Loose Leaf Security Weekly, Issue 5

Happy October from Loose Leaf Security! Or, at least, our calendars say it's October even if the weather here in New York still says it's summer. Regardless, it's always security season.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

In the news

An unfixable jailbreak: The big news in iPhone security is a "boot ROM" exploit against all devices with the A5 through A11 chipsets - which is every iPhone and iPad on the market up to the iPhone X series. (The A12 chipset, used in the iPhone XS and 11 series onwards, does not have the bug.) The boot ROM is the very first code executed by the iPhone when it turns on and cannot be updated except by buying newer hardware. It's responsible for verifying the authenticity of the firmware and OS (which can be updated) and also supporting emergency updates to the firmware and OS, if they get corrupted.

The bug is in the update code: specifically, to fix an otherwise-unbootable iOS device, you can connect it via USB to iTunes and upload clean firmware to the iPhone. You need to place the phone in Device Firmware Upgrade mode, which causes the boot ROM itself to wait for iTunes to connect over USB instead of booting up the phone. However, you can send specific, invalid USB messages to the boot ROM to cause it to corrupt its memory and start running your code without any validation - ultimately letting you run an OS that hasn't been verified by Apple.

It's quite frustrating that there's no way to fix this bug besides buying new hardware, but it's not that likely of an attack for most people. In order to trigger the bug, you have to power off the phone and hold down some buttons while turning it back on to place it in DFU mode, so this bug can't be exploited by malicious websites, apps, or even charging cables. However, if your phone leaves your control and gets rebooted (e.g., at a customs checkpoint from a hostile government) then this bug could be used as an attack. If that's a realistic worry for you, you might want to get a phone with an A12 chipset: for instance, security research firm Trail of Bits says they "strongly urge all journalists, activists, and politicians to upgrade" to such a device. For the rest of us, you probably don't need to run out and replace your phone immediately.

On the other hand, the bug seems potentially useful for voluntary jailbreaks where the owner of the phone wants to install a modified OS. Jailbreaks generally require leaving some bug unfixed so that you can run your own code on the device, and that carries the risk that an attacker could exploit the same bug. Given the limited attack surface of this bug, it's probably one of the safer ones to leave unfixed. Our upcoming episode is about jailbreaks and security updates, and we'll talk more about this particular exploit and the tradeoffs of jailbreaking in general there.

Ain't no party like an iOS update party: iOS 13.1.2 is out, the fourth version in under two weeks. 13.1.1 fixed a failure to sandbox third-party keyboard apps: if you'd chosen to prevent a keyboard app from contacting the internet, that restriction wasn't actually taking effect in iOS 13 and 13.1. Fortunately, none of the bug fixes in 13.1.2 are security issues - though you should still update because Apple is likely focusing its attention on the latest version of iOS alone. (If any code has been rewritten in the update, it's less likely they'll issue a security notice for the old version if the bug isn't present in the newest version.) We'll talk about this in more detail in our upcoming episode, too.

Apple also notably released iOS 12.4.2, which fixes a vulnerability that was also fixed in the iOS 13.0 release. (Also, the iOS 13.0 security notes have been published now, too.) This is one of the very few times Apple has released an update for an old version of iOS to fix issues on devices that can't run the latest version - they've done it only four times before for security issues (iPhone OS 1.1.5 in 2008, iOS 4.2.7 through 4.2.10 in 2011, iOS 6.1.6 in 2014, and iOS 9.3.5 in 2016), and once earlier this year for a non-security issue to make sure GPS kept working past November in iOS 9.3.6 and 10.3.4. In the lead-up to iOS 13, there was a lot of concern that Apple would drop support for the still-popular (actually pocket-sized) iPhone SE, so we're happy that they didn't and that they released a security update for the devices they did stop supporting.

Where the privacy ends: Amazon announced a new long-distance wireless protocol for Internet of Things devices that they're calling "Sidewalk." Wired UK has a good discussion of the privacy implications of both this technology and Apple's new short-range location sensors that use frequencies on the other end of the spectrum. Notably, Amazon was able to get coverage of all of Los Angeles by just sending devices to their employees who lived in the area. We also liked this Twitter thread from AI activist/technologist Liz O'Sullivan about device tracking, Amazon's Ring cameras, and the potential surveillance network Amazon could easily build now with Sidewalk and these other technologies.

Hacking ISIS is just like hacking us: NPR published a detailed account of how the U.S. Cyber Command and the NSA worked together to take down ISIS's media network. The story itself is fascinating, and it also illustrates that even though we generally picture the government using advanced techniques and backdoors to get into people's accounts (which is part of what they do), a lot of that work also uses the same, less sophisticated methods regular attackers use to get into our personal accounts like phishing, malware, and guessing poor answers to recovery questions. If you're concerned about governments getting into your data, you can actually take meaningful steps that help keep them out by practicing good digital hygiene like using a password manager extension and security keys to help protect against phishing attacks and only downloading software from trustworthy sources to avoid malware.

23andCops: The U.S. Department of Justice put some limits on how family tree DNA databases can be used to track down criminals, hoping to "balance the Department's relentless commitment to solving violent crime and protecting public safety against equally important public interests." These guidelines say that police departments should try traditional crime solving methods before using non-police genealogy databases and state those databases should typically be used only to solve violent crimes such as rape and murder and to identify human remains, unless a particular database allows broader use by law enforcement.

In particular, when the new policy goes into effect on November 1, U.S. police forces will no longer be able to upload crime scene data with a fake profile to identify relatives of suspects like they did to track down the Golden State Killer. This new policy is an improvement for privacy, and Science has a good summary of the privacy issues at hand. This policy also serves as a reminder that while most privacy related decisions you make largely only affect yourself and those close to you, decisions about how private you keep your DNA have much broader implications for your extended family.

And I see your face in every crowd: Nonprofit organization Fight for the Future launched a new campaign to ban facial recognition at live shows and festivals. Fight for the Future's deputy director Evan Greer says this surveillance "doesn't keep fans or artists safe, it just subjects them to invasive, racially biased monitoring that will inevitably lead to fans getting harassed, falsely arrested, deported, or worse," and we agree. If you'd like to be able to go to Taylor Swift concerts without having your photo taken and uploaded to some undisclosed facial recognition system, you can see Fight for the Future's list of festivals that have committed to not using facial recognition at their events.

Lightning, very very frightening: It looks like security researcher MG's malicious Lightning cable prototypes aren't just prototypes anymore - they're going to be mass-produced, sold, and readily available to attackers who want to exploit USB bugs similar to the new boot ROM bug. We're not really believers in exploiting a vulnerability just to prove a point, but MG has certainly proved the point that you can't trust someone else's cable. As we mentioned in our very first newsletter, the safest thing is to carry your own cable that you bought in a sealed package from a reputable store.

Sad Mac, powered by Google: If you couldn't reboot your Mac last week, it might have been because of a buggy Google Chrome update. This article includes Google's older suggestion to manually fix things up via an emergency console, but Google now recommends that you just reinstall macOS from macOS Recovery. Yikes, but at least you don't need to reformat (erase) your disk to fix it. By the way, this is one of the reasons we like the trend towards running software in sandboxed environments - not only is it very helpful in restricting attackers who find security bugs in the software, it also prevents non-malicious bugs like this one where unrelated, important files are accidentally modified or deleted.

BitLockest: In our episode "Malware, antivirus, and safe downloads," we mentioned that BitLocker, the Windows drive encryption tool, trusted hard drives that said that they had built-in encryption features, even though there was no particular guarantee that the encryption was good - and typically, the encryption wasn't actually good. The latest Windows update now defaults to using good-quality software encryption on all BitLocker drives, whether or not the drive claims to support encryption itself. If you're using BitLocker, you might want to check whether you have hardware encryption in use. If you do, it might be worth taking this update and then disabling and re-enabling BitLocker, because the change only applies to newly encrypted drives. Note that if you temporarily decrypt your drive, it's possible but unlikely that a section of your disk could fail during that time, leaving whatever data was there at the time vulnerable. However, if your drive is currently using poor-quality encryption, your data is already vulnerable, so it's probably worth taking this risk to secure your files going forward.
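One way to do that check, as an added example that is not from the newsletter or from Microsoft: it lists every BitLocker volume's encryption method and flags the ones that delegated encryption to the drive itself. It assumes the BitLocker PowerShell module and an elevated prompt; the function name is our own.

```powershell
# Added example: report which BitLocker volumes rely on the drive's own
# (hardware) encryption rather than Windows' software encryption.
# Assumes the BitLocker module (Windows 8 / Server 2012 or later) and an
# elevated PowerShell session. The function name is our own.
function Get-BitLockerHardwareEncryptionReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod reads 'Hardware' when BitLocker handed the work to a
        # self-encrypting drive; software methods look like 'XtsAes128'/'Aes256'.
        $usesHardware = ($vol.EncryptionMethod -eq 'Hardware')

        if ($usesHardware) {
            $advice = 'Hardware encryption in use: after updating Windows, run ' +
                      'Disable-BitLocker, wait for decryption to finish, then ' +
                      'Enable-BitLocker so software encryption is applied.'
        } elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $advice = 'Volume is not encrypted.'
        } else {
            $advice = 'Software encryption in use: no action needed.'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            UsesHardwareEnc  = $usesHardware
            Recommendation   = $advice
        }
    }
}

# Show one block per volume; 'manage-bde -status' gives the same facts in text form.
Get-BitLockerHardwareEncryptionReport | Format-List
```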

An emergency patch for IE: Another important Windows update was released last week outside of the usual schedule, fixing a serious security bug in Internet Explorer. This bug was reported by Google's Threat Analysis Group, which looks for vulnerabilities that are actually being exploited. Because this bug is already being used in real attacks, it's particularly important to update. If you're still using IE, it's worth seeing if you can switch to Edge or another browser with more robust security design, but you should still update even if IE isn't your usual browser because significant parts of IE are tied to Windows internals, so you may still be at risk.

Doctor, it hurts when I don't take backups: Some hospitals' normal operations have been interrupted by ransomware attacks, and patients have been turned away as a result. It's unclear how sophisticated these attacks are: ransomware usually doesn't do anything other than encrypting all the files it sees, but if their backups were on drives that they kept connected, it would be easy for ransomware to infect the backups, too. While this happened in a hospital, it could hit individuals at home just as easily, so it's a good reminder to think about your backups. Also, one thing that's convenient about backing up personal devices instead of an entire hospital network is that it's a lot easier to make at least one backup that is offline on an external hard drive - in the event all devices on your network are hit with ransomware or malware, you'd still be able to recover from that offline, external hard drive.

That wraps it up for this week - thanks so much for subscribing to our newsletter! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com. See y'all next week!

-Liz & Geoffrey