The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | apple

Feb/14

23

Apple SSL vulnerability

Cracked EncryptionEverybody has been talking about the Apple SSL vulnerability, but just in case you have missed it….

It turns out that for several years Safari has failed to properly check the cryptographic signatures on Server Key Exchanges allowing attackers to mount man in the middle attacks against your browser sessions. Anyone with the ability to intercept your traffic could read and modify the data to or from any secure website you visit (of course they can always do it with insecure websites). This would include any WiFi you are using, the local ISP, backbone ISPs, and government entities wherever you might be, or anywhere along the path yo the server you are trying to reach.

This vulnerability impacts both iOS as well as Mac OS X. You can test whether you are vulnerable here.

There is a patch already available for iOS so update your device now!

If you are on a Mac, switch to using some browser other than Safari. Chrome and Firefox are both safe from this particular attack.

If you are on Windows, Linux, BSD, or Android, you would appear to be safe.

· ·

The Chaos Computer Club (CCC) in Germany recently announced its successful bypassing of the new iPhone 5S fingerprint scanner.

Despite many media claims that the new scanner worked on deep layers in the skin, and was not vulnerable to simple fingerprint duplication, that is exactly what succeeded. 

The CCC used a high resolution photo of a fingerprint on glass to create a latex duplicate, which unlocked the phone. It strikes me as particularly problematic that the glass surface of an iPhone is the perfect place to find really clear fingerprints of the owner.

· · ·

Play

Welcome to the June edition of the Privacy Blog Podcast, brought to you by Anonymizer.

In June’s episode, I’ll discuss the true nature of the recently leaked surveillance programs that has dominated the news this month. We’ll go through a quick tutorial about decoding government “speak” regarding these programs and how you can protect yourself online.

Later in the episode, I’ll talk about Facebook’s accidental creation and compromise of shadow profiles along with Apple’s terrible personal hotspot security and what you can do to improve it.

Thanks for listening!

· · · · ·

Cnet reports that an internal DEA document reveals that the DEA are unable to intercept text messages sent over Apple’s iMessage protocol.

The protocol provides end to end encryption for messages between iOS and Mac OS X devices.

This is not to suggest that the encryption in iMessages is particularly good, but to contrast with standard text messages and voice calls which are completely unprotected within the phone company’s networks.

It appears that an active man in the middle attack would be able to thwart the encryption, but would be significantly more effort. The lack of any kind of out of band channel authentication suggests that such an attack should not be too difficult.

If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man in the middle attacks almost impossible.

· · · ·

NBC News is reporting that the iOS UDIDs leaked last week were actually stolen from Blue Toad publishing company. Comparing the leaked data with Blue Toad’s data showed 98% correlation which makes them almost certainly the source.

They checked the leaked data against their own after receiving a tip from an outside researcher who had analyzed the leaked data.

It is certainly possible that this data had been stolen earlier and that, in tracking that crime, the FBI had obtained the stolen information. This strongly suggests that this is not a case of the FBI conducting some kind of massive surveillance activity.

The other possibility is that Anonymous and Antisec are simply lying about the origin of the information as part of an anti-government propaganda campaign.

Either way, it is a big knock on their credibility, unless you think this whole thing is just a conspiracy to protect the FBI.

· ·

Forbs is reporting that Anonymous and Antisec have dropped a file with a million Unique Device ID (UDID) numbers for Apple iOS devices. They claim to have acquired an additional 11 million records which they may release later.

In addition to the identifiers, the file is said to also contain usernames, device names, cell numbers, and addresses. It is this additional personal information that seems to be the real threat here.

The Next Web has set up a tool for checking to see if your information is in the leaked data. You don’t need to enter your full UDID into the field, just the first 5 characters. That way you don’t need to trust them with your information either.

None of my iOS devices showed up on the list, so I downloaded the entire file to look it over. You can see the release and download instructions here.

Looking through the document, I don’t see any examples of particularly sensitive information. In the first field are the claimed UDID. The second field is a 64 digit hex string. After that is the name of the device, frequently something like “Lance’s iPad”. Finally is a description of the device itself: iPad, iPhone, iPod touch.

SHA hashes are 64 hex digits long, and are widely used in forensics to verify that captured evidence has not been changed. My intuition is something like that is what we are seeing in that second column.

I have no idea where the claims about addresses, and account names came from. I am not seeing anything like that.

It is interesting that Anonymous / Antisec claim that this data came from the hacked laptop of an FBI agent. This certainly raises big questions about why he would have this information on his laptop, and why the FBI has it at all.

While 12 million is a big number, it is a tiny fraction of the over 400 million iOS devices sold to date. Still, that would represent a shockingly wide dragnet if these are all being monitored in some way by law enforcement.

Of course, for all we know this list was captured evidence from some other group of hackers.

So, short answer (too late!), you probably don’t have anything to worry about here, but you might want to check to see if your device is in the database anyway.

UPDATE: It appears that the UDID may tie to more information that was immediately apparent. While Apple’s guidelines forbid tying UDIDs to specific account, of course that happens all the time. My friend Steve shared a link with me to an open API from OpenFeint which can tie a UDID to personal information. Certainly there are others which would reveal other information. The existence of these, and the leaked list of UDIDs would allow an app developer to tie a user’s real identity to their activity and use of the app on their iOS device.

UDATE 2: I find it impossible to actually read documents from Anonymous and Antisec, they are just so poorly written. It seems I missed their statement in lines 353,354 of the pastbin where they say that they stripped out the personal information. The 64 digit block is actually the “Apple Push Notification Service DevToken”. SCMagazine is reporting that the FBI is denying the laptop was hacked or that they have the UDIDs.

· · · · ·

<< Latest posts