iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google’s counterespionage group Threat Analysis Group (TAG) published findings on a malware attack that targeted iPhones for “at least two years.” The hack was what is known as a watering-hole attack, in which hackers plant malware on specific websites and visitors to those sites unknowingly download it to their devices. Once the malware was installed, the hackers were able to monitor user activity and export sensitive information such as passwords, contacts, messages (including encrypted conversations through apps like WhatsApp), and location data.

Google’s TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February and Apple released a security update seven days later that brought an end to the vulnerability. However, while the update removed the malware from infected iPhones, any information taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, information on who was behind the attack, what websites were infected, and whose data was stolen has not been verified by either Google or Apple. However, since Google’s report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated that it was nation-state backed. Then, over the weekend, TechCrunch released an article with sources claiming the attack infected websites designed to target China’s Uyghur minority. A day later, Forbes confirmed TechCrunch’s report and also reported that the attack targeted Android and Windows users. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them, why are we just learning about all this now? While Apple did make note of the exploits in their February update announcement, the language used was such that the scope of the attack was completely unknown until now. While it is always important to apply updates to any device as quickly as possible, it’s possible that without understanding the severity of the attack, many users could have left themselves exposed by putting off the update for another day. 

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products — and iPhones in particular — are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, “real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

While this news doesn’t mean iPhone users should go throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, the least of which is updating devices quickly. Because, as Beer states, “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

Robocalls Might Be in Trouble

You may have forgotten just how terrible looking at your email inbox used to be. Not too long ago, email spam cluttered our inboxes, making it next to impossible to wade through all of our emails and figure out which ones were legitimate and which ones to delete. And while with email this is largely a thing of the past, the problem has carried over into a new medium: our cellphones.  

Pesky phone calls aren’t anything new, but in the last few years the situation has become rather drastic. According to one report, there was a total of 26.3 billion robocalls placed in the U.S. in 2018 — a staggering 46% increase in just one year. And while almost all of these calls are technically illegal, technology has accelerated to such a degree that it’s become extremely difficult for lawmakers and regulatory agencies to keep up.  

Why This is Happening 

It’s an old cliché: technology can be used for good and for bad. But recent advancements in calling services certainly prove this to be true. One of the main causes of the increase in robocalls is what’s called Voice over Internet Protocol (VoIP). Services offered by Skype and Google utilize this technology to help users communicate with one another at low costs. However, bad actors have learned to automate this technology in order to place thousands of calls to anywhere in the world at a rapid pace.  

Alongside VoIP, spammers have also harnessed a technique called “spoofing,” which allows callers to use a fake number when placing a call. You’ve probably learned by now that if you receive a call from a number that looks similar to your own, it’s going to be a robocall. This is because spammers are using spoofing technology to carry out “neighbor spoofs,” a method that replicates your area code and sometimes your exchange number to trick you into picking up.  

And while it’s not too difficult to learn to spot these tricks, spoofing can be used in even more nefarious ways. Because of the ease with which someone can mimic any phone number, spammers can have a call look like it’s coming from a local business or even the IRS. Or worse, if a spammer has gained access to your contact list, they can spoof calls to look like they’re coming from someone you know personally.  

A Reason for Hope? 

According to the FCC, 60% of all complaints filed are related to robocalls. And, given how pervasive the issue is, it can be extremely frustrating that more is not being done to tackle the problem. This month, however, there has finally been some movement from both the FCC and phone carriers to do something about it.

Earlier this month, the FCC unanimously voted to prohibit foreign callers from spoofing U.S. numbers, telling phone carriers that they have until the end of the year to implement technology to determine the legitimacy of calls.

The technology they are referring to is called STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs). In essence, STIR/SHAKEN attaches a certificate of authentication to phone numbers that is then verified by phone companies when a call is placed. Phone carriers can use this technology to add check marks next to verified calls and warn you when a number is unverified. 
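How that check can look on the receiving side, as an added example that is not from the original article or any carrier's code: the originating carrier signs the calling and called numbers into a PASSporT token (RFC 8225, with the SHAKEN claims from RFC 8588), and the terminating carrier verifies the signature and compares the claims with the call before choosing a label. The throwaway key pair, phone numbers, certificate URL, 60-second freshness window and label strings are assumptions; a real verifier fetches the certificate named in `x5u` and validates its chain.

```javascript
// Added example: simplified SHAKEN PASSporT signing and verification (Node.js).
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const FRESHNESS_SECONDS = 60; // assumed freshness window for this sketch

// Originating carrier: sign the call's identity claims (compact JWS, ES256).
function signPassport(privateKey, { orig, dest, attest, iat }) {
  const header = { alg: 'ES256', typ: 'passport', ppt: 'shaken',
                   x5u: 'https://cert.example.invalid/sti.pem' }; // placeholder URL
  const payload = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig },
                    origid: crypto.randomUUID() };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Terminating carrier: verify the signature, then compare claims with the call itself.
function verifyPassport(publicKey, token, call, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'UNVERIFIED: malformed token';
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return 'UNVERIFIED: malformed token'; }
  // Pin the algorithm; never let the token choose how it is verified.
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return 'UNVERIFIED: bad header';
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'UNVERIFIED: bad signature';
  if (Math.abs(now - payload.iat) > FRESHNESS_SECONDS) return 'UNVERIFIED: stale token';
  if (payload.orig?.tn !== call.from || !payload.dest?.tn?.includes(call.to))
    return 'UNVERIFIED: number mismatch';
  // Assumed labelling: only full attestation ("A") earns the check mark.
  return payload.attest === 'A' ? 'VERIFIED' : `UNVERIFIED: attestation ${payload.attest}`;
}

// Constructed sample data: a throwaway key pair stands in for the carrier certificate.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const NOW = 1700000000;
const token = signPassport(privateKey,
  { orig: '12025550101', dest: '12025550199', attest: 'A', iat: NOW });
```

A token replayed on a call that displays a different number fails the number comparison, and a token edited to match the spoofed number fails the signature check.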

AT&T and T-Mobile have since announced plans to implement this technology within the coming months. If you have either carrier, you might already be seeing warnings such as “SPAM RISK” or “FRAUD ALERT” appear on your screen when you get certain calls.

Of course, this technology doesn’t actually stop you from receiving robocalls. But maybe — just maybe — we’re moving in the right direction. After all, the decline of spam emails wasn’t because email providers outright blocked spam. As an article in NY Magazine points out, “The key insight that defeated email spam was that it would be nearly impossible to stop email spammers…But it was possible to make it so that the average person never saw that spam.” 

The hope, therefore, is that call verification technology will make the business of robocalls less lucrative, and, over time, the number of such calls will naturally decrease. Only time will tell how successful this will be, but this certainly seems to be a step in the right direction. When it comes to cybersecurity, there haven’t been a lot of hopeful stories recently, so we’ll take what we can get.

Bugs in-not-on the Mobile Windshield

These days, our smart phone is literally our life.  Everything we need (or think we need) is in it.  Everything we want to know or do can be done with it.

Of course, it is also a great way for the bad guys to get to you. You may think you are downloading a “clean app” only to find it’s infected, as last month’s news about the 25 million Android phones infected with WhatsApp malware illustrates.

But in some cases, even if you are extra careful about downloading apps, your phone may already be infected. The reason is that the smartphone you buy may already have 100 to 400 preinstalled apps that were selected by the phone manufacturer. As noted in a BlackHat presentation, these preinstalled apps have become a target of hackers because they are a great way to distribute malware as far and as fast as possible. What can this malware do? It could provide a means for remote access, key-logging or activity monitoring for starters. Not necessarily what you want when your whole life revolves around your phone.

One key point is that hackers are not just focusing on the end-user; they are focused on embedding their malware through the supply chain, knowing that ultimately it will wind up with the target they are after. Companies have to thoroughly vet the security of the technologies they are using to build products and services for their customers.

And, of course, smartphone users should practice good mobile hygiene: periodically prune the apps you have on your phone, run anti-virus software (certainly for Android phones), keep the operating system up to date, and use a password manager and a VPN service when you are on the road. And, like the airplane pre-flight instructions say, take care of your own phone first (but then) assist others — like with your children and their phones.