Preface: To protect the safety of customers, Apple will not disclose, discuss or confirm security issues until the investigation is completed and patches or updated versions are provided.
My observations on CVE-2021-30737:
Background: PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa. PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT.
Vulnerability details: A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code. The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c, part of the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution.
Preface: The vendor insisted on fixing the cyber security weaknesses CVE-2020-27929 & CVE-2020-27930. However, this iOS upgrade caused specific iPhone models, especially the 6s, to encounter operational difficulties.
Observation 1: On 5th November, 2020, Apple released a security update to enhance the cyber security protection of their products. This enhancement included remediation of two different vulnerabilities. However, quite a lot of users, including myself, encountered technical problems. For instance, the touch screen on the iPhone 6s stopped responding intermittently.
Observation 2: When I connect my iPhone 6s to my notebook, the touch screen malfunction happens less frequently, but it still occurs intermittently. The symptom looks related to a daemon (com.apple.mtmergeprops.plist). Do you think this problem is caused by a missing step that checks the iOS device chip model (A9 or A10), whereby a memory mapping problem occurs?
Preface: Since the spyware runs in stealth mode, it lets you track the device without being detected.
Background: The Patriot Act empowers law enforcement agencies or related departments to legally monitor the movements of suspects, especially in terrorism cases, and therefore law enforcement agencies use spyware to monitor the target's movements. As time goes by, quite a lot of software vendors have transformed mobile phone monitoring tools (spyware) into consumer products. Flexispy and Spyzie are popular in the market. You can purchase these products through the vendor's web portal. The vendors' slogan is that no rooting or jailbreaking is required, and that it is easy to track SMS, call logs, social apps and locations.
Legal point of view: If the spyware was ‘used on a case,’ a detailed report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said an attorney.
Why do cyber criminals want to hack your phone?
Preface: When mobile computing was born, cyber attacks (botnet attacks) and data leakage grew rapidly. Do you think this is destiny?
Observation: A proof of concept showed a technical limitation in Tencent WeChat 7.0.4 (Android version). When a stranger sends a crafted emoji to a WeChat user, the WeChat application crashes once the emoji file is opened. The security expert found the following reason:
“vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service”
Referring to the attached diagram, the 1st phase of the attack should obtain the IMEI. Perhaps this specific attack has a prerequisite, so it leaves people feeling that it is only an idea and therefore may not warrant high priority. But it is an alert signal to WeChat users. Why? WeChat's plug-ins are encapsulated in jar files and .so files in the /assets/preload directory (see attached diagram). The security expert found a technical limitation in vcodec2_hls_filter in libvoipCodec_v7a.so. From a technical point of view, an attacker could develop an attack technique riding on this issue. Stay tuned.
Preface: The spy chip scandal amplified concerns over Huawei’s 5G equipment last year (2018).
Doubt – Is it safe to use Huawei phones, and should the manufacturer be trusted to make 5G network equipment?
Reality: A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution. It looks like this technical flaw has not been resolved yet!
Vulnerability Note VU#790839: Objective Systems ASN1C generates code that contains a heap overflow vulnerability. For more details, please refer to the url below for reference.
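Both ASN.1 items on this page (the krb5 asn1_decode_generaltime bug that freed an uninitialized pointer, and the ASN1C-generated code with a heap overflow) come down to two decoder habits: a pointer that may later be freed is set to NULL before any early return, and a length read from the wire is checked against the bytes actually present before it drives an allocation or copy. The following is an added example written for this page, not krb5 or ASN1C code: a small bounds-checked DER GeneralizedTime decoder with two constructed inputs, one valid and one whose length header lies.

```c
/* Added example (not krb5 or ASN1C code): a bounds-checked DER
 * GeneralizedTime decoder. A pointer that may be freed is NULL before
 * any early return, and every wire length is checked against the bytes
 * actually held before it is used for allocation or copying. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DER_TAG_GENERALIZEDTIME 0x18

enum { DER_OK = 0, DER_ERR_SHORT = -1, DER_ERR_TAG = -2,
       DER_ERR_LENGTH = -3, DER_ERR_FORMAT = -4, DER_ERR_NOMEM = -5 };

/* Read a DER length (definite form, minimally encoded). *consumed is the
 * number of length bytes; *len is the content length they claim. */
static int der_read_length(const uint8_t *buf, size_t avail,
                           size_t *len, size_t *consumed)
{
    if (avail < 1) return DER_ERR_SHORT;
    uint8_t first = buf[0];
    if (first < 0x80) { *len = first; *consumed = 1; return DER_OK; }
    size_t nbytes = first & 0x7f;
    /* 0x80 is the indefinite form (not DER); more bytes than size_t cannot fit. */
    if (nbytes == 0 || nbytes > sizeof(size_t)) return DER_ERR_LENGTH;
    if (avail < 1 + nbytes) return DER_ERR_SHORT;
    size_t value = 0;
    for (size_t i = 0; i < nbytes; i++) value = (value << 8) | buf[1 + i];
    /* DER demands the shortest encoding: no leading zero byte, and values
     * below 0x80 must use the single-byte form. */
    if (buf[1] == 0 || value < 0x80) return DER_ERR_LENGTH;
    *len = value; *consumed = 1 + nbytes;
    return DER_OK;
}

/* Decode one GeneralizedTime TLV (YYYYMMDDHHMMSS[.f...]Z). On success *out
 * is a NUL-terminated heap string the caller frees; on any error *out stays
 * NULL, so free(*out) in the caller's cleanup path is always safe. */
int der_decode_generaltime(const uint8_t *buf, size_t avail, char **out)
{
    char *str = NULL;               /* initialised before any exit path */
    size_t len = 0, hdr = 0;
    int rc;
    *out = NULL;

    if (avail < 2) return DER_ERR_SHORT;
    if (buf[0] != DER_TAG_GENERALIZEDTIME) return DER_ERR_TAG;
    rc = der_read_length(buf + 1, avail - 1, &len, &hdr);
    if (rc != DER_OK) return rc;
    /* The claimed length must fit in the bytes we hold: skipping this check
     * is what turns a lying length into an out-of-bounds read or heap overflow. */
    if (len > avail - 1 - hdr) return DER_ERR_SHORT;
    if (len < 15 || len > 64) return DER_ERR_FORMAT;      /* sane time string */
    const uint8_t *body = buf + 1 + hdr;
    for (size_t i = 0; i < 14; i++)
        if (!isdigit(body[i])) return DER_ERR_FORMAT;
    if (body[len - 1] != 'Z') return DER_ERR_FORMAT;       /* DER mandates UTC */
    str = malloc(len + 1);
    if (str == NULL) return DER_ERR_NOMEM;
    memcpy(str, body, len);
    str[len] = '\0';
    *out = str;
    return DER_OK;
}

/* Constructed inputs for a self-check; each returns 1 on intended behaviour. */
int check_valid_time(void)
{
    static const uint8_t good[] = { 0x18, 0x0f, '2','0','2','1','0','5','0','3',
                                    '1','2','0','0','0','0','Z' };
    char *s = NULL;
    int ok = der_decode_generaltime(good, sizeof good, &s) == DER_OK
             && s != NULL && strcmp(s, "20210503120000Z") == 0;
    free(s);
    return ok;
}

int check_lying_length(void)
{
    /* Header claims 64 content bytes; only 15 follow. */
    static const uint8_t bad[] = { 0x18, 0x40, '2','0','2','1','0','5','0','3',
                                   '1','2','0','0','0','0','Z' };
    char *s = NULL;
    int rc = der_decode_generaltime(bad, sizeof bad, &s);
    free(s);                        /* safe: s is still NULL on failure */
    return rc == DER_ERR_SHORT && s == NULL;
}

int main(void)
{
    printf("valid time decodes: %d\nlying length rejected: %d\n",
           check_valid_time(), check_lying_length());
    return 0;
}
```

The decoder deliberately refuses non-minimal and indefinite lengths, since a parser that accepts them gives a crafted certificate more ways to steer the length check; the 64-byte upper bound is an assumption of this example, not a limit from any standard.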
Preface: QR codes have become common in consumer advertising. Frankly speaking, they make your fingers and mouth more relaxed!
Is the QR code safe? Most risks with QR codes stem from QR codes not being readable by humans. Since users are not able to easily identify a code as the original, this is where the problems arise. As a result, the mobile application's authentication design will be a key factor for security protection. In addition, malware hidden in a QR-reader app can infect your smartphone. Malware known as ‘Andr/HiddnAd-AJ’ was able to load itself onto a number of apps designed to read QR codes. And compromise your smartp
Realistic: Even if it involves risk, the modern world likes to take a risky approach. So how can the QR code system's security be enhanced?
The QR code system uses fingerprints and face recognition.
Mobile device management, especially patch management and antivirus systems.
As of today, we enjoy the security protection of 2-factor authentication with SMS-based one-time passwords (OTP). This protection mechanism is widely deployed, for instance in online banking, Visa and Mastercard online payment systems and mobile application payment systems. However, NIST plans to retire SMS-based 2-factor authentication. This decision has been an open topic for public discussion in the related industry since the end of 2016. Some people query the technical standpoint of this decision.
Background – NIST SP 800-63-3 is the equivalent of a bible for CSOs (chief security officers) around the world, even if your business is not focused on the US market. The documentation structure of NIST SP 800-63A is a subset of 800-63-3. This subset of guidelines specifically addresses digital identity guidelines. Item 220.127.116.11 indicates the address confirmation, including SMS (hyperlink below for official document download).
Reference: Two-factor authentication uses two different factors from the following, namely “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user's identity.
SMS message system design limitations (see below):
SIM swap is a type of phishing fraud that poses a serious threat to mobile phone users. Once the swap succeeds, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords.
SMS messages can be intercepted in many ways (problems in SS7).
ASN.1 design flaw
If you are interested in items 2 and 3, please refer below:
Side-channel attacks look never-ending in the CPU world.
The so-called rowhammer attack jeopardizes the cyber security world today, especially smartphones. The worst part is that it can alter the information saved in a computer’s memory once the attack succeeds.
An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL (see the url below for reference).
The attacker may be able to bypass security features provided by the web browser.
Last month, Microsoft and Cisco announced that they intend to integrate the new Intel Threat Detection Technology to help defend against advanced security threats.
I think they have to consider this technical problem before clicking start on their project.
Mobile payment is aggressive in some areas. As seen, it is fully utilized in the China market. From the economic point of view, this new payment design has driven the retail business in parallel. The traditional banknote concept is silently being converted to digital form. Is this a prelude to digital currency?

People doubted the NFC (near field communication) technology embedded in Visa payment earlier. As time goes by, it is popular today. The new smartphone market is similarly pushing NFC technology into its next phase. The new form of payment method integrates both smartphones (iPhone and Android) and payment cards with near field communication.

How secure are NFC payments? NFC technology comes with a range of security features that help protect financial data from being stolen. But are they capable of avoiding modern cyber attacks? Perhaps, if the computer product contains a Java programming element, it is hard to avoid vulnerabilities. As a matter of fact, Java bytecode verification is a key element in the Java world. If this feature is applied in the overall design, it will significantly reduce malware infection because it is not easy to execute the malicious code. Do you have doubts after this discussion?
Perhaps the Facebook scandal has awakened people around the world to concerns about their personal privacy. Meanwhile, web surfing behaviour is a major input for behaviour analytics. Now we fully understand the influence of social media platforms. However, the analytics function is not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I did a survey of popular mobile application software tonight. The reason I chose this mobile app for evaluation is that it contains a series of new claims services, including insurance claims. It allows insurance claim pay-outs at 7-Eleven (Hong Kong). The result is that the mobile app passes the compliance requirement. The Firebase analytics service is disabled for legal reasons. For more details, please refer to the diagram above.