Checklist 109: The Weakness is Wetware

Social engineering strikes again, the intersection of the digital world and constitutional law, and more — that’s the gist of the tour we’re taking around the headlines in today’s discussion. On our list for this week, we’ve got:

• The Weakness is Wetware
• Your Face and the Fifth Amendment
• Questions About Last Week’s Wi-Fi Questions

We’re kicking off this week with a look at a story from Cult of Mac with a scary headline you might have seen recently about a vulnerability that “lets hackers steal business passwords” from Apple machines. That headline was true. However, since it is a headline, it’s simplifying matters a bit to make a splash. The real headline might read: “social engineering lets hackers steal business passwords,” but that doesn’t have as much punch. Nonetheless, this is a serious story. What are the details?

The Weakness is Wetware

Security researchers hailing from a company called Duo Security recently announced they had discovered potential problems with Apple’s DEP, or Device Enrollment Program. The DEP is a tool used in businesses and other enterprise applications to allow companies to register, monitor, and otherwise oversee the security of the devices in use under the company’s umbrella. This could be a company-issued iPhone, an employee Macbook, or other Mac and iOS devices that might be in use. According to Duo Security, the attack method they figured out would allow the bad guys to exploit a company’s DEP to gain the ability to steal everything from Wi-Fi passwords to account credentials for company applications.

The attacker would need to be able to register a device with the company’s systems for mobile device management (MDM) — basically, a server that administers the DEP. To do so would require the hacker to have a valid serial number that had not already been registered with the system. Otherwise, the system won’t accept the device; you can’t register the same number twice for obvious security reasons. So how would the bad guys get their hands on such a serial number?

Social engineering is the first and most likely avenue of attack: they could simply contact someone within the company and con them into divulging a valid serial number. With social engineers able to do things like fooling telecommute companies into helping them bypass a target’s two-factor authentication, tricking an employee into sharing a serial number seems well within the realm of possibility. It’s not the only way they could get in, though.

They might scour the Internet, looking in discussion forums revolving around providing support for these types of devices — employees often post serial numbers as part of the troubleshooting process. Using brute force to try and guess a valid number could also be another to get into the system. Given the complexity of serial numbers, however, this is not a likely option due to the length of time it might take to find even one valid number. Once the phony device has been enrolled, it has access to a wide range of information within the company’s network — just as intended, since this is how DEPs are supposed to work in the first place.

So what does Apple have to do with all this? Not much, in the end. This is not a software bug or a security flaw that one can patch, and there’s nothing specific to Apple’s Device Enrollment Program that makes it vulnerable. It’s simply a basic issue with any DEP: if someone unscrupulous gets into the network, they can do bad things. To get there in the first place requires someone else to let their guard down. If everyone in an organization follows best practices, however, and stays alert to the dangers posed by social engineering online and over the phone, most DEPs — Apple’s included — are as secure as their designers intended. Speaking of social engineering, we did a whole show on that back in Episode 45 of The Checklist — head there if you’d like to learn more about these silvertongued tactics.

What can businesses do to guard against social engineering? The most common cause of problems for an enterprise concerned with security is simply when an employee accidentally shares information with someone they shouldn’t. Losing devices, like company phones, also poses a serious risk, especially when you haven’t used strong passwords to secure everything. Be aware that social engineers can often glean enough information about a person to start trying to guess common passwords they might use — that’s why a random string is such a valuable password.

Always beware when someone calls and starts asking for information they wouldn’t normally have access to; this can be a real scenario sometimes, but other times it might be someone trying to engineer deeper access. They may even have some relevant information that makes their case sound more legitimate. Whenever someone is looking for access they shouldn’t have, though, be suspicious and always follow proper procedures. Sometimes, trying to do the right thing in helping a customer could actually be doing the wrong thing.

Your Face and the Fifth Amendment

Well, it’s finally happened — here is a story that we should definitely look at more closely. According to a report by CNET, an individual in the custody of federal law enforcement was forced to unlock his iPhone for investigators through the use of FaceID. This is the first such incident that we know about due to public reporting, though for those who’ve been listening to the show for a while, maybe it won’t come as such a surprise. We’ve wondered about the potential for something like this just about from the first moment that Apple announced FaceID would be a thing.

In the US, you can’t legally be compelled to divulge a password or a PIN to the police, whether for your phone, a computer, or any other device. However, several courts have ruled that you can be compelled to use your fingerprint to unlock a device through something such as Touch ID. Whether or not the courts would uphold the Face ID usage isn’t a known quantity, especially as this is the first known occurrence of this tactic. While it’s hard to imagine that police somewhere haven’t already done this before, we know about this incident now because it was the only time the FBI could access the device.

At some point, the device became locked again (or perhaps lost power), meaning the only way to unlock the phone now is through the use of its PIN. With no access to it and the suspect refusing to cooperate, the FBI had to make a request to a police department in Ohio (where the suspects were arrested) for assistance. Why? Well — CNET says that the Columbus, Ohio police department has been known to use iPhone cracking devices in the past. The FBI is likely looking for access time on the PD’s device so they can get back into the suspect’s phone for further evidence gathering.

The offenses in question are serious; the suspect was picked up by the FBI in a child pornography investigation, and the initial look at the suspect’s device revealed incriminating chat logs. That puts this story in a difficult category. We want the guilty parties to go to jail in incidents like this, along with others involving murderers, drug dealers, and terrorists, and when gathering evidence is made more difficult, it can seem like the only option is to agree to a backdoor in the software.

While that’s not necessarily the right conclusion to draw, it’s not what we’re focusing our discussion on today. Instead, we want to focus on how the average individual user can give themselves some peace of mind if you feel unsettled about the fact that you can legally be required to unlock your device with Face or Touch ID. You have options you can explore.

The easiest way to avoid concerns altogether? Turn off these features completely. Apple makes it easy to disable these features, though you will sacrifice a little bit of convenience for the added security. The process is simple:

• Visit the Settings app on your device
• Look for Face ID & Passcode (or Touch ID & Passcode if you have an older phone)
• Choose “Reset Face ID” — this completely removes the saved information from the device’s Secure Enclave processor, meaning the PIN is now the only way to access the device

What if you only want to turn off Face ID for a short while? You can do that, too. Hold the Volume Up button while also pressing the phone’s power button. When the prompt to shut down your phone appears, press cancel. FaceID will now remain disabled until the next time you unlock your phone with your PIN.

For most people, TouchID and FaceID are fantastic conveniences that are very secure in and of themselves. Weigh the risk versus the reward for yourself, but don’t forget about the ability to temporarily disable the feature; if you do find yourself in a dangerous situation where you want to ensure your phone can’t be accessed without your consent, use it. Otherwise, you should feel relatively comfortable leaving the services enabled if you prefer not to type in your PIN every time you pick up your device.

Questions About Last Week’s Wi-Fi Questions

Last week, we built our entire show around questions from a listener named John and his concerns about using wireless networks while traveling. This week, we turn to a question from listener Andy, who has some questions of his own after listening to our episode. Andy writes:

I listened to [the How to Hotel Wi-fi] episode…  Great info…I travel a lot and I’m constantly concerned about hotel Wi-Fi.  You all did a great job providing limits when on hotel Wi-Fi and you provided good risk assessment, i.e. what to do and what not to do on hotel Wi-Fi.  August was very specific about stating that he does not do banking on open Wi-Fi even if he is on an encrypted (https) website. However, August did not provide an opinion as to whether he would change his opinion on doing financial business IF he was on an encrypted website AND he was using a trusted VPN.

So does the addition of a VPN into the equation change the risk/reward calculus when it comes to working on your finances over an open Wi-Fi network? Yes — with a caveat. It is still best to avoid doing this type of work on an open network whenever possible, simply as a matter of best practices. When it can’t be avoided, however, using a trusted VPN is definitely the right way to go. Note that we say trusted VPN; you need to find a provider that you can trust, and which does not analyze your traffic, like Facebook’s “VPN” does.

Andy asked one more question that, at first glance, we might have assumed he would already know from listening to this show — but it’s silly of us to assume that everyone always knows what the terminology we use means, especially when it can all get so confusing! So Andy asks:

What is the difference between malware and a virus and is this important to me?

Viruses are a type of malware, but not all malware is made up of viruses. Other forms of malware include Trojan horses, ransomware, spyware, and a host of other categories that all make up malicious software as a whole. Viruses are specifically designed to infect your computer before looking to infect other computers on your network, and they can do all kinds of nasty things from wrecking your operating system to logging keystrokes. So, will something that fights malware take care of viruses, too? It depends on the security software you use — so take a closer look at your provider and the information they provide to get some insight into what you need to keep yourself protected.

With that, we’ll put a bow on this week’s episode. Want to check out some of the episodes we’ve done in the past you haven’t heard yet? Maybe it’s time to take a deep dive on social engineering with Episode 45. You can do it all right here with our archives, where you can listen to every episode or skim through the show notes to get the key points right away. Check back every week to see the addition of our latest discussion.