Nothing About E2E Encryption – Week 13

Nothing, the vendor of Nothing Chat (a re-skin of the Sunbird app), was found to ship an Android chat app whose end-to-end (E2E) encryption claims did not hold up, as reported in this Ars Technica article: https://arstechnica.com/gadgets/2023/11/nothings-imessage-app-was-a-security-catastrophe-taken-down-in-24-hours/ Nothing has suspended the app until it can fix the security issues, which were discovered by the broader Internet community.

The following issues were identified with Nothing’s E2E app:

  1. The user's Apple ID and password were shared with the site,
  2. Sunbird logged and stored messages in plain text, both in the error-reporting service Sentry and in a Firebase store,
  3. Authentication tokens were sent over unencrypted HTTP (TCP port 80), so the token could be intercepted and used to read your messages, and
  4. “When a message or an attachment is received by a user, they are unencrypted on the server side until the client sends a request acknowledging, and deleting them from the database. This means that an attacker subscribed to the Firebase Realtime DB will always be able to access the messages before or at the moment they are read by the user.” 
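Item 2 is the finding that is easiest to stop at the source: an error tracker should never receive message bodies, credentials or session tokens. The following is an added example (not Sunbird's or Nothing's code) written in the shape of the `before_send` callback that the Sentry Python SDK accepts via `sentry_sdk.init(before_send=...)`; the key list, token pattern and sample event are constructed for the illustration.

```python
import re
from typing import Any

# Keys whose values must never reach an error tracker (constructed list for this example).
SENSITIVE_KEYS = {
    "message", "body", "text", "attachment",
    "password", "apple_id", "token", "authorization", "cookie",
}
# Tokens that leak through URLs or free-text breadcrumbs (constructed pattern).
TOKEN_RE = re.compile(r"(?i)(bearer\s+|token=)[A-Za-z0-9._\-]+")
REDACTED = "[redacted]"


def scrub(value: Any) -> Any:
    """Return a copy of `value` with sensitive keys and embedded tokens redacted."""
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        # Keep the marker ("token=" / "Bearer ") so the event stays readable.
        return TOKEN_RE.sub(lambda m: m.group(1) + REDACTED, value)
    return value


def before_send(event: dict, hint: dict) -> dict:
    """Same signature as the Sentry SDK hook: return the event to send (or None to drop it)."""
    return scrub(event)


# Constructed sample event resembling what a chat relay might report on an error.
SAMPLE_EVENT = {
    "level": "error",
    "logger": "imessage.bridge",
    "request": {
        "url": "http://relay.example/api?token=abc123def",
        "headers": {"Authorization": "Bearer abc123def"},
    },
    "extra": {
        "apple_id": "user@example.com",
        "password": "hunter2",
        "message": {"text": "meet at 7", "body": "see you there"},
    },
    "breadcrumbs": [{"message": "sent bearer abc123def to relay", "category": "http"}],
}
```

Registering `before_send` does not make the app E2E encrypted; it only keeps the error-reporting channel from becoming a second plaintext copy of the data.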

Conclusion

Per the article, “Içöz recommends that any Sunbird/Nothing Chat users change their Apple password now, revoke Sunbird’s session, and ‘assume your data is already compromised.’” Frankly, I’m amazed the Apple and Play Stores don’t start having developers answer a quiz to determine whether their app merits posting into their “Walled Garden,” but perhaps they already do, and this is merely a response by the Internet community that does check each app’s claims regarding “security standards.”

For those interested, there are three states in which data should be secured (encrypted): “at rest,” “in use” (in memory), and “in motion.”

Security “at rest” is as you’d expect. It ensures that data stored on the hard drive, when it’s not part of the “hot”/“active” data set, is properly encrypted and secured. Security “in use” (or in memory) ensures that snooping can’t occur while the user is working with the data; it’s often associated with sessions. Unfortunately, the Intel Spectre, Intel Meltdown, and “AMD RETbleed” vulnerabilities expose this problem: if the processor can be attacked to divulge data in (active) memory, all data on the system is vulnerable. In some cases, Intel or AMD can release microcode for x86 chipset architectures, so check with your motherboard vendor to ensure proper UEFI (or BIOS) patching; ARM/RISC-V systems haven’t been identified as being vulnerable to these attacks, yet. And finally, security “in motion” covers data in transport; from this perspective it is usually handled through TLS/SSL encryption of the transport layer within the TCP/IP stack.

iOS 17 Users Are Vulnerable to Bluetooth Flipper Zero SPAM Flood Attacks – Week 11

TL;DR – The only method to avoid this attack while on iOS 17 is to disable Bluetooth, per https://www.theverge.com/2023/11/3/23944901/apple-iphone-ios-17-flipper-zero-attack-bluetooth. The good news is that previous versions of iOS, such as 16, have not been demonstrated to be vulnerable.

The Flipper Zero, touted as a Swiss Army knife for radio attacks, has been shown to be able to attack unsuspecting iOS 17 users when loaded with custom firmware.

Van der Ham discovered that the attacker, another passenger on the train, was using a Flipper Zero device with custom firmware to send a combination of Bluetooth Low Energy (BLE) alerts to nearby iPhone handsets running iOS 17.

The Flipper Zero is “a small orange and white plastic gadget with a 1.4-inch display that looks like it could be a child’s toy. The Flipper Zero is a multi-tool for hacking, as it talks to sub-1GHz devices like old garage doors, RFID devices, NFC cards, infrared devices, and of course, Bluetooth devices.”

Although the article is geared toward awareness for iOS users, Android and Windows laptop users can also experience a similar issue; however, Android and Windows users are less likely to require a restart. “On Android, head to Settings → Google → Nearby Share, and turn the toggle on Show notification to the ‘Off’ position.”