5G Security Flaw
A flaw was recently discovered in the new 5G protocol that could allow a third party to use IMSI-catcher-like devices to snoop on data on this new protocol. Four researchers at SINTEF Digital Norway, ETH Zurich Switzerland, and Technische Universität Berlin Germany discovered the vulnerability, which affects not only 5G but the 3G and 4G protocols as well. It affects Authentication and Key Agreement (AKA for short), the technique between your phone and a cellular network that allows them to communicate securely. AKA is supposed to negotiate and establish a key exchange between the phone and carrier to encrypt the link. 5G-AKA is supposed to thwart IMSI catchers, but the vulnerability opens up a potential entry point for newer devices to spy.
Data about a user’s activity, such as numbers of texts or calls received and sent, could be used by an attacker to profile a victim. And if you take your phone away from the signal of a newer IMSI catcher? Well, the moment you come back within its vicinity, it can pick up where it stopped and continue tracking. This could be used to track political figures or officials in targeted attacks, not only to see amounts of calls, but also to track physical location between fake base stations.
The researchers responsibly disclosed their findings to 3GPP (the 3rd Generation Partnership Project) and GSMA, and the parties are taking steps to remedy the situation before the end of 2019.
Last week, a major bug was surfaced by 9to5Mac, detailing how iPhone users could use FaceTime group chats to snoop on the audio from other phones without their owners’ knowledge. All someone would have to do is call another user using FaceTime, and they would immediately hear the audio from the receiver’s phone before the receiver accepted or rejected the call. The ringer rings as normal, so the receiver would know someone was calling, but they wouldn’t be able to tell if you could hear their audio before they actually picked up.
Many iPhone users took to social media to express their concerns at how easy this vulnerability was to use. Put simply: you’d first have to start a FaceTime Video Call to an iPhone contact, then, when it’s dialing, swipe up from the bottom and tap Add Person. Add your own phone number on the Add Person screen, then start a group FaceTime call with yourself and the audio of the contact.
To make matters worse, this flaw could also be used to snoop on the video feed of the user. To do this, all a user would have to do is press the power button while on the lock screen, which also would send their video to the caller. According to BuzzFeed News, pressing volume down did something similar. While the underlying cause wasn’t specified, security researchers think that faulty logic in the coding of the group FaceTime processes could be the problem.
After this news broke, it was discovered that a 14-year-old boy found this flaw over a week prior to the news article, while playing Fortnite with his friends. The boy stumbled upon the bug on January 19, while trying to initiate a group FaceTime call. His mother reported this problem to Apple through a series of posts and emails, but to no avail. It appears Apple knew or should have known about the problem for a week before actually getting around to fixing it. While they did respond to one of her reports on January 23, it was not clear to the mother that they were fixing it.
Apple disabled the group FaceTime feature on January 29, and it has since been listed as temporarily unavailable on their system status page. Before Apple disabled the feature altogether, the best option was just to disable FaceTime in the iOS settings.
Apple is now facing legal concerns related to this bug. They have been sued by a Houston-based lawyer, who claims someone eavesdropped on a conversation. New York Attorney General Letitia James has also initiated a formal investigation into the bug.
A software patch will be made available to users this week in iOS 12.1.4. To update, simply go to your Settings app, then General, then Software Update.
Facebook Loves Your Data
Facebook isn’t out of the security headlines yet… no surprise. Facebook uses an Apple program called the Developer Enterprise Program to create and manage apps that aren’t found in the Apple App Store, but are available for download. This is usually used by companies to create internal apps used for internal capabilities. Facebook used the Developer Enterprise Program to create and distribute an application to the masses that allows them to obtain user data while paying that user $20 a month. Since Apple has pretty strict privacy rules for their App Store, this is a loophole that Facebook was able to take advantage of to track users’ data. The “Facebook Research” app used root certificates to collect data on users. This could be browsing history, time spent on apps or sites, purchases made, private messages, location data, and network data, just to name a few. Since Facebook Research also enabled their own VPN network, this also gave them the ability to view anything that would normally be kept private under a VPN service.
Since this is in violation of Apple’s guidelines, Apple revoked Facebook’s enterprise certificates, which also broke some of Facebook’s internal team apps. Beta versions of apps like Instagram, Messenger, and the Facebook app would also stop working, since those were all part of the enterprise program. After some time, Apple restored Facebook’s access to the Enterprise Program. Your versions of the social media apps, if downloaded from the App Store, are not affected.
With Facebook came similar news from Google. Google’s Screenwise Meter app was also available in this format that allowed them to analyze and monitor user data. Google removed their application from download, and made a statement regarding the iOS app saying that it was a mistake.