Tech News - Forensics

A new study by researchers at Cambridge University’s Computer Laboratory has revealed that an attack called calibration fingerprinting or SENSORID, allows iOS and Android devices to be tracked across the internet. The researchers stated that this attack is easy to conduct by a website or an app in under 1 second as it requires no special permissions, does not require user interaction, and is computationally efficient. Yesterday, at the IEEE Symposium on Security and Privacy, the researchers presented a research paper titled “SENSORID: Sensor Calibration Fingerprinting for Smartphones”, that introduces the calibration fingerprinting attack. In this paper, the researchers have demonstrated the effectiveness of this attack on iOS devices and found the lack of precision in the M-series co-processor helps the generation of such a fingerprint. “Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers”, the research report states. “According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones' sensors”, reports ZDNet. The researchers used a new method of fingerprinting devices with embedded sensors by carefully analyzing the sensor output. Sensors do not require any special permissions, and the data can be accessed via both a native app installed on a device and also by JavaScript when visiting a website on an iOS and Android device. It can be generated by both apps and mobile websites and will require no user interaction. When the attack was experimented on an iPhone 6S, it was found that that the GYROID contains about 42 bits of entropy and the MAGID provides an additional 25 bits of entropy. The study has demonstrated that the combination of the MAGID and GYROID – the SENSORID – is globally unique for the iPhone 6S. This did not change on factory reset or after a software update. This shows that the attack can also be applied retrospectively to a historic archive of sensor data. In addition to iOS devices, it has been found that Google Pixel 2 and Pixel 3 can also be fingerprinted by SENSORID attack. The researchers claim that all iOS devices that have a gyroscope or magnetometer can be fingerprinted by this approach, including the latest iPhone XS and iPhone XS Max. The mainstream iOS browsers- Safari, Chrome, Firefox, and Opera and privacy enhanced browsers- Brave and Firefox Focus are all vulnerable to this calibration based fingerprinting attack, even if the fingerprinting protection mode is turned on. They added, “We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SENSORID either.” The researchers notified Apple about this vulnerability in August 2018 and Google in December 2018. Apple patched this issue with the release of iOS12.2 in March 2019. However, Google has not taken any prompt action and have just informed the researchers that they will investigate this issue. With the latest iOS 12.2 release, the new iPhones and iPads will generate a new fingerprint with every sensor calibration query, making SENSORID type of user tracking useless. Further, Apple also removed access to motion sensors from Mobile Safari by default. The researchers anticipate that calibration information used in other embedded sensors can also be recovered and used as a fingerprint. Thus future research will successfully perform calibration fingerprinting attacks on other types of sensor. Any iPhone, is vulnerable to an attack, unless it has been updated to to iOS 12.2. If a user is using a Pixel 2 or 3, it's vulnerable to attack. But the vulnerability to an Android phone is not yet known fully, but there is a sure possibility to it. Read More Apple proposes a “privacy-focused” ad click attribution model for counting conversions without tracking users Introducing Minecraft Earth, Minecraft’s AR-based game for Android and iOS users Apple Pay will soon support NFC tags to trigger payments  

Have you heard about the latest VPNFilter Malware attack? In brief, the software networking firm and its network analysis department known as ‘Talos’ identified a malware known as VPNFilter a few weeks ago. Something about these attacks made them particularly risky. If you are an individual or any small or medium business organization accessing the internet using routers from companies such as Linksys, Netgear, QNAP, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE then you are vulnerable to the VPNFilter malware attack. Read on to understand where do you stand and what you can do to avoid falling victim of this vicious malware attack. How VPNFilter malware works? The first thing that you need to understand is that VPNFilter has a 3 stage attack procedure. The first stage, which is one of the most potent and dangerous one too, plants itself into the router firmware. In most malware attack cases, a reboot would make the malware go away. That’s where VPNFilter stands out. It persists through the reboot and after the reboot it initiates the second stage. The second stage is about spying on the user activity and data and then storing and accessing user data, tracking the URLs and getting to know more about the victim. The most terrifying factor is that the user never realizes that they have been attacked. The reason being that VPNFilter uses the technique of “Man in the Middle” or MitT attack. What happens in this form of cyber attack is that the spyware gets attached to the router and then collects user data and prepares for a larger assault while the user is completely unaware of it. The image below explains the process.     Source: Yeahhub.com If this seems scary to you then you haven’t yet heard the interesting bit yet. The third stage is about introducing different plugins which can perform different types of actions. One of them is it can downgrade the security level of your requests from HTTPS to HTTP protocol. This in turn makes your data unencrypted and also makes your passwords and other valuable data open to anyone who is snooping on your network. The rest of the hacking process then eventually becomes much easier. Imagine what could happen if you logged in to a social media platform or into your netbanking application and the data is phished away. The worst part is that you won’t even know that your account is hacked until the hackers expose themselves by making malicious transactions. The horror story doesn’t end here, it also comes with a “Remote Destroy” button. This enables the hackers to delete important network and configuration files from your router before destroying the malware and this means your router will be rendered useless after they choose to do so. This gives them the power to disrupt internet connectivity on a global scale since the number of routers presently affected can be anywhere around 500k. Is there a way out? How can you save your router from this onslaught. Rebooting doesn’t work. The only way that some groups have suggested is to restore factory defaults of your router, upgrade the firmware of your router, and log in with your credentials. This three step process might be the only way you can get away from this attack. How to know that your router is no good? Try updating it to the latest version of firmware, if it says unable to upgrade, you can be damn sure of the fact that it’s time for you to buy a new one. BeyondCorp is transforming enterprise security Top 5 cybersecurity assessment tools for networking professionals IoT Forensics: Security in an always connected world where things talk