It has not been a good week for Apple, at least from the security point of view. Two recent stories impacted the high tech giant that tear at the very heart of Apple's privacy and security infrastructure.
The first breaking news was a major flaw in Facetime, a video telephony product allowing users to connect and communicate through their iPhones. There is a major flaw in FaceTime that was discovered by a teen trying to play a game with friends. What makes matters worse is that Apple failed to respond to the error report and even placed roadblocks up rather than fix the problem.
The teen reportedly added a friend to a group Fortnite conversation and suddenly found that they were able to listen in to conversations. The monitoring took place through the iPhone's mic despite his friend not having answered the call.
The unauthorized monitoring could be used illegally by a third party by calling a contact on FaceTime, swiping up for Group FaceTime and then adding the caller's number to the call. The party can then hear the recipient even when the call is unanswered.
Apple clearly had a problem and the teen's mother, Michele Thompson, an Arizona-based lawyer, filed a report with the company in early January. However, even after reporting the problem, Thompson noted that Apple did nothing to correct the situation.
In fact, Apple told Thompson she needed to register as a developer in order to report the bug to the company. Thompson complied, registering and re-filing the report with the company. She finally got a response on January 23 and it became clear that Apple was not really interested in fixing the error so she decided to make a public declaration.
When the problem hit the Twitterverse and was confirmed by a number of security researchers Apple suddenly sprang into action. Apple has since pulled the group feature from FaceTime, promising a fix but it was too late. Several states and many lawyers are now embroiled in legal action against the company, including New York.
New York Attorney General Letitia James (D) and Gov. Andrew Cuomo (D) announced legal action on Wednesday, saying they will launch an investigation into Apple's "failure to warn consumers about the FaceTime bug and slow response to addressing the issue."
Just when Apple execs thought things could not get worse...
A team of former U.S. government NSA employees working for the middle-eastern nation of the United Arab Emirates were accused of hacking into the iPhones of activists, diplomats and rival foreign leaders using another flaw in Apple products. In this case, the flaw became an exploit tool named Karma.
Karma was sold by the independent contractors to the UAE as a means to spy on IPhone users. Karma apparently utilized an exploit discovered almost two years ago that allowed the attacker to take over an iPhone by sending a simple malformed file. The bad file would then blast its way out of the operating system, allowing the attacker to take over the iPhone. The first format that was exploited is called a TIFF. The Tagged Image File Format or TIFF is a file format that is popular with graphic artists, photographers and the publishing industry because of its ability to store images. TIFF files are also often associated with popular fax software formats. TIFF was created to try to establish a common scanned image file format in the mid-1980s.
In 2016 the Cisco Talos group discovered vulnerability in the way in which a specially crafted TIFF image file could be used to create a buffer overflow and crash the iPhone operating system. This overflow basically left the system in a state that allowed the attacker to execute remote programs planted on the device after the crash.
This vulnerability is especially concerning as it can be triggered by crafted iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image process for rendering these types of files. Worse still, the exploit does not require the iPhone user to do anything since many Apple applications automatically attempt to render images when they are received in their default configurations.
The silent "Karma" exploit tool allowed the UAE to listen in on hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents. According to Reuters, Karma was employed by the Emirati security officials and the former NSA employees working for the UAE.
NUNYA ENCRYPTED SMS FOR ANDROID