June 14, 2021

Apple Releases iOS 4.3.3 to Fix Locationgate Bugs

iOS 4.3.3 has been released to fix the so-called Locationgate tracking bugs that have caused Apple so much recent controversy. The update fixes the bugs that caused iPhones to store up to a year's worth of cell tower information, which was then synced with iTunes.

A few weeks ago Alasdair Allan and Pete Warden released a proof-of-concept application for Mac OS X that demonstrates how the iPhone is tracking its location.

Apple responded with a press release saying that the iPhone is not logging its location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words, a cache. They also promised a software update, which is what has been released today.

The update contains changes to how iOS manages this crowd-sourced location database cache. Specifically, the update:

  • Reduces the size of the cache
  • No longer backs up the cache to iTunes
  • Deletes the cache entirely when location services is turned off

Apple to Issue Software Update to Clear Cell Tower Cache

In the continuing controversy, now dubbed Locationgate, about iPhones storing up to a year's worth of cell tower information and syncing it with iTunes, Apple has issued a press release to try to clarify the situation. In summary, Apple is saying that the iPhone is not logging its location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words, a cache.

The press release also deals with why this cache contains entries for more than a year. Apple's answer: “the reason the iPhone stores so much data is a bug.” According to ZDNet, Scott Forstall (the senior vice president of iOS Software) has revealed that the problem is actually the size of the cache and not explicitly how long it holds entries for: “we picked a size, around 2MB, which is less than half a song. It turns out it was fairly large and could hold items for a long time.”

OK, but when a user turns off Location Services, why does the iPhone sometimes continue updating its Wi-Fi and cell tower data? Apple says, “It shouldn’t. This is a bug, which we plan to fix shortly.”

Apple’s argument is that it is legitimate to store cell tower information on the phone on a short-term basis, but that because of bugs in iOS too much data is being stored. Apple is promising an update to iOS in the near future which will:

  • reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
  • cease backing up this cache, and
  • delete this cache entirely when Location Services is turned off.

Apple is also promising that in the next major iOS software release (4.4? 5.0?) the cache will also be encrypted on the iPhone.
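The following added example (not Apple's code and not from the original post) models why a cache bounded only by size can hold a year of entries, and how purging on disable changes that. The class, its entry-count cap standing in for a byte size, the constructed workload, and the optional `max_age` limit are all assumptions; `max_age` goes beyond the fixes listed above.

```python
from collections import OrderedDict

DAY = 86_400  # seconds


class LocationCache:
    """Hypothetical model of a tower/hotspot cache (not Apple's implementation)."""

    def __init__(self, max_entries, max_age=None):
        self.max_entries = max_entries  # stand-in for a byte cap such as ~2MB
        self.max_age = max_age          # assumption: None = size-only eviction
        self.enabled = True             # models the Location Services switch
        self._entries = OrderedDict()   # tower_id -> (lat, lon, last_seen)

    def record(self, tower_id, lat, lon, now):
        if not self.enabled:            # no updates while the service is off
            return
        self._entries.pop(tower_id, None)
        self._entries[tower_id] = (lat, lon, now)
        while len(self._entries) > self.max_entries:  # size cap: drop oldest
            self._entries.popitem(last=False)
        if self.max_age is not None:                  # age cap: drop stale
            stale = [k for k, v in self._entries.items()
                     if now - v[2] > self.max_age]
            for k in stale:
                del self._entries[k]

    def set_enabled(self, enabled):
        self.enabled = enabled
        if not enabled:                 # delete the cache when switched off
            self._entries.clear()

    def oldest_age_days(self, now):
        if not self._entries:
            return 0
        return (now - min(v[2] for v in self._entries.values())) // DAY

    def __len__(self):
        return len(self._entries)


def simulate(cache, days=365, towers_per_day=3):
    """Constructed workload: a phone that sees 3 new towers a day for a year."""
    now = 0
    for day in range(days):
        now = day * DAY
        for i in range(towers_per_day):
            cache.record(f"tower-{day}-{i}", 0.0, 0.0, now)
    return now
```

With a generous size cap and no age limit, the simulated year of sightings never reaches the cap, so nothing is ever evicted.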

So is this the end of Locationgate? Please comment below.


Your iPhone is Watching You! New Proof-of-Concept App Shows How Your iPhone is Tracking Your Every Movement

Alasdair Allan and Pete Warden have released a new proof-of-concept application for Mac OS X that demonstrates that your iPhone is tracking your movements and recording the information. We have tested the application and it is 100% true, Apple are watching you!

Since the release of iOS 4.0 the iPhone has started storing cell-phone tower information and this information is copied to your Mac or PC when you sync your phone with iTunes. The application that Alasdair and Pete have released searches through your old sync data on your Mac and finds this cell-phone tower information and then displays it on a map, courtesy of OpenStreetMap.

How bad is this?

  • Other applications on your Mac can access this data.
  • Apple shouldn’t be collecting this information. Mobile phone operators collect tower information as part of their operations but it is private and it normally requires a court order to gain access to it. Your iPhone tower information is available to anyone who can get their hands on your phone or computer.
  • By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.
  • If you sell or exchange your iPhone the tower data might still be on the phone. My iPhone is second-hand and I have discovered that I now have a map of the movements of its previous owner going back to October 2010.

Was it right for Allan and Warden to release this app? They mention this on their site:

We did hesitate over the right thing to do in this case, but when it became clear that “Individuals familiar with iPhone forensic analysis will be quite familiar” with it, as Ryan Neal puts it and that at least one other person had tried to alert the public but apparently failed to make it clear what was going on, a demonstration application seemed the lesser evil.

Note: The application available from the iPhone Tracker site is for 64-bit Macs. If you have an early Intel Mac it is 32-bit only. I have built a 32-bit version here.

Are you worried about this? Please leave a comment below.

Weaknesses in GSM Network Exposed Again

Last week’s Black Hat DC hacking conference saw a presentation by David Pérez and José Picó of the Spanish internet security company Taddong where the two demonstrated a practical attack against mobile phones using GPRS and EDGE.

The attack works on two levels. First, a fake base station is set up (which costs under $10,000). The victim’s phone then connects to it, giving the attacker full control over the victim’s data communications. The second part of the attack is to jam the 3G signals in the area and force phones to switch to GPRS and EDGE (something that the majority of 3G phones do by default).

The rogue base station can be introduced because, although mobiles need to authenticate themselves when connecting, base stations do not. The mobile phone therefore has no way to verify the base station's authenticity.

The only viable workaround today is to ensure that your phone only uses 3G protocols and never falls back on 2G. However, this isn’t always practical: some phones, like the iPhone, don’t offer this as an option, and it can leave you without connectivity in 3G black spots.

Online Banking SMS Authentication Messages Open To Attack

RSA are publishing a report warning of increasing attempts by cyber criminals to intercept online banking SMS messages which are used to authenticate users for online services.

Authentication tokens (normally a randomized six-digit number or similar code) sent by SMS are becoming more and more popular. For example, the Commonwealth Bank of Australia claims that 80% of its online customers use its NetCode SMS service for authentication and has recently announced that the service will now be mandatory for “higher risk” transactions. The knock-on effect will be that hackers will increase their efforts to intercept these SMS messages to gain access to online accounts.

This warning comes at a time when it is now possible to eavesdrop on GSM phones with cheap off-the-shelf equipment. Of course, a two-step authentication process (username/password and then authentication token) is much better than just simple login authentication. However, a better and more secure approach is the use of a hand-held card reader which, in combination with your bank card and PIN, generates a unique, one-time code for use during login.

You can read more about this on ZDNet Australia.

GSM Phones Now Vulnerable To Eavesdropping with Cheap Off-the-shelf Equipment

The GSM phone network is based on technology which is over 20 years old. As a result it is now possible to eavesdrop phone calls using four $15 Motorola handsets, a medium-end computer and a 2TB hard drive.

Karsten Nohl and Sylvain Munaut gave a live demonstration of this new hack last week at the 27th annual Chaos Communication Congress in Berlin. The whole process takes about 20 seconds, enabling phone conversations and SMS messages to be recorded and decrypted.

This new GSM attack is based on research that was revealed at the 2009 Berlin conference where, with $4000 of equipment, phone calls could be intercepted and recorded. Prior to that, commercially available equipment capable of eavesdropping on other people’s phone calls would have cost more than $50,000.

The problem lies with the GSM encryption algorithm A5/1, which is now decades old and has known weaknesses. By using a 2TB rainbow table the encryption can be easily broken.

The hack uses ‘silent’ or ‘broken’ SMS messages that do not show up on the phone to gather information about the phone's location and other unique numbers needed to employ the hack.

H-online.com and Wired.com have more technical details here and here. Slides from the presentation are here.
