Archive for August, 2013

Here’s a not so fun fact … apparently now you can’t even trust the charger your phone is plugged into not to attack it. OK, before you break out the tin foil hats, it might not be as bad as all that, but there is a bit of fire amidst all the smoke.

A researcher at Georgia Tech revealed details at the latest Black Hat security conference that a modified USB charger could install malicious apps on a connected iPhone. According to a PCWorld article:

Once you plug in your iPhone, the Universal Device ID (UDID) can be extracted just as long as the device doesn’t have a passcode unlock. The Mactans then claims your device as a test subject with any validated Apple developer ID and you can’t reject it since it doesn’t ask for their permission or offer any visual evidence that there’s anything going on in the background.

So far there is no evidence that anyone has actually tried to exploit this vulnerability and the good news is that Apple says they have a fix coming in iOS 7 which will notify you before it’s too late. Also, you can help yourself considerably by adding a passcode to the phone, which is something you should do anyway.

The reason I find this interesting is that it exposes yet another area of “presumed security.” No one thinks that a charger could do harm to your phone (assuming it doesn’t zap the circuitry). In fact, most don’t even consider the fact that the same connection that supplies power is also used for data transfer — a great idea for simplifying the design of mobile devices but not so good from a security perspective, where isolation of functions is preferable.

We are conditioned to think of a power outlet as a relatively passive connection that does nothing more than supply juice to our gadgets. In reality, it can do much more, and since it can, you can bet that a bad guy will try to use that fact to his advantage just as the rest of us do.

So the lesson here is not so much about iPhone chargers as it is about questioning long held assumptions, because that is what the hackers are already doing. The only thing in doubt is which side will figure this stuff out first…

If you thought your choice of operating system, hardware platform, middleware stack or applications would shield you from malware, think again. If it’s operational, it can be hacked. Period. Certainly some configurations are more vulnerable than others but there’s no such thing as a “secure” system — just varying degrees of INsecurity.

I remember a protracted email debate I had with a colleague many years ago on this subject. His claim, essentially, was that the security model of Linux made it immune to malware. As a security guy, I knew better.

At the time Windows was being ravaged by viruses and Linux was emerging as a more stable, secure alternative. Some were speculating that it would supplant Windows as the leading desktop OS within a few years. Of course, that didn’t happen — at least not yet. Linux has some very clear advantages. Some derive from a kernel for which secure design was not an afterthought and yet others from the collective talents and contributions of the open source community.

Still, it isn’t perfect, as this story from PCWorld shows. In what is just the latest development in the never ending malware saga, the “Hand of Thief” Trojan, which specifically targets Linux, is starting to pop up. As the article says…

Hand of Thief operates a lot like similar malware that targets Windows machines—once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to antivirus update servers, virtual machines, and other potential methods of detection.

Clearly, there are far more instances of malware for Windows than Linux — far more — but equally clearly, Linux is not immune. Neither is Mac OS nor Android nor iOS nor any other OS you’d like to name. In fact, the first malware I personally ran across infected the VM operating system on mainframes back in 1987. Yes, 1987. That was years before the press would start reporting on the latest virus scare and long before commercial anti-virus tools even existed, and all of this on a platform that was considered quite secure and unlikely to be compromised easily.

The article goes on to say…

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows installed base.

That last phrase is important. It basically is saying that part of the reason Linux hasn’t had a lot of malware really has nothing to do with the merits of its innate security capabilities, but rather, is due to the fact that it simply hasn’t had as big of a bull’s eye painted on it. Mac OS has historically benefited from the same “security by obscurity” model, but it’s not one you want to bank on. Not surprisingly, as Macs have become more popular in the marketplace, they have also become more popular in the malware threatspace. Ditto for Linux. Ditto for iOS and Android.

Call it the price of success. If a platform becomes popular, it can’t hide from hackers as easily. So, the best thing to do is to take prudent precautions regardless of what OS you’re running on because, as Motown figured out a long time ago, there really is “nowhere to run to, nowhere to hide…”