ROAMING MANTIS MALWARE EVOLVE TO PREYS ON PC, ANDROID AND IOS USERS

Recently, researchers unveiled a DNS hijacking campaign that was found to spread malware from banking Trojans to Android smartphone users mostly in Asia, which has now extended its reach to iOS and PC users.

Mantis Roaming malware now targets IOS devices for phishing attacks. A publication of Kaspersky Lab in April, gave details about the Mantis Roaming malware that performs targeted operations to hijack Android devices. The information security experts said that the malware is evolving and its objective is to capture confidential data of the user infecting.

mantis

“The landing pages and apk files now support 27 languages covering Europe and the Middle East, and malicious actors added an option for phishing to iOS devices and cryptography capabilities for PCs,” says Kaspersky’s Lab publication.

Now, you can perform various functionalities, as they are; the extraction of cryptocurrencies and the phishing of iOS devices; is also capable of targeting Android devices to steal information. Suguru Ishimaru, a Kaspersky Lab researcher, said the company also analyzed the previous Campaign Roaming Mantis and the findings were detailed in his blog.

It expanded to 27 different languages, including English, Hindi, Russian, Chinese and Hebrew. Initially, the malware was distributed in only five languages, but now the range is widened using an automatic translator, information security experts commented.

mantis 1

Experts explain that it was designed to be distributed through DNS hijacking, for now, this malware is more active in Asian regions, such as; Bangladesh, India, Japan and South Korea. Although, there are reports of the malware targeting devices in the Middle East and Europe.

According to information security experts, Roaming Mantis, works by redirecting victims to a malicious web page through the hijacking of DNS while the page is distributed through a fake Facebook or Chrome application (‘facebook.apk’ or ‘ chrome.apk ‘). This application contains an Android Trojan-Banker, and must be installed manually by the victim. The professionals also noted that the comments are published in simplified Chinese.

To hijack iOS devices, a page that mimics Apple’s official website that claims to be ‘security.app.com’ is distributed. Upon entering the page, you are required to provide user ID, passwords, CVV, card expiration and card number. This site supports 25 languages.

The information security researchers say that Roaming Mantis is able to steal private and confidential data from Apple and Android mobile phones, and that cryptocurrency mining is done in the inclusion of a script in the HTML source code of the malware, which runs every time open the browser.

mantis 2

A Coinhive Javascript miner runs to exploit the device’s CPU and extract the Monero cryptocurrency. The professionals also commented that the cryptocurrency mining of Mantis Roaming is quite subtle. Since most users may not realize that the resources of their device are being used.

So far, more than 150 successful attacks have been observed, but this could represent only a small fraction of the overall picture, since DNS hijacking is quite difficult to identify.

Advertisements
Posted in Uncategorized | Leave a comment

IBM IMPROVES ITS SECURITY AND PROHIBITS THE USE OF USB DRIVES THROUGHOUT THE COMPANY

IBM recently banned all removable storage, throughout the company; this is a new policy that aims to avoid financial and reputational damage from a lost or misused USB drive.

Shamla Naidoo, IBM’s chief information security officer, told staff in an internal email that the company “is expanding the practice of banning the transfer of data to all portable removable storage devices such as USB, SD card and flash drive”.

Some areas already had this policy but, “in the coming weeks we are implementing this policy around the world,” said Naidoo.

ibm bann

This new policy has a simple and well-justified objective in a world full of data breaches: “the possible financial and reputational damage due to lost, lost or misused extractable portable storage devices should be minimized”, the CISO clarified.

A while ago, Stuxnet was written to “jump” from one terminal to another through USB drives that move between them as attack vectors. Only some of the networks they targeted were isolated, which means they had no direct access to the outside world. To prevent such an event on their networks, information security professionals recommend specialized USB devices to prevent malware from being configured on USB drives.

Posted in Uncategorized | Leave a comment

TOOL TO PERFORM BRUTE FORCE ATTACKS ON SSH, SMTP, FACEBOOK AND INSTAGRAM- BRUT3K1T

As an introduction, brut3k1t is a bruteforce module on the server side that supports dictionary attacks for various protocols, information security experts say.

BRUTE3 1

Some of the current protocols that are complete and compatible are:

  • ssh
  • ftp
  • smtp
  • XMPP
  • instagram
  • Facebook

There will also be implementations of different protocols and services including Twitter, Facebook and Instagram.

The professionals tell us, that the installation is very simple. brut3k1t requires several dependencies, the program will install them if you do not have them.

  • argparse – used to analyze command line arguments
  • paramiko: used to work with SSH connections and authentication
  • ftplib: used to work with FTP connections and authentication
  • smtplib: used to work with SMTP connections (email) and authentication
  • fbchat – used to connect with Facebook
  • selenium: used to scrape the network, which is used with Instagram (and later with Twitter)
  • xmppy – utiized for XMPP connections .

The download is simple. git clone https://github.com/ex0dus-0x/brut3k1t

Change to directory:

cd /path/to/brut3k1t

We will talk about the use. Using brut3k1t is more complicated than just running a Python file, say information security professionals. By typing python brut3k1t -h it shows the help menu.

BRUTE3 2

The researchers give us some examples of its use, cracking the SSH server running on 192.168.1.3 using root and wordlist.txt as a list of words.

python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt

The port will be automatically set to 22, if it is different, specify with -p indicator.

Cracking email test@gmail.com with wordlist.txt on port 25 with a delay of 3 seconds. For email, experts say that the SMTP server address should be used. As an example, Gmail = smtp.gmail.com. You can investigate this with Google.

python brut3k1t.py -s smtp -a smtp.gmail.com -u test@gmail.com -w word list.txt -p 25 -d 3

Cracking XMPP test@creep.im with wordlist.txt on port 5222. XMPP is similar to SMTP, you must provide the XMPP server address, creep.im.

python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt

Cracking Facebook is more complicated, it will require the target user ID, not the username.

python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt

Instagram cracking with username test with wordlist.txt and 5 seconds delay

python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5

Here we will leave some notes to take into account. Use this article for educational purposes, as well as for the learning code and safety-oriented practices.

In the case where the port indicator -p is not provided, the default port for that service will be used. It is not necessary to provide it for Facebook and Instagram, says the information security researcher.

In the absence of the delay indicator -d, the default delay in seconds will be 1.

Experts say to use the SMTP server address and the XMPP server address for the address -a, for SMTP and XMPP, respectively.

Some protocols are not based on the default port. An FTP server may not be on port 21.

Posted in Uncategorized | Leave a comment

HOW TO MAKE A SUBDOMAIN TAKEOVER ATTACK

A team of information security experts tells us that sub-domain acquisition vulnerabilities happen whenever a subdomain points to a service (for example, GitHub pages, Heroku, etc.) that has been removed or removed. This may allow an attacker to configure a page in the service that was being used and direct his page to that subdomain. As an example, if subdomain.example.com was pointing to a GitHub page and the user decided to remove their GitHub page, an attacker could create a GitHub page, add a CNAME file that contains the subdomain.testing. com and claim the subdomain.testing. com.

subdomain

A subdomain that points to a GitHub page is www. testing. com. If someone decides to remove https:// github. com/test0x01/testing and does not delete the DNS entry that points to this page, you can post content at www. testing. com.

Some hackers use sub-domain and brute force scraping tools such as Sublist3r to find the sub-domains of a target, say information security professionals. Then the DNS records will be verified and / or a screen capture script will be used to detect vulnerable subdomains. A subdomain that points to a GitHub page that returns a 404 can be an indicator that can be claimed on GitHub.

subdomain 1

Now we will talk about Sublist3r. It is important to know that Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. Information security researchers tell us that it also helps penetration verifiers and bug hunters collect sub-domains for the domain they point to. In addition, Sublist3r lists subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. On the other hand, it enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

Experts comment that subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved word list.

Installation: git clone https://github.com/aboul3la/Sublist3r.git

subdomain

subdomain 2

About the security impact; a subdomain control takeover could allow an attacker to publish content in the subdomain, information security experts said. In the case where a subdomain is a secondary domain of the base name of the service, the attacker can also read and set cookies in the base name: subdomain.example.com can set cookies for example.com.

We have a real case of a subdomain acquisition made by Frans Rosén on inside.gratipay.com. Researchers tell us that, Frans posted a page on a hidden route (login123) instead of posting content on the landing page. This is the best way to avoid damaging the image of the company.

It is important to remove the DNS entry in the subdomain that points to the deleted service to make sure no one can take over.

subdomain 3

Posted in Uncategorized | Leave a comment

HOW TO HACK ANY CAR WITH THIS TOOL

First we will see the topics that will be covered by the information security experts in this test / course of auto hacking: Configuration of virtual environments for tests, Sniffing CAN Traffic, Analyzing CAN Traffic, Inverse Engineering CAN IDs, Denial of service attacks, Reproduction / Traffic injection, Coding your own tools CAN Socket in python, Attacks directed against the components of your car and Transitioning this to attack a real car with hardware.

 

hack carrr

Before going into specific details of vehicle hacking, we will explain what CAN is; is to start your laboratory. In this occasion we are going to run a simple simulated CAN Bus network that controls several features of your simulated car. Experts always tell us that it is better to learn by doing than sitting down and saying a lot of network terms.

For this project you are not expected to buy too much hardware and jack in your real car immediately. Instead, there are options that can start hacking cars following this tutorial.

To begin with, information security researchers say you need to configure yourself with an Ubuntu VMware installation and load it. Optionally, you could also use VM Kali Linux, however, you may have copy problems and it is believed that Kayak was giving installation problems. It is also known that Kali works well with the virtual OpenGarages car.

Install PreReq libraries: Once loaded, you will install the CAN utilities and prerequisite libraries. This is really easy to do with the following Apt-get commands:

sudo apt-get update

sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils

Then we will deploy the ICSimulator repository:

git clone https://github.com/zombieCraig/ICSim.git

Start the simulator: now we can start the simulator by changing the directories to the downloaded repository and executing the following 2 commands, which will configure a virtual CAN interface and a simulator GUI cluster:

Run the configuration script to get the vcan0 interface:

root @ kali: ~ / ICSim # ./setup_vcan.sh

root @ kali: ~ / ICSim # ./icsim vcan0

In a new terminal tab, open the simulator controller with the following command:

root @ kali: ~ / ICSim #. / controls vcan0

Professionals comment that the controller should be the GUI screen in focus to send keyboard commands to the simulator.

hack car 1

To use the simulator; experts in information security tell us that the simulator has a speedometer with turn signals to the right and left, doors, etc. There is a list of commands to control the simulator when the control panel is focused.

The up and down keys control the speedometer of the meter groups

Left and right keys Controls the flashing lights

Shift right + X, A or B open doors

Left shift + X, A or closed doors

Experiment with some of the previous commands, for example, Shift + X, you can see that the interface changes.

Now you have your own car to hack. It is important to note that in the configuration commands above we use a VCan0 interface. Run Ifconfig and you will see that it has a new network interface that speaks to the CAN network through VCan0.

ficti0n @ ubuntu: ~ / Desktop / ICSim $ ifconfig vcan0

vcan0 Link encap: UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-

UP RUNNING NOARP MTU: 16 Metric: 1

RX packages: 558904 errors: 0 discarded: 0 overshoots: 0 frame: 0

TX packages: 558904 errors: 0 discarded: 0 overshoots: 0 operator: 0

Collisions: 0 txqueuelen: 1

Bytes RX: 3663935 (3.6 MB) Bytes TX: 3663935 (3.6 MB)

Researchers comment that the networks of cars are executed in a variety of more common protocols that are CAN. You can think of a CAN Bus as a network center where everyone can see the traffic of the whole world. This is true up to a point, although you may not see all the traffic if you are not connected to that particular bus. You can think of a type of CAN traffic similar to the UDP in which it is sent and forgotten, the main difference is that the parts of the CAN bus network do not really have addresses and everything is executed with IDs and arbitration priorities.

Now, let’s check if you can see our CAN traffic from our virtual car through the CanDump utility, which you installed as part of the previous CanUtils package. Using the following command in the vcan0 interface that our simulator uses, you can see a traffic sequence:

ficti0n @ ubuntu: ~ / Desktop / ICSim $ candump vcan0

hack car 2

Now we can see CAN frames, and if we perform actions on the vehicle, we will see changes in the data values ​​in the CanDump output. However, experts say that this can happen very quickly and we may not be able to see if we have unlocked the door of our simulators. This happens because things change constantly in the idle state of cars.

To capture and play CAN actions; an option would be to perform an action and reproduce it, you should see that the actions happen again in the repetition if the traffic for the action that we recorded is in the same bus network in which our device is connected. There are a lot of networks inside a car and our network tap is not guaranteed, an OBD2 port connector is connected to the same network as the door we open.

Another useful tool included with the CanUtils package is CanPlayer to reproduce traffic, say information security experts. If the functionality we are trying to capture is in the same Bus as the adapter connected to the car, or in this case our Virtual CAN interface, we can use CanDump to save the traffic in a file. Then we use CanPlayer to reproduce the traffic on the network. An example, run CanDump, opens a door and then replays the functionality with CanPlayer.

Lab 1 steps:

Run CanDump

Right Shift + X to open a door

Cancel CanDump (ctrl + c)

Left Shift + X to close the door

Run can the player with the dump saved and will replay the traffic and open the door

Record of the opening of the door: (-l for the record)

ficti0n @ ubuntu: ~ / Desktop / ICSim $ candump -l vcan0

Playback of the CanDump file: (use the file created by your Can dump)

ficti0n @ ubuntu: ~ / Desktop / ICSim $ canplayer -I candump-2018-04-06_154441.log

At this point you should see that your door is open again. CAN networks are not like TCP / IP, they are more like UDP in that you send your request and do not expect a response. Then, it is lost and you have to send again. It is likely that you were sending something with higher priority on the network at the time of its reproduction and your traffic was overshadowed by it.

hack car 3

Interacting with Can Bus and Reversing Traffic; this is good, but, CanDump is not very useful for this, it moves quickly so we can learn a lot from. Instead, we can use CanSniffer with colored output to show us the bytes inside the packets that change.

To start CanSniffer execute the following:

ficti0n @ ubuntu: ~ / Desktop / ICSim $ cansniffer -c vcan0

hack car 4

Now you will see Time, ID and Data. The most important part for our use is the ID and Data fields.

The frame ID is associated with the device in the network that is made by the box that is sent. Identification also determines the priority of the framework in the network. The smaller the CAN-ID number, the higher priority it will have on the network and the more likely it will be to handle it first. The data field is the information that is sent to change some parameter, such as unlocking a door or updating the output. The values ​​in red are the values ​​that are changing during the inactive state in which you are currently.

Determine which ID and Byte control the accelerator; with the sniff window of the terminal open, put the simulator and controller in the foreground, with the controller as the window in which you clicked and selected. Pay attention to the CanSniffer output while pressing the UP ARROW and look for a value that is white but is now red and increases in value as the accelerator goes up, say information security researchers.

hack car 5

Select values with filters; to select the accelerator value, click on the terminal window and press -000000 followed by the Enter key that will erase all the values that are displaced. Then press +244 followed by the Enter key, which will add the accelerator identification again. Now you can click on the controller again and increase the speed with the up arrow button without all the noise obscuring your view. Instead, as shown below, you will only have ID 244 in your result.

hack car 6

To retrieve the IDs again, click on the terminal window and enter +000000 followed by the Enter key. Now you should see the entire exit as before. Essentially 000000 means to include everything. When you put a minus sign in front of it, it denies everything and clears your terminal window by filtering all the values.

Determine the Blinker ID; discover identification for the flashing lights. If you press the left or right arrow with the selected control window, you will see a completely new ID appear in the list, ID 188 shown in the following image, which is associated with the flashing light.

hack car 7

This ID was not mentioned, since it was not used in data output until you pressed the flashing light control. Let’s drop this value by pressing -000000 followed by +188. As in the example of the accelerator, your terminal should only show ID 188; initially it will be shown with values ​​of 00 bytes.

Pressing the left and right flashing light, you can see the first change of Byte from 00 to 01 or 02. If none of them is pressed, it will be 00. The identification will remain visible as 00 until the time expires and disappears from the list when it is not active.

It’s time to do some protocol inversion. This lab will give you an idea of ​​how to reverse all the functionality of the car and associate each action with the correct ID and BYTE. In this way, you can create a map of the desired functionality changes. We have already done some steps on how to determine which byte and ID are associated with an action. Now it’s time to map with all the remaining functions before moving on to attack individual components.

Attacking the functionality, with all the assigned functionality, we can now address several devices on the network directly without interacting with the GUI of the controllers. Perhaps we entered the car through the OnStar cellular connection or the central console units of the BLE connection that was connected to the CAN network in some way.

After an exploit we have direct access to the CAN network and we would like to take actions. Or maybe you have installed a wireless device in an OBD2 port under the board.

Using data from the CAN network reversal lab, we can call these actions directly with the appropriate CAN-ID and byte. Since we are far from the goal, we cannot simply reach out and grab the steering wheel or squeeze the accelerator; instead, we will send your CAN structure to make the change.

One way we can do this is through the CanSend utility, say information security researchers. Take the information from our laboratory above and make the left turn signal flash with the next ID 188 for the turn signal by changing the first byte to 01, which indicates that the left signal is pressed. CanSend uses the ID # Data format.

ficti0n @ ubuntu: ~ / Desktop / ICSim $ cansend vcan0 188 # 01000000

hack car 8

Now you should have noticed that the left signal flashed. If this did not happen, try again or make sure you have used the correct ID and changed the correct byte. This will do the same with the accelerator and try to adjust the speed to something with ID 244 that we determined was the accelerator.

ficti0n @ ubuntu: ~ / Desktop / ICSim $ cansend vcan0 244 # 00000011F6

Nothing will happen because it is so fast that the needle will not jump to that value. So, try repeating this over and over again with a bash loop.

ficti0n @ ubuntu: ~ / Desktop / ICSim $ while true; cansend vcan0 244 # 00000011F6

hack car 9

Now you may notice that the needle jumps back and forth a little. The needle bounces back and forth because normal CAN traffic is sent telling the car that it is actually set to 00 between its frames, which means it is 30 mph. Now the speed of the car has changed and the flashing light has been turned on without using the normal turn signal controls.

One way to handle this problem is to monitor the CAN network and when you see a sent ID, it will automatically send the corresponding ID with a different value. At this point we will try to modify the speed output by monitoring the changes. Next, we simply run CanDump and analyze the ID 244 in the record output, which is the value of the accelerator that tells the car the speed. When a device in the car reports ID 244 and its value, we will immediately send our own value saying that the speed is 30 mph with the value 11, said information security researchers.

ficti0n @ ubuntu: ~ / Desktop / ICSim $ candump vcan0 | grep “244” | while reading the line; cansend vcan0 244 # 00000011F6

With this operation after a few seconds you will see that the speed is adjusted to around 30 MPH once you capture a legitimate CAN-ID 244 network traffic and send your own value immediately afterwards.

While the previous command is still working, click on the controller window and start holding the arrow up with the controller in focus. After waiting a few seconds, when the speed exceeds 30 MPH you will see the needle fighting for the highest real value and adjust back to 30 MPH as your command continues to send its value as a replacement for the actual speed.

This is a way to monitor the network and react in a very crude way to what you see. Maybe someone stole your car and you want to control if there is an open door and if they try to open the door, it immediately locks them up

Posted in Uncategorized | Leave a comment

HACK ANY WIRELESS NETWORK USING ALL IN ONE TOOL: HIJACKER

To begin with, the experts explain that Hijacker is a graphical user interface for the penetration test tools Aircrack-ng, Airodump-ng, MDK3 and Reaver. This application offers a simple and easy user interface to use the tools without writing commands in a console and copying and pasting MAC addresses.

The information security professionals comment that this application requires an Android ARM device with an internal wireless adapter that supports the monitor mode. Some Android devices can do it, but none of them natively. This means that you will need a custom firmware. A device using the BCM4339 chip set (MSM8974, such as Nexus 5, Xperia Z1 / Z2, LG G2, LG G Flex, Samsung Galaxy Note 3) will work with Nexmon. Also devices that use BCM4330 can use bcmon.

An alternative that the experts give is to use an external adapter that supports the monitor mode in Android with an OTG cable.

The necessary tools are included for the armv7l and aarch64 devices as of version 1.1. The Nexmon driver and the administration utility for BCM4339 and BCM4358 are included.

Information security researchers say that root access is also necessary, since these tools need a root to function.

Characteristics

Information gathering

  • See a list of access points and stations (customers) around you, including hidden ones
  • View the activity of a specific network measuring beacons and data packets, and their clients
  • Statistics on access points and stations
  • Consult the manufacturer of a device from the OUI database
  • See the signal strength of the devices and filter the ones that are closest to you
  • Save the captured packets in the .cap file

Attacks

  • Disabling all clients of a network, either for each of them or without a specific objective
  • Disabling a specific client from the network to which you are connected
  • MDK3 Beacon Flooding with custom options and SSID list
  • MDK3 Authentication DoS for a specific network or for each nearby AP
  • Capture a WPA handshake or join IV to break a WEP network
  • Reaver WPS cracking

Other

  • Leave the application running in the background, optionally with a notification
  • Copy commands or MAC addresses to the clipboard
  • Includes the necessary tools, without the need for manual installation
  • Includes the Nexmon driver, required library and administration utility for devices BCM4339 and BCM4358
  • Set commands to enable and disable the monitor mode automatically
  • Crack .cap files with a custom word list
  • Create custom actions and easily execute them at an access point or client
  • Sort and filter access points and stations with many parameters
  • Export all collected information to a file
  • Add a persistent alias to a device for easier identification

interfaz de usuario

For the installation, experts comment that you must ensure that:

  • you are on Android 5+
  • is rooted, SuperSU is required, if it is in CM / LineageOS install SuperSU
  • you have a firmware to support monitor mode on your wireless interface

Whenever you run Hijacker for the first time, you will be asked if you want to install the Nexmon firmware or go to the start screen. If you have installed your firmware or use an external adapter, you can go to the home screen. Otherwise, and if your device is compatible, click on ‘Install Nexmon’ and then ‘Install’. Then, you will land on the home screen and airodump will start. Information security professionals say you should make sure you have enabled your WiFi and it is in monitor mode.

It is also important to know that on some devices, changing the files in / system could trigger an Android security feature and the partition of your system will be restored when you reboot the system.

For the problems solution. This application is designed and tested for ARM devices. All the included binaries are compiled for that architecture and will not work on anything else. You can check if your device is compatible in Settings: if you have the option to install Nexmon, then you are in the correct architecture, otherwise you will have to install all the tools manually (busybox, aircrack-ng suite, mdk3, reaver, wireless tools, library libfakeioctl.so) in an accessible PATH directory and set the option ‘Prefix’ for the tools to preload the library they need: LD_PRELOAD = / path / to / libfakeioctl.so.

In configuration, you will find an option to test the tools. If something fails, you can click on ‘Copy test command’ and select the tool that fails. This will copy a test command to your clipboard, which you can manually run in a root shell and see what is wrong. In the case where all the tests pass and you still have a problem, do not hesitate to open a problem here to solve it, or use the option “Send comments” in the configuration of the application.

If the application should fail, a new activity will be started that will generate an error report in your external storage and give you the option to send it by email. The report is displayed in the activity so you can see exactly what will be sent, say information security researchers.

Keep in mind that Hijacker is just a GUI for these tools. The way you run the tools is pretty simple, and if all the tests happen and you’re in monitor mode, you should get the results you want. Information security professionals tell us to also keep in mind that these are audit tools. This means that they are used to test the integrity of your network, so there is a possibility that attacks will not work on your network. This is not the fault of the application; it is really something to be happy about.

Posted in Uncategorized | Leave a comment

TRUSTJACKING ATTACK ALLOWS HACKERS TO HACK IOS DEVICES

Symantec professionals have found a vulnerability that could allow hackers to compromise iOS devices without the owner’s knowledge.

This iOS attack named as “Trustjacking” by information security researchers exploits a vulnerability in iTunes Wi-Fi Sync, a special feature that allows iOS devices to synchronize with iTunes without having to physically connect the device. This feature can be enabled by physically connecting an iOS device to a computer, specifying that the iOS device can trust the computer, and then enable iTunes Wi-Fi Sync from the PC. Once a reliable Wi-Fi Sync connection is established, the hacker could have access to the user’s computer; the hacker could secretly spy on the iOS device or record and control any type of activities remotely.

trustjackingg

“With this the computer could access the photos on the device, make a backup, and install applications and much more, without requiring another confirmation by the user and without any noticeable indication. It also allows activating the function “iTunes Wi-Fi synchronization”, which allows continuing this type of communication with the device even after it has been disconnected from the computer, provided that the computer and the iOS device are connected to the same network. It is important to mention that enabling “iTunes Wi-Fi synchronization” does not require the approval of the victim and can be carried out purely from the side of the computer, “wrote Roy Iarchy, head of research at Modern OS Security.

Adi Sahabani, senior vice president of modern security for the operating system at Symantec, said it is “extremely shocking.” Adi was the one who revealed the findings at RSAC 2018 last Wednesday along with his colleague Iarchy.

The report states that once the malicious computer is authorized, there is no means to prevent continued access to the device. The information security expert said that users do not receive any message or notification when authorizing the computer; they allow access to their device even after disconnecting the USB cable.

“Even if the device is only connected for a very short time, it may be enough for an attacker to maintain visibility of all actions performed on the device after disconnecting it,” Iarchy wrote. The professionals revealed the vulnerability to Apple, which addressed the problem by adding an additional layer of protection in iOS 11. The new layer requires the iOS user to enter their password when they trust a computer. However, information security researchers believe that such measures are inadequate.

“The user is told that this authorization is only relevant while the device is connected to the computer, this makes the user believe that unplugging his device guarantees that nobody can access his private data,” Iarchy writes in a publication. “While we appreciate the mitigation that Apple has taken, we would like to emphasize that it does not address Trustjacking in a holistic way. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work. ”

Information security analysts suggest that users enable encrypted backups in iTunes and select a secure password to protect their devices. The users should also go to Settings> General> Reset> Reset location and privacy, and reauthorize previously connected computers.

Posted in Uncategorized | Leave a comment