Good morning, Cyber Saturday readers.
A month ago I was milling about a hotel room in New Orleans, procrastinating my prep for on-stage sessions at a tech conference, when I received a startling iMessage. “It’s Alan Murray,” the note said, referring to my boss’ boss’ boss.
Not in the habit of having Mr. Murray text my phone, I sat up straighter. “Please post your latest story here,” he wrote, including a link to a site purporting to be related to Microsoft 365, replete with Microsoft’s official corporate logo and everything. In the header of the iMessage thread, Apple’s virtual assistant Siri offered a suggestion: “Maybe: Alan Murray.”
The sight made me stagger, if momentarily. Then I remembered: A week or so earlier I had granted a cybersecurity startup, Wandera, permission to demonstrate a phishing attack on me. They called it, “Call Me Maybe.”
Alan Murray had not messaged me. The culprit was James Mack, a wily sales engineer at Wandera. When Mack rang me from a phone number that Siri presented as “Maybe: Bob Marley,” all doubt subsided. Jig, up.
There are two ways to pull off this social engineering trick, Mack told me. The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like “Acme Financial.” This note must include a phone number; say, in the signature of the email. If the target responds—even with an automatic, out-of-office reply—then that contact should appear as “Maybe: Acme Financial” whenever the fraudster texts or calls.
The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as “Maybe: [Whoever].” Attackers can use this disguise to their advantage when phishing for sensitive information. The next step: either call a target to supposedly “confirm account details,” or send along a phishing link. If a victim takes the bait, the swindler is in.
The tactic apparently does not work with certain phrases, like “bank” or “credit union.” However, other terms, like “Wells Fargo,” “Acme Financial,” the names of various dead celebrities—or my topmost boss—have worked in Wandera’s tests, Mack said. Wandera reported the problem as a security issue to Apple on April 25th. Apple sent a preliminary response a week later, and a few days after that said it did not consider the issue to be a “security vulnerability,” and that it had reclassified the bug as a software issue “to help get it resolved.”
What’s alarming about the ploy is how little effort it takes to pull off. “We didn’t do anything crazy here like jailbreak a phone or a Hollywood style attack—we’re not hacking into cell towers,” said Dan Cuddeford, Wandera’s director of engineering. “But it’s something that your layman hacker or social engineer might be able to do.”
To Cuddeford, the research exposes two bigger issues. The first is that Apple doesn’t reveal enough about how its software works. “This is a huge black box system,” he said. “Unless you work for Apple, no one knows how or why Siri does what it does.”
The second concern is more philosophical. “We’re not Elon Musk saying AI is about to take over the world, but it’s one example of how AI itself is not being evil, but can be abused by someone with malicious intent,” Cuddeford said. As we continue to let machines guide our lives, we should be sure we’re aware how they’re making decisions.
Have a great weekend—and watch out for imposters.
Maybe: Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Taking a look back at another week of news from Cupertino, this week’s Apple Loop includes the latest renders of the new iPhone X for 2018, the hardware that wasn’t announced at WWDC, why iOS 12 stands for stability, the renewed focus on iPhone security, the disappointment of no new MacBooks at WWDC, and all the spoof products announced on the internet.
Apple Loop is here to remind you of a few of the very many discussions that have happened around Apple over the last seven days (and you can read my weekly digest of Android news here on Forbes).
First Renders Of The New iPhone X
As part of Apple’s push to expand the iPhone line-up (and increase sales of the iPhone family after years of declining share), the geekerati are expecting a budget version of the iPhone X (not to be confused with an update of the iPhone SE). What will it look like? Forbes’ Gordon Kelly reveals new renders of the budget iPhone X:
What Hemmerstoffer’s images and video (embedded below) show, is a 6.1-inch design which blends the chassis of the iPhone 8 and a single rear camera with the fascia of the iPhone X, complete with Face ID facial recognition module and the distinctive notch. On the flipside, this means no Touch ID fingerprint sensor.
…Hemmerstoffer notes this currently unnamed budget iPhone X (my naming bet is simply ‘iPhone’), will also pack wireless charging, stereo speakers and a new A12 chipset. So this is basically a single-camera iPhone X for over $200 less.
What Wasn’t Announced At WWDC
Lots of news to come out of this week’s Worldwide Developer Conference from Apple, but before we get to what did appear, it’s important to realise what was not on show. Apple refused the opportunity to show off any new hardware. No iPads, no Macs, no MacBooks, no peripherals, and perhaps most importantly, no mid-range iPhones to replace the iPhone SE. And WWDC was the best time to announce this upcoming smartphone, as I discussed earlier this week:
Assuming Taniyama-Shimura, there are enough signs in the supply chain that an update to the iPhone SE is coming. So the question becomes not of ‘will it arrive’ but ‘when will it arrive.’
…its non-appearance at WWDC tells us a lot about the handset. iPhone sales this year need a boost. The iPhone X has not delivered the super-cycle it promised and sales are flat to slightly down year-on-year. Market share is approaching single figures, and relying on high-end handsets with high margins may be delivering financial success… but it doesn’t provide for growth or entry into new markets. The iPhone SE 2 can help balance the equation of revenue and market share by offering a low-priced gateway into Apple’s world of smartphones.
Twelve Stands For Stability
Almost all of the focus at WWDC was on software, and the vast majority of that focus was on iOS. There have not been any major changes or additions; Apple has focused on the stability of the code to rebuild the bulletproof perception of the iPhone’s operating system. Zach Epstein is glad the new release is just ‘meh’:
It’s no secret that iOS 11 has been a complete mess for Apple. It’s not the travesty that whiny anti-Apple bloggers would have you believe, of course, but there’s no question that Apple made some big mistakes in iOS 11. It has had more security holes, annoying bugs, and performance issues than any version of iOS from recent history, and many of those problems still exist in iOS 11.3 and iOS 11.4 now, more than 8 months after the software’s initial release.
We learned many months ago that performance and overall user experience were going to be Apple’s main points of focus in iOS 12. In fact, insider reports stated that Apple decided to delay the addition of several big new features in iOS 12 and push them back to subsequent releases, or maybe even until next year’s iOS 13 update. This way, Apple’s various iOS engineering teams could focus on improving performance in iOS and on refining the user experience, rather than on integrating complex new features.
There’s a user-friendly way to hack into people’s iPhone contacts, messages and photos, a researcher claims. Indeed, his exploit, working on the latest iOS, version 9.0.1, is now available on YouTube and is getting a lot of interest…