Tag Archives: Apple

Congress Looking Into Restricting Power of Government-Owned CAs

UPDATE–As the debate over potential government interference with encryption technologies rages in countries around the world, Congress is going down a different path, asking technology companies whether it is feasible and potentially effective for certificate authorities to restrict the way that government-owned CAs can issue certificates. Members of the House Committee on Energy and Commerce […]

Apple Watch: nothing prevents thieves from resetting the password and using a stolen one (even for shopping)


It is one of the most eagerly awaited gadgets in recent times and is set to become one of the technological gadgets of the year, but it has already given rise to its first scare: the Apple Watch is vulnerable.

Apple’s smart watch, which has been on the market for just over a month, has given the public a hint of its security flaws: security gaps which can end up being expensive for the first buyers of this wearable.

Apple Watch lacks an Activation Lock feature

On the one hand, Apple’s watch may become an object of desire for thieves, something the iPhone tried to prevent with certain security measures. The smart watch lacks an ‘Activation Lock’ feature, which was created to dissuade criminals from illegally obtaining one of the company’s devices.

This feature first appeared with iOS 7 and ensures that the only way of disabling the ‘Find my iPhone’ option (which allows the user to know exactly where the device is) is with the user’s Apple ID and password. In other words, unless the thief has your username and password, he won’t be able to disable the option that will allow you to find your stolen iPhone.

However, the smart watch doesn’t have the ‘Activation Lock’ feature. In addition, resetting the device and erasing all data (password included) is simple, even without the PIN code which protects the watch, as you can see in the following video:

Shopping at your expense

A second vulnerability of the Apple Watch may work out to be even more expensive for the pioneers who have already bought it.

Thanks to its sensors, the device detects when it is placed on a user’s wrist. While it is being worn it doesn’t require a password to unlock it, so that its owner can access the screen and make payments with Apple Pay.

If you take the watch off your wrist, the Apple Watch will ask you to re-enter the password, so that, if it gets stolen, your data is safe, especially your financial data.

However, the watch’s sensors have a delay of about a second before they re-enable the PIN code and, in addition, they don’t detect whether the watch is on the wrist or on any other body part, so a crafty thief can take the watch off a wearer’s wrist and then quickly cover the sensors with his fingers to keep the watch from locking.

In that case the thief is not only able to access the information stored in your Apple Watch, but also to make purchases with your Apple Pay account.

So, the cracks in the security of the long-awaited Apple Watch are starting to undermine the fame of the device that Apple fans wanted to have on their wrists. The fact that the Apple Watch’s sensors don’t work with some tattoos is a mere anecdote; now the security of its users is at stake.

The post Apple Watch: nothing prevents thieves from resetting the password and using a stolen one (even for shopping) appeared first on MediaCenter Panda Security.

Apple Pushing Developers Toward HTTPS Connections From Apps

Apple is encouraging developers who create apps for iOS to begin moving their apps to an HTTPS-only model as soon as possible in an effort to thwart eavesdropping on insecure, plaintext HTTP connections. The move is yet one more sign that major Internet and technology companies are becoming ever more resistant to large-scale, passive surveillance […]

What Can Siri Help You With Today?

This post is about cool things you can do with Siri, and some you might wish it didn’t do. Stick with me to the end of this post, and I’ll even share with you a funny video of what Siri “really” looks like…

“Siri, please save my iPhone from the messages of death”

This somewhat melodramatic title was posted on TheRegister and reports on incoming messages that trigger a bug in iOS, causing applications to crash…

The solution?

Apple suggests Siri as a temporary fix (full instructions here). One of the options includes asking Siri to “reply to the malicious message”. That’s right – if you’re being picked on by a big bad hacker who is sending you “messages of death”, get big sister Siri to reply with a digital tongue-lashing – sweet!

“Siri, please turn on the light, switch on the stereo and start my car”

Back in 2014, there was excitement surrounding the application called GoogolPLex, which hooked up a hacked version of Siri to the Internet of things. Suddenly you could use Siri for all sorts of applications, as seen in this video:

What’s particularly clever is the name: “GoogolPlex, turn on the lights” is actually understood by Siri as “Google, please turn on the lights”. Then, instead of running a Google search, GoogolPlex redirects the request to its own servers and uses APIs that interact with your hardware to process your request.

GoogolPlex, beam me up!

Siri, stop recording our conversations…

You love using Siri? She is a great listener (granted, with dubious hearing). However, if you’re also a staunch believer in privacy, you might want to reconsider what exactly you tell your beloved assistant. As reported in this post, all voice recordings are stored for 6 months, after which time they keep the recording for another 18 months but delete the number associated with it… In case you’re now thinking of switching to Microsoft’s equally friendly Cortana, the policy is very similar…

And now, for a look at what Siri looks like, as seen in Raj’s vivid imagination (from the Big Bang Theory):

The post What Can Siri Help You With Today? appeared first on Avira Blog.

Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit

Just last month we talked about how the “Unicode of Death” crashes your iPhones and Apple Watches, how easily Apple Safari can be manipulated via URL-Spoofing and the Ex-NSA guy who pointed to Mac security flaws.

Now Pedro Vilaca, a security expert who is deep into Mac OS X and iOS security, has found another unpleasant-looking vulnerability. Take a look at what he wrote on his blog: “Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#.

And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”

Wow. So basically it is possible to install a rootkit on a Mac without much effort. Just wait until the machine has been in sleep mode for at least 30 seconds so that the flash locks are removed. Once they are gone, the device is yours: with the flash locks removed you can play around with the UEFI code and, well… for example, install a rootkit. The only way to protect yourself is to never let your Apple device go into sleep mode.

Luckily, not all devices seem to be affected. Vilaca tested the issue against a MacBook Pro Retina, a MacBook Pro 8,2, and a MacBook Air, all running the latest EFI firmware available. All of them were vulnerable. There is a glimmer of hope though: the latest MacBooks might have been silently fixed by Apple, since the security expert was not able to reproduce the vulnerability there.

The post Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit appeared first on Avira Blog.

“Unicode of Death” Crashes Your iPhone

The newly discovered security flaw in iOS crashes different messaging apps (like iMessage and your SMS app, basically all apps that use Apple’s CoreText library) on your iPhone, and possibly your Apple Watch, when they receive a specific string of text. In addition, it causes your phone to reboot immediately. The bug was first reported on Reddit.com, where some people were complaining about it.

According to TheRegister, this is what happens once your mobile receives the message containing the “Unicode of Death”, a string of text including Arabic characters and different symbols: “The bug causes CoreText to access memory that is invalid, which forces the operating system to kill off the currently running program: which could be your text message app, your terminal, or in the case of the notification screen, a core part of the OS.”

And sickestdancer98 from Reddit explains: “I can tell you it is due to how the banner notifications process the Unicode text. The banner briefly attempts to present the incoming text and then “gives up” thus the crash. On a jailbroken device, this ultimately leads to safe mode. However, on a stock iOS device, there is no safe mode hence the respring after the crash. That is why this only happens when you are not in the message because the banner is what truly crashes the entire system. Is this a possible vulnerability? Maybe. Has this been around already? Roughly since iOS 6. Can it be fixed/patched? That, my friends, is up to Apple. I hope I cleared things up a little bit if it did help in any way, shape, or form.”

Apple is already working on a fix which they’ll make available in an upcoming software update. Until then there are a couple of workarounds floating around online, one of them being to simply turn off the lock screen notifications for now.

The post “Unicode of Death” Crashes Your iPhone appeared first on Avira Blog.

Watch OS 1.0.1 for the Apple Watch Released

With Watch OS 1.0.1 Apple has released the first update for its watch. While it doesn’t include any flashy new features you should definitely make sure to install the patch as soon as possible, since it includes fixes for several critical security issues.

One of them is the well-known FREAK bug, the SSL/TLS vulnerability which was disclosed in March. The vulnerability can allow attackers to perform a Man in the Middle (MITM) attack on traffic between a device that uses the affected version of OpenSSL and many websites, by downgrading the RSA key exchange to easy-to-crack export-grade 512-bit (64KB) keys.
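To make the downgrade concrete from the defender’s side, here is an added example (written for this page, not code from Apple, OpenSSL or the Avira post) that checks a recorded TLS handshake for the FREAK pattern: the server ends up on an export-grade RSA suite that the client never offered, or the client itself still offers export suites. The `Handshake` record, the `assess` and `harden_offer` helpers and the sample handshakes are constructed for the example; the cipher-suite codes are the standard IANA values.

```python
"""Flag FREAK-style export-grade RSA downgrades in a recorded TLS handshake."""
from dataclasses import dataclass
from typing import List, Optional

# Standard IANA cipher-suite codes. The *_EXPORT_* suites limit the RSA key
# to 512 bits, which is the weak key FREAK forces a vulnerable client onto.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

MIN_RSA_BITS = 1024  # anything below this is export-grade territory


def is_export_suite(code: int) -> bool:
    """True for export-grade suites (unknown codes are treated as non-export)."""
    return "_EXPORT_" in SUITES.get(code, "")


@dataclass
class Handshake:
    """Constructed summary of one handshake as seen from the client."""
    client_offered: List[int]          # cipher suites in the ClientHello
    server_chosen: int                 # cipher suite in the ServerHello
    temp_rsa_bits: Optional[int]       # RSA size in ServerKeyExchange, None if absent


def assess(hs: Handshake) -> str:
    """Classify a handshake: 'ok', 'freak-downgrade', 'export-suite-offered'
    or 'weak-temp-key'."""
    # FREAK signature: the client accepts an export suite it never asked for,
    # which only happens when the client's handshake validation is broken.
    if is_export_suite(hs.server_chosen) and hs.server_chosen not in hs.client_offered:
        return "freak-downgrade"
    # Client configuration problem: it still advertises export suites itself.
    if is_export_suite(hs.server_chosen) and hs.server_chosen in hs.client_offered:
        return "export-suite-offered"
    # A short ephemeral RSA key on a non-export suite is also a downgrade.
    if hs.temp_rsa_bits is not None and hs.temp_rsa_bits < MIN_RSA_BITS:
        return "weak-temp-key"
    return "ok"


def harden_offer(offered: List[int]) -> List[int]:
    """Return the client's offer with every export-grade suite removed."""
    return [c for c in offered if not is_export_suite(c)]


if __name__ == "__main__":
    # Constructed sample: a MITM rewrote the offer, the server chose 0x0003
    # and the client accepted a 512-bit temporary RSA key it never asked for.
    downgraded = Handshake([0x002F, 0xC02F], 0x0003, 512)
    print(assess(downgraded))                       # freak-downgrade
    print([SUITES[c] for c in harden_offer([0x0003, 0x002F, 0x0006])])
```

The check runs over a handshake summary rather than raw packets, so in practice you would fill `Handshake` from a capture or from your TLS library’s negotiated-suite callback; the fix on the client side is both to drop export suites from the offer (as `harden_offer` does) and, as the OpenSSL patch did, to reject a ServerKeyExchange that carries a temporary RSA key for a non-export suite.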

Other than that, the update includes fixes for vulnerabilities that could lead to arbitrary code execution, disclose information, cause a denial of service, redirect user traffic to arbitrary hosts, and bypass network filters.

According to Macworld, Watch OS 1.0.1 also improves your Apple Watch’s performance, adds seven new languages, and adds support for new emoji.

To install the new Watch OS, just do the following: open the Apple Watch app on your iPhone and go to My Watch > General > Software Update. Make sure that the watch is within range of the iPhone and connected to a charger. It should also be at least 50 percent charged.

The post Watch OS 1.0.1 for the Apple Watch Released appeared first on Avira Blog.