June 26, 2018

Episode 2: FlightRadar24 Data Breach, iPhone Passcode "Bypass" and Smartphone Batteries Leaking Your Data


In today's episode we will have a look at the major developments from the past week. We will start with the Flightradar24 data breach and see how the company responded to the incident; next we will take a deeper look at the iPhone passcode bypass and see whether you should really be worried about it; and last but not least we will see how much of your data smartphone batteries can leak.


Transcript

Flightradar24 Data Breach

Do you remember, when you are in an airport waiting for your plane, continuously opening your airline's app to look at the map showing your plane's location? There is a high probability that the app was getting that data from Flightradar24.

On Wednesday last week it was reported that the popular flight tracker Flightradar24 suffered a data breach, one that may have compromised email addresses and hashed passwords. Apparently Flightradar24 did not bother much to publicly admit the breach via its official channels; instead it started sending out emails with password reset links, asking customers to change their passwords. The email itself indicated that the breach affects users who registered prior to March 16, 2016, which hints that the company might not have been too careful with encryption prior to that period, thus allowing attackers to gain access to the compromised data.

A company representative highlighted that no personal information was compromised, and noted that payment information is not stored on its systems. Strangely enough, Flightradar24 said it was confident that the incident had been contained after the targeted server was "promptly" shut down once the intrusion was detected.

The company claimed that the breached passwords were hashed, though it did not specify the hashing algorithm or whether the hashes were protected with a salt, which adds an extra layer of security to hashed passwords.
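
To make the salt point concrete, here is an added example (not Flightradar24's code, nor anything from the breach notification) that stores one constructed sample password for two users, once as an unsalted SHA-256 digest and once with a per-user random salt and a slow KDF, and counts how many stored digests repeat across accounts.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two customers who happen to use the same password,
# a common situation in any large user base.
USERS = {"alice@example.com": "Summer2016!", "bob@example.com": "Summer2016!"}


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: identical passwords yield identical digests,
    so one cracked digest (or a precomputed table) exposes every user
    who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns 'iterations$salt_hex$digest_hex' so the salt is stored
    alongside the digest, as a real user database would do."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_digest_groups(store: dict) -> int:
    """Count stored values shared by more than one user; a result above
    zero means a leaked table reveals password reuse at a glance."""
    counts = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def build_stores():
    """Constructed comparison: the weak table next to the salted one."""
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return weak, salted
```

With the unsalted table the two accounts share one digest; with the salted table they share none, so an attacker who cracks one entry learns nothing about the other.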

The company has not said how many users are impacted; its notification only mentions that the incident affects a "small subset of Flightradar24 users." However, considering that the service has over 40 million users per month and its mobile applications are among the most installed apps on Google Play and the Apple App Store, even a "small subset" could be a significant number.

To protect its customers' accounts, in case hackers manage to crack some passwords from the list, Flightradar24 has already expired the previous passwords of the affected users, forcing them to set a new password before accessing their accounts. Flightradar24 says it has notified the Swedish Data Protection Authority in order to comply with the EU's General Data Protection Regulation (GDPR).

It's good to know that the company quickly discovered and responded to the incident; however, it could have published more information about it, since the limited information shared by Flightradar24 does not really put customers in a more comfortable position. Ambiguity in security is probably one of the worst ways to handle a data breach.

Although it's understandable from a marketing perspective that you want to inform only those users who might have been affected by the breach, it would be much more professional to publish the information on official channels.

Anyway, you are advised to change your passwords on other online services and platforms as well if you reuse the same credentials. Make sure to use complex and different passwords on each service, try to use a password manager, and have a peek at haveibeenpwned.com, a website operated by security professional Troy Hunt, where you can check whether your accounts have been compromised in recent data breaches.

iPhone Passcode Bypass

All major smartphone manufacturers are concerned with security, especially when it comes to selling you something. Apple is notorious for advertising how secure its iPhone flagships are, especially after the debate in 2016. Back then, the debate about whether manufacturers should aid law enforcement officials in unlocking criminals' phones became very heated, as the FBI took Apple to court over its refusal to unlock the San Bernardino shooter's iPhone. At the time, the agency said that Apple was its only shot at getting access to whatever was stored on Syed Farook's iPhone 5c, but it later used an outside vendor to crack the phone and get to its data. That's why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter's iPhone, and why agencies are buying an affordable iPhone cracker called GrayKey.

I'll give you a short backstory here. Apple started encrypting iOS devices back in 2014. In order to access that encrypted information, iPhones and iPads require users to set a four- or six-digit passcode to protect the device during the first setup. If the passcode is entered incorrectly 10 times, Apple's operating system wipes the device and deletes the information forever. Similar techniques are also implemented in other major flagships.

However, on June 22nd last week a security researcher named Matthew Hickey allegedly discovered that it's not that difficult to bypass the passcode lock, even on a device running the latest version of Apple's smartphone operating system. As it appears, all one requires is a working locked phone with a Lightning cable attached to it.

Matthew tweeted that he had discovered a way to brute-force 4- and 6-digit PINs without limits and posted a video demonstration of his findings.

The interesting demonstration shows how the attack works. Basically, when the iPhone or iPad is plugged in, an attacker can use keyboard input to enter passcode guesses instead of tapping the numbers on the device's screen. When the keyboard input occurs, it triggers an interrupt request that takes priority over everything else happening on the device. An attacker could create a massive string of inputs and send them all at once, and iOS would allow an endless string of guesses without erasing the device.

However, after comments from other security researchers and from Apple itself, which stated that "The recent report about a passcode bypass on iPhone was an error, and a result of incorrect testing," the researcher went back and reanalyzed his findings, only to discover that passcodes entered from keyboards don't always reach the Secure Enclave Processor. So although it 'looks' like PINs are being tested, they aren't always sent, and therefore they don't count against the maximum number of attempts. This means that the attack is much slower than initially expected, entering just one passcode every three to five seconds, so only about 100 four-digit codes can be tested every hour.

Some of you are probably wondering what the Secure Enclave Processor is. The Secure Enclave is part of the A7 and newer chips and is used for Touch ID. Within the Secure Enclave, the fingerprint data is stored in an encrypted form that can only be decrypted by a key available to the Secure Enclave, which walls the fingerprint data off from the rest of the A7 chip and the rest of iOS. The Secure Enclave is separate and has its own OS, called SEPOS. Unfortunately, very limited information is available about the Secure Enclave.

I think we should applaud every security researcher who finds vulnerabilities or, in this case, ways to bypass the implemented security measures, even if those bypasses are not 100% effective. This allows us to become better at security, improve products and increase awareness. It is one of the most successful ways to get secure and privacy-oriented products in the future.

Also keep in mind that Apple is rolling out a new feature, called USB Restricted Mode, in its upcoming iOS 12 update, which is said to make it far more difficult for police or hackers to get access to a person's device and their data. So let's see how the story develops and what Apple will have to offer; meanwhile, make sure that you are using different and complex passcodes and passwords on all your devices.

Smartphone Batteries Leak Data

Mobile devices are equipped with increasingly smart batteries designed to provide responsiveness and extended lifetime. However, such smart batteries may present a threat to users’ privacy. 

A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector, revealing what users do with their devices through analysis of power consumption. Apparently, a phone's power trace sampled from the battery at 1 kHz holds enough information to recover a variety of sensitive data.

The researchers show techniques to infer characters typed on a touchscreen, to accurately recover browsing history, and to detect incoming calls and photo shoots, including their lighting conditions. Combined with a novel exfiltration technique that establishes a covert channel from the battery to a remote server via a web browser, these attacks turn the malicious battery into a stealthy surveillance device. The researchers deconstructed the attack by analyzing its robustness to sampling rate and execution conditions. To find mitigations, they identified the sources of the information leakage exploited by the attack. They discovered that the GPU or DRAM power traces alone are sufficient to distinguish between different websites; however, the CPU and power-hungry peripherals such as the touchscreen are the primary sources of fine-grained information leakage. Therefore power-hungry phone components can reveal user activity.

To sum it up, the researchers show the feasibility of turning a malicious battery into a spy by implanting a microcontroller that samples the power flowing in and out at a 1 kHz sample rate. According to their tests, attackers can, with varying degrees of accuracy, deduce characters typed on the touchscreen and get their hands on users' browsing history, calls and photos. Exfiltrating the data is also possible, one bit at a time, through the device's web browser.

Since almost all phone activity is exposed, it becomes a very attractive attack vector. By correlating power flows with a keystroke, the context of the keystroke (such as whether someone is visiting a website at the time) and "the events that preceded or followed it" (such as taking a photo or making a phone call), an attacker can reconstruct a coherent portrait of the user's activity, thus dramatically amplifying the power of the individual attacks.

From a real-world attack perspective, successful exploitation would require the attacker to insert their malicious battery by breaching physical security controls, but this can be relatively easy if the user leaves a phone for repair with an untrusted service provider. I guess we all remember how law enforcement used the Geek Squad of eBay for unethical spying activities.

After successfully overcoming the physical obstacles, the attacker needs something to analyze the power traces, either software or an offline AI model. If an attacker overcomes this obstacle as well, the exfiltration part is relatively easier, since it can be done via the Web Battery API when the user visits a malicious website.

The Web Battery API is one of the major privacy-leaking "features", allowing websites to monitor battery status. This API exposes three parameters: time to full charge and discharge, battery level, and charging state. The experts showed that the charging state parameter (which has a value of 0 or 1 when the battery is charging or discharging) can be manipulated for data exfiltration via wireless charging technology.

Mozilla's Firefox browser has discontinued support for the Battery API and encourages developers to avoid using it. It is also absent from WebKit, the browser engine used in Apple's Safari, but it is still available in Chrome.

So, to wrap it up, do not panic: for now the attack is only at the stage of a decently tested theory, and it is definitely not that feasible to realize. But it is still a good idea not to hand over your favorite devices to untrusted companies or vendors, and to be aware of malicious links and websites. If you are concerned about your privacy, switch to the Firefox or Brave browsers, as in my opinion they provide a good balance of privacy and features.
