Category Archives: Cell Phone (iPhone, Android, windows mobile)

Please be vigilant. Spyware will be installed on your phone at any time – Oct 2019

Preface: Since the spyware runs in a stealth mode, it will let you track the device without being detected.

Background: Patroit Act empower law enforcement agency or related department can legally monitor the movements of suspect especially Terrorism. And therefore law enforcement agency will be used spyware monitor what’ the target movement. As time goes by, quite a lot of software vendors do a transformation of mobile phone monitoring tool (spyware) to consumer product. Flexispy and Spyzie are popular in the market. You can purchase this product though vendor web portal. The slogan by vendor is that no rooting or jailbreaking required. It can easy to track SMS, CallLogs, Social Apps and locations.

Legal point of view: If the spyware was ‘used on a case,’ a detail document of report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said attorney.

The reasons why cyber criminals want to hack your phone?

  • To eavesdrop on calls
  • To steal money
  • To blackmail people

So the Federal Trade Commission recommended Smartphone users who suspect an illegitimate stalking app on their device should consider their recommendations. Refer to URL for more details. https://www.consumer.ftc.gov/blog/2019/10/stalking-apps-retina-x-settles-charges

Reflection – Crafted emoji cause WeChat application (for Android) service crash.

Preface: When mobile computing born, cyber attack (botnet attack) and data leakage rapidly growth. Do you think this is the destiny.

Observation: A proof of concept shown that a technical limitation occurs on TenCent WeChat 7.0.4 (android version). When a stranger send a craft emoji to WeChat user. The WeChat application will be crashed once open the emoji file. The security expert found the following reason:

vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service

Refer to attached diagram, the 1st phase of attack should get the IMEI. Perhaps the specify attack has per-requisite. So it let the people feeling that it is only an idea and therefore may not pay attention in high pioritty. But it is an alert signal to WeChat users. Why? Wechat’s plug-ins are encapsulated in jar files and so files in the / assets / preload directory (see attached diagram). Security expert found technical limitation on vcodec2_hls_filter in libvoipCodec_v7a.so. From technical point of view , attacker can be develop attack technique ride on this issue. Stay tuned.

End.

Who is right, who is wrong. Who know?

Preface: Spy Chip Scandal Amplifies Concerns over Huawei’s 5G Equipment on last year (2018).

Doubt – Is it safe to use Huawei phones and should the manufacturer be trusted to make 5G network equipment?

Reality: A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution. It looks that this technical flaw not resolve yet!

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability, for more details, please refer to below url for reference.

https://www.kb.cert.org/vuls/id/790839/

What is your decision? I am a mobile phone users, a lot of time I forget about surveillance scandal. But 5G phone it is expensive in the moment, I do not have money to buy!

Does QR Codes can pose a risk to your security and safety?

Preface:
QR codes have become common in consumer advertising. Friendly speaking, it make your finger and mouth more relaxed!

Is the QR code safe?
Most risks with QR Codes stem from QR Codes not being readable to humans. Since the QR codes not being able to easily identify a code as the original where the problems arise. As a result, the mobile application authentication design will be a key factor for security protection.
In addition, malware hidden in the QR-Reader app can infect your smartphone. Malware known as ‘Andr/HiddnAd-AJ’ was able to load itself onto a number of apps designed to read QR-Codes. And compromise your smartp

Realistic:
Even if it involves risk, the modern world likes to take a risky approach. So how to enhance the QR code system security?

Possible ways:

  1. QR code system uses fingerprints and face recognition.
  2. Awareness training
  3. Mobile device management especially patch management and antivirus system.

Should you have interest to find out more, please refer below url for reference:
Security Considerations of Using QR Code – https://www.polyu.edu.hk/its/general-information/newsletter/144-year-2018/feb-18/732-security-considerations-of-using-qr-code

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Integrated GPU may allow side-channel and rowhammer attacks – 03 May 2018 | Last revised: 03 May 2018

The side-channel attack looks never ending in CPU world.
So called rowhammer attack jeopardize to the cyber security world today especially smartphone. The worst is that it can altering the information saved in a computer’s memory once attack successful.

An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL (see below url for reference).

https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf

Impact

The attacker may be able to bypass security features provided by the web browser.

Observation:

Microsoft and Cisco announce that they will intend to integrate New Intel Threat Detection Technology to Help Defend Against Advanced Security Threats last month.
I think they have to consider this technincal problem before click start of their project.

https://newsroom.intel.com/editorials/securing-digital-world-intel-announces-silicon-level-security-technologies-industry-adoption-rsa-2018/

Status:

 

Vendor Status Date Notified Date Updated
Google Affected 16 Mar 2018 03 May 2018
Mozilla Affected 16 Mar 2018 03 May 2018
Microsoft Not Affected 16 Mar 2018 25 Apr 2018
AMD Unknown 16 Mar 2018 16 Mar 2018
Apple Unknown 16 Mar 2018 16 Mar 2018
Arm Unknown 26 Apr 2018
BlackBerry Unknown 16 Mar 2018 16 Mar 2018
Brave Software Unknown 16 Mar 2018 16 Mar 2018
Broadcom Unknown 16 Mar 2018 16 Mar 2018
IBM, INC. Unknown 26 Apr 2018 26 Apr 2018
Imagination Technologies Unknown 16 Mar 2018 16 Mar 2018
Intel Unknown 16 Mar 2018 16 Mar 2018
NVIDIA Unknown 16 Mar 2018 16 Mar 2018
Opera Unknown 16 Mar 2018 16 Mar 2018
QUALCOMM Incorporated Unknown 16 Mar 2018 16 Mar 2018

Realistic threats exists in NFC. Are they all secure?

The mobile payment is aggressive in some sort of area. As seen, it fully utilized in China market. From the economey point of view, this new payment design driven the retail business in parallel. The traditional banknote concept convert to digitalization silently.Is this a prelude of digital currency? The people doubt of the NFC (near field communcation) technology embedded in Visa payment earlier. As times goes by, it is popular today. The new smartphone market similar pushing the NFC techonology into next phase. The new form of payment method integrated both smartphone (iPhone and Android) and payment card with near field communication. How Secure Are NFC Payments? NFC technology comes with a range of security features that help protect financial data from stolen. But are they capable to avoid modern cyber attack? Perhaps if the computer product contains Java programming element. It is hard to avoid vulnerability. As a matter of fact, Java bytecode Verification is a key element in Java world. If this feature applied in the overalll design. It will significant reduce the malware infection because it is not easy to execute the malicious code. Do you have doubt after this discussion?

Firebase Analytics – To be compliance or not to be compliance on personal privacy

Perhaps the scandal of Facebook and awaken people in the world concerning their personal privacy. Meanwhile web surfing behavior is a major element to do the behaviour analytic.  Now we fully understand the influence power of social media platform. However the analytic function not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I do a survey on popular mobile application software tonight. The reason I chosen this mobile apps software for evaluation is that it contains a series of new claims services includes insurance claim. It  allow insurance claims pay-out at 7-Eleven (Hong Kong). The result is that the mobile apps pass the compliance requirement. The firebase analytics service disabled for legal reasons. For more details, please refer above diagram for reference.

CVE-2018-3561 – Is this a hiccups or it will maintain longer?

Retrospectively, the annual revenue growth of smartphone chips vendor on 2017 Q3. Samsung is the winner.Qualcomm growth only 23% but apple only growth of 12%. From my personal point of view, even though operating system or vulnerability on iPhone looks mystery. Perhaps it is a business strategy in order to avoid competitor know the details. By the way, Qualcomm techincal design limitation lure my interest. Regarding to the CVE 2017-15834 it proof that there is a vulnerability occur in kernel let it encountered potential heap overflow. But this bug found last year, however I believe that it will continous expose something bad until MDM9615 and MDM9x07 end of life.The MDM9615 appears to be a Qualcomm chip. But apple iPad deployed it. Android phone is the biggest comsumer of MDM9615 and MDM9x07 so far. A new vulnerability identify by US-CERT on Mar 2018 with vulnerability record reference no. CVE-2018-3561.The issue is that Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition. Stay alert and update your Android phone once patch for security update available.

Do you concerns of your e-wallet?

Electronic wallets play an important role in our daily lives. Perhaps the demand of e-wallet market in Hong Kong cannot compare with Greater China market. However mobile phone itself like computer device will encounter Zero – day. This week I keen my personal interest review the TNG wallet design. I am concerning the vulnerability (CVE-2016-5195) on android OS in past. TNG wallet is able to working with armeabi-v7a and armeabi.

From cyber security perspective, it is highly recommend TNG e-wallet user follow the security advice of mobile phone vendor. It is better to update OS once it is available. For more details, please refer to below diagram for reference.