Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Three technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.

When Apple released a software update at the start of November that enabled its new hearing aid features in AirPods Pro 2 earbuds, Rithwik Jayasimha immediately went out with his dad to buy a pair for his grandma. “We came back home, we took them out of the case, and I was looking for the feature and it was just missing,” Jayasimha says. India, where Jayasimha and his family live, is not one of the many countries where Apple’s hearing aid features are available. “It was a huge bummer,” Jayasimha says.

Instead of abandoning the headphones, Jayasimha and two friends, Arnav Bansal and Rithvik Vibhu—both of whom say they have grandmas who use hearing aids as well—hacked a way to bypass Apple’s location restrictions and enable their hearing aids in Bangalore.

To dodge Apple’s geolocation restrictions, the trio built a rudimentary, signal-blocking Faraday cage on top of a microwave with aluminum foil, which ultimately allowed them to enable the hearing aid settings. “We don’t even think it’s Apple’s fault. The feature is amazing,” Jayasimha says.

One of the older hearing aids that was replaced with an Apple’s AirPods Pro 2.Photograph: Lagrange Point/Rithwik Jayasimha

The group members, who have a mix of hardware and software skills and first detailed their hack as part of a technology collective called Lagrange Point, say a couple of dozen people have contacted them asking for help with their AirPods. “We’ve got a huge amount of interest from folks in India who have these AirPods or whose grandparents need them and they’ve not been able to use them,” Jayasimha says. Others have documented the same issue in social media posts.

The researchers demonstrated that they could bypass Apple’s geographic restrictions with a set of AirPods Pro 2 connected to a 10th generation Wi-Fi-only iPad. They note that it would be possible to do the workaround on an iPhone or iPad connected to a mobile carrier as well, but it would be more involved.

To find the workaround, the researchers first looked at the different ways that iOS establishes where a device is in the world. For Wi-Fi-only devices, there are a few checks. The server looks at which Apple Store region the device is connected to, as well as the time zone, language, and region the device is set to. Additionally, the operating system sends a simple web request to an Apple web service that then responds with the country code of the country the device appears to be in based on the location associated with its IP address.

The researchers first tried manually changing the time zone and region settings for the iPad, but it ultimately wasn’t clear whether this impacted their ability to hide the iPad’s true location. When masking the iPad’s IP address so it would appear to be connected in the United States didn’t work, the researchers assessed other metrics the device might be using to establish its geographic location. It turns out that iOS also examines Wi-Fi “service set identifiers,” or SSIDs, that help devices connect to the right Wi-Fi network when there are many network signals in the air—like in an apartment building or at a coffee shop.

The operating system also uses GPS triangulation and device identifier “MAC addresses” of nearby devices, including routers, to establish a device’s location. In other words, even if a person in Bangalore uses a proxy to make it seem like their iPad has a US-based IP address, all the nearby routers and devices are associated with India-located IP addresses that give the real location away.

To deal with this, the researchers rigged up a Faraday cage, which blocks electromagnetic signals, to isolate the iPad from the other devices and wireless networks around it. They built their aluminum-foil-clad enclosure on top of a regular kitchen microwave and then turned on the microwave whenever they wanted to block signals to the iPad. The setup worked because consumer microwaves heat food using electromagnetic waves that are at the same frequency as Wi-Fi signals—2.4 GHz. Essentially, the researchers had turned their microwave oven into a Wi-Fi jammer.

The hackers first built a Faraday cage using a cardboard box and several sheets of aluminum foil, and placed it on top of a microwave to further block wireless signals.Photograph: Lagrange Point/Rithwik Jayasimha

“We put several layers of aluminum inside and outside \[a cardboard box\] and we’d see some signal strength drop,” Bansal says. “Of course, it’s not going to be great, but combined with the microwave, it worked.”

Ultimately, the researchers designed a less ingenious, but simpler and more reliable Faraday cage to make their manipulation more practical. With the iPad placed in its own shielded bubble, the researchers used an open source Wi-Fi location database and Wi-Fi SSID cycling tool to trick iOS into locating the iPad in California. With this complete, the AirPods could work as hearing aids in India.

Apple offers the hearing aid features in more than 100 countries, and it has great promise as a tool for making hearing aid tech more accessible—and more palatable—to millions of people around the world. But the company isn’t able to offer the feature everywhere and restricts access in certain countries, like India, likely because of regulatory hurdles related to medical devices. The fact that it’s possible to circumvent these restrictions may offer a solution, at least temporarily, for people in blocked countries who are looking for a workaround.

Apple did not return WIRED’s request for comment about the findings, but the researchers note that it seems like it would be possible for Apple to close the loophole they discovered fairly easily. They say they haven’t heard from the company.

Alan Woodward, a cybersecurity professor at the University of Surrey, says their work is “very interesting” and demonstrates how there may often be ways around “safeguards” put in place by Big Tech. “It shows that those with the technical understanding can bypass the geofencing of apps relatively simply,” Woodward says. “Not that everyone could do it, but they probably know someone that can.”

“I’m not sure how many people realize the number of variants in something like iOS even on what is apparently the same version—the build number is what really matters,” Woodward says. “It’s more a lesson to people that you have more than you realize on your phone.”

The second version of the Faraday cage, which the researchers plan to use to run more experiments.Photograph: Lagrange Point/Rithwik Jayasimha

Services offered by Big Tech companies such as Apple and Google often have had staggered launches around the world as lawmakers have introduced regulations to control technology companies’ power and protect people’s rights. In the EU, for instance, several AI products have been delayed or not launched due to strict privacy laws. Apple has also been required to allow alternative App Stores due to EU rules. At the same time, right-to-repair movements have grown in popularity, and people have increasingly been hacking into the products they buy.

While the three researchers in India believe that it is likely Apple’s hearing aid features will officially come to the country in the coming months, they plan in the meantime to help the dozens of people they say have reached out to them about their own headphones. They also plan on using the second version of the Faraday cage to set up people’s AirPods. From their own grandmas’ experiences, the hearing aid features appear to be valuable in their everyday lives.

Bansal says his grandma has some hearing loss and other health challenges, but has typically worn hearing aids while watching television. “She used to wear her old clunky hearing aids, and they were really problematic because they had these tiny little buttons on them,” Bansal says. “But now she uses the AirPods, we’ve set it up with her hearing profile, and she can use it to watch the TV just fine and it’s a lot nicer. She doesn’t feel like a patient wearing it.”

These Guys Hacked AirPods to Give Their Grandmas Hearing Aids

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Power of the Purse: How to Ensure Security by Design

Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices.
Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built

North Korean Hackers Target macOS Using Flutter-Embedded Malware

Donald Trump has vowed to deport millions and jail his enemies. To carry out that agenda, his administration will exploit America’s digital surveillance machine. Here are some steps you can take to evade it.

The WIRED Guide to Protecting Yourself From Government Surveillance

Plus: Hot Topic confirms a customer data breach, Germany arrests a US citizen for allegedly passing military secrets to Chinese intelligence, and more.

Maybe you already heard, but Donald Trump will be president of the United States again. The far-right is celebrating by calling for mass executions. The left is responding with their own election conspiracy theories. Convicted January 6 rioters are banking on a pardon. And women who oppose Trump have frankly had enough.

Ahead of Election Day, WIRED found that an “election integrity” app made by True the Vote, a right-wing group that helped popularize election denialism around the 2020 election, was leaking the emails of its users. In one instance it revealed an election officer in California who appeared to be engaged in illegal voter suppression.

Disinformation and other forms of election interference have been a major issue since Russia’s hack of the Democratic National Committee in the lead-up to the 2016 election. But 2024 appears to have been the worst yet, with US officials warning that Russia had amplified its efforts to unprecedented levels.

In non-election news, Canadian authorities arrested Alexander “Connor” Moucka, who is accused of hacking a slew of Snowflake cloud storage customers earlier this year. Security experts who’ve long followed the exploits of a hacker who went by the handle Waifu—whom authorities say is Moucka—believe him to be “one of the most consequential threat actors of 2024.”

A federal judge in Michigan sentenced Richard Densmore to 30 years in prison after he pleaded guilty to sexually exploiting a child. Densmore was highly active in 764, an online criminal network that the FBI now considers to be a “tier one” terrorism threat.

Finally, in WIRED’s first story published in partnership with 404 Media, reporter (and 404 co-owner) Joseph Cox took a deep dive into the world of infostealer malware—the same kind used in all those Snowflake account breaches Moucka is accused of committing.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Some iPhones that police have in their possession for forensic examination are suddenly rebooting themselves, making it more difficult for investigators to access their contents, reports 404 Media. Police use tools like Cellebrite to essentially hack into phones, but this is typically done when a device is in the so-called After First Unlock (AFU) state. Once they reboot, iPhones are put into Before First Unlock (BFU), which makes them much harder to access with forensic tools.

According to a document obtained by 404, police believed the sudden reboots stemmed from the fact that the devices run iOS 18, Apple’s new mobile operating system. The police suspected that iOS 18 contains a secret feature that allowed the impacted devices, all of which were in airplane mode, to communicate with other nearby iPhones, which sent “a signal to devices to reboot after so much time had transpired since device activity or being off network,” the document reads.

They're half right. 404 reported Friday evening that multiple experts have discovered a new feature in iOS 18 called “inactivity reboot,” which appears to force iPhones to reboot on the fourth day after being locked—no secret signal-sending required. While the feature could help prevent robbers from using stolen iPhones, it's clearly giving the cops a headache, too.

Bad news, kids. The retail chain Hot Topic confirmed this week that it suffered a data breach that exposed the personal information of some 54 million customers. The stolen data includes email addresses for all 54 million people, 25 million “lightly encrypted” credit card numbers, the names, phone numbers, and birthdays of 20 million customers, and even the home addresses of 10 million people. While the hackers behind the breach claimed to have data on far more people than the dataset contains—350 million customers—the exposed data could still be used for identity theft and other malicious activities. Not cool!

Authorities in Germany this week arrested a US citizen for allegedly giving American military secrets to the Chinese government. Identified only as Martin D. due to German privacy laws, prosecutors say he recently “worked for the US armed forces in Germany” and “obtained the information in question during his work with the US armed forces,” according to NBC News. Prosecutors claim that Martin D. “contacted Chinese government agencies and offered to provide them with sensitive US military information for forwarding to a Chinese intelligence service.” Martin D.’s arrest comes just a month after German authorities arrested a woman on suspicion of passing information about arms deliveries to Chinese intelligence.

The FBI is investigating whether Chinese state-backed hackers breached the iPhones of senior staff members in either the Kamala Harris or Donald Trump presidential campaigns, Forbes reports. The CEO of security firm iVerify, Rocky Cole, tells Forbes that his company’s software identified strange changes to the settings on the iPhones of campaign staff “in patterns that are not observed on healthy devices.” (Cole declined to identify which campaign’s staff was impacted.) The FBI told Cole that the affected iPhones belonged to known targets of Chinese hacker group Salt Typhoon, which reportedly breached several US telecom networks including AT&T and Verizon.

Auto-Rebooting iPhones Are Causing Chaos for Cops

Direct cyberattacks on vehicles are all but unheard of. In theory though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.

Source: Marin Tomas via Alamy Stock Photo

Six unpatched vulnerabilities in a Mazda in-vehicle infotainment (IVI) system could be exploited with a simple USB in a moments' time, and one of them has legitimate consequences to vehicle safety.

These days, cars are just computers on wheels, and IVIs are their user interface. The IVI in most Mazda vehicles of recent years — like the Mazda3 and CX-3, 5, and 9 — are built with the Mazda Connect Connectivity Master Unit (CMU), developed by the Michigan-based Visteon Corporation. The CMU is a core hardware component that enables various connectivity services: smartphone integration, a Wi-Fi hotspot, and various remote monitoring and control features.

Recent research through Trend Micro's Zero Day Initiative (ZDI) has surfaced half a dozen vulnerabilities in the Mazda IVI. A few of them enable full system compromise, and access to various sensitive data. One of particular note could enable an attacker to pivot to the vehicle's Controller Area Network (CAN) bus — the central nervous system connecting its various component parts.

None of the vulnerabilities have been assigned a value according to the Common Vulnerability Scoring System (CVSS) yet. All of them remain unpatched as of this writing. On the plus side: They all require that an attacker physically insert a malicious USB into the center console. Such a scenario — carried out by a carjacker, or possibly a valet or dealer — is essentially unheard of in the real world to date.

Dark Reading has reached out to Visteon for further comment on this story.

**6 Mazda IVI Security Bugs**

Three of the vulnerabilities — CVE-2024-8358, CVE-2024-8359, and CVE-2024-8360 — target functions used to locate and extract specific files during software updates. Because the provided file path is not sanitized, an attacker can step in with their own malicious injection, which gets executed at the root level of the system. With a specially crafted command, this one-step hack could facilitate a full system takeover.

Another way to skin this cat would be to take advantage of CVE-2024-8357, affecting the CMU's System on Chip (SoC) running Linux. The SoC's boot process has no authentication in place, so an attacker with the ability to execute code can take advantage to manipulate files, establish persistence through reboots, and establish control over the system even before it boots up.

The Mazda IVI; Source: Trend Micro's ZDI

CVE-2024-8355 might seem at first a bit different from the rest but, in reality, it's caused by the same underlying problem: lack of sanitization of input data.

To establish a connection with an Apple device, the CMU will request the device's serial number. Because it doesn't apply scrutiny to that value, a spoofed device can send specially crafted SQL code instead. The system's DeviceManager will run that code at the root level, enabling all kinds of malicious outcomes: database exposure, arbitrary file creation, etc.

Last, but certainly not least, is CVE-2024-8356, a missing verification during the CMU software update process. This one, however, affects the unit's other processor, the Verification IP Microcontroller Unit (VIP MCU). The VIP MCU is designed to be separate from the SoC for security purposes, because instead of running the operating system, it connects to the vehicle's CAN bus. The CAN bus, in turn, connects the rest of the vehicle: everything from climate control to the engine and airbags. With a tampered firmware image, ZDI demonstrated that one can jump the SoC to manipulate the VIP MCU, and from there reach the CAN bus.

**Serious, But Unlikely Consequences**

"In truth, it's hard to predict what an attacker could do once they have access to a CAN bus," says Dustin Childs, head of threat awareness at ZDI. "Since the CAN bus serves as the nervous system of the vehicle, a threat actor could potentially impact whatever electronic control units (ECUs) or components that interact with the CAN bus." Translation: Attackers can subvert just about any conceivable part of the vehicle.

"The worst case scenario would be an attacker impacting the driving characteristic of the car, rendering it unsafe to operate," he adds.

Still, the threat is immaterial. For all of the exploits demonstrated by researchers, actual criminals still consistently stick to those older tried-and-true methods of compromise: a stolen set of keys; an unfurled clothes hanger slipped artfully in between a window and a door frame; or a rock, a window, and a good baseball toss.

"At this point, there isn't a lot of real-world impact," Childs admits. "However, as cars become more connected, remote exploitation becomes more realistic. In the last Pwn2Own Automotive, the team from Synacktiv exploited the modem of the Tesla Model 3 over-the-air to reach and interact with the onboard systems of the vehicle. It's just a matter of time until a complete, remote vehicle takeover becomes a real possibility."

He adds, "That's why manufacturers should build in security to each component and not rely on the defenses of other modules. A vehicle should have a multilayered protective system that assumes every message may be from a compromised source. The more we get ahead of the problem now, the easier it will be to react to it in the future."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising…

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising your car’s security and putting you at risk.

Cybersecurity researchers at ZDI (Zero Day Initiative) have identified several critical vulnerabilities in Mazda‘s infotainment systems, specifically in the Connectivity Master Unit (CMU) installed in multiple Mazda car models, including the Mazda 3 from the years 2014 to 2021.

These vulnerabilities, caused by “insufficient sanitization” when handling attacker-supplied input, could allow a physically present attacker to exploit them by connecting a specially crafted USB device to the target system. Successful exploitation could result in arbitrary code execution with root privileges.

****The Target****

The CMU unit, manufactured by Visteon Corporation, an anutomotive technology company, and initially developed by Johnson Controls Inc (JCI), runs on the latest available software version (74.00.324A). However, earlier software versions down to at least 70.x may also be affected by these vulnerabilities. The CMU is part of an active “modding scene” where users release software tweaks to alter the unit’s operation, often exploiting such vulnerabilities.

****The Vulnerabilities****

There are multiple vulnerabilities identified in the CMU system. The details of each are as follows:

*   **SQL Injection (CVE-2024-8355/ZDI-24-1208)**: An attacker can inject malicious SQL code by spoofing the iAP serial number of an Apple device. This allows the attacker to manipulate the database, disclose information, create arbitrary files, and potentially execute code.
*   **OS Command Injection (CVE-2024-8359/ZDI-24-1191)**: The REFLASH\_DDU\_FindFile function in the libjcireflashua.so shared object fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **OS Command Injection (CVE-2024-8360/ZDI-24-1192)**: The REFLASH\_DDU\_ExtractFile function in the libjcireflashua. so shared object also fails to sanitize user input, allowing an attacker to inject arbitrary OS commands that can be executed by the head unit OS shell.
*   **Missing Root of Trust in Hardware (CVE-2024-8357/ZDI-24-1189)**: The application SoC is missing any authentication of the bootstrap code, allowing an attacker to manipulate the root filesystem, configuration data, and potentially the bootstrap code itself.
*   **Unsigned Code (CVE-2024-8356/ZDI-24-1188)**: The VIP MCU can be updated with unsigned code, allowing an attacker to pivot from a compromised application SoC running Linux to the VIP MCU and gain direct access to the connected CAN busses of the vehicle.

****Exploitation****

An attacker can exploit these vulnerabilities by creating a file on a FAT32-formatted USB mass storage device with a name that contains the OS commands to be executed. The filename must end with .up for it to be recognized by the software update handling code.

Once the initial compromise is achieved, the attacker can gain persistence through manipulation of the root file system or install a specially crafted VIP microcontroller software allowing unrestricted access to vehicle networks.

****Associated Risks****

According to ZDI’s blog post, the attack chain can be completed in a few minutes in a lab environment, and there is no reason to believe it will take significantly more time against a unit installed in a car.

This means that the vehicle can be compromised while being handled by a valet, during a rideshare, or via USB malware. The CMU can then be compromised and “enhanced” to attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc. The worst part of it is that these security vulnerabilities remain unpatched.

> _“This research effort and its output highlighted the fact that high-impact vulnerabilities can be found even in a very mature automotive product that has been on the market for a number of years and with a long history of security fixes. To date, these vulnerabilities remain unpatched by the vendor.”_
> 
> ZDI analyst Dmitry Janushkevich 

****Conclusion****

The discovery of these vulnerabilities shows the importance of considering the whole system’s security and security-testing complete production systems in all their operational modes. The use of memory-safe languages or other security tools does not guarantee that deployed systems are secure. It is important to ensure system integrity at all runtime stages and for all components to guarantee downstream security properties of languages and their compilers.

1.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
2.  App Flaw Let Honda and Nissan Cars Hack by Knowing VIN
3.  Tesla cars can be remotely hacked using drone, WIFI dongle
4.  Hackers Remotely Control Kia Cars by Exploiting License Plates
5.  High severity Intel chip flaw left cars and IoT devices vulnerable

Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#apple