September 30, 2019

Checkm8 jailbreak and AltStore put cracks in Apple’s walled garden

By Danny Bradbury

Jailbreaking iPhones has become a lot harder with each new version of the hardware, but this weekend saw two new announcements that enable people to install apps on their phones. One of them is a traditional jailbreak, while the other is an alternative app store that uses a loophole in Apple’s code-signing process.

Jailbreaking is a form of privilege escalation. Hackers figure out ways to change the operating system kernel, unlocking features that Apple had locked down. One of its most common uses is to install apps that Apple doesn’t allow into its app store because they fall outside the company’s strict developer review policy.

On Twitter last Friday, iOS security researcher @axi0mX released an exploit for a bootrom bug that affects devices from Apple’s iPhone X all the way back to the iPhone 4S, which runs the A5 chip Apple released in 2011. It doesn’t affect the iPhone 11 family announced this month, which is powered by the company’s new A13 chip.

The code, released on GitHub for free, relies on a race condition in Apple’s bootrom. This is the first piece of hardware that the iPhone loads code from when it is turned on, and it’s a read-only part of the hardware that Apple can’t patch.

To prove the point, @axi0mX also tweeted a video of an iPhone booting in verbose mode, using the latest iOS 13.1.1 version. They labelled the jailbreak checkm8, and said that it is a “permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.”

Read more at https://nakedsecurity.sophos.com/2019/09/30/checkm8-jailbreak-and-altstore-put-cracks-in-apples-walled-garden/

Social media manipulation as a political tool is spreading

By Lisa Vaas

Social media manipulation is getting worse: as more governments use it to manipulate public opinion, it’s becoming a rising threat to democracy, according to a new report from the Oxford Internet Institute.

There’s nothing new about political parties and governments using propaganda, but the new normal includes toxic messaging that’s easy to spread on a global scale with the brawny new tools for targeting and amplification, they said.

According to the University of Oxford’s Computational Propaganda Research Project, the use of algorithms, automation, and big data to shape public opinion – i.e. computational propaganda – is becoming “a pervasive and ubiquitous part of everyday life.”

For its third annual report, the project examined what it calls “cyber troop” activity in 70 countries. Cyber troops is the collective term for government or political party actors that use social media to manipulate public opinion, harass dissidents, attack political opponents or spread polarizing messages meant to divide societies, among other things.

Over the past two years, there’s been a 150% increase in the number of countries using social media to launch manipulation campaigns, the project found.

The use of computational propaganda to shape public attitudes via social media has become mainstream, extending far beyond the actions of a few bad actors. In an information environment characterized by high volumes of information and limited levels of user attention and trust, the tools and techniques of computational propaganda are becoming a common – and arguably essential – part of digital campaigning and public diplomacy.

What accounts for the growth?

Part of the growth can be attributed to observers getting more sophisticated when it comes to identifying and reporting such manipulation campaigns, given digital tools and a more precise vocabulary to describe the cyber troop activity they uncover, the researchers said.

Read more at https://nakedsecurity.sophos.com/2019/09/30/social-media-manipulation-as-a-political-tool-is-spreading/

Is the era of social media Likes over?

By Lisa Vaas

Cast your mind back to 2014, and you might recall Mark Zuckerberg mulling the public’s desire to have a “dislike” button on Facebook.

During a public Q&A, the CEO presented button semantics as being something like a Marvel comics battle between good and evil, with the Like button presumably being, to his mind, a “force for good”:

There’s something that’s just so simple about the ‘like’ button … but giving people more ways of expressing more emotions would be powerful. We need to figure out the right way to do it so it ends up being a force for good, not a force for bad and demeaning the posts that people are putting out there.

But now, as a mounting body of research points to the number of content Likes – or lack thereof – negatively influencing some users’ self-esteem, it may be time to question whether the Like button might have turned out to be a force for bad.

Recent studies have linked increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.

To address the mess they’ve made, at this point, Instagram – which a 2017 study found to be the worst social media app for young people’s mental health – and Facebook are taking a serious look at the possibility of doing away with Likes.

In April 2019, Instagram announced that it was running a test in Canada: it was hiding Like counts on some users’ photos and videos as an experiment to try to lessen competitiveness on the platform.

The idea: to make us feel less envious, less ashamed, and more focused on self-expression rather than like we’re vying in a personality competition. It’s all about getting people to focus on the content they share, not the likes, a spokesperson said when news about the test was announced at F8, Facebook’s annual developers conference:

Read more at https://nakedsecurity.sophos.com/2019/09/30/is-the-era-of-social-media-likes-over/

‘Fleeceware’ Play store apps quietly charging up to $250

By John E Dunn

Imagine an Android GIF-making app available on Google Play that automatically charges €214.99 ($253) to continue using it beyond its three-day trial period.

Or how about a completely unremarkable QR code reader app, whose developer thinks that a charge of €104.99 is a fair price to continue using it 72 hours after it was downloaded.

If you think these prices sound far-fetched, we have news – researchers at SophosLabs have discovered at least 15 apps which have been downloaded millions of times between them charging these extraordinary prices under Google’s nose.

The most unexpected part of this discovery? By exploiting a loophole in the Play store licensing regime, this behavior appears to be legal.

Getting away with it

The scam works by exploiting the legitimate app behavior of allowing users to download apps under a trial license period which, in this case, ends after a few days.

There is nothing obviously malicious about the apps, which mostly work as advertised, even though their features are identical to those of advertising-supported apps that cost nothing.

Importantly, the apps ask users to submit their payment details during the trial period, which most users probably assume won’t apply if they de-install the app.

Because the huge annual subscription price is only mentioned in small print, users probably assume the cost will be a few dollars or euros.

SophosLabs’ researchers discovered three apps charging €219.99 for full licenses, with another five charging €104.99, and one charging €114.99.

One of these ‘fleeceware’ apps had more than 10 million downloads, two had 5 million, with the rest between 5,000 and 50,000.

Read more at https://nakedsecurity.sophos.com/2019/09/27/fleeceware-play-store-apps-quietly-charging-up-to-250/

Apple users, patch now! The ‘bug that got away’ has been fixed

By Paul Ducklin

Remember the Black Hat conference of 2019?

Chances are you didn’t attend – even though it’s a huge event, the vast majority of cybersecurity professionals only experience it remotely – but you probably heard about some of the more dramatic talk titles…

…including one from Google with the intriguing title Look, no hands! – The remote, interaction-less attack surface of the iPhone.

The talk was presented by well-known Google Project Zero researcher Natalie Silvanovich, and it covered a wide-ranging vulnerability research project conducted by Silvanovich and her colleague Samuel Groß.

They decided to dig into the software components in your iPhone that automatically process data uploaded from the outside, to see if they could find bugs that might be remotely exploitable.

Silvanovich and Groß investigated five message-handling components on the iPhone: SMS, MMS, visual voicemail, email and iMessage.

The idea was to search not for security bugs by which you could be tricked into making a serious security blunder, but for holes by which your device itself could be tricked without you even being involved.

They found several such flaws, denoted by the following CVE numbers: CVE-2019-8624, CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, CVE-2019-8661, CVE-2019-8662, and CVE-2019-8663.

Read more at https://nakedsecurity.sophos.com/2019/09/27/apple-users-patch-now-the-bug-that-got-away-has-been-fixed/

Chrome cripples movie studio Mac Pros

By Danny Bradbury

It’s not often that a single software bug can bring an entire industry to a virtual standstill, but it happened this week – and experts finally found an unlikely culprit.

The problem began on Monday 22 September when reports emerged of a problem with Macs running Avid software.

Avid is an editing suite that production companies use to put movies and TV programs together. A few days ago, movie editors started reporting that Mac Pros running Avid software were crashing. If users tried to restart their machines, they wouldn’t reboot.

Here’s one tweet from Shane Ross, staff editor at Prometheus Entertainment, as the situation broke:

Imagine how you’d be feeling if you were working on something with a deadline of hours, like a news segment.

Props to Avid, which was all over this problem from the beginning, dropping everything to work out the issue, in a perfect example of how to handle a technical issue properly. The company even put up a video:

Read more at https://nakedsecurity.sophos.com/2019/09/27/chrome-cripples-movie-studio-mac-pros/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation