Last week, media reports on security loopholes in Apple and Samsung devices received public attention. In the case of Apple computers and mobile devices, hackers are said to have succeeded in stealing passwords and confidential data. What is behind all this?
In the middle of June, six researchers from the USA and China published a whole set of security loopholes in Apple's operating systems iOS and Mac OS X, designated "XARA".
Affected is, among other things, the keychain, the store in which applications on Apple operating systems write passwords and other secrets. Due to a design error, a malicious program can delete the keychain entry of another program and then replace it with an identically structured entry that it can access itself. At the same time, the malware gives the legitimate program access to this entry as well, so that from that moment on the legitimate program stores its secrets in the compromised keychain entry. With this trick the researchers were able to access data of apps such as iCloud, Gmail or Facebook. Likewise, they succeeded in reading the credentials for all password-protected services used in the Chrome browser. Since under iOS an app can only access its own keychain entries, mobile devices are not affected by this weakness.
A further problem, which arises only under Mac OS X, comes from the helper programs embedded in apps. Normally, apps can access only their own data. This is guaranteed by storing that data in a directory whose name corresponds to the bundle ID (BID) of the app. Before a program is published in the Mac App Store, Apple ensures that this BID is unique. The helper programs embedded in apps, however, have their own BIDs, and these are not checked by Apple. Malicious software can therefore contain a helper program carrying the BID of another app, and through this helper program it obtains access to that app's data directory. The researchers demonstrated this using Evernote: their malware was able to read all contact details and notes from Evernote's data directory.
As if this were not bad enough, the communication between programs can also be interfered with. In particular, browser extensions often use helper applications, with which they exchange data via the WebSocket protocol. This communication takes place over a fixed TCP port. A malicious app can interpose itself by occupying that port before the legitimate helper program is started. The discoverers cite the example of 1Password, a browser extension for password management, which stores passwords on the hard disk through its helper application 1Password mini. If the malware succeeds in occupying TCP port 6263, which is used for this communication, before 1Password mini does, it can grab all passwords entered in the browser.
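The weakness in the port-squatting case is that the extension trusts whatever process answers on the fixed port. The following added example (not code from the original post or from 1Password) models the defensive counterpart: the client side runs a challenge-response over the local socket and only hands over a secret once the listener has proven knowledge of a shared key. All names, the port (an ephemeral one, not 6263), the shared key and the payload are constructed for the demo; a listener started with `secret=None` plays the role of a process that bound the port first but does not know the key.

```python
import hashlib
import hmac
import os
import socket
import threading

# Constructed demo key. A real deployment would have to provision it to the
# extension and the helper out of band (assumption, not from the original post).
SHARED_SECRET = b"constructed-demo-secret"


def expected_response(secret: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the client's fresh nonce proves possession of the key."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def listener(secret, ready, port_box, received):
    """Whoever binds the port first is the peer the extension ends up talking to.
    secret=None models a squatting process that does not know the key."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: ephemeral port for the demo
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    nonce = recv_exact(conn, 32)
    if secret is not None:
        conn.sendall(expected_response(secret, nonce))
    else:
        conn.sendall(b"\x00" * 32)  # a squatter can only guess
    received.append(recv_exact(conn, 1024))  # whatever the client sends next
    conn.close()
    srv.close()


def send_to_helper(port: int, secret: bytes, payload: bytes) -> bool:
    """Extension side: authenticate the listener before handing over secrets.
    Returns True only if the payload was actually sent."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        nonce = os.urandom(32)
        s.sendall(nonce)
        answer = recv_exact(s, 32)
        if not hmac.compare_digest(answer, expected_response(secret, nonce)):
            return False  # listener could not prove it is the real helper
        s.sendall(payload)
        return True


def run_scenario(listener_secret):
    """Start a listener, connect as the extension, report (sent?, bytes the listener got)."""
    ready, port_box, received = threading.Event(), [], []
    t = threading.Thread(target=listener, args=(listener_secret, ready, port_box, received))
    t.start()
    ready.wait()
    sent = send_to_helper(port_box[0], SHARED_SECRET, b"hunter2")  # constructed password
    t.join()
    return sent, received[0]


if __name__ == "__main__":
    print("genuine helper:", run_scenario(SHARED_SECRET))
    print("port squatter:", run_scenario(None))
```

The squatter still wins the port, so the legitimate helper cannot start; what the check prevents is the password ever reaching it. The caveat a practitioner should keep in mind is where the shared key lives: on the affected Mac OS X versions the keychain flaw described above is exactly what undermines such a secret, which is why verifying the identity of the peer process (for example its code signature) rather than a stored key is the more robust design.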
Another way for programs to exchange data with each other is URLs. The URL scheme (the part of the URL before the colon) determines which program handles the URL. Malware can intrude into this communication by registering another program's URL scheme for itself. This URL scheme hijacking is mainly significant under iOS, since iOS apps frequently use URLs for communication. The researchers presented Pinterest as an example: it uses Facebook to authenticate the user. The malware registers for itself the URL scheme that the Facebook app uses to hand the access token over to the Pinterest app, and intercepts the token in this way. Evidently vulnerable in the same way on iOS are, among others, online banking apps, the PayPal app and the Amazon app.
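The following added example (not code from the original post or from any of the apps named) models the scheme hijack in a toy registry where the last app to register a scheme receives the URL, and contrasts two ways of delivering a login result: a bearer token placed directly in the URL, as the post describes, and an authorization code bound to a PKCE challenge (RFC 7636, a mitigation not mentioned on the page), which a hijacker can receive but cannot redeem. All class names, scheme names and token values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class SchemeRegistry:
    """Toy model of the OS table from URL scheme to handling app.
    Last registration wins, which is what the hijack described above relies on."""
    def __init__(self):
        self.handlers = {}

    def register(self, scheme, app):
        self.handlers[scheme] = app

    def open_url(self, url):
        return self.handlers[url.partition(":")[0]].receive(url)


class IdentityProvider:
    """Stand-in for the Facebook side: issues single-use codes bound to a challenge."""
    def __init__(self):
        self.pending = {}

    def authorize(self, code_challenge):
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return code

    def exchange(self, code, code_verifier):
        challenge = self.pending.pop(code, None)
        if challenge is None or not hmac.compare_digest(challenge, s256(code_verifier)):
            return None  # unknown code, or caller cannot prove it started the login
        return "access-token-" + secrets.token_hex(8)


class App:
    """An app that can start a login and receive the callback URL."""
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.verifier = None
        self.seen_url = None
        self.token = None

    def begin_login(self):
        self.verifier = secrets.token_urlsafe(32)  # kept in process memory only
        return s256(self.verifier)

    def receive(self, url):
        self.seen_url = url
        query = dict(p.split("=", 1) for p in url.partition("?")[2].split("&") if "=" in p)
        if "token" in query:            # legacy: bearer token travels in the URL
            self.token = query["token"]
        elif "code" in query:           # PKCE: the code alone is worthless
            self.token = self.idp.exchange(query["code"], self.verifier or "")
        return self.token


def _setup(hijacked):
    reg, idp = SchemeRegistry(), IdentityProvider()
    pinterest, malware = App("pinterest", idp), App("malware", idp)
    reg.register("pinterest", pinterest)
    if hijacked:
        reg.register("pinterest", malware)  # later registration takes over the scheme
    return reg, idp, pinterest, malware


def legacy_flow(hijacked: bool):
    """Token in the URL: whoever owns the scheme gets the token."""
    reg, _, pinterest, malware = _setup(hijacked)
    reg.open_url("pinterest://auth?token=FB-ACCESS-TOKEN")  # constructed value
    return pinterest.token, malware.token


def pkce_flow(hijacked: bool):
    """Code plus PKCE: the hijacker sees the code but cannot turn it into a token."""
    reg, idp, pinterest, malware = _setup(hijacked)
    code = idp.authorize(pinterest.begin_login())
    reg.open_url(f"pinterest://auth?code={code}")
    return pinterest.token, malware.token, malware.seen_url is not None


if __name__ == "__main__":
    print("legacy, hijacked:", legacy_flow(True))
    print("pkce, hijacked:", pkce_flow(True))
    print("pkce, clean:", pkce_flow(False))
```

Note what PKCE does and does not buy: in the hijacked run neither the real app nor the hijacker obtains a token, so the login fails rather than leaking. Keeping the hijacker from receiving the URL at all requires a channel that the OS binds to a verified app identity, which a plain custom scheme on the affected versions is not.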
The discoverers of the XARA flaws succeeded in getting the programs that exploit these security gaps into the App Store and the Mac App Store, despite the strict security review performed by Apple. In October 2014 they informed the computer company about the security problems. The company gave itself a period of six months to solve them. When the loopholes had still not been fixed by the middle of June, the security researchers went public.
At the same time, a security gap became public that affects over 600 million Samsung smartphones, among them the Galaxy S6, S5 and S4 models. The pre-installed SamsungIME keyboard carries out updates of its language packages unencrypted. According to the discoverer, Ryan Welton from the security company NowSecure, it should be possible to slip unchecked program code into the update process, which is then executed with system rights. Thus an attacker who controls the network traffic can install malware on the phone. Samsung already delivered a patch to the mobile operators in March, and the smartphone manufacturer now wants to offer an over-the-air update to end users shortly.
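An unencrypted download is only exploitable in this way because the received code is installed without an integrity check. The following added example (not code from the original post, from Samsung or from NowSecure) shows the device-side check a practitioner would want: a manifest listing the SHA-256 digest of every language pack, and an installer that verifies every downloaded pack against it and installs nothing if any pack fails. The pack contents, the manifest format and all names are constructed for the demo; the manifest is assumed to reach the device over an authenticated channel.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packs: dict) -> str:
    """Producer side: list every pack with its digest.
    Constructed stand-in for a vendor manifest; in practice it must be delivered
    over an authenticated channel (TLS with a pinned certificate, or signed)."""
    digests = {name: sha256_hex(data) for name, data in packs.items()}
    return json.dumps({"version": 1, "packs": digests})


def check_update(manifest_json: str, downloaded: dict):
    """Device side: verify every downloaded pack before installing any.
    Returns (ok, names of rejected packs). Unknown packs are rejected too, so an
    attacker on the network can neither alter a pack nor add one."""
    expected = json.loads(manifest_json)["packs"]
    rejected = []
    for name, data in downloaded.items():
        digest = expected.get(name)
        if digest is None or not hmac.compare_digest(sha256_hex(data), digest):
            rejected.append(name)
    return (len(rejected) == 0, sorted(rejected))


# Constructed sample packs standing in for language packages.
GENUINE_PACKS = {
    "en_US.pack": b"constructed english dictionary data",
    "de_DE.pack": b"constructed german dictionary data",
}
MANIFEST = build_manifest(GENUINE_PACKS)


def tampered_download() -> dict:
    """What an on-path modification of the plain-HTTP download could look like:
    one pack altered, one unexpected pack added (constructed)."""
    d = dict(GENUINE_PACKS)
    d["de_DE.pack"] = GENUINE_PACKS["de_DE.pack"] + b"\n# constructed extra bytes"
    d["extra.pack"] = b"constructed unexpected file"
    return d


if __name__ == "__main__":
    print("genuine:", check_update(MANIFEST, GENUINE_PACKS))
    print("tampered:", check_update(MANIFEST, tampered_download()))
```

The check only moves trust to the manifest; if the manifest itself travels unencrypted and unsigned, the same on-path attacker rewrites both. Since the report says the update code runs with system rights, the verification has to happen before any part of the download is extracted or executed, not after.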
Different as they are, these security gaps show:
Badly configured Windows computers and servers are no longer the only targets of hacker attacks. As Apple computers and mobile devices spread, they too are exposed to attacks. It is increasingly important for enterprises to thoroughly secure access to data and communication. The Samsung security gap plainly shows how dangerous communication over unsecured networks, such as public WLAN hotspots, can be; in unsecured networks, using a VPN connection is therefore an absolute must. The various ways of stealing passwords on Apple systems, moreover, are impressive evidence of the limits of authentication by user name and password alone. Today it is essential to protect access to data with multi-factor authentication. The second factor, in addition to user name and password, must not be stored in the system; a hardware token is best suited for this.