In this week’s Cyber Blurbs Roundup, we look at how Signal is fighting back against a hacking group, the latest legal battle involving TikTok, the problem with Apple’s AirDrop, and Apple’s run-in with ransomware.
Signal Hacks Back
As you may have surmised from several of our previous blog posts, Signal is widely considered to be one of the most secure and reliable messaging platforms for privacy enthusiasts. Providing end-to-end encryption alongside a familiar UI, Signal has become the go-to for plenty of users over the last 12 months.
It’s become such a staple for the privacy community that it’s also become a target for hackers looking to make a name. Enter Cellebrite, a cell phone hacking company known for partnerships that allow governments and law enforcement agencies around the globe to bypass security measures on confiscated password-protected mobile devices. Late last year, Cellebrite announced it had successfully created a way for its Physical Analyzer to lawfully access Signal.
Fast forward a few months and Signal creator Moxie Marlinspike announced in a blog post that he and his team have turned the tables on Cellebrite, accessing the company’s hacking kit and detecting a handful of vulnerabilities.
“There are virtually no limits on the code that can be executed,” Marlinspike wrote.
“For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.”
Marlinspike also noted that his team would update Signal to prevent Cellebrite’s seemingly short-lived access into the app. You can read Marlinspike’s full blog post here.
TikTok Facing Massive Lawsuit… Again
TikTok may soon find itself back inside the courtroom (perhaps virtually) and reaching for that checkbook. Last week, Anne Longfield, the former Children’s Commissioner for England, filed a lawsuit against the popular social media platform, alleging that the company illegally collected and made use of data belonging to underage users.
If this sounds familiar, that’s because it should — a US-based class-action lawsuit successfully sued TikTok to the tune of $92 million earlier this year. That lawsuit also revolved around the illegal collection and use of children’s usage data. This time, we visit a courtroom across the pond… and this time the plaintiffs are seeking billions.
The lawsuit will represent all children under the age of 16 in the EU, as well as all children under the age of 13 in the UK, who have used TikTok and/or its predecessor Musical.ly dating back to May 2018.
“The claim alleges that TikTok and ByteDance have violated UK and EU children’s data protection law (GDPR), and deceived parents about how exposed their children’s private information is when they use the app,” the lawsuit’s website reads.
The lawsuit alleges that TikTok illegally collects the following information on the children who use its app:
Information provided about the child’s sexual orientation or religious beliefs
Media uploaded
Advertisements watched
Content liked
Survey responses
Cookies
Browsing history
Date of birth
Email address
Telephone number
Profile pictures and/or videos
Location of the child’s device
Biometric data (such as facial recognition)
Bio description (even for private accounts)
The website also claims TikTok fails to provide adequate transparency on its collection habits.
Despite its legal battles and general concerns from privacy-focused users, TikTok remains arguably the most popular social media platform for underage users.
Apple Hit with $50M Ransomware Attack
Apple has a pretty big problem on its hands — about “eight figures” big. The Silicon Valley giant has been targeted in a ransomware attack seeking $50 million after a slew of product schematics were stolen from Quanta, a Taiwan-based company that manufactures MacBooks for Apple. Quanta has refused to pay the sum, hoping Apple will take the reins.
REvil, a Russian hacking group, is threatening to leak Apple schematics daily unless the company pays up. Apple is said to have a deadline of May 1 to pay up. REvil began leaking images on April 20, coinciding with Apple’s big “Spring Loaded” event that saw the company unveil numerous new products.
Thus far, the hacking group has released documents relating to the upcoming 2020 MacBook Air, 2021 MacBook Pro, and recently revealed 2021 iMac redesign.
This marks REvil’s highest-profile ransomware attack to date, previously having targeted other tech companies such as Acer and pharmaceutical group Pierre Fabre.
Apple has yet to comment on the matter, but Quanta has confirmed the breach exists.
Apple’s AirDrop Leaks User Data
More bad news from Apple: AirDrop, one of the least talked about but generally appreciated features of the Apple ecosystem, isn’t all that secure.
The feature, which allows users to wirelessly transfer files between Apple devices (such as Mac and iPhone), is leaking user contact information. Without getting too deep into the weeds (because the good folks over at ArsTechnica already did), AirDrop’s method of communicating between devices to ensure a secure connection actually has the potential to expose a user’s email address and phone number.
TU Darmstadt’s SEEMOO, the researchers responsible for the finding, notified Apple in May 2019, but the company has yet to implement a fix.
iOS 14.5 Goes Live This Week
After almost an entire year of anticipation, iOS 14.5 is nearly upon us. The latest iPhone and iPad OS going live this week, finally allowing users to accept or deny requests for tracking. Consider giving it a day or two before updating to the new OS, letting the more eager users deal with potential bugs that may be linked to the update.
For those who do update, expect to be hit with a notification the first time you open an app post-update. Some apps have started asking for permission even before the update goes live.
UPDATE: iOS 14.5 was rolled out Monday. For those who have already decided and simply want to deny all tracking, go to Settings>Privacy>Tracking and disable Allow Apps to Request to Track. This will automatically notify all apps that you do not want to be tracked. That menu page will also allow you to individually control which apps have your permission for tracking.