This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear you device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

“By default, your number is only visible to people who you’ve added to your address book as contacts.” Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature — Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement for portable phone numbers. In the port-out scam, the attacker claims to be switching to a new carrier. A SIM-swap scam is convincing a carrier he or she is switching to a new phone and new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

An odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.

Updates

Last week we talked about Devcore and their VPN Appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitraty data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.

Be On Twitter Without Being On Twitter

Social media can connect us to a vibrant worldwide community, but it is also a huge time sink as it preys on both our need for attention and our insatiable curiosity. Kept on a leash by those constant notification sounds, we can easily look up from our phones to find half a day has gone and we’re behind with our work. [Laura Lytle] has a plan to tackle this problem, her OutBox project involves a single button press machine that posts a picture to Twitter of whatever is put in it. It’s not just another gateway to social media addiction though, she tells us it follows Design For Disuse principles in which it must be powered up and adjusted for each picture, and that it provides no feedback to satisfy the social media craving.

Under the hood of the laser-cut housing reminiscent of an older hobby 3D printer is a Raspberry Pi 3 Model A+ and a webcam, with a ring of LEDs for illumination. On top is the only interface, a small “arm” button to set things up and a big red arcade button to do the business. The software is in Python, and provides glue between resizing the photo, uploading it to a cloud service, and triggering ITTT to do the Tweeting. You can see the whole thing in the video below, and the result is a rather eye-catching device.

Of course, there are other ways to keep yourself off social media.

Continue reading “Be On Twitter Without Being On Twitter”

Tweetbot Expresses Twitter Emotions

When reading textual communications, it can be difficult to accurately acertain emotional intent. Individual humans can be better or worse at this, with sometimes hilarious results when it goes wrong. Regardless, there’s nothing a human can do that a machine won’t eventually do better. For just this purpose, Tweetbot is here to emotionally react to Twitter so you don’t have to.

The ‘bot receives tweets over a bluetooth link, handled by a PIC32, which also displays them on a small TFT screen. The PIC then analyses the tweet for emotional content before sending the result to a second PIC32, which displays emotes on a second TFT screen, creating the robot’s face. Varying LEDs are also flashed depending on the emotion detected – green for positive emotions, yellow for sadness, and red for anger.

The final bot is capable of demonstrating 8 unique emotional states, far exceeding the typical Facebook commenter who can only express unbridled outrage. With the ‘bot packing displays, multiple microcontrollers, and even motor drives, we imagine the team learned a great deal in the development of the project.

The project was the product of [Bruce Land]’s ECE 4760 course, which has shown us plenty of great hacks in the past – Bike Sonar being one of our favorites. Video after the break.

Continue reading “Tweetbot Expresses Twitter Emotions”

Shakespeare In A Zip In A RAR, Hidden In An Image On Twitter

Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.

What’s a polyglot file? Jpeg images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.

The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.

Continue reading “Shakespeare In A Zip In A RAR, Hidden In An Image On Twitter”

CD Image Via Twitter: A Handcrafted Game Disc

Humans can turn anything into a competition. Someone always wants to be faster or drive a ball farther. Technical pursuits are no different, which is why a lot of people overclock or play regular expression golf. [Alok Menghrajani] sets himself some odd challenges. A few years ago, he hand-built a bootable floppy image that had a simple game onboard and managed to fit it in a Twitter message. Twitter has increased their number of characters, so — you guessed it — this time he’s back with a CDROM image.

His tweet is a command line that starts with perl. The text is base64-encoded binary and if you run the Tweet from a shell — which is an odd thing to do with a Tweet, we grant you, you’ll be rewarded with a file called cd.iso. You could burn that to a CDROM, but it is more likely you’ll just mount in a virtual machine and boot that. [Alok] says it does work in QEMU, VirtualBox, and — yes — even a real CD.

Continue reading “CD Image Via Twitter: A Handcrafted Game Disc”

Boozer Tells The Internet How Much You Drink (If You Want It To)

Over the past few years, Reddit user [callingyougoulet] has created Boozer, a DIY beer dispenser that keeps track of how much of your brew you have left in your kegs. Installed in a Keezer (a freezer that contains beer kegs and faucets) [callingyougoulet]’s dispenser uses a Raspberry Pi to keep track of things. A series of flow sensors determine how much liquid has passed through them and, when the drink is poured, can calculate how much you poured and how much you have left.

Starting with a chest freezer, [callingyougoulet] built a nice wooden surround as well as installed a tower on top to hold the faucets. The top of the freezer has nice granite tiles covering it, and some LED accent lighting adds to the end product. However, taking the granite off in order to get at the kegs inside takes some time (about 20 minutes.)

Inside the freezer is the Raspberry Pi and four flow sensors, each one connected to a GPIO port on the Pi. After some calibration, the Python code running on the Pi can calculate a pretty close estimate of the amount of liquid poured. There’s also a temperature sensor in the freezer, so that you can tell how cool your beer is.

If the build had stopped there, it would have been a great project as-is, but [callingyougoulet] added twitter, Slack and MQTT outputs as options, so that a home automation system (or the entire internet) can tell how much and when you’ve been drinking and, more importantly, you can know how much is left in your kegs! There are some very cool keg cooling builds on the site, such as, a kegerator built from the ground up, and a very elegant kegerator built on the cheap check them out for ideas!

Via Reddit.

Hackaday Belgrade Is On: Join LiveStream And Chat!

Good morning Hackaday universe! Hackaday Belgrade 2018 has just started, and we’re knee-deep in sharing, explaining, and generally celebrating our craft. But just because you’re not here doesn’t mean that you shouldn’t take part.

Come join us!