Simple Cyber Defense weekly updates for July 30th 2021.
Welcome back to the Simple Cyber Defense Podcast. This week we have some interesting topics: we are discussing the Wi-Fi crash bug and the Facebook phone numbers exposure.
My name is Carl, joined with Ahmad.
And we’re going to get started right now.
Earlier this year there was a researcher who was messing around with a bunch of iPhones and he noticed that if he set his SSID, which is kind of like the name of your Wi-Fi Internet, and if you created it in such a way the iPhone would automatically crash and freeze up.
The format that he did was %P %S %S %S %S %N. What was really bad about this is nothing would fix this. He tried rebooting his phone, he tried connecting to a different Wi-Fi network, but no matter what he did, it just kept crashing and didn’t work. So what he ended up having to do was he had to flush his network settings, which is being done by going to the settings → general → reset → and reset network settings. What this did was basically deleted every single Wi-Fi he connected to ever.
Everyone thought OK, good, so this issue is just more of an annoyance and the reason why this worked was because the percent character is an object in Objective C. Objective C is the programming that’s used to create the iOS platform and these objects that use the percent sign can either declare a variable name or a command. So, this % P is like a print command almost and the %S and %N are telling the iPhone to go to this particular place and print out these commands. But unfortunately, the iPhone can never find these directories because they don’t exist. So, it’s in the endless loop of trying to find those directories and it just hits long crashes. Starts up again OK. Got the command again, hits the wall, crashes. Now everyone thought that this was just, you know, more of an annoyance.
But a few weeks later, it turned out that this could actually be used more maliciously. So an attacker can use a different type of SSID name in order to create a malicious access point so that once your iPhone connects to it, it will doubtless start downloading malware onto the iPhone. And since it’s using the Objective C program in the same program that it’s inside the iOS, the iPhone would just think, oh, these are just commands from the operating system, so I can just run the commands as it’s being presented to me depending on what the attacker wants to do. He could either spy on you or steal any data they want from you from these simple meaningless looking commands that people may not understand what they are. They think, oh look free Wi-Fi OK, and connect to it and then all of a sudden boom their iPhone is attacked. Luckily, Apple has released a patch for this particular hack that attackers have actually been using in the wild.
The patch is in the 14.6 version of iOS. Right now, the current version is 14.7.1, so the best way to prevent this from happening is just update your iOS to the latest version and that will stop these SSIDs using the Objective C programming language in their Wi-Fi names to be able to attack your iPhone or iPad or any other iOS device.
Now if you have an iOS device that does not or cannot get updated to support at least 14.6 I’d probably consider replacing that device if you can. If you can’t replace it, just be very careful not to connect to any Wi-Fi connections that have % in them at all. Because if you can’t patch it, then you’re going to be vulnerable and there’s going to be a lot of iOS devices because they’re so expensive that people are like I know that I’m not up to date, but I really can’t afford to get a new one because they’re like really high in price. So, if you’re in that situation, the best thing to do is just be very careful what Wi-Fi connections you connect to. If you see a % sign in it, do not connect to it at all.
Now, Carl, you mentioned that this was used out in the wild, but earlier you mentioned that a security researcher discovered it. Did he discover the actual post?
He discovered it. Yeah, he discovered it and published a paper on it. And then Apple did an initial patch, but it didn’t patch the malicious side of it. People didn’t realize it was malicious until a couple months after he put his research paper out there and then the attackers were like, OK, so what if we do this and then they realized, oh, we can actually inject a malicious payload in here. Because the iPhone thinks, oh, these are just the operating systems giving me commands because it’s the same language that’s used in the iPhone.
Yeah, you know it shows how important it is to keep our devices updated, just turn auto update on and apply the updates.
Yeah, just update and if you can’t update all the way, either replace the phone or find other ways to make it more secure.
Alright, so are you ready to get onto the Facebook and the phone linkage?
Yeah, so TechCrunch reported that there are 419,000,000 Facebook user phone numbers publicly exposed. Uh, saying that there’s an unsecured server exposed 419,000,000 phone numbers belonging to Facebook users. Also, in some information is actually found in a database that was not secured by a password, then now we see right here, immediately it is human error and it’s something that as a user, you really don’t have any control over, right? It said that each record held an individual Facebook ID and a Facebook ID is something that identifies you. It’s usually in the URL and number connected to the person’s phone number and some of them connected to the person’s name and gender and location.
After this was discovered, you know that server was taken offline. This is the first type of attack on Facebook since 2018. OK, they said that up until 2018, Facebook gave phone number access to developers and they don’t do that anymore. So, what now about Facebook? Facebook was contacted about that and they say that they’re, you know they haven’t seen any indication that the user accounts have been compromised. One of the things that we need to understand is that if you were one of those people whose number was exposed, there’s something that’s called a SIM swapping attack and we all know about spam calls.
If that number is leaked, the least thing that can happen is it can be sold to somebody and they can do spam calls all day. And we know how annoying that is. Then you’d have to invest in, you know, uh, caller ID and number of launching service, etc. It’s a cost that you’d have to, you know, incur if you want to keep that same phone number. Uh, the second problem, which is SIM swapping. Uh, and it’s also known as a port out scam or a SIM splitting type of an accounting info. Uh, it’s a fraud that usually also handles like the weakness of two factor authentication. If somebody has access to your phone, then they can use the two-factor authentication that you have set up on other services to gain access to it through your phone. Now that they have swap. The way the method of SIM swapping is like this.
We know how easy it is for a user to transfer service to another SIM card. You call your provider, and you say, hey, this is so and so, I lost my phone, my number got stolen, my phone got stolen etc. I want to switch my number. I want to keep my number but put it on this SIM card. And usually this will happen with most companies after authentication. And how do they authenticate the authenticate with your name, address, your birthdate, etc. Well.
A lot of those things are available through Facebook.
A lot of the things were exposed as well, right? So now they can call and then pretend that they are you and now they take control of your phone and you can have control of it for an hour, for two hours, or for a day. You will notice once you see that you have no service on your phone and then you realize, hey, why am I not getting any of my text, or you can be on Wi-Fi all day and never find out what’s going on? And you know, once that’s one way that you know a processor can take control of your number and in many other cases SIM numbers are changed directly by the Telecom company employees that are bribed by the criminals. So, there is, you know, from every angle there is, there’s an attack vector that’s coming porting.
When and like I said, to notice this you will see that you lost phone connection. You know data can’t be received, you know, phone calls. Now one of the ways that you can prevent this from happening is you need to set up a PIN number that you can authenticate yourself through the phone provider. So, if somebody calls to authenticate to do a SIM swap, then they ask for a phone number or they ask for a PIN number. Now, the way you need to save that pin number, because now people, what we call the social engineers, can get your information or they have your information through just having access by luck to that list of phone numbers. They can’t figure out your PIN number is. If you use your birth year, if you use your birthday, if you use your street address, there is a way, and it’s just human nature.
You know we are pretty much the weakest link. We can’t blame technology all the time. Technology is here to help us be more secure. Use the password manager. You can use your password manager to put your PIN numbers in there. You can say OK, my phone provider is Verizon and under Verizon my pin number is such and such. You can put that in your password manager. Just like you put all your other passwords that you use to login into your email or bank account, and we talked about password manager. So, this is pretty much the due diligence, always make sure that you always phone company access (data and cell service), not just Wi-Fi and have a pin number with your service provider and make sure you put that PIN number in a password manager.
Yeah, this concludes my talk.
Well on that topic when you were talking about the phone numbers in plain sight. Remember in 2019 Facebook also had many, many, many, passwords in plaintext on an unsecured server too. So, it seems like Facebook is a very weak link in security so I would be very careful about what data I’d even trust with Facebook at this point. Because if they can’t even secure passwords and phone numbers, what else is there going to be then? There’s the analytica thing where millions of profiles were scraped to get targeted for different political ads or something. And imagine how much data is out there now.
And with the SIM swapping issue is there are some providers that don’t even go through those security loops, like they don’t even ask you what your pin number. It’s like, so, what I would do is I would actually call up my carrier, pretending that I’m not me and see if I’m able to go through without being asked those security questions. And if you don’t have to have security questions. I wouldn’t recommend doing things like what street did I work or grew up on or what’s my mother’s maiden name? What I would probably do, like, you said the previous ones just lie about those security questions, like what’s my mother’s maiden name? Cats. What street did I work or what street did I grow up on? I don’t know. Blue or something silly like that. It has no link to you. And creating pins and creating passwords are pretty similar to do with Bitwarden you can actually have it create PIN numbers for you and you can save those in your password manager so you don’t have to sit there and think, OK? What numbers should I do? You just go in there and say, OK, generate a pin number. It spits out a pin number, or you save it into your password manager, so you never have to remember it. And then you just give it to them. Say, OK, my pin number is XYZ ABC or whatever.
And again, it’s saved in the password manager, so you don’t have to remember it. So, if you’re calling up them, you can go open up your laptop, or computer, or something, and just look at your password manager. Say OK, that’s my pin number. I’m going to put it in there, I’m good to go.
Yeah, right yeah.
One of the things I was also thinking about is adding another layer of security is using another password manager to save the password for the password to your main password manager.
Well, security is about layers so. If you’re willing to go through the hoops, I say go for it. I mean, why not? I mean, there’s many password managers out there to choose from, many of whom are free.
And so, the biggest thing is just make sure you can keep everything straight. And if you can do that. Then I’d say go for it.
Yeah, right, so I think that’s really good this week, so I guess this concludes this week in this podcast. If you have any suggestions from listeners, you can go to the simplecyberdefense.com and make any suggestions or topics that are interested in for you. We always listen to and are always open to suggestions. If you have a topic that you want us to cover. Other than that, we’ll see you in the next episode.
If you like what was in this episode, please consider liking, subscribing, and sharing with others. For more information to suggest a topic or to donate, head over to simplecyberdefense.com.
That iPhone WiFi crash bug is far worse than initially thought – https://therecord.media/that-iphone-wifi-crash-bug-is-far-worse-than-initially-thought/
Turns Out That Low-Risk iOS Wi-Fi Naming Bug Can Hack iPhones Remotely – https://thehackernews.com/2021/07/turns-out-that-low-risk-ios-wi-fi.html
Security Now Show Notes – https://www.grc.com/sn/sn-828.htm
419M Facebook User Phone Numbers Publicly Exposed – https://www.darkreading.com/risk/419m-facebook-user-phone-numbers-publicly-exposed/d/d-id/1335740