I was in the air travelling to the US at the time enduring more than 30 hours’ chock-to-chock travel time. I filed a brief ‘public interest’ article shortly after touchdown based solely on a syndicated release that I had received.
Trolls and Apple aficionados savagely bit back.
The criticism that I had not further researched the article before publication is justified – although you need to know that this article has taken over five hours of solid research and writing time that I did not have at that time.
Had I not been so jet lagged I may have vaguely recalled the SS7 vulnerability could affect most varieties of smartphone – I did not. I apologise unreservedly for that oversight, and I have corrected that in this article.
However, one commenter who uses the nom de plume Robert Shenken (note the initials are RS – curiously the same as mine), and who hides gutlessly behind anonymity instead of registering with Disqus as regular commenters do, accused me of anti-Apple bias. Shenken – whoever he is – has such a pro-Apple fan boy bias that I cannot begin to take him seriously. Readers simply have to look at this article on the declining tablet market and see this troll’s unwarranted vitriol against Microsoft and the unnecessary personal slander against me in many articles.
Shenken should unreservedly apologise to iTWire readers for the absolute crap he delights in subjecting them to. Regular iTWire readers want these unmoderated Forums to add further value to the story – not to contain incessant, unsubstantiated, blatantly biased, diatribe.
For the record, I rigorously abide by the journalist’s code of ethics trying to present fair and unbiased articles based on known information at the time. When I add a personal observation, I always place it at the end of the article under the heading comment or opinion so the reader can easily distinguish between reported news and my hopefully, added value.
Shenken, as you are so aggrieved by so much of what I report I invite, no formally request, you to log a complaint with the Media, Entertainment and Arts Alliance. Unlike you, they know who I am and where to find me and I would respect an unbiased umpire's opinion.
So back to 60 Minutes, the iPhone hack, and SS7 which aired on 17 April (US time). If you have not seen it, I strongly suggest you read the report and view the 13-minute segment before continuing with this article.
SS7, according to Wikipedia, is a set of signalling protocols that underpin most of the world’s landline and mobile networks.
In this context, the simplest description is that SS7 routes a call to a mobile number that can be on any network, anywhere in the world – it controls roaming, billing, caller ID, call history, call forwarding, geo-location, and more.
Since 2008 it has been reported that several vulnerabilities allow:
- Mobile phones to be secretly tracked.
- Eavesdropping by using it to forward calls (to another handset – cloning).
- Accessing recorded calls by using each caller’s carrier temporary encryption key.
The 60 Minutes iPhone hack involved willing participant US Congressman Ted Lieu. Afterwards he said, “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. ... The vulnerability has serious ramifications not only for individual privacy but also for American innovation, competitiveness, and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”
The vulnerability he was referring to is something called an S7 Probe which can be used by both criminals and law enforcement alike to intercept the delivery of calls and data. As stated in the original 60 Minutes article, ‘The theory is that the SS7 flaw is well known within the government, but it’s a hole that security agencies might not want plugged since it provides access to everyone’s phone.’
As a result of the 60 Minutes of hysteria the US Federal Communications Commission has initiated a review into the use of a mobile network technology with a vulnerability that allows hackers to access others' wireless data using nothing but a phone number.
FCC Public Safety Bureau Chief David Simpson said he had asked his staff to review SS7. "The 60 Minutes report highlights the inherent risk encountered when an end-of-life technology is incrementally replaced by a new one," Simpson said.
But 20,000 hackers at the recent white hat DefCon in Las Vegas say SS7 is just one of hundreds of hacks that apply to Android and iOS devices (there is no mention of Windows 10 Mobile or Blackberry 10 or its PRIV on Android – more on that later).
A noted white hat hacker, John Hering, says: “It is very easy to hack smartphones and get email, texts, contacts, passwords, banking details, record audio and video, etc.”
“There are only two types of people – those whose phone has been hacked and know it and those that have been hacked and don’t know,” he added.
Let’s now look a little further afield.
The majority of ‘hacks’ are via user-installed malware on a smartphone. Lesser used vectors are Bluetooth (Beaming and NFC/touch), poisoned chargers, abuse of enterprise certificates, and Wi-Fi spoofing (Man-in-the-middle attacks).
By market share Android has the largest attack surface. Frankly this OS was rushed to market in 2008 to counter Apple’s iPhone. To give you an indication of its immaturity and the known 245 CVE vulnerabilities it has had the following versions:
- Wearable extensions 4.4W, 4.4W1/4.4W.2
Android’s main flaw is that Google cannot issue over the air updates (OTA) except to its own Nexus devices, as each device manufacturer customises the User Experience (UX and apps) and each carrier makes radio (band) and other modifications like lock-ins and apps.
Over time, Google has regained some control of this essentially ‘free’ OS, and you will see more of these modifications as overlay apps. Hopefully, soon it will gain the ability to do OTA updates on a wider range of pure Android devices, and that will reduce the fragmentation issue as well.
Google has taken extreme measures to secure version 6.x and to its credit works closely with anti-virus/malware companies. The paid versions of products like AVG, Avast, Norton, Bitdefender, McAfee, and Kaspersky (to name a few popular ones) do an excellent job of defending against malware. Regrettably it is not mandatory to use AV software.
By virtue of the market share and the socio-economic group that owns iPhones, malware has begun to focus on iOS with a vengeance. It is a given that cybercriminals go where the money is – ergo iPhone users allegedly have more money so are more likely to pay to unlock ransomware. Or they may have more influential contacts, or bigger bank accounts, etc., worth stealing.
iOS (all versions) has 857 CVE vulnerabilities. CVE is a database of all vulnerabilities and it’s hard to isolate vulnerabilities by version – 45 have been discovered in 2016 so far and 384 in 2015.
To Apple’s credit, it appears to react quickly to update iOS. It started with version 9.0 in September 2015. Since then, to fix vulnerabilities and system bugs and to add improvements, we have seen nine updates: 9.0/9.0.1/9.0.2/9.1/9.2/9.2.1/9.3/9.3.1/9.3.2 – more than any previous iOS version.
Depending on your point of view this is great as Apple can issue OTA updates to make it more secure. Alternatively it could reflect poor quality control - let the users find the bugs - that was not evident in the Steve Jobs era. Pre-2011 (up to the iPhone 4S) there were 69 vulnerabilities – pretty damned good for a relatively new OS.
The reality is that it is not a nice world: cyber criminals are well funded and well organised, and Apple’s iOS and, to a lesser extent, OS X are now victims of their success. Apple steadfastly refuses – as is its right – to allow third party anti-virus/malware providers access to its kernel to provide additional layers of protection.
Personally I think it should be mandatory to allow legitimate AV companies access because, to date, I don't think Apple's efforts have been comprehensive enough and 'many hands make light work'.
BlackBerry 10.x has had 32 version updates from its release in March 2013 to date. The majority of these were functional enhancements as there have only been four CVE vulnerabilities discovered to date and no known hacks.
BlackBerry on Android (PRIV handset) is an unknown quantity at present. It is not revealing what it has done to the Android 5.x and soon 6.x kernel, but one must assume it has addressed all known CVE listed vulnerabilities. BlackBerry’s biggest reputational risk is that it must not succumb to an Android hack.
Windows 10 Mobile
Windows 10 Mobile is a completely new mobile OS released in November 2015. While it was claimed to be ready for ‘release to market’ Windows insiders (a Microsoft sponsored user engagement program) knew otherwise and have been extraordinarily busy requesting features and getting the OS ‘right’. Since release it has had ten ‘bug fix’ updates to take it to the real ‘market release’ of ‘Redstone 1’ on 19 February (when the Lumia 950 became readily available) and seven releases focusing on ‘user experiences and features’.
In that time, no security vulnerabilities have been discovered. Eugene Kaspersky has stated, "Windows [10 Mobile] is a much better operating system than the rest [iOS and Android] that [suffer] more and more -- millions of brutal attacks -- not safe." As W10M runs on an ARM processor (not x86) Windows virus/malware will not execute so it is not fair to compare it with any Windows history in that regard.
As a frequent user of Windows 10 Mobile (and Android) I have seen major added functionality and it is quickly maturing into an enterprise level OS.
Opinion – if you have an emotive comment direct it at this segment
60 Minutes presented this in as sensational a manner as possible. The iPhone was hacked under specific circumstances that may not apply to the real world – but nevertheless it was hacked, and I reported that.
I did not mention in the original article that Android and other operating systems were affected as I did not know at the time what I now know a scant five days later.
I found the scariest thing was a 60 Minutes question to Hering.
Sharyn Alfonsi: Is everything hackable?
John Hering: Yes.
Sharyn Alfonsi: Everything?
John Hering: Yes.
Sharyn Alfonsi: If somebody tells you, "You can't do it."
John Hering: I don't believe it.
All smartphones need to have a graphic warning label – just like cigarette packets – “WARNING: Any device can be hacked. Do not use this device for sensitive voice or data if you are seriously concerned about information security.”
In looking at privacy software solutions for iOS and Android, there is frequent mention of a program called Signal Private Messenger. It uses end-to-end encryption via its own VPN/VoIP servers in 10 countries and is endorsed by whistle-blower Edward Snowden.
iTWire has neither used nor reviewed it at this time. There is more at Wikipedia.
If readers would like to add value, please use the comments section below.