Security

An explosive report from Amnesty International interpreted device logs to reveal the scope of targeted malware attacks in active use targeting Android and iPhone devices, since July 2014 and as recently as July 2021. Exploited devices can secretly transmit messages and photos stored on the phone, as well as record phone calls and secretly record from the microphone. The attack is sold by Israeli firm NSO Group as ‘Pegasus’.

Whilst the company claims to only sell the spyware software for legit counterterrorism purposes, the report indicates it has actually been used to target human rights activists, lawyers and journalists around the world (as many have long suspected).

While Apple constantly works to improve the security of its devices, hackers are always looking for new ways to crack the security systems found in the iPhone, iPad, Mac, and other devices. Earlier this year, an exploit found in Apple’s WebKit (which is the Safari engine) allowed hackers to extract login information from iOS devices.

A couple of disturbing reports revealed the comparative ease with which criminal gangs were able to use stolen iPhones to access the owner’s bank accounts. The initial report didn’t explain the method used, but a subsequent one did: swapping the SIM to a new device in order to reset the Apple ID password.

Apple is already working on one security measure – making it easier for users to remotely wipe data from a stolen iPhone – but the reports also highlight a security weakness that seems worryingly common among non-techies: using the Notes app to store passwords …

Android and iPhone spyware sold by NSO Group enables state terror attacks in multiple countries, according to a new database released by Amnesty International and partner organizations.

NSO uses zero-day exploits to develop spyware for both iPhones and Android smartphones, allowing users to read text messages and emails, monitor contacts and calls, track locations, collect passwords, and even switch on the smartphone’s microphone to record meetings …

I’ve argued for years that moving beyond passwords is something that urgently needs to happen from both a security and usability perspective.

The technical framework to make it possible to abandon passwords – WebAuthn – was agreed back in 2018, and Apple added support for it in Safari last year. Adoption is as yet close to zero, but all that looks set to change, thanks to the latest move by Apple …

Apple today released macOS Big Sur 11.4, which comes with expanded support for external GPUs, bug fixes in Safari, and more. However, this update also makes the system more secure as it patches an exploit that let malware take screenshots without the user’s knowledge.

Apple released its 2021 Platform Security guide back in February with new details on M1 Macs, iOS 14, macOS Big Sur, watchOS 7, and more. Now the guide has been updated with specifics on how Touch ID on the new Magic Keyboard works, how iPhone unlock with Apple Watch in iOS 14.5 cryptography works, and more.

A security researcher with a solid track record in discovering Wi-Fi vulnerabilities has discovered new ones, some of which are part of the core security protocols of the Wi-Fi standard, so are present in virtually every device from 1997 onwards.

The flaws could be exploited to steal sensitive data, control smart home devices, and even take over some computers. There are, however, two pieces of good news. First, the real-life risks for ordinary users are very small. Second, it’s easy to protect yourself against even these small risks …

You may not remember, but a modified copy of Xcode that surfaced on the web in 2015 was responsible for injecting malware into several iPhone and iPad apps that were subsequently uploaded to the App Store. Now, thanks to the Epic vs. Apple trial, internal Apple emails have revealed that more than 128 million iOS users were affected by the “XcodeGhost” malware.

An award-winning iPhone hack was used by the Chinese government to spy on Uyghur Muslims, giving Beijing total control of their phones.

A detailed report says that Chinese white-hat hackers used to participate in the annual Pwn2Own contest designed to uncover and exploit zero-day security vulnerabilities. The hackers win cash prizes, and the issues are reported to the companies concerned so that they can be fixed before details are shared publicly …

A new study published today takes an in-depth look at how apps used in schools are sharing children’s data with third parties. The research found the majority of school apps transmit data and that Android is 8x more likely to be sending that data to “very high-risk” third parties than iOS.

Apple released updates for iPhone, iPad, Mac, and Apple Watch today with multiple security updates. The patched flaws involved malicious web content that could lead to arbitrary code execution – and Apple says they may have been actively exploited.

The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer supports the direct extraction of iPhone data, according to a document shared with us. This follows the discovery and exploitation of a vulnerability by secure messaging app Signal.

Signal discovered multiple security vulnerabilities in Cellebrite’s software, and was able to find a way to booby-trap iPhones to corrupt the results of a scan using Physical Analyzer …

US military movements in Syria were revealed by location info available for purchase from smartphone apps, says a new report today. This included enough information to identify the location of an undeclared US military base in the country.

The sensitive location information was harvested from weather, games, and dating apps on the phones of US soldiers, and appears to include special ops personnel …