Budget Android devices were found harboring another cybersecurity risk, this time with an Android backdoor that could allow an attacker to gain root access.

Researchers at AnubisNetworks said the flaw, located in the firmware from Chinese company Ragentek Group, could affect as many as three million devices and allow for man-in-the-middle attacks. Although the issue affects a similar set of low-cost hardware, including smartphones from BLU, and the vulnerability is related to the over-the-air (OTA) update mechanism in firmware built by a Chinese company, AnubisNetworks said this Android backdoor is unrelated to the spyware found last week. According to AnubisNetworks, this flaw "appears to be an insecure implementation of an OTA mechanism for device updates associated to the software company, Ragentek Group, in China."

"All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol," researchers wrote in a blog post. "One of these commands allows for the execution of system commands. This issue affected devices out of the box."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity the Android backdoor should not be underestimated.

"Considering that a man-in-the-middle attack could potentially alter the firmware of an Android device, potentially enabling him to gain unfettered root access, this is a pretty bad hiccup," Arsene said. "Not relying on code-signing to authenticate legitimate apps, not encrypting over-the-air communication, and hardcoding unregistered domains are a full recipe for security failure."

AnubisNetworks said it "observed over 2.8 million distinct devices, across roughly 55 reported device models" but there could be more smartphone models affected. One device, the BLU Studio G, could be purchased in retail stores in the U.S., but most other vulnerable devices came from manufacturers targeting developing regions outside of the U.S.

Arsene said recent events should make enterprises looking at budget devices consider the security implications.

"While most enterprises usually opt for mid-range or high-end devices for employees, recent findings regarding budget phones should probably have companies on their toes," Arsene said. "Not because they could also be using some of these devices, but because of the nature of the vulnerability and the lack of control when it comes to fully managing Android devices. In light of recent events regarding budget phones, it seems that users worried about security should probably think twice when going for really low budget devices."

Next Steps

Learn more about the Pork Explosion Android backdoor vulnerability.

Find out about Android Stagefright and its effect on 1.4 billion Android devices.

Get info on why risk management is key to smartphone security issues.

SearchSecurity: Security Wire Daily News


As the biggest shopping weekend of the year in the US approaches, Skycure is advising shoppers to beware of mobile threats while browsing in both physical and online stores.


Researchers found that mobile shopping dangers are not limited to dangerous Wi-Fi in malls. Malicious apps masquerading as legitimate online stores or ways to get online shopping bargains also appear this time of year, hoping to lure unsuspecting shoppers eager to make a quick purchase on their phones or tablets.

“Black Friday and Cyber Monday are a recipe for cyber-scams,” said Yair Amit, CTO and co-founder of Skycure. “The first brings large groups of people using their mobile phones to one place. The second attracts people who might overlook security to get a better deal. Unfortunately, mobile threats exist for shoppers whether they’re shopping in a store, or on a mobile device from the comfort of their own home or workplace.”

Top 10 riskiest shopping malls for mobile

According to industry statistics, 90 percent of shoppers used a mobile phone inside of a physical store to either look up product information, compare prices or check reviews online in 2015. But before pulling out their mobile phones, shoppers should beware of joining risky Wi-Fi networks while out shopping this holiday season.

Malicious Wi-Fi networks are set up by cyber criminals specifically to steal shoppers’ data, while risky Wi-Fi networks are misconfigured and expose sensitive mobile data to hackers. Both are dangerous and put mobile shoppers at risk. The most popular data to steal are usernames and passwords.

Below is the list of the top 10 malls with the highest number of suspicious Wi-Fi networks. All the shopping centers listed below were found to have five or more risky Wi-Fi networks:

  • Fashion Show, Las Vegas, NV
  • Tysons Corner Center, McLean, VA
  • Yorktown Center, Lombard, IL
  • Town Center at Boca Raton, Boca Raton, FL
  • Sawgrass Mills, Sunrise, FL
  • Mall of America, Bloomington, MN
  • Houston Galleria, Houston, TX
  • King of Prussia Mall, King of Prussia, PA
  • Westfield Garden State, Paramus, NJ
  • Memorial City Mall, Houston, TX.

Avoid malicious commerce apps

Criminals know that people are shopping for bargains around the holidays, and there are many ways to lure people with fake coupons or too-good-to-be-true offers. One way is to offer apps that look like they are from legitimate online stores, either designed to make shopping easier, or to offer discounts or rewards.

Researchers found multiple examples, including the following:

  • A repackaged Starbucks app. Repackaged apps look exactly like the official apps offered by legitimate retailers and other businesses, but have a small amount of malicious code added in.
  • An app called “Amazon Rewards” which is actually a trojan that spreads using SMS messages offering fake Amazon vouchers with a link to a fake website. It accesses the user’s contact list so that it can send SMS messages to even more people.

Both apps are examples of ways that hackers use trusted brands and shoppers’ thirst for deals to infiltrate a mobile device, then steal user data, banking, and/or credit card information.


Safety tips for shoppers

Skycure offered the following quick tips for mobile users traveling to high-risk destinations:

1. Avoid “Free Wi-Fi” networks (10 percent of malicious networks have the word “Free” in their name).
2. If you see a Wi-Fi that is named as if it is hosted by a store, but that store is nowhere nearby, don’t connect. Skycure found multiple networks named “Apple Store” or “Macysfreewifi” where the named stores were nowhere nearby. Remember that mobile devices automatically join “known” Wi-Fi networks without any user intervention.
3. Only download mobile apps from reputable app stores such as the Google Play store and Apple’s App Store.
4. Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure.
5. Update your device to the most current operating system.
6. Disconnect from the network if your phone behaves strangely (e.g. frequent crashes).
7. Protect your device with a mobile security app.

Help Net Security

The insecure implementation of the OTA (Over-the-air) update mechanism used by numerous Android phone models exposes nearly 3 million phones to Man-in-the-Middle (MitM) attacks and allows adversaries to execute arbitrary commands with root privileges.

The vulnerable OTA update mechanism is associated with Chinese software company Ragentek Group, which didn’t use an encrypted channel for transactions from the binary to the third-party endpoint. According to security researchers at AnubisNetworks, this bug not only exposes user-specific information to attackers, but also creates a rootkit, allowing an adversary to issue commands that could be executed on affected systems.

The code from Ragentek contains a privileged binary for OTA update checks as well as multiple techniques to hide its execution. Located at /system/bin/debugs, the binary runs with root privileges and communicates over unencrypted channels with three hosts. Responses from the remote server include functionalities to execute arbitrary commands as root, install apps, or update configurations.

The issue, tracked as CVE-2016-6564, is that a remote, unauthenticated attacker capable of performing a MitM attack could replace the server responses with their own and execute arbitrary commands as root on the affected devices.
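As an added illustration (it is not Ragentek's or AnubisNetworks' code), the check below shows what the client side of an update protocol has to do before acting on anything a server sends: accept only update messages, refuse a non-TLS download URL, verify a signature over the manifest with a key held on the device, and verify the hash of the downloaded payload. Every manifest, key and payload is constructed for the demo. HMAC-SHA256 with a device-resident key stands in for the asymmetric code signature that a real client would verify against a pinned vendor public key, because Python's standard library has no asymmetric primitive; the structure of the checks is the same either way.

```python
import hashlib
import hmac
import json
from typing import Tuple
from urllib.parse import urlparse

# Constructed: the verification key baked into the device image. In a real
# design this is the vendor's *public* key and the private half never leaves
# the vendor; HMAC is used here only because the stdlib cannot verify a
# public-key signature.
DEVICE_VERIFY_KEY = b"constructed-demo-key-not-a-real-secret"

# The only response kind the client acts on. A "run this system command"
# message has no place in an update protocol and is dropped before any parsing.
ALLOWED_RESPONSE_TYPES = {"update"}


def canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the manifest (type, URL, payload hash)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_ota_response(response: dict, payload: bytes, key: bytes) -> Tuple[bool, str]:
    """Device side. Every check fails closed; the reason is returned for logging."""
    manifest = response.get("manifest")
    signature = response.get("signature")
    if not isinstance(manifest, dict) or not isinstance(signature, str):
        return False, "missing manifest or signature"
    if manifest.get("type") not in ALLOWED_RESPONSE_TYPES:
        return False, "response type %r not allowed" % manifest.get("type")
    if urlparse(manifest.get("url", "")).scheme != "https":
        return False, "update URL is not https"
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature does not verify"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), str(manifest.get("sha256", ""))):
        return False, "payload hash does not match manifest"
    return True, "ok"


# --- constructed exchange (all values invented for the demo) ----------------
GOOD_PAYLOAD = b"constructed firmware image bytes"
GOOD_MANIFEST = {
    "type": "update",
    "url": "https://updates.example.invalid/fw/1.2.3.img",
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
}
GOOD_RESPONSE = {"manifest": GOOD_MANIFEST, "signature": sign_manifest(GOOD_MANIFEST, DEVICE_VERIFY_KEY)}

# What an on-path party could substitute if the channel carried no authentication.
EXEC_RESPONSE = {"manifest": {"type": "exec", "url": "https://x.invalid", "sha256": ""}, "signature": "deadbeef"}
CLEARTEXT_RESPONSE = {"manifest": dict(GOOD_MANIFEST, url="http://updates.example.invalid/fw/1.2.3.img"), "signature": ""}
UNSIGNED_RESPONSE = {"manifest": GOOD_MANIFEST, "signature": "0" * 64}


def run_checks():
    """Run the verifier over the genuine response and four tampered variants."""
    return {
        "genuine": verify_ota_response(GOOD_RESPONSE, GOOD_PAYLOAD, DEVICE_VERIFY_KEY),
        "swapped_payload": verify_ota_response(GOOD_RESPONSE, b"attacker image", DEVICE_VERIFY_KEY),
        "command_message": verify_ota_response(EXEC_RESPONSE, b"", DEVICE_VERIFY_KEY),
        "cleartext_url": verify_ota_response(CLEARTEXT_RESPONSE, GOOD_PAYLOAD, DEVICE_VERIFY_KEY),
        "unsigned": verify_ota_response(UNSIGNED_RESPONSE, GOOD_PAYLOAD, DEVICE_VERIFY_KEY),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_checks().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Only the genuine response is accepted; each tampered variant is rejected at the first failing check, which is the property the Ragentek client lacked: without a signature the device has no way to tell a vendor response from one supplied by whoever sits on the path.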

Similar to the issue found in Android devices running firmware coming from Shanghai ADUPS Technology Co. Ltd., the bug in Ragentek’s Android OTA update mechanism is included out of the box. The two issues aren’t related, but they are similar to a certain point, as both allow for code execution on smartphones. The ADUPS firmware was found to siphon user and device information in addition to allowing the remote installation of apps.

The CERT advisory associated with this vulnerability reveals that multiple smartphones from BLU Products are affected, along with over a dozen devices from other vendors, namely Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. BLU is said to have already issued a software update to resolve the issue, but the remaining devices might still be affected.

While analyzing the bug, AnubisNetworks discovered that the unencrypted data transmission starts soon after starting the first-use setup process, and that the inspected device, a BLU Studio G, attempted to contact three pre-configured domains. Two of them were unregistered and the researchers acquired them, which provided them with visibility into the population of affected devices.

This also provided security researchers with the ability to check the type of commands that are supported in the vulnerable setup. One of the interesting findings was that an explicit check was created to mask the fact that “/system/bin/debugsrun” and “/system/bin/debugs” were running. Their presence would be hidden or skipped in the user output, the researchers also say.

Deeper analysis revealed that the Java framework too had been modified to hide references to this process. The researchers found a modified next() method in the core java.util.Scanner class that excludes references to the aforementioned binary names, and say that the nextInt() method was modified to always return a pid of 10008 for those processes. What’s more, the local SQLite database that the binary used to log events and to store and fetch system and user information was located at /system/bin/unint8int, the researchers reveal.

Although the researchers have no explanation for why the author of the process attempted to purposely hide the presence of both the process and the local database on the device, they do say that the attempt wasn’t a comprehensive one.
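Filtering at the framework layer is detectable precisely because it is not comprehensive: a listing built from the Java side and a listing built directly from /proc should agree, and any process present in one but not the other is a finding. The script below is an added example of that cross-view check (it is not AnubisNetworks' tooling). Both listings are constructed to mirror what the paragraphs above describe: the /proc view still contains the debugs binaries, the framework view drops them, and a second constructed listing shows the fixed-pid symptom.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: what reading /proc/<pid>/cmdline for every numeric /proc entry
# would report on an affected device (no framework code on that path).
PROC_VIEW: Dict[int, str] = {
    1: "/init",
    573: "zygote",
    1842: "/system/bin/debugsrun",
    1877: "/system/bin/debugs",
    2210: "com.android.systemui",
}

# Constructed: the same device listed through the modified java.util.Scanner.
# The two debugs rows are skipped, as the researchers describe.
FRAMEWORK_PS_OUTPUT = """\
USER      PID   NAME
root      1     /init
root      573   zygote
u0_a12    2210  com.android.systemui
"""

# Constructed: a listing whose pid column came through a nextInt() that hands
# back the same value for several processes. Used only to exercise the
# collision check; the names are placeholders.
FIXED_PID_PS_OUTPUT = """\
USER      PID    NAME
root      1      /init
root      10008  helper_a
root      10008  helper_b
"""

# Names the page reports as deliberately masked; a match is a high-confidence hit.
HIDDEN_NAME_HINTS = ("/system/bin/debugs", "/system/bin/debugsrun")


def parse_ps(text: str) -> List[Tuple[int, str]]:
    """Parse a ps-style table into (pid, name) rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].isdigit():
            continue
        rows.append((int(parts[1]), parts[2]))
    return rows


def find_hidden(proc_view: Dict[int, str], framework_rows: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Processes visible in the low-level view but absent from the framework view."""
    seen = {pid for pid, _ in framework_rows}
    return sorted((pid, name) for pid, name in proc_view.items() if pid not in seen)


def find_pid_collisions(rows: List[Tuple[int, str]]) -> List[int]:
    """A listing that reports one pid for several processes is itself a tampering signal."""
    counts = Counter(pid for pid, _ in rows)
    return sorted(pid for pid, n in counts.items() if n > 1)


def audit(proc_view: Dict[int, str] = PROC_VIEW, ps_text: str = FRAMEWORK_PS_OUTPUT) -> dict:
    """Cross-view audit: diff the two listings and flag known masked names and pid collisions."""
    rows = parse_ps(ps_text)
    hidden = find_hidden(proc_view, rows)
    return {
        "hidden": hidden,
        "known_hint_matches": [name for _, name in hidden if name in HIDDEN_NAME_HINTS],
        "pid_collisions": find_pid_collisions(rows),
    }


if __name__ == "__main__":
    print(audit())
    print(audit(ps_text=FIXED_PID_PS_OUTPUT))
```

On a real device the /proc side would come from a native tool or a direct directory walk rather than from anything routed through the framework's Scanner, since that is the layer the page says was altered.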

Overall, over 2.8 million distinct devices, across around 55 reported device models, were observed connecting to the researchers’ sinkholes. Interestingly enough, some of the provided device models couldn’t be linked to real world devices, and the security researchers included all of them in an “Others” category.

Related: Backdoor in Some Android Phones Sends Data to Server in China


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

Android spyware secretly collecting user data was found preinstalled on a budget smartphone sold through various retailers and although the company responsible claimed it was standard data collection, one expert said this software went overboard.

Researchers at Kryptowire, a mobile security firm jumpstarted by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent" under the guise of offering better spam filtering.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.

"Filtering out spam messages and calls is a nice to have feature, but there are other technical approaches towards doing it besides forwarding full text messages and contact details, infringing on users privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as-it-is, protecting their privacy."

The company behind this firmware, and to whom the user data was sent, was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.

ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016 and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers that "no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted."

Arsene said the speed of the fix was commendable.

"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."

ADUPS said in a statement that it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.

"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Arsene said data collection in general is not uncommon and can help to accurately deliver updates to specific devices in case security issues arise.

"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal as it borders [on] espionage malware practices."

Next Steps

Learn more about China targeting Hong Kong protestors with Android spyware.

Find out about Android spyware possibly linked to the Hacking Team.

Get info on the danger of dormant Android permissions. 

SearchSecurity: Security Wire Daily News

Networked security cameras are the most likely to have vulnerabilities when it comes to securing Internet of Things devices in the enterprise, according to a new report by Zscaler.

“I would consider the entire video camera category as particularly dangerous,” said Deepen Desai, director of security research at Zscaler.


Take, for example, the Flir FX wireless HD monitoring camera. Researchers found that the camera communicated with the parent company in plain text and without authentication tokens.

“The firmware that was being updated was not being digitally signed,” said Desai.

That means that attackers have the opportunity to introduce their own, malicious firmware instead, he said.


Another camera, the Foscam IP surveillance camera, connects to a web server to stream video to users’ desktops or smartphones. That can be a useful feature, but the user credentials, including the password, are transmitted in plain text, over HTTP, right in the URL.

The Axis camera has a remote management console, but it uses basic HTTP authentication, allowing sniffing and man-in-the-middle attacks.

Zscaler also found that consumer devices frequently appeared inside enterprises, such as the Chromecast and Roku media players and smart TVs.

Zscaler didn’t find any security issues with either the Chromecast or the Roku, but the smart TVs used outdated libraries which could be used to get control of the system.

Late last month, a botnet that infected networked devices, cut off access to large areas of the Web. But this isn’t actually the biggest threat that vulnerable IoT devices pose for enterprises, Desai said.

But when Zscaler analysed the traffic from enterprise devices, and correlated it with DDoS attacks, there were no spikes.

“Based on the analysis that we did, none of the devices that were in our customers’ enterprise networks were affected,” Desai said. “My take on that is that enterprises had their IoT devices properly segmented in the network. The way that the Mirai botnet was propagating, it was preying on weak and default connections.”

But just because the most recent round of attacks did not reach these devices, doesn’t mean that companies should get complacent. And the risks are much higher than simply having a device in a network that acts as a DDoS message relay.

An infected device can be an access point into an enterprise network. And an infected camera can do even more damage.

“If an attacker got access to your video camera, they could see what’s going on in the environment,” he said.

So for example, they can see when particular areas are unguarded, to plan both physical attacks and cyber attacks.

Desai suggested that enterprises restrict access to IoT devices as much as possible, by blocking external ports or isolating the devices on separate network segments, to prevent lateral movement. They should also change default credentials, and set up a process to apply regular security and firmware updates.

This story, "Surveillance cameras most dangerous IoT devices in enterprise" was originally published by CSO.


InfoWorld Security

The Arduino team is using Kickstarter to crowdfund their latest project: the ESLOV IoT Invention Kit.

ESLOV is a system of intelligent modules that can be connected in an endless variety of ways, and is meant to simplify the creation of Internet-connected devices.


The connected modules are plugged into a Wi-Fi and motion hub, which will connect the device (project) to the Internet. Then, the hub has to be connected to the user’s PC so that it can be programmed.

Programming it is extremely easy, though – in fact, no actual programming knowledge is required. By using the ESLOV’s visual code editor, which recognises the modules automatically, the user needs to simply draw connections between them, and the device is ready to be used.

Once the device is connected to the Arduino cloud, the user can control it and interact with it from anywhere, via a computer or smartphone, through a user-friendly interface.

The ESLOV kit consists of the wireless hub and 25 modules. The team welcomes third-party modules – design files and documentation for all modules will be made publicly available, to make it easier for creative people to design and create their own.


The Arduino team needs to raise $500,000 to finish the development and production of the ESLOV kit. Potential funders can choose to receive kits of different sizes, priced from $49 (you receive just the Wi-Fi hub) to $499 (PRO kit: Hub + 22 modules). The various kits can also be combined.

Delivery of the hardware to the backers is scheduled for June 2017.

More technical information can be found on the Kickstarter project page or this blog post.

Help Net Security

Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We're now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.

Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.


According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.

The OVH incident came after cybersecurity journalist Brian Krebs' website was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.

According to Krebs, the attack was nearly twice the size of the largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.

"There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called 'Internet of Things,' (IoT) devices -- mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords," Krebs said in a blog post after his website came back online under the protection of Google Project Shield.

On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.

Symantec's data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but due to a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in with default administrative credentials. That's unfortunately all it takes today to build a large IoT botnet.
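Because this recruitment pattern is so uniform, it is also easy to spot from the device's own authentication log. The script below is an added example (not Symantec's or any vendor's code) of detection logic for it: it parses OpenSSH-format log lines, groups failed password attempts against a list of default account names by source address, flags a source that produces several such failures within a short window, and reports whether a password login from that source succeeded afterwards. The log lines, the account list, the threshold and the window are all constructed for the demo; a Telnet daemon would need its own line pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample in OpenSSH's syslog format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Sep 27 03:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51324 ssh2
Sep 27 03:14:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51325 ssh2
Sep 27 03:14:03 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51326 ssh2
Sep 27 03:14:04 cam01 sshd[814]: Failed password for invalid user support from 203.0.113.7 port 51327 ssh2
Sep 27 03:14:06 cam01 sshd[815]: Accepted password for root from 203.0.113.7 port 51328 ssh2
Sep 27 03:20:11 cam01 sshd[820]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Sep 27 03:20:40 cam01 sshd[821]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed list of account names that ship as defaults on many embedded devices.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service"}
THRESHOLD = 3                 # failures against default accounts ...
WINDOW = timedelta(minutes=5)  # ... within this span from one source


def parse_line(line: str, year: int = 2016) -> Optional[dict]:
    """Turn one sshd log line into an event dict; syslog lines carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_default_cred_attacks(log_text: str) -> Dict[str, dict]:
    """Per source IP: a burst of failed password attempts against default accounts,
    plus whether a password login from that source succeeded after the burst began."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(
            (e for e in evs if e["result"] == "Failed" and e["user"] in DEFAULT_ACCOUNTS),
            key=lambda e: e["ts"],
        )
        if len(fails) < THRESHOLD:
            continue
        # Sliding window: do THRESHOLD consecutive failures fall inside WINDOW?
        burst = any(
            fails[i + THRESHOLD - 1]["ts"] - fails[i]["ts"] <= WINDOW
            for i in range(len(fails) - THRESHOLD + 1)
        )
        if not burst:
            continue
        first_fail = fails[0]["ts"]
        success = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= first_fail
            for e in evs
        )
        findings[ip] = {
            "failed_default_attempts": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "password_login_after_burst": success,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_default_cred_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

In the constructed sample only 203.0.113.7 is reported: four default-account failures inside a few seconds followed by an accepted password login for root, which is the outcome the mitigation in the text (change the defaults, or disable password login entirely) is meant to prevent. The single failure from 198.51.100.5 against a non-default account followed by a key-based login is ordinary user activity and is not flagged.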

And while IoT-powered DDoS attacks have now reached unprecedented size, there have been warning signs for several years that they were coming. In October 2015, security firm Incapsula mitigated a DDoS attack launched from around 900 closed-circuit television (CCTV) cameras and in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built using Linux malware for embedded devices.

A security researcher unveiled a new iOS attack technique called SandJacking, which allows someone with physical access to an unlocked iPhone to load malicious apps on the device. The SandJacking attack uses a flaw in XCode 7 regarding certificates. How does the attack exploit this flaw, and how dangerous is SandJacking compared to other iOS threats?

To keep its ecosystem malware free, Apple requires all apps to be distributed via its official App Store. Each app is reviewed to ensure it is reliable, performs as expected and is free of offensive or malicious features; it also runs in a sandbox to prevent other processes from accessing it and its associated data. Each app has to be signed with an Apple Developer ID certificate. These are only available to members of Apple's Developer Program, who have to go through a verification process, which can include having to provide government-issued photo identification like a driver's license or passport. On the whole, these security controls work very well, though there have been some notable cases where malware has still managed to infect numerous iOS devices: WireLurker, XcodeGhost and AceDeceiver. SandJacking is now another example.

Before the release of iOS 8.3, one attack technique was to replace a legitimate app with a rogue version by simply assigning the malicious app a similar identifier, known as a bundle ID, and overwriting the original application. iOS 8.3 now prevents the installation of an app that has an ID similar to an existing one. However, while this check prevents a legitimate app from being overwritten and replaced during the installation process, it doesn't provide any safeguard during the restore process.

Chilik Tamir from Mi3 Security recently demonstrated how an attacker with physical access to an unlocked iPhone can create a backup, remove the legitimate app, install his rogue version of the deleted app and then restore the backup. This SandJacking attack works on non-jailbroken iPhones and gives the attacker access to the sandbox data of the app it replaces. The malicious app still has to be signed, but in Xcode version 7 -- a suite of software development tools created by Apple -- programmers are allowed to create iOS apps using unvalidated certificates that can be obtained by simply providing an Apple ID and then distributing them directly, avoiding Apple's application review and store restrictions. Creating an Apple ID is a simple process requiring only a name and an email address.

Although apps created with these unvalidated certificates have limited capabilities compared to regular apps where the developer has been through the formal verification process to obtain a certificate -- they can't access Apple Pay or in-app purchase features for example -- they can still access personal data such as the victim's address book and calendar. They're also likely to go undetected by the user, who would have to check the app's certificate and the device's provisioning settings to verify the developer's identity.

The SandJacking attack itself is not as dangerous as other iOS threats, such as YiSpecter, XcodeGhost and Backdoor.MAC.Eleanor, which give the attacker full control of the compromised device, because the attacker needs physical access to the device to pull off a SandJacking attack. It could be used while a phone is being repaired, or by a family member or law enforcement agency with access to the device. But any smartphone that is unlocked and in the possession of someone other than the owner has to be regarded as potentially compromised. What the attack shows is how reliant the internet and technology as a whole are becoming on digital certificates when deciding whether something or someone should be trusted. Those who issue digital certificates need to ensure the internet and security systems can actually trust them.

This was first published in September 2016

Securing the internet of things should become a major priority now that an army of compromised devices – perhaps 1 million strong – has swamped one of the industry’s top distributed denial-of-service protection services.

A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources.

It wasn’t that Akamai couldn’t mitigate the attack – it did so for three days – but doing so became too costly, so the company made a business decision to cut the affected customer loose, says Andy Ellis, the company’s chief security officer.

The delivery network has dropped protection for the Krebs on Security blog written by Brian Krebs after an attack delivering 665Gbps of traffic overwhelmed his site Tuesday. The size of the attack was nearly double that of any Akamai had seen before.

An IoT botnet generating this much traffic is a bellwether event that Ellis says will take some time to analyze to come up with more efficient mitigation tools.

Its impact is similar to that of the 2010 attacks by Anonymous using the open source Low Orbit Ion Cannon tool, or the 2014 DDoS attacks launched from compromised Joomla and WordPress servers, he says.

The lesson for enterprises is that the DDoS protections they have in place need to be tweaked to handle higher attack volumes, he says.

IoT exploited

The massive Krebs on Security assault is the work of a botnet made up primarily of internet of things devices, according to Akamai. So many devices were used, in fact, that the attacker didn’t have to employ common tactics that amplify the impact of individual devices, Ellis says.

The number of machines in the latest botnet is still unknown, and could be as large as a million. “We’re still trying to size it,” he says. “We think that might be an overestimate but it’s also possible that will be a real estimate once we get into the numbers.”

With estimates of 21 billion IoT devices by 2020, the scale of botnets that might be created by these relatively unprotected machines could be enormous, says Dave Lewis, a global security advocate for Akamai who spoke Thursday at the Security of Things Forum in Cambridge, Mass.

“What if an attacker injects code into devices to create a Fitbit botnet?” he says. Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds, he says, so the possibility isn’t fantastic.

Some of the attacking machines are running clients known to run on cameras, he says. “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks,” he says. “There are indicators that there are IoT devices here, at scale.”

The attack didn’t use reflection or amplification, so all the traffic consisted of legitimate HTTP requests sent to overwhelm Krebs’s site, Ellis says. “It’s not junk traffic.”
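Because the requests were well-formed, nothing about an individual request marks it as hostile; what a defender can still observe is the aggregate: request rate per time window and how many distinct source addresses contribute to it. The following is an added example, not code from the Network World article, from Akamai or from Krebs on Security. It is a toy detector over Common Log Format access-log lines that separates a distributed, non-amplified HTTP flood (many sources, few requests each) from a single abusive client that per-IP rate limiting would already handle. The log lines are constructed using RFC 5737 documentation addresses, and the baseline rate, window size and thresholds are assumptions chosen for the sample.

```python
"""Added example, not code from the article or from Akamai.

Toy detector for a non-amplified HTTP flood: buckets requests into fixed
time windows and flags windows with both a high request rate and a high
distinct-source ratio. Sample data below is constructed; thresholds are
illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def window_stats(lines, window_seconds=10):
    """Bucket requests into fixed windows (keyed by window start epoch) and
    report request count and distinct-source count for each window."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        start = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        buckets[start]["requests"] += 1
        buckets[start]["sources"].add(rec["ip"])
    return {
        start: {"requests": b["requests"], "distinct_sources": len(b["sources"])}
        for start, b in sorted(buckets.items())
    }


def flag_flood_windows(stats, baseline_rps, rate_multiplier=10,
                       min_distinct_ratio=0.5, window_seconds=10):
    """Flag windows whose request rate exceeds baseline * rate_multiplier AND
    whose distinct-source ratio is at least min_distinct_ratio.

    The ratio test separates a distributed flood (many sources, few requests
    each, which per-client rate limiting cannot stop) from a single abusive
    client, which ordinary per-IP limits already handle."""
    flagged = []
    for start, s in stats.items():
        rps = s["requests"] / window_seconds
        ratio = s["distinct_sources"] / s["requests"] if s["requests"] else 0.0
        if rps > baseline_rps * rate_multiplier and ratio >= min_distinct_ratio:
            flagged.append(start)
    return flagged


def build_sample_log():
    """Constructed sample log: a quiet window, a distributed flood window and a
    single-client spike window, all made of well-formed GET requests."""
    quiet = [
        f'198.51.100.{i % 3 + 1} - - [23/Sep/2016:10:00:0{i} +0000] '
        f'"GET /index.html HTTP/1.1" 200 5120'
        for i in range(5)
    ]
    flood = [  # 100 distinct bots, one request each, within ten seconds
        f'203.0.113.{i} - - [23/Sep/2016:10:00:1{i % 10} +0000] '
        f'"GET / HTTP/1.1" 200 5120'
        for i in range(1, 101)
    ]
    single = [  # one client hammering the site in the following ten seconds
        f'192.0.2.7 - - [23/Sep/2016:10:00:2{i % 10} +0000] '
        f'"GET / HTTP/1.1" 200 5120'
        for i in range(80)
    ]
    return quiet + flood + single


if __name__ == "__main__":
    stats = window_stats(build_sample_log())
    for start, s in stats.items():
        print(start, s)
    # Baseline of 0.5 requests/second is an assumption taken from the quiet window.
    print("flood windows:", flag_flood_windows(stats, baseline_rps=0.5))
```

Run stand-alone, the script reports three windows and flags only the middle one: the quiet window is below the rate threshold, and the single-client spike exceeds the rate but fails the distinct-source test, which is the case a per-IP limit already covers. In practice the baseline would come from historical traffic rather than a hard-coded constant, and the window key can be joined back to upstream flow data to size the source population.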

A lot of things about the attack are still unknown, such as who’s behind it and what method the botmasters used to infect the individual bots.

Ellis says some other providers Akamai had contacted report similar but smaller attacks likely from the same botnet. Many of them were aimed toward gaming sites, and Krebs has written about such attacks, so there may be a connection there, he says.

Akamai will analyze the attack and devise tools to fight similar attacks, Ellis says.

Krebs has tweeted about the attack after Akamai stopped protecting his site. “I can't really fault Akamai for their decision. I likely cost them a ton of money today,” he wrote. “So long everyone. It's been real.”

This story, "Largest DDoS attack ever delivered by botnet of hijacked IoT devices" was originally published by Network World.
