Nothing About E2E Encryption – Week 13

Nothing, the vendor of Nothing Chat (a re-skin of the Sunbird app), was found to ship a chat app whose "end-to-end encrypted" claims did not hold up, as reported by Ars Technica: https://arstechnica.com/gadgets/2023/11/nothings-imessage-app-was-a-security-catastrophe-taken-down-in-24-hours/ Nothing has pulled the app until the issues, which outside researchers turned up within a day of launch, are fixed.

The following issues were identified in Nothing's supposedly E2E app:

  1. The user's Apple ID and password are handed to Sunbird's servers, which sign in to iMessage on the user's behalf,
  2. Sunbird logged and stored messages in plain text, both in its Sentry error-reporting service and in a Firebase store,
  3. Authentication tokens were sent over unencrypted HTTP (TCP port 80) rather than HTTPS, so anyone on the network path could intercept a token and use it to read your messages, and
  4. “When a message or an attachment is received by a user, they are unencrypted on the server side until the client sends a request acknowledging, and deleting them from the database. This means that an attacker subscribed to the Firebase Realtime DB will always be able to access the messages before or at the moment they are read by the user.” 

Conclusion

Per the article, “Içöz recommends that any Sunbird/Nothing Chat users change their Apple password now, revoke Sunbird’s session, and ‘assume your data is already compromised.’” Frankly, I’m amazed the Apple and Play Store don’t start having developers answer a quiz to determine whether their app merits posting into their “Walled Garden,” but perhaps they already do, and this is merely a response by the Internet community that does check each app’s claims regarding “security standards.”

For those interested, an app that claims to protect user data has to cover three states of that data: “at rest” (on storage), “in use” (in memory), and “in motion” (on the network).

Security “at rest” is what you’d expect: data sitting on disk or flash outside the active working set is encrypted, with the key kept somewhere the storage medium alone does not yield (a passphrase, a hardware keystore, a TPM). Security “in use” (in memory) means data cannot be snooped while the user is working with it; in applications this is mostly about session handling, and on servers it is the domain of memory-encrypting enclaves and confidential VMs. Transient-execution bugs such as Spectre, Meltdown and Retbleed make this state harder to defend, because a processor that can be coaxed into leaking speculatively loaded data exposes everything resident in memory, not just the process under attack. Intel and AMD ship microcode updates for affected parts, delivered through UEFI/BIOS updates from your board vendor or loaded by the OS at boot, so keep firmware current. These bugs are not Intel-specific: Spectre variants affect AMD and many ARM cores (ARM publishes its own affected-core list), Meltdown hit the Cortex-A75, and Spectre-style leaks have been reproduced on out-of-order RISC-V research cores; simple in-order cores are the ones that generally escape. Finally, security “in motion” covers data in transit, handled by TLS (SSL is its deprecated predecessor) layered over TCP, with certificate validation left on; the Nothing token-over-HTTP finding is exactly this control missing.
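The four findings above and the at-rest / in-use / in-motion split come down to one design rule: the server should never hold anything it could leak. The Go program below is an added illustration written for this page, not Sunbird's or Nothing's code. It models the server as a constructed store that logs and saves whatever it receives (the Sentry plus Firebase pattern), then compares a client that sends plaintext with one that seals each message with AES-256-GCM under a device-held key before sending, and adds the https-only guard that finding 3 was missing. The key shared by the two clients is assumed to have been agreed beforehand (the key-agreement step is out of scope), and the message text and endpoint URL are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net/url"
	"strings"
)

// Store is a constructed stand-in for the server side (a Firebase-style
// message table plus what its Sentry-style error reporter captures). It is
// the same in both designs; only whether the client encrypts first differs.
type Store struct {
	rows map[string][]byte
	log  []string
}

func NewStore() *Store { return &Store{rows: map[string][]byte{}} }

// Put logs the body verbatim (finding 2) and stores it as received (4).
func (s *Store) Put(id string, body []byte) {
	s.log = append(s.log, "received "+id+": "+string(body))
	s.rows[id] = body
}

// ServerCanRead reports whether the plaintext is visible anywhere a
// server-side observer (a DB subscriber, someone reading Sentry) can look.
func (s *Store) ServerCanRead(plaintext string) bool {
	visible := strings.Join(s.log, "\n")
	for _, row := range s.rows {
		visible += "\n" + string(row)
	}
	return strings.Contains(visible, plaintext)
}

// Client holds a key generated on the device that never leaves it. Assumed
// already agreed between both endpoints (e.g. X25519); that step is out of scope.
type Client struct{ key []byte }

func NewClient() (*Client, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM, binding the message id as associated data
// so a blob cannot be replayed under another id. Layout: nonce || ct || tag.
func (c *Client) Seal(msgID string, plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(msgID)), nil
}

// Open is the receiving side; it fails closed on a wrong key, wrong id, or any tampering.
func (c *Client) Open(msgID string, blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(msgID))
	}
	return nil, fmt.Errorf("blob too short")
}

// TokenEndpointOK is the client-side guard for finding 3: tokens go to https hosts only.
func TokenEndpointOK(endpoint string) bool {
	u, err := url.Parse(endpoint)
	return err == nil && u.Scheme == "https" && u.Host != ""
}

func main() {
	sender, _ := NewClient()
	recipient := &Client{key: sender.key} // pre-agreed key (assumption)
	leaky, e2e := NewStore(), NewStore()
	leaky.Put("m1", []byte("meet at 9")) // constructed sample message
	blob, _ := sender.Seal("m1", []byte("meet at 9"))
	e2e.Put("m1", blob)
	pt, err := recipient.Open("m1", blob)
	fmt.Println(leaky.ServerCanRead("meet at 9"), e2e.ServerCanRead("meet at 9"), string(pt), err)
}
```

Run it with go run: the first ServerCanRead is true and the second is false even though the server code did not change, and Open with a different message id fails because the id is bound as associated data, which is what stops a Firebase subscriber from replaying or re-homing blobs. A real client also needs key rotation and forward secrecy (a ratchet), which this sketch omits.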

iOS 17 Users Are Vulnerable to Bluetooth Flipper Zero SPAM Flood Attacks – Week 11

TL;DR: the only way to avoid this attack on iOS 17 is to turn Bluetooth off, and from Settings > Bluetooth rather than the Control Center toggle, which only disconnects accessories and leaves the radio scanning. Details: https://www.theverge.com/2023/11/3/23944901/apple-iphone-ios-17-flipper-zero-attack-bluetooth The good news is that earlier releases such as iOS 16 have not been shown to be vulnerable, and Apple later shipped a fix for the lock-ups in iOS 17.2.

The Flipper Zero, marketed as a Swiss Army knife for radio protocols, can be loaded with custom firmware that floods nearby iOS 17 devices with spoofed BLE advertisements; each one triggers a pairing-style pop-up, and a sustained flood can freeze the phone until it reboots.

Van der Ham discovered that the attacker, another passenger on the train, was using a Flipper Zero device with custom firmware to send a combination of Bluetooth Low Energy (BLE) alerts to nearby iPhone handsets running iOS 17.

The Flipper Zero is “a small orange and white plastic gadget with a 1.4-inch display that looks like it could be a child’s toy. The Flipper Zero is a multi-tool for hacking, as it talks to sub-1GHz devices like old garage doors, RFID devices, NFC cards, infrared devices, and of course, Bluetooth devices.”

Although the article is geared toward iOS users, Android and Windows laptop users can be hit by the same kind of flood (spoofed Fast Pair and Swift Pair pop-ups respectively); they are, however, far less likely to need a restart, since there the notifications are a nuisance rather than a crash. For Android, the article’s advice is: “On Android, head to Settings → Google → Nearby Share, and turn the toggle on Show notification to the ‘Off’ position.”

Thousands of Android/TV Ship with Malware – Week 7

It would appear that the Android supply chain has been hit again: Ars Technica reports thousands of Android TV boxes shipping with a backdoor the user cannot remove, https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/ and Malwarebytes’ earlier teardown of a T95 box bought on Amazon confirms the pattern: https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon

Indicators of Compromise

Root Access

On compromised devices a “root switch” shows up under the About section of the Android system settings. Stock Android has no such toggle; if you find it, that alone justifies a return or replacement.

Shell Games

Connect to the box with adb and open a shell (adb shell, and list packages with adb shell pm list packages -f). Compromised boxes identify themselves in the shell as “walleye”, which is the code name of the Google Pixel 2, a phone these TV boxes plainly are not.

CoreJava Directories Ought Not Be There

On the device’s filesystem, compromised hosts have a directory called /data/system/Corejava containing malicious files. In the words of the Malwarebytes write-up: “Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:”

hxxps://dy.kr.wildpettykiwi.info/dykr/update
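To turn the three indicators above (plus the downloader’s domain) into a repeatable check, here is an added Go example written for this page, not Malwarebytes’ tooling. It assumes you have already pulled the relevant outputs with adb (adb shell getprop; adb shell ls /data/system, which needs root; adb shell pm list packages -f; and strings over a pulled classes.dex) and feed them in as text. The outputs embedded below are constructed stand-ins, not captures from a real box. It also assumes the codename shown in the adb shell prompt is ro.product.device, and it generalises the Corejava indicator to any package whose APK path sits under that directory.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Domain from the Malwarebytes write-up (defanged on the page as hxxps://).
const IOCDomain = "dy.kr.wildpettykiwi.info"

// Constructed sample outputs standing in for what adb and strings would
// return from a suspect T95-class box. They are not captures from a real device.
const (
	SampleGetprop = "[ro.product.device]: [walleye]\n[ro.product.model]: [T95]\n"
	SampleLs      = "appops.xml\nCorejava\npackages.xml\nusers\n"
	SamplePm      = "package:/system/priv-app/Settings/Settings.apk=com.android.settings\n" +
		"package:/data/system/Corejava/x/base.apk=com.example.loader\n"
	SampleStrings = "Ljava/lang/Object;\n" + IOCDomain + "/dykr/update\n"
)

var (
	propLine = regexp.MustCompile(`^\[(.+?)\]: \[(.*)\]$`) // getprop "[key]: [value]"
	pkgLine  = regexp.MustCompile(`^package:(\S+?)=(\S+)$`) // pm list packages -f
)

// Props parses `adb shell getprop` output into a key/value map.
func Props(getprop string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(getprop, "\n") {
		if m := propLine.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			out[m[1]] = m[2]
		}
	}
	return out
}

// Findings applies the page's indicators to the captured outputs and returns
// one line per hit; an empty result means nothing was found.
func Findings(getprop, lsDataSystem, pmList, dexStrings string) []string {
	var hits []string
	p := Props(getprop)
	// 1. "walleye" is the Pixel 2 codename; on anything that is not a Pixel
	//    it is a spoofed identity. (Assumption: the adb shell prompt shows
	//    ro.product.device, which is where the page's "walleye" comes from.)
	if p["ro.product.device"] == "walleye" && !strings.HasPrefix(p["ro.product.model"], "Pixel") {
		hits = append(hits, "device identifies as walleye but model is "+p["ro.product.model"])
	}
	// 2. /data/system/Corejava should not exist on a clean device.
	for _, entry := range strings.Fields(lsDataSystem) {
		if strings.EqualFold(entry, "Corejava") {
			hits = append(hits, "/data/system/"+entry+" is present")
		}
	}
	// 3. Generalisation of 2: any package whose APK lives under that directory.
	for _, line := range strings.Split(pmList, "\n") {
		if m := pkgLine.FindStringSubmatch(strings.TrimSpace(line)); m != nil &&
			strings.HasPrefix(m[1], "/data/system/Corejava/") {
			hits = append(hits, "package "+m[2]+" installed from "+m[1])
		}
	}
	// 4. The downloader's update host in strings pulled from classes.dex.
	if strings.Contains(dexStrings, IOCDomain) {
		hits = append(hits, "classes.dex references "+IOCDomain)
	}
	return hits
}

func main() {
	for _, h := range Findings(SampleGetprop, SampleLs, SamplePm, SampleStrings) {
		fmt.Println("IOC:", h)
	}
}
```

Note the Pixel test in the first check: walleye is the legitimate codename of the Pixel 2, so the indicator only fires when the reported model is not a Pixel; without that test a real Pixel 2 would be flagged.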

Conclusion

The Malwarebytes article, https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon, offers steps to remediate a compromised device. Cheap, unbranded boxes like these are a recurring vector, and budget-conscious buyers are the usual victims.