities that have affected iPhones in recent years. The offending message appears to contain just three characters - a white flag emoji, a “0” and a rainbow emoji.Read more
A lock is only good at protecting things if it actually stays locked. The activation lock in iOS, for example, makes it very hard for someone other than the owner to wipe an iPhone or iPad and set it up as a new device. Very hard, but not impossible.
Two different bugs have recently been discovered that could allow someone to bypass Apple’s activation lock. One impacts devices running iOS 10.1 and another on the most current version of the software, iOS 10.1.1. Expert workaround exploited a weakness in the iOS device setup process, and he tested it on a locked iPad he purchased from eBay.Read more
A team of computer hackers have demonstrated how the Tesla Model S can be located, unlocked and driven away without the key. By compromising the car's companion smartphone application, they used a laptop to remotely unlock the doors, start the electric car and 'steal' it from a colleague.
The hack exposes the internet weaknesses of products which can be accessed via apps and the internet. The Tesla app is commonly used by owners to check the battery level and charging status, see the location of their car, as well as set the climate control before getting in, and flash the lights to help find the car in a car park.Read more
A corrupted video being shared online will crash any iPhone or iPad it is played on, and in some cases causes the device to switch off and become unresponsive. The video is a file which can be played in the iOS Safari web browser, but quickly slows the device to a crawl, before causing it to lock up and freeze.
The flaw is being described as "completely crazy" and will crash any iOS device. It comes a year after a certain text message was discovered to crash and reboot iPhones whenever it was received. But where the text bug caused the iPhone to reboot, the newly discovered video file crashes the phone to such an extent that only a hard reset will bring the phone back to life.Read more
Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details. However, it's pretty much easy for anyone with access to your iPhone to bypass the passcode protection and access your personal photos and messages.
A new critical security flaw discovered in iOS 8 and newer, including 10.2 beta 3, allows anyone to bypass iPhone's passcode and gain access to personal information using the benevolent nature of Apple's personal assistant Siri. The security glitch has been discovered by EverythingApplePro and iDeviceHelps and now that they have gone public with a video.Read more