iOS targeted malware in the wild, the simple approach to hacking electronic safes & how digital forensics prove a journalist was framed.

Plus your great questions, a packed round up & much more!

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Sophisticated, persistent mobile attack against high-value targets on iOS

  • “Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.”
  • “Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.”
  • “Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.”
  • “We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.”
  • The target of the attack was Ahmed Mansoor, an internationally recognized human rights defender
  • “On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.”
  • “This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.”
  • “Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya. The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.”
  • “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.”
  • “The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
  • “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
  • CitizenLab report
  • Lookout Report PDF
  • Additional Coverage: Arstechnica: Apple releases iOS 9.3.5 with “an important security update”
  • Additional Coverage: NY Times
  • Additional Coverage: Motherboard
  • Additional Coverage: WaPo

Hacking Electronic Safes

  • An interesting bit of research was brought to my attention via Bruce Schneier’s blog
  • “On Friday, a hacker known as Plore presented strategies for identifying a safe custom-selected keycode and then using it to unlock the safe normally, without any damage or indication that the code has been compromised”
  • “Plore’s techniques interesting is what they lack: any physical or even algorithmic sabotage”
  • “Plore used side-channel attacks to pull it off. These are ways of exploiting physical indicators from a cryptographic system to get around its protections.”
  • “Plore was able to figure out the keycodes for locks that are designated by independent third-party testing company Underwriter’s Laboratory as Type 1 High Security. These aren’t the most robust locks on the market by any means, but they are known to be pretty secure. Safes with these locks are the kind of thing you might have in your house.”
  • “In practice, Plore was able to defeat the security of two different safe locks made by Sargent and Greenleaf, each of which uses a six-digit code. “I chose Sargent and Greenleaf locks due to their popularity. They are the lock manufacturer of choice on Liberty brand gun safes, among others, and safes featuring those locks are widely available at major stores,” Plore told WIRED”
  • “Plore said he didn’t have time before Defcon to try his attacks on other lock brands, but he added, “I would not be particularly surprised if techniques similar to those I described would apply to other electronic safe locks, other electronic locks in general (e.g., door locks), or other devices that protect secrets (e.g., phones).”
  • I am glad the 6 digit combination lock that protects my house is mechanical
  • “For the Sargent and Greenleaf 6120, a lock developed in the 1990s and still sold today, Plore noticed that when he entered any incorrect keycode he could deduce the correct code by simply monitoring the current being consumed by the lock.”
  • ““What you do here is place the resistor in series with the battery and the lock, and by monitoring voltage across that resistor we can learn how much current the lock is drawing at any particular time. And from that we learn something about the state of the lock,” Plore explained. As the lock’s memory checked the input against its stored number sequence, the current on the data line would fluctuate depending on whether the bits storing each number in the code were a 0 or a 1. This essentially spelled out the correct key code until Plore had all of its digits in sequence and could just enter them to unlock the safe. Bafflingly easy.”
  • “For the second demonstration, he experimented with a newer lock, the Sargent and Greenleaf Titan PivotBolt. This model has a more secure electronics configuration so Plore couldn’t simply monitor power consumption to discover the correct keycode. He was able to use another side-channel approach, though, a timing attack, to open the lock. Plore observed that as the system checked a user code input against its stored values there was a 28 microsecond delay in current consumption rise when a digit was correct. The more correct digits, the more delayed the rise was. This meant that Plore could efficiently figure out the safe’s keycode by monitoring current over time while trying one through 10 for each digit in the keycode, starting the inputs over with more and more correct digits as he pinpointed them. Plore did have to find a way around the safe’s “penalty lockout feature” that shuts everything down for 10 minutes after five incorrect input attempts, but ultimately he was able to get the whole attack down to 15 minutes, versus the 3.8 years it would take to try every combination and brute force the lock.”
  • This is why cryptography is usually implemented in ‘constant time’, where it is purposely slow. Both the right input and the wrong input take the same amount of time to return the result, so the attack can’t learn anything from the amount of time the response takes
  • ““Burglars aren’t going to bother with this. They’re going to use a crowbar or a hydraulic jack from your garage or if they’re really fancy they’ll use a torch,” Plore said. “I think the more interesting thing here is [these attacks] have applicability to other systems. We see other systems that have these sorts of lockout mechanisms.” Plore said that he has been trying to contact Sargent and Greenleaf about the vulnerabilities since February. WIRED reached out to the company for comment but hadn’t heard back by publication time.”
  • “Even though no one would expect this type of affordable, consumer-grade lock to be totally infallible, Plore’s research is important because it highlights how effective side-channel attacks can be. They allow a bad actor to get in without leaving a trace. And this adds an extra layer of gravity, because not only do these attacks compromise the contents of the safe, they could also go undetected for long periods of time.”
  • This practical example makes the software versions much easier to understand

Turkish Journalist Jailed for Terrorism Was Framed, Computer Forensics Report Shows

  • Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer.
  • But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.
  • The attackers also attempted to control the journalist’s machine remotely, trying to infect it using malicious email attachments and thumb drives.
  • Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it’s been seen in the wild.
  • The attackers seemed to pull everything out of their bag of tricks,” Mark Spencer, digital forensics expert at Arsenal Consulting, said.
  • Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to a group accused of terrorism in Turkey.
  • It is not clear who perpetrated the attack, but the sophistication of the malware used, the tightly-targeted way Ahtapot works, and the timing of Pehlivan’s arrest suggests a highly-coordinated, well-funded attack.
  • A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware.
  • Spencer said no other forensics expert noticed the trojan, nor has determined accurately how those documents showed up on the journalist’s computer.
  • However, almost all the reports have concluded that the incriminating files were planted.
  • What baffled Spencer the most during the investigation was an unusual malware, one he hasn’t seen before. It was installed on Pehlivan’s computer on the evening of February 11, 2011, a Friday. The police raid took place on the following Monday morning.
  • Spencer called Gabor Szappanos, principal researcher at Sophos, who has been analyzing computer viruses for over two decades. They worked together to find out what happened.
  • This malware appeared to be in unfinished beta development. It was a Remote Access Trojan (RAT), a malicious software that allows attackers to control a computer without having physical access.
  • There are clues to suggest the malware is Turkish in origin, including Turkish words in Ahtapot’s code, yet security experts are almost always uncomfortable talking about attribution.
  • The Sophos researcher believes this Remote Access Trojan was rushed into use out of desperation, after several attacks failed to deliver expected results. “Looking at the code revealed some mistakes that are typical at the beginning of development processes [of a malware],” the researcher said.
  • Prior to bringing in Ahtapot trojan, the attackers relied on more common malware. First, they tried to infect Pehlivan’s computer with the Turkojan RAT through a thumb drive. Email attachments were also used.
  • Spencer said, attackers copied both malware and incriminating documents to Pehlivan’s hard drive the nights of February 9 and 11, to cover their bases in case they won’t be able to control the computer remotely using the malware.
  • They were smart enough to forge the dates associated with these documents, Spencer said. The key to his investigation was constructing the true timeline of the events.
  • He suspects the journalist’s PC was attacked locally during those two evenings of February 9 and 11, because previous attempts to remotely infect it with malware failed.
  • “There were about a dozen different malware samples found. Analyzing them in detail revealed that these were not independent incidents, we could find connection between them,” Szappanos said.
  • He believes this was an expensive targeted attack, which used malware samples and command and control servers dedicated to this case alone.
  • Most infosec professionals refrain from saying who the attacker is, as attribution is usually difficult to establish in the cyberworld. “We think it was developed by a Turkish speaking person/people. Internal texts found in the malware samples were all in the Turkish language,” Szappanos said.
  • Meanwhile in Turkey, Barış Pehlivan is getting ready for his next hearing, scheduled for September 21. He believes the trial could end this year, and hopes to be acquitted.


Round up:

Question? Comments? Contact us here!