Marc Rogers

September 23, 2014

Why I hacked TouchID (again) and still think it’s awesome

Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again.

September 3, 2014

Uncovering how the recent celebrity image breach happened

This weekend close to 700 highly personal photos of more than 25 celebrities were leaked publicly.  We looked into the origins of this dump and the files inside it to shed some light into how they got there, particularly to understand how best to protect users against this sort of crime in the future.

March 26, 2014

Bitcoin malware: Beware the digital pickpockets

bitcoin

Bitcoin is a global phenomenon that’s driving a 21st century gold rush.

As it stands, Bitcoin is an easy target. It is little regulated and is a desirable target at $600-$700 a coin. Since 2011 there have been more than 30 heists resulting in high-value thefts of thousands of coins — amounts that could surpass $1 billion at today’s prices.

March 26, 2014

CoinKrypt: How criminals use your phone to mine digital currency

Digital Currencies

In order to add to their stockpiles, criminals are getting really inefficient: turning phones into digital currency-mining bots.

We recently saw several versions of this malware family we call CoinKrypt, which is designed to hijack your phone in order to use it to mine digital currency for somebody else. So far we have only found CoinKrypt in Spanish forums dedicated to the distribution of pirated software.

March 6, 2014

Dendroid malware can take over your camera, record audio, and sneak into Google Play

dendroid-malware

Remote access trojans that let criminals spy on you are a nasty issue, but when you find one in the Google Play store, it sounds off some alarms.

This week, researchers found Dendroid, a custom “Remote Access Toolkit” (RAT) for Android targeting customers from Western countries, and yes, it breached Google Play. A RAT is a type of malware that is used to remotely control the devices it is installed on. The toolkit is being sold for $300 to anyone who wants to automate the malware distribution process. The creator promises that the malware can take pictures using the phone’s camera, record audio and video, download existing pictures, record calls, send texts, and more.

All Lookout users are protected from this threat.

February 7, 2014

Better Safe Than Sorry: Tips to Protect Your Mobile Device at Sochi

It has taken 7 years and an unprecedented $51 billion dollars to prepare Sochi, Russia’s traditional summertime seaside resort for the 2014 Winter Olympics. Russia is deploying the biggest security force in the games’ history and the U.S. and other countries are also sending security teams of their own. Despite these precautions, Russia’s cybercriminals are already preparing for the Sochi Olympics.

Cybercriminals have a history of exploiting global high profile events. The Beijing Olympics is a great example where cybercriminals created fake websites that mimicked the legitimate event. Russian cybercriminals, in particular, are known to be highly experienced at this, and consequently US CERT is already issuing warnings about what to expect.

NBC’s news investigation into Russian malware at Sochi claimed that Sochi visitors would be targeted and their devices would likely be compromised within a matter of hours. Our perspective is slightly different. While it’s true Russia is a high risk environment, this doesn’t mean that you will be hacked the moment you step off the plane. In fact by just following a few common sense recommendations we believe that everything will be OK.

EOY_Lookout_Report

January 17, 2014

CES 2014 Through the Eyes of a Hacker

Connected things were in full force at CES 2014 and there was plenty of evidence that the Internet of Things (IoT) is upon us. Devices like Toshiba’s smart mirror and a slew of new intelligent robots spanned the showroom floor. Connected things were literally everywhere – and so were their sensors.

Untitled drawing (3)

Among the many connected things, was a section dedicated to medical devices, and unsurprisingly more than half of these were connected. I found no less than a dozen connected devices designed to manage diabetes, a handful of devices that track your medical history and literally hundreds that monitor your vital signs. We should anticipate that this data is going to be collected and that some of its uses may surprise us.

During CES 2014, Jim Farley, Ford’s Executive VP of Global Marketing Sales said, “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way we don’t supply that data to anyone.”

Jim Farley’s statement came as a shock to many consumers who are unaware of the data being collected and stored. Clearly informing users about data collection and how that data will be managed is going to become one of the great challenges facing the IoT.

In order to understand this gap between traditional safety features and digital safety, I spent some time asking a sample of key vendors a handful of basic questions about the security baked into their products, including the types of data being collected and what steps were being taken to protect that data.

I scored these companies based on the quality of their responses: Does the answer make sense? Does the answer reveal that they’ve given some thought to solving the problem? Below are the questions I asked and the results I collected.

  1. Can you describe the safety features in your product?
  2. Can you tell me how your product is secured against hackers?
  3. What data do you collect & where do you store it?
  4. How do you protect this data from hackers?

Screen Shot 2014-01-17 at 4.00.19 PM

December 23, 2013

Update: Beware Geeks Bearing Gifts – How the Latest iPhone Jailbreak is Actually a Trojan

A new iOS 7 Jailbreak was released this week by the team known as Evad3rs and it’s considerably one of the most talked about releases. Considering that the last jailbreak took nearly 6 months* to develop, something that immensely frustrated many wannabe jailbreakers, it’s not surprising that this pre-Christmas gift caught everyone’s attention.

However, this latest release from the Evad3rs jailbreaking team is a significant departure from their usual jailbreaks. Unlike any of its predecessors, Evasi0n for iOS 7 includes hidden code from a third-party Chinese vendor. Furthermore, that code has been heavily obfuscated in order to resist analysis and tampering.

Read on for our initial analysis of this jailbreak and why we consider it to be be a risky proposition.

evaders

December 19, 2013

Security Alert: Shoot the Bulk Messenger

Executive Summary

With texting the national pastime, text messages are cheap and unlimited plans abound. But what can you do with all of the unused text messages left over from your plan? We’ve uncovered a rascally bulk SMS network, Bazuc, that lures in Android users by promising a ‘free money’ payout if a user allows the network to access their unused SMS messages. The app Bazuc was available in the Google Play Store and downloaded between 10,000 to 50,000 times, but this is likely the tip of the iceberg. The author claims to register 100 downloads of the app per hour, indicating that there may be plenty more third-party store downloads.

Free money is never free though, is it? Once you’ve downloaded the app, Bazuc can be used to send virtually untraceable SMS messages in bulk, which look like they came from your phone. In fact, they did come from your phone. The authors of Bazuc are charging companies to have users send out these cheap SMS messages on their behalf, helping the companies bypass spam detection and automated anti-fraud systems. This operation is putting personally identifiable information at risk, exposing targeted users to phone calls and SMSs from unknown people, and swindling operators out of money.

With so much at risk, Lookout investigated the SMS network and found a coterie of players wittingly and unwittingly involved in the ploy. These include bulk messaging providers, phishers, foreign spammers, American and African banks and smartphone owners. Read more as we dissect Bazuc, its authors, operations, the monetization strategy and the end game. We are rolling out protection to Lookout users as we speak.

What is Bazuc?

Bazuc is a pair of applications: “Bazuc Earn Money” and “Bazuc Free International SMS.” On the face of it, the “Bazuc Earn Money” app offers people an interesting proposition: the chance to sell the surplus of SMS messages that remain in their monthly quota after they have used their normal monthly amount. The “Bazuc Free International SMS” app uses the SMS allowance purchased by “Bazuc Earn Money” to enable users to send free SMS messages internationally.

At least that’s what the Bazuc Earn Money website suggests.

bazuc0

“Bazuc earn money” offers users $0.001 per message, and while the math won’t make you rich, many people will see this as “free money.”  Bazuc’s FAQ section suggests that you could earn $30. (But that means a person would need to send 30,000 messages from their phone a month.)

“We will pay you $0.001 per SMS that is sent through your phone, so you can earn up to $30 monthly for doing absolutely nothing but installing “Bazuc Earn Money on your Android phone.”

Free messages in bundle: 5,000

Normal monthly SMS usage: 2,000

“Surplus” messages to sell: 3,000

Likely potential monthly earnings 3,000 x $0.001 = $3.00

bazuc1

September 23, 2013

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.

By now, the news is out —TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch.

The fact that fingerprints can be lifted is not really up for debate— CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution.

Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.