i2 Security Blog

Keeping you up to date on the world of IT Security

App Store expels iOS hacker

Charlie Miller, a well known security researcher who has exposed a large number of vulnerabilities in Apple's software, has been ousted from the iOS Developer Program by Apple.  This happened after he published an app that exposes a serious bug in new iPhones and iPads.

The InstaStock app, which had been accepted and approved by the App Store back in September, is a program that tracks stock prices in real time.  However, it also contained hidden code that bypassed a protection built into iOS devices: code is not allowed to run on them unless it has been signed with Apple's code-signing key.  As a result the app was capable of other things, including downloading pictures and contact details from iPhones and iPads.

Apparently a few hours after Miller revealed the 'extra' functionality of his app he received an email stating that Apple was terminating him from the iOS Developer Program for violating a clause in the program's license in which he agreed he wouldn't "hide, misrepresent or obscure any features, content, services or functionality" of applications he submitted.

Miller's code-signing bypass exploits a change introduced in iOS 4.3 that for the first time created a small region of memory on iPhones and iPads where unsigned code downloaded from the internet could be executed. The exception was designed to improve the performance of Safari by allowing it to do just-in-time compiling of JavaScript. To prevent the exception from being abused, Apple tightly restricted it to Safari, and even then only in certain cases.  Miller discovered a flaw in the way those checks are enforced, which let his app use the same exception.

Miller said he's concerned that his excommunication will hinder his ability to find security bugs in Apple software before it becomes publicly available. A case in point is iOS 5.0.1, which is currently in beta testing.  No longer part of the developer program, Miller no longer has access to beta code and will therefore have to wait until the release is public before he can check it for vulnerabilities, by which time it will probably be too late.

Skype Flaw Allows IP Address and Location Tracking

A newly discovered flaw in Skype allows tracking of Skype users by IP address.
The serious breach in the popular internet video chat program means that anyone could potentially hunt down users' whereabouts, according to a study co-authored by an NYU-Poly professor.

The flaw in Skype could allow a skilled attacker to find out the IP address from which a user has logged in to Skype, and from that approximate the user's location, which is a serious breach of privacy. However, having the IP address alone does not reveal a home address.  It narrows a user down to a rough area and a particular ISP.

The company is trying to downplay the flaw, claiming that the ability to derive IP addresses was common with all web based communication clients.

The flaw can reportedly be exploited without the user’s knowledge, and can be executed on a large scale. The research team demonstrated this by scheduling hourly calls to tens of thousands of Skype users.

Adrian Asher, Skype's chief information security officer, said that IP addresses are easily uncovered in most web communications clients. "Just as with typical Internet communications software, Skype users who are connected may be able to determine each other's IP addresses. Through research and development, we will continue to make advances in this area and improvements to our software," he said.

The IP address that you are using is usually allocated from a pool of addresses that your ISP hands out.  By locating a Skype user's IP address an attacker could work out their ISP and a rough location, as far as the ISP's address allocation reveals it, but don't worry, you won't get someone knocking at your door because you told them off on Skype; they may just know which part of the country you are in 🙂

iPad2 iOS5 Lock Screen Vulnerability

As soon as iOS 5 was released people were already looking for issues with it.  One of the first discovered on the iPad 2 was an issue with the screen lock functionality.

Mark Gurman has discovered a vulnerability on the iPad that allows a limited bypass of the device's lock screen. Anyone with a Smart Cover for the iPad can gain access to the previously open app (or the home screen if no app was open).

Simply hold the power button to bring up the 'Power Off' screen, close the Smart Cover, re-open it, and tap Cancel: the attacker is dropped into the screen that was open before the iPad was locked. If the attacker lands on the home screen, they'll be able to see the installed apps but won't be able to open anything. If Safari, Address Book or any other app was open when the device was locked, the attacker has access to that app.

From a locked iPad 2:

1) Lock a passcode-protected iPad 2
2) Hold down the power button until the iPad 2 shows the power-off slider
3) Close the Smart Cover
4) Open the Smart Cover
5) Tap Cancel at the bottom of the screen

Obviously with more and more iPads being used in the business world and also in education you can probably imagine the issues this type of vulnerability could cause.  Just imagine if your email was the last app open, or your address book with all of your customers 🙂

For now the only way to stop this happening is to disable the "Smart Cover Unlocking" feature, which can be found in Settings > General.

Although I’m sure Apple will be working on a fix for this already.

Massive security hole in HTC Android devices

A new piece of software pushed out by HTC to its Android handsets has opened up a vulnerability that allows any app with internet permission to access private information on the handset.

Trevor Eckhart discovered the vulnerability and informed HTC about it, but after five days without a response he decided to go public with it.

He made demonstration code available for it and a video showing how an application that is supposed to see almost nothing can now see almost everything.

So an application that is supposed to be restricted to accessing the internet, a common permission requested by free apps in order to fetch advertisements, can also read the user's location and details of all their synchronised accounts, not to mention the list of running tasks, the state of Wi-Fi connections, and system logs.

The data is collected by a system package called HtcLoggers.apk, which HTC installs on a range of Android handsets for reasons that have not been identified. The logging package accumulates data all the time, but it also exposes an interface that other applications can use to request specific information; it even has a "help" command for callers who don't know what to ask for.

The information collected includes system information as well as the account and location data that most users would consider sensitive, and the internet permission the app already holds means it can send that data off to unknown parties.

Eckhart produced a demonstration app, and is asking people with HTC handsets to take a look and help establish how widespread HtcLoggers.apk is.

This appears to be a serious issue, especially given that free apps routinely ask for internet permission to load embedded adverts. Such an app could now harvest data to use in other types of attack.  Also bear in mind that as the demonstration code is now publicly available, I imagine someone somewhere is working on this already.

If you have an HTC handset, it may be worthwhile not installing any new free apps until HTC have fixed this issue.