Apple, iOS fix for a zero day: but more needs to be done for secure smartphones

Time: 25/Aug By: kenglenn 576 Views


Apple has released an update to iOS to fix a vulnerability that was putting users worldwide at risk: a zero day of the kind Pegasus relied on (and perhaps one of those it used). But that is not enough: the security model of the tech giants, Apple first among them, needs to be rethought. Here is why.

28 Jul 2021 - Marco Santarelli, expert in network analysis, critical infrastructures, big data and future energies

An unexpected update to iOS has arrived to fix a vulnerability that was endangering users worldwide.

To be clear, it is a zero day of the same kind Pegasus was built on (and perhaps one of the very ones it used).

Let's see what it is and what the consequences are.


Unexpected updates for iOS

Apple has just released, completely unexpectedly, an update for iPhone, iPad and Mac: iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1, the last of these following the very recent macOS Big Sur 11.5, released only a week earlier. The goal is to fix a so-called "zero-day" vulnerability that is being exploited "in the wild", worldwide. The flaw is CVE-2021-30807, which can allow an attacker to execute arbitrary code with kernel privileges, in practice taking full control of the attacked device.


Here is what Apple's advisory says: "Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved memory handling. CVE-2021-30807: an anonymous researcher".

It is not yet clear who is behind the attacks, but from anonymous sources inside Apple we get the impression that there are some notable and precise suspects. While it is very likely that this zero day is a new exploit used by the iOS jailbreak community to root iPhones, it is also unclear whether it is somehow related to NSO Group, the Israeli company that sells iPhone hacking tools to governments around the world and which has recently been the subject of a large number of investigative reports exposing earlier hacking operations.

https://www.cybersecurity360.it/nuove-minacce/pegasus-intercettazioni-e-trojan-di-stato-ecco-perche-nessuno-smartphone-e-al-sicuro/

What a "zero-day" vulnerability is


The journalist Nicole Perlroth, a computer security specialist, explains well what is meant by a zero-day vulnerability in her book "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race", released last February.

With a zero day, a bug for which no patch yet exists, a hacker manages to slip unnoticed into your smartphone, to get past all the security checks of a chemical plant, to alter the results of an election, to shut down a power grid (see the Ukraine case) or to attack water treatment plants (see the recent one in Oldsmar, Florida). For many years, under non-disclosure agreements, US government agencies paid hackers good money to keep quiet about such bugs; then control was lost, and now these famous zero days are in everyone's hands.

https://www.agendadigitale.eu/sicurezza/cyber-war-siamo-davvero-vicini-al-punto-di-non-ritorno-gli-scenari/

Apple, the most secure system in the world? The Trezor case

But how to interpret these events?

Many experts, following the Pegasus case, which hit Apple systems hard, have strongly rejected the widely held thesis that Apple systems are more secure than Android or Windows.

Another example comes from a recent story. A few months ago an app appeared on Apple's App Store with a logo recalling the well-known cryptocurrency hardware wallet Trezor, a company that offers only hardware devices and no app for smartphones or mobile devices.

Phillipe Christodoulou, believing it really was an application associated with Trezor (he even gave it a five-star review), downloaded it to check how much his bitcoin savings were worth, logged in with his credentials and entered his security seed phrase. 17.1 bitcoin vanished in an instant, worth about $600,000 at the time and more than a million dollars today.

Trezor itself had reported the problem to both Apple and Google, officially declaring that the app was a scam with no relation to SatoshiLabs or Trezor, and that reports had already been sent to the Google team as well.

Although Apple devices are always said to be more secure, experts explain that in practice they are not so hard to abuse: once an application has been approved, the bad guys later turn it into a phishing tool to steal users' personal data.

In the case of the fake Trezor app it went like this: the app was approved as an encryption app for storing passwords and was later changed into a cryptocurrency wallet. Apple is aware of this weakness in its system and promptly removes apps that are reported as unsafe; the problem is the time between the publication of an app and its removal, and that is exactly the trap Phillipe Christodoulou fell into. In that window the app was downloaded 1,000 times on Android and remained available on the App Store for more than 10 days before being removed.

Another striking case involved an American who, after buying $14,000 worth of Ethereum and Bitcoin, bought a Trezor wallet to get the highest level of security; he too, after downloading the offending app, discovered that he had nothing left.

Who protects us? When the Apple system is a double-edged sword

We are faced with a kind of hoax: the tech giants, even before the users themselves, are fooled at the moment they approve applications for inclusion in their stores.

If an app can find a way through the review phase undisturbed, the security model needs to be revised. Two different things are often lumped together under the word "sandbox". In software development, a sandbox is a test environment outside the normal delivery flow (development, test, quality, production): experiments are run there that may never lead to a development phase, to study the effects of changes still at the feasibility-study or cost-benefit-analysis stage. On iOS, the sandbox is something else, namely the runtime confinement that limits each installed app to its own data and to the resources it has been granted. Neither protects a user from an app that passes App Review with one behavior and then switches to another: sending a seed phrase that the user types in to a remote server is entirely within what the sandbox allows.

Some experts, in the wake of the Pegasus case, have noted that Apple's closed design is a double-edged sword. Once an attacker is inside the device, it is practically impossible for the user to discover that it has been compromised. The lack of transparency at that point works in the attacker's favor.

Improving the bug bounty system

Not only that. To contain the spread of bugs and nip them in the bud, the "bug bounty" model has been in use for some time, pioneered by Facebook, Yahoo!, Google, Reddit, Square, Oracle Corporation and NordVPN. It is an agreement offered by many websites and software vendors under which an individual can receive recognition and a monetary reward for reporting bugs, especially those that lead to exploits and vulnerabilities.

These programs allow developers to discover and fix these bugs before they are public knowledge, preventing potentially large-impact issues.

Apple, long attached to a logic of security by obscurity, came to this model late: its bounty program was invitation-only until the end of 2019, when it was finally opened to all researchers.

Not that it is much better elsewhere. Bounty figures are usually derisory: an exploit similar to the one used by the Israeli company NSO Group would fetch a bounty of around $250,000, which would barely cover the salaries of the team that worked to find it, never mind outbidding the competitors who want the same vulnerability for darker purposes.

iOS 14 and security

iOS 14 is the mobile operating system Apple launched last fall and which, before release, was carefully analyzed, as happens before every new launch.

Among the new features is an update to iCloud Keychain, which stores all the passwords we use every day to sign in to apps and websites and syncs them with every Apple device signed in to the same personal account. In iOS 14 and iPadOS 14 there is a "Security Recommendations" section, a menu that collects only the passwords flagged as at risk: those that have appeared in a data breach, those reused across several sites, and those that are too simple or easily guessed. It is one of many examples of how much the Cupertino company aims to protect its users' data. Despite this, iOS is not immune to attacks: many applications in the App Store can deceive.
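As an added illustration of how such a "Security Recommendations" list can be built (this is example code written for this article, not Apple's implementation, which is not public here), the Python below runs the three checks over a constructed keychain: easily guessed, reused across sites, and seen in a breach. The breach check follows the k-anonymity range-query scheme used by public breach-lookup services, where only the first five hex characters of the password's SHA-1 hash leave the device and the comparison of the remaining suffix happens locally. The leaked-password corpus, the keychain entries and the `range_query` endpoint are all constructed stand-ins.

```python
"""Password health checks of the kind a "Security Recommendations"
list is built from. Added example, not Apple's code; the breach corpus
and the keychain below are constructed for the demo."""
import hashlib
import re

# Constructed "leaked" corpus standing in for a breach-notification
# service's data set (a real one holds billions of SHA-1 hashes).
LEAKED_PASSWORDS = ["password", "hunter2", "Summer2021!", "letmein"]

# Constructed keychain contents for the demo (site -> password).
KEYCHAIN = {
    "bank.example": "hunter2",
    "mail.example": "hunter2",                  # same password reused
    "forum.example": "qwerty1",                 # short and simple
    "shop.example": "correct-Horse-battery-7!",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest breach-range services are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked):
    """Server side: index hash suffixes by their 5-hex-char prefix."""
    index = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index, prefix):
    """Simulated server endpoint: only the 5-char prefix is sent, and every
    suffix sharing that prefix comes back, so the server never learns which
    password (or even which full hash) the client holds."""
    assert len(prefix) == 5
    return index.get(prefix, set())


def seen_in_breach(password, index):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def is_easily_guessed(password):
    """Crude strength check: too short, or fewer than three character classes.
    Real products add dictionary and pattern checks on top of this."""
    if len(password) < 12:
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3


def security_recommendations(keychain, index):
    """Return {site: sorted findings} for every entry that needs attention."""
    counts = {}
    for pw in keychain.values():
        counts[pw] = counts.get(pw, 0) + 1
    report = {}
    for site, pw in keychain.items():
        findings = []
        if is_easily_guessed(pw):
            findings.append("weak")
        if counts[pw] > 1:
            findings.append("reused")
        if seen_in_breach(pw, index):
            findings.append("breached")
        if findings:
            report[site] = sorted(findings)
    return report


if __name__ == "__main__":
    index = build_breach_index(LEAKED_PASSWORDS)
    for site, findings in security_recommendations(KEYCHAIN, index).items():
        print(f"{site}: {', '.join(findings)}")
```

The point of the prefix split is that the breach check does not require trusting the lookup service with the password, or with a hash that could be reversed offline; the same property is what lets an on-device keychain consult an external breach corpus without leaking its contents.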
