Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable.


A security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device with attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammell Hudson infects the Apple Extensible Firmware Interface (EFI) in a way he claims cannot be detected, nor removed by reinstalling OS X.

Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

Apple has already implemented an intended fix in the latest Mac mini and iMac with Retina display, which Hudson says will soon be available for other Macs, but appears at this stage to provide only partial protection…

Once installed, the firmware cannot be removed since it replaces Apple’s public RSA key, which means that further firmware updates will be denied unless signed by the attacker’s private key. The hacked firmware can also replicate by copying itself to option ROMs in other Thunderbolt devices connected to the compromised Mac during a restart. Those devices remain functional, making it impossible to know that they have been modified.

The good news is that the attack method requires physical access to your Mac, and Hudson is not aware of any Mac firmware bootkits in the wild. He notes that there is no way to be sure, however.

It was previously suggested that the NSA used similar attack methods, physically intercepting shipments to install bootkits before computers reach their buyers. Once out in the wild, the hacked firmware could be easily spread by something as seemingly innocuous as a Thunderbolt monitor in a hotel business center.

The slides from Hudson’s presentation are available on Flickr, and a video is now available. Hudson says that he has been in contact with Apple regarding EFI vulnerabilities, and that his slides provide sufficient ‘pseudo-code’ to allow others to verify the hack without making it too easy for others to exploit.

The presentation follows an earlier one in which the hacker who last year used lifted fingerprints to fool Touch ID suggested that it may be possible to repeat the attack using only a photograph of a finger.

Petcube: Watch and play with your pet when you’re away.

Petcube (US$199.00) is a webcam with a difference. It is aimed at pet owners who want to keep track of their pets, communicate with them, and even play with them when you are away. Who doesn’t wonder how their dog, cat or bird is doing when you are away? Petcube is designed to solve that problem.

Specifications: The camera is in a 4x4x4 aluminum housing. It has a 138 degree field of view and streams 720P video. The Petcube requires an iOS app which is free. Connection is through WiFi and Petcube plugs into AC with a 110/240 power adapter. The camera weighs 1.3 pounds, and has a standard mounting bracket for attachment to a tripod. It has a built-in 5 mW 3R class laser w/certification — more about that below.

Design: Aluminum case, smoked black front for camera and laser.

Functionality: Setting up the Petcam is easier than most WiFi cameras I’ve dealt with. Download the free app and follow instructions, which involves pressing a button on the back of the camera, finding the camera by name on your WiFi network, and letting the camera pair with your home network. From then on, the camera is available to you, and anyone else you designate. If you want to make your camera public (not a good idea in my view) you can share it with the world. Happily, you can limit the time the camera is online for people. You can also create a list of family and friends who can check out the view. To share, they must be signed up (free account) and have the iOS or Android app.

One of the unique features of this camera is a two-way speaker/microphone. You can listen to your pet and chat back. The other feature is the camera features a built-in laser pointer, something that cats in particular seem to enjoy. By tapping your finger on the iPhone screen, you can move the laser beam anywhere in the camera field of view. While the laser is an interesting feature and certified as safe, avoid pointing it into the eyes of your pets.


I liked the Petcube. It was easy to set up, worked reliably, and offered some features pet owners will surely like. I used it to keep an eye on my parrot, but he was really aggravated with the laser. One thing to remember: the camera doesn’t move or rotate, so your pet has to be where the camera is pointing. Given the features, and the very decor friendly design, I think the Petcube is worth serious consideration. It sold out of its first shipment, and more should be available direct or from online merchants like Amazon soon. One competitor is the Motorola PetScout66, for $99.99, but it requires a subscription setup. It has a two-way microphone/speaker, but no laser. It’s also in short supply. Pet cams must be a hot item this holiday season.

Apple iPhones allow extraction of deep personal data, researcher finds.

Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week.

The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the “trusted” computers to which the devices have been connected, according to the security expert who prompted Apple’s admission.

In a conference presentation this week, researcher Jonathan Zdziarski showed how the services take a surprising amount of data for what Apple now says are diagnostic services meant to help engineers.

Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections.

“There’s no way to ‘unpair’ except to wipe your phone,” he said in a video demonstration he posted Friday showing what he could extract from an unlocked phone through a trusted computer.

As word spread about Zdziarski’s initial presentation at the Hackers on Planet Earth conference, some cited it as evidence of Apple collaboration with the National Security Agency.

Apple denied creating any “back doors” for intelligence agencies.

“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data.”

But Apple also posted its first descriptions of the tools on its own website, and Zdziarski and others who spoke with the company said they expected it to make at least some changes to the programs in the future.

Zdziarski said he did not believe that the services were aimed at spies. But he said that they extracted much more information than was needed, with too little disclosure.

Security industry analyst Rich Mogull said Zdziarski’s work was overhyped but technically accurate.

“They are collecting more than they should be, and the only way to get it is to compromise security,” said Mogull, chief executive officer of Securosis.

Mogull also agreed with Zdziarski that since the tools exist, law enforcement will use them in cases where the desktop computers of targeted individuals can be confiscated, hacked or reached via their employers.

“They’ll take advantage of every legal tool that they have and maybe more,” Mogull said of government investigators.

Asked if Apple had used the tools to fulfill law enforcement requests, Apple did not immediately respond.

For all the attention to the previously unknown tools and other occasional bugs, Apple’s phones are widely considered more secure than those using Google Inc’s rival Android operating system, in part because Google does not have the power to send software fixes directly to those devices.

Camera Lock for OS X keeps prying eyes from spying on you.

There was a flurry of stories some months back about rogue programs or hackers activating webcams that were external or built-in on desktop and Mac laptops. The stories left a lot of people with a queasy feeling, and recent NSA revelations have also called into question the security of our computers and mobile devices.

Camera Lock (US$2.99, currently 40% off) is an interesting Mac utility that enables you to lock out your camera and refuse access by any app. If the camera was already in use, the video freezes and the green LED starts flashing.

The app operates from the Mac menu bar, and lets you lock or unlock access to the camera. If unlocked, the app alerts you that someone or some app is trying to access the camera. The Camera Lock app can be launched at login, and there is a log that shows recent activity.

I tried the app on my MacBook Air and it worked as advertised. When locked, the camera simply would not work with apps including FaceTime and Messages. When unlocked, the green LED flashed when I accessed the camera.

Unsurprisingly, Camera Lock worked in an identical manner on my Mac Pro, which uses a Logitech external USB webcam. The LED flashed when it was accessed, but when the lock was on no other app could get to the video. When cameras are locked and unlocked, you get an on-screen notification and a sound.

I’m not sure how much of a threat people spying on you from your webcam is, but certainly it has been done and Camera Lock seems to prevent it smoothly and effortlessly. Of course any system can be bypassed by knowledgeable hackers, so the best protection against camera intrusion is to have no camera at all or put a piece of tape over it.

Camera Lock requires OS X 10.9 or later and a 64-bit processor.

Weekend App: viaProtect will give you some strong hints about your iPhone’s security status.

viaProtect is a free app that will take a look at where your iPhone data is going, and where it is coming from. The app also says it can point you to apps that tend to leak data or are otherwise insecure. The app will look at what is being encrypted from your device, and finally, it will provide a risk profile for your iPhone.

You can register your device with viaForensics, the developer of the app, or use it without registration. If you register, you can have web access to some of your device statistics.

The main screen of the app is called the dashboard. After a minute or so of analysis you’ll get a risk score for your phone. I got a minimal at risk rating (thankfully) and I could see that my data was going to the continental U.S. The app also runs some background processes to give reports on SSL certificates, any processes that are running, a DNS resolver, and a report on network connections. The app uses GPS for some of its analysis, so it may impact battery life.

viaProtect won’t solve your security problems, but it will certainly give you a heads up about what is going on with your iPhone and let you take steps to stop any potential security or privacy problems. The company behind the app, viaForensics, has been providing mobile security apps and assessing risks for many large companies and providing best practices to keep company information secure.

viaProtect is not a universal app. It’s designed for the iPhone, although it will run on any iDevice that has iOS 6 or later. It is optimized for the iPhone 5.

How to set up a complex passcode on your iOS device.

Smartphones and tablets these days store an incredible amount of information, and with much of it sensitive and personal, many users like to keep their device somewhat private by limiting who has access.

With the introduction of Touch ID on the iPhone 5s, Apple sought to make iOS devices more secure by making security as simple as a fingerprint. But with Touch ID currently an iPhone 5s-only feature, where does that leave all other iOS users?

Thankfully, there’s a solution.

The default passcode setting in iOS 7 only allows for a 4-digit numeric string, otherwise known as a simple passcode. But when you’re really serious about device security — or just want to be extra sure no one finds out about your Taylor Swift app or questionable weekend photos — iOS 7 offers more complex passcode protection.

With a complex passcode, you can pick a passcode that includes letters, numbers, and special characters. What’s more, a complex passcode can be much longer than just four characters. In iOS 6, the string limit was 37 characters long. But in iOS 7 I was able to enter in over 90 characters without receiving a warning about having too long of a passcode. This makes the task of guessing another’s passcode exponentially more difficult.

Time to get started.

To set a passcode that can include numbers, letters, and special characters, go to Settings > General > Passcode Lock. If you’ve grown weary of Touch ID and would like to do this on an iPhone 5s, it’s listed under Settings > General > Touch ID & Passcode.

Next, simply toggle off the “Simple Passcode” setting. If you haven’t set up a passcode at all yet, you’ll first have to select the “Turn Passcode On” option located near the top of the settings pane.

Upon doing so, you will be prompted to enter a complex passcode with the ability to choose from an array of numbers, letters, and special characters. You’ll be prompted to enter the passcode twice, the first time you tap ‘Next’ to continue and the second time you tap ‘Done.’

While you can insert special characters like ñ or é in a complex passcode, you unfortunately cannot use emoji icons. Which is a damn shame because a passcode like this would be pretty cool.

[Image: emoji icons]

As is always the case, it’s important to make sure that your passcode is hard for others to guess but easy for you to remember.

After setting up a complex passcode, your new passcode lock screen will look like this, offering up a full text-and-number keyboard for your passcode entry.

[Image: iOS 7 complex passcode entry screen]

Is a Complex Passcode even necessary?

With a 4-digit numeric passcode, there are potentially 10^4 (10,000) different passcode options. That sure seems like a lot, but a study on common iOS passwords reveals that many people still rely on passcodes that aren’t terribly hard to guess. Some common passcodes to avoid include 1234, 0000, 2580, 1111, 5555 and 5683 (which spells out ‘love’). Also try and avoid passcodes that represent (easy to guess) birth years such as 1949, 1985, and 1999.

When using a complex passcode, however, the number of possible passcode combinations increases exponentially. With about 77 characters (numbers+letters+special characters) to choose from, and a passcode that can be as long as 50 characters (at least), that’s already 77^50 possible permutations right there, making it effectively impossible for anyone to ever guess your passcode without peering over your shoulder. Even opting for a slightly longer 6 character passcode increases the number of possible passcode combinations from 10,000 to 208.4 billion (77^6).
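The 77^6 figure is an upper bound that holds only if the passcode actually mixes digits, letters and special characters. The following check is an added example, not part of the original article: it computes the search space from the character classes a passcode really uses and flags the common choices listed above. The 10/52/15 split of the article's "about 77 characters" and the function names are assumptions.

```python
import math
import re
import string

# Passcodes the article names as common choices to avoid.
COMMON_PASSCODES = {"1234", "0000", "2580", "1111", "5555", "5683"}

# Assumption: the article's "about 77 characters" is split here as
# 10 digits + 52 ASCII letters + 15 specials; only the total is from the page.
CLASS_SIZES = {"digit": 10, "letter": 52, "special": 15}


def char_class(ch):
    if ch in string.digits:
        return "digit"
    if ch in string.ascii_letters:
        return "letter"
    return "special"  # punctuation and accented characters such as ñ or é


def audit_passcode(passcode):
    """Return the search space implied by the character classes actually used."""
    if not passcode:
        raise ValueError("empty passcode")
    classes = {char_class(ch) for ch in passcode}
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    keyspace = alphabet ** len(passcode)
    findings = []
    if passcode in COMMON_PASSCODES:
        findings.append("common passcode")
    if re.fullmatch(r"(19|20)\d\d", passcode):
        findings.append("looks like a birth year")
    if len(set(passcode)) == 1:
        findings.append("single repeated character")
    return {
        "alphabet": alphabet,
        "keyspace": keyspace,
        "bits": round(math.log2(keyspace), 1),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample passcodes, not taken from any real device.
    for sample in ["5683", "1985", "abcdef", "aB3$xY"]:
        print(sample, audit_passcode(sample))
```

A six-letter passcode such as "abcdef" yields 52^6 rather than 77^6, so the length advantage is real but smaller than the headline number unless all three classes are used.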

And with that, may your device always remain secure from prying eyes.

As a final note, this comic strip about password strength from XKCD is on topic and worth sharing.

Apple explains how the iPhone’s fingerprint sensor keeps your info secure.

If you’ve ever wanted to know how the iPhone 5s’ Touch ID fingerprint security works beyond a basic overview, you’ll be glad to hear Apple has just delivered a motherlode of new details. An updated version of its iOS Security white paper (PDF) explains much of what happens to your finger data after you touch the sensor. In short, your information may be more hack-resistant than it seems at first glance. Each A7 chip has a unique secure space that neither the A7 nor Apple can read, and every authentication session is encrypted end-to-end. The company is also offering a deeper explanation of what it does with your fingerprint image, noting that the print only lasts in memory until it’s turned into a decryption key. As we’ve known for a while, there are safeguards that wipe out that key after 48 hours of inactivity, a reboot or five failed login attempts. While the new insights will only have so much usefulness when developers can’t use Touch ID for their own apps, they suggest that there’s little to no chance of fingerprint theft or a large-scale data breach.