Search Results for “Ars Technica”

September 28, 2019
Dan Goodin / Ars Technica

Researcher Releases ‘Permanent Unpatchable Bootrom’ iOS Exploit Checkm8 That Could Cause Serious Problems for iPhone, iPad Hardware

An iOS security researcher who goes by axi0mX on Twitter and GitHub posted a new software tool called Checkm8 that he claims uses a “permanent unpatchable bootrom exploit” that could bypass boot security for millions of Apple devices, from the iPhone 4S to the iPhone X. The researcher did not release a full jailbreak, but rather an exploit that can be used to dump SecureROM [the boot ROM code], decrypt keybags [the escrow memory with the keys for all encrypted data on the device] with the AES engine, and demote the device to enable JTAG. It’s possible other researchers have found the exploit and are already using it, especially via tools used by intelligence and law enforcement agencies, such as Grayshift’s GrayKey.

Related: ZDNet Security, Cyberscoop, Security Affairs, iPhone Hacks, The Verge, The Hacker News, Redmond Pie, Malwarebytes Unpacked, The Mac Observer, Dark Reading: Vulnerabilities / Threats, Full Disclosure, US-CERT Current Activity, Reddit-hacking, Ars Technica, Threatpost, SecurityWeek

Tweets: @axi0mX @lilyhaynewman @andreabarisani @campuscodi @thomasreed @dangoodin001

ZDNet Security: New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips
Cyberscoop: ‘Unpatchable’ iOS exploit sends jailbreak enthusiasts into a frenzy
Security Affairs: Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
iPhone Hacks: Breaking News: Unpatchable Bootrom Exploit Could Lead to Permanent iPhone Jailbreak
The Verge: New ‘unpatchable’ iPhone exploit could allow permanent jailbreaking on hundreds of millions of devices
The Hacker News: Hacker Releases ‘Unpatchable’ Jailbreak For All iOS Devices, iPhone 4s to iPhone X
Redmond Pie: Checkm8 Bootrom Jailbreak Exploit Makes iPhone X To iPhone 4S Pwned For Life For Jailbreaks, Downgrades, Custom Firmwares, More
Malwarebytes Unpacked: New iOS exploit checkm8 allows permanent compromise of iPhones
The Mac Observer: Hacker Claims New ‘checkm8’ Exploit Can Lead to Permanent Jailbreak
Dark Reading: Vulnerabilities / Threats: Apple Patches Multiple Vulnerabilities Across Platforms
Full Disclosure: APPLE-SA-2019-9-26-7 Xcode 11.0
US-CERT Current Activity: Apple Releases Security Updates

@axi0mX: EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
@lilyhaynewman: today a researcher dropped a really rare type of exploit that can be used to jailbreak EIGHT generations of iPhones *and* the vuln is unfixable. so that's a thing now.
@andreabarisani: What was I saying recently about unpatchable bootrom exploits? We find them constantly in automotive grade SoCs. Consumer products have even larger attack surface... Future hacks will more and more target the code embedded in the silicon.
@campuscodi: NEW: New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips - works on iPhones 4S up to iPhone 8 and X - doesn't support A12 and A13 chipsets - code available on GitHub - uses "a permanent unpatchable Bootrom exploit"
@thomasreed: If you haven’t heard yet, an exploit was dropped on Twitter this morning capable of modifying the bootrom on nearly all iOS devices except the most recent. Learn about the possible implications here:
@dangoodin001: Good writeup for anyone trying to understand the security consequences of the Checkm8 exploit.

October 11, 2019
Dan Goodin / Ars Technica

Attackers Exploited Stealthy Zero-Day Flaw in iTunes and iCloud to Infect Windows Computers with BitPaymer Ransomware

Attackers exploited a zero-day vulnerability in Apple’s iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported. The bug, known as an unquoted service path, is in the Bonjour component on which both iTunes and iCloud for Windows rely. When it’s in a trusted program such as one digitally signed by a well-known developer like Apple, attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious. Morphisec discovered in August that the attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry and reported it to Apple. Apple patched the vulnerability in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14. The iTunes uninstaller doesn’t automatically remove Bonjour, so anyone who has ever installed and later uninstalled iTunes should inspect their PCs to ensure Bonjour is not present.

Related: ZDNet, SC Magazine, Ars Technica, Security Affairs, The Hacker News, Born’s Tech and Windows World, Dark Reading: Threat Intelligence, Morphisec, Threatpost

September 9, 2019
Kate Cox / Ars Technica

Equifax Settlement Administrator Says Breach Victims Seeking Cash Must Jump Through Additional Hoop and Provide More Information

The Equifax settlement administrator is forcing the millions of Americans who requested cash compensation from the settlement reached between the Federal Trade Commission and Equifax as a result of the credit rating agency’s massive data breach to now jump through another hoop by certifying before October 16 that they already have some form of credit monitoring services in place. Because the $31 million reserved for paying cash compensation was dwarfed by the sheer number of claimants, the FTC is hoping to winnow down the number of cash claimants through this additional step. Those who requested compensation can alternatively apply for free credit monitoring, a choice that the administrator indicates is likely the better option.

Related: Vox, The Register – Security, TIME, CNBC, CNBC, The Verge, Slashdot, The Verge

September 21, 2019
Sean Gallagher / Ars Technica

Controversial Cryptography Company Crown Sterling Touts Decryption Accomplishment, Experts Immediately Deride Company’s Claim

Controversial digital cryptography company Crown Sterling issued a press release claiming that it had decrypted two RSA 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer before a gathering of what the press release says is “approximately 100 academics and business professionals,” a claim met with great derision among experts who understand cryptography. Crown Sterling also released a video of the decryption demonstration. Crown Sterling has been promoting its “Time AI” cryptographic system which it says will fix the breakable-ness of RSA cryptography by using an entirely different method of generating keys, one that doesn’t rely on factoring large prime numbers. The company is suing cybersecurity conference Black Hat for alleged breach of contract over a sponsored presentation it gave at the event in August, which generated jeers from the presentation attendees.

Related: Schneier on Security, Yahoo Finance

Tweets: @thepacketrat @thepacketrat @lesleycarhart @TheSweetKat @gregotto @LargeCardinal @henrykploetz @erratarob @malwaretechblog @matthew_d_green @XorNinja @taviso

Schneier on Security: Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago
Yahoo Finance: Crown Sterling Decrypts RSA Asymmetric Public Keys in Live Demonstration

@thepacketrat: Sooooo. Anyone available to comment on this?
@thepacketrat: Video here.
@lesleycarhart: Wow, the hole just gets deeper and deeper...
@TheSweetKat: Breaking news: Crown Sterling cracks symmetric encryption method known as ROT-13
@gregotto: Crown Sterling (the company that is suing Black Hat) just sent out a press release saying it decrypted RSA keys Thursday in front of a room full of academics in California yesterday. If you were in that room, I would like to speak with you
@LargeCardinal: I think @matthew_d_green has done stuff on this, but these numbers don't seem that impressive... Doing some digging now.
@henrykploetz: Well, this is Sagemath on my Ultrabook (X1 Carbon 2017). I'm assuming the default implementation is single-threaded. So, "50 seconds" is exactly the expected performance on a 4-core laptop.
@erratarob: Cracking 256-bit RSA keys is simple and not a convincing demonstration. Whatever you demo in a controlled setting with a laptop is not believable, since you can cheat. This means nothing. Solving any real-world problem, such as the above key, is what would convince people.
@malwaretechblog: Who exactly are they trying to impress? You can factor 256 bit RSA on a smartphone in < 1h, and 512 bit is doable in a few mins with an EC2 cluster.
@matthew_d_green: These Crown Sterling people are going to launch a cryptocurrency, mark my words.
@XorNinja: Say what you want about Crown Sterling, but this is definitely a breakthrough in cryptography bullshit
@taviso: I googled some of the strings in the output, it looks like a modified version of cado-nfs, e.g. the tasks.threads message comes from here ?;a=blob;f=scripts/cadofactor/;hb=6b6df64249cf60eeace0f7611a266d972af74d56#l806

September 4, 2019
Dan Goodin / Ars Technica

Glut of Working iOS Exploit Chains Prompts Zerodium to Pay Higher Price for Android Zero-Days for the First Time Ever

For the first time ever, the security exploit broker Zerodium is paying more for zero-day attacks that target Android than it pays for comparable attacks targeting iOS, according to the company’s updated price list. Zerodium will now pay $2.5 million for each “full chain (Zero-Click) with persistence” Android zero-day, compared with $2 million for iOS zero-days that meet the same criteria. The previous price for an iOS exploit was $2 million but Zerodium made no mention of Android. According to Zerodium founder and CEO Chaouki Bekrar, a glut of working iOS exploit chains has coincided with the growing difficulty of finding comparable exploits for versions 8 and 9 of Android.

Related: ZDNet Security, Wired, Cyberscoop, Slashdot, Computer Business Review, Security Affairs, iTnews – Security, Forbes, SecurityWeek, GBHackers On Security, The Register – Security, Zerodium

Tweets: @campuscodi @zerodium

ZDNet Security: Android exploits are now worth more than iOS exploits for the first time Zerodium Makes Android Zero Days More Expensive Than iOS
Wired: Why ‘Zero Day’ Android Hacking Now Costs More Than iOS Attacks iPhone Hacks Are Flooding the Market, Says iOS Exploit Buyer
Cyberscoop: Zerodium offers $2.5 million for Android zero-days, in keeping with market rates
Slashdot: Android Exploits Are Now Worth More Than iOS Exploits for the First Time
Computer Business Review: Android Zero Days Now Worth More than iOS: Exploit Broker
Security Affairs: Android Zero-Day exploits are the most expensive in the new Zerodium price list
iTnews – Security: Android exploits now pay more than iOS ones
Forbes: Why Zerodium Will Pay $2.5 Million For Anyone Who Can Hack Android But Only $2 Million For iPhone
SecurityWeek: Zerodium Offers Up to $2.5 Million for Android Exploits
GBHackers On Security: Zerodium Now Paying You $2.5 Million For Android Zero-day Exploit and $1.5 Million for WhatsApp RCE Exploit
The Register – Security: Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there
Zerodium: Changelog / Sep 3rd, 2019

@campuscodi: Exploit broker Zerodium increases zero-day prices for Android exploits, which are now worth more than iOS for the first time - Android 0-click exploit with persistence = $2.5m - similar iOS exploit worth $2m - Zerodium: it's "in accordance with market trends"
@zerodium: Announcement: We've updated our prices for major Mobile exploits. For the first time, we will be paying more for Android than iOS. We've also increased WhatsApp & iMessage (0-click) but reduced the payout for iOS (1-click) in accordance with market trends:

August 23, 2019
Sean Gallagher / Ars Technica

Would-Be Digital Cryptography Firm Crown Sterling Sues Black Hat Conference Organizers, Ten ‘Doe’ Defendants Over Disruption at Sponsored Presentation

After almost getting booed off the stage at Black Hat, “emerging digital cryptography” firm Crown Sterling is suing conference company UBM, alleging that its Black Hat USA event had breached “its sponsorship agreement with Crown Sterling and the implied covenant of good faith and fair dealing arising therefrom.” The company also accuses the conference organizers of “other wrongful conduct” connected to events surrounding the presentation of a paper by Crown Sterling CEO and founder Robert E. Grant. In addition to legally targeting the conference, Crown Sterling has also filed suit against 10 “Doe” defendants, who it claims orchestrated disruption of the company’s sponsored talk at Black Hat. Before, during and after the conference, cryptographers were extremely skeptical of what Crown Sterling was pitching, with some referring to the talk as “snake oil crypto.”

Related: U.S. District Court (PDF), Business Wire, Cyberscoop

Tweets: @malwarejake @gossithedog @jwgoerlich @J0hnnyXm4s @oscaron @matir @halvarflake @betoonsecurity @snlyngaas @thepacketrat @JGamblin @fs0c131y @shotgunner

U.S. District Court Southern District of New York: Complaint (PDF)
Business Wire: Crown Sterling Files Complaint Against UBM — Owner and Organizer of Black Hat USA 2019 Cryptography Industry Conference
Cyberscoop: The company behind ‘Time A.I.’ is suing the company behind Black Hat

@malwarejake: Does Crown Sterling know there are photos and videos of the room? Because you can call this room a lot of things, but "filled to capacity with conference attendees" isn't one of them...
@gossithedog: Remember the TIME AI(tm) people, Crown Sterling, who bought a talk at Black Hat and then presented laughable rubbish buzzword nonsense? They’re suing Black Hat. If this was a smaller con it would finish them. Never give Crown Sterling a stage again, any and every event.
@jwgoerlich: Remember waaay back at Black Hat, when there was a crazy five dimension “crypto” talk, TIME AI, and @dguido called them out? Well. The TIME AI guys are back. And they brought lawyers. (via @thepacketrat)
@J0hnnyXm4s: This is the best they could come up with: Holding Black Hat responsible for the conduct of its attendees. GLHF
@oscaron: The only guy I saw complaining was THIS guy....who is connected to Crown Sterling
@matir: Crown Sterling is like a flat earther who read a math textbook while on LSD.
@halvarflake: The Crown Sterling thing is the Infosec variant of the Trump administration :-). Don't reply plz, this is a statement and not an invitation to discuss.
@betoonsecurity: Crown Sterling is a fraud. Not allegedly. I am actively accusing them of being frauds and charlatans.
@snlyngaas: The COO referred Jeff to the lawsuit, but also didn't fail to mention that Crown Sterling has an "exciting" new product set to take the cybersecurity industry by storm.
@thepacketrat: From the lawsuit: "Excitement over Crown Sterling's presence had been building..."
@JGamblin: If 5D encryption doesn't work for Crown Sterling I think they have the Laapr (Lawsuit as a Press Release) market cornered.
@fs0c131y: Seriously? These guys have no shame
@shotgunner: Never fails to amaze me how stupid companies are and those that control them. Crown Sterling is apparently going all out on the stupidity path lol.

August 28, 2019
Dan Goodin / Ars Technica

App With 100 Million Downloads on Google Play Store, CamScanner, Included Malicious Trojan Dropper That Executed Secret Payloads

An app, CamScanner, with 100 million downloads contained a malicious component that downloaded secret payloads onto infected Android devices, according to researchers at Kaspersky. Although a legitimate app that provided useful functions for scanning and managing documents for most of its life, CamScanner changed at some point to include an advertising library that contained a malicious module known as a “Trojan dropper,” which downloaded code from a designated server and then decrypted and executed it on an infected device. Kaspersky calls the module Trojan-Dropper.AndroidOS.Necro.n.

Related: Securelist, Kaspersky, TechSpot, NewsBytes App, GBHackers On Security, TechNadu, Memeburn, The Next Web, Infosecurity Magazine, The Register – Security, IT Wire, BGR, IBTimes India, Android Police, fossBytes, DNA India, : Top News, Tech.Co, NDTV, SlashGear » security, Android Trojan Infects Tens of Thousands of Devices in 4 Months

Securelist: An advertising dropper in Google Play
Kaspersky: Malicious Android app had more than 100 million downloads in Google Play
TechSpot: Malware discovered in Google Play app with over 100 million downloads
NewsBytes App: You need to uninstall the CamScanner app now: Here’s why
GBHackers On Security: Beware!! 100 Million Users Downloaded CamScanner PDF App Drops a Malware in Android Phone
TechNadu: Popular Android App ‘CamScanner’ Spreading Malware to Millions
Memeburn: CamScanner installs malware to your Android smartphone, security firm warns
The Next Web: Malware found in CamScanner’s document scanning Android app, which has over 100M downloads
Infosecurity Magazine: Trojanized CamScanner App Had 100 Million Google Play Downloads
The Register – Security: Android PDF app with just 100m downloads caught sneaking malware into mobes
IT Wire: CamScanner on Android contains malware
BGR: CamScanner removed from Google Play Store after it was found carrying malware
IBTimes India: CamScanner malware attack puts millions at risk: What should you do
Android Police: CamScanner booted from Play Store after discovery of malicious code
fossBytes: CamScanner Android App With 100M Downloads Found Loaded With Malware
DNA India: CamScanner removed from Google Play Store
: Top News: 100+ million users installed this PDF creator app with dangerous malware from Google Play
Tech.Co: One Google Play Malware App Saw Over 100 Million Downloads
NDTV: CamScanner App With Over 100 Million Downloads Removed From Google Play Store Over Advertising Malware
SlashGear » security: Popular CamScanner PDF OCR Android app discovered with malware inside Malware Discovered in Popular Android App CamScanner

September 25, 2019
Sean Gallagher / Ars Technica

Card-Skimming Malware Operators Magecart 5 Appear to Be Targeting Layer 7 Routers Associated With Wi-Fi Networks Used at Airports, Hotels, Resorts and Some Retail Environments

A known group of criminal Web malware operators called Magecart 5 appears to be targeting commercial layer 7 routers typically associated with Wi-Fi networks commonly used to provide free or paid Wi-Fi Internet access at airports, hotels, resorts, and even in some retail environments, researchers at IBM X-Force IRIS report. Magecart 5 is one of many groups associated initially with the Magecart card skimming malware. The IBM researchers also found that the group is corrupting an open-source mobile application library used to create touch “sliders” to allow users to swipe through galleries “to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of user data of those using the finished product.”

Sean Gallagher / Ars Technica

Threat Group Tortoiseshell Is Targeting U.S. Military Veterans and Companies With Malicious Employment Site, Installs Spyware to Collect Data About Target Systems

A threat group, Tortoiseshell, previously identified as being behind a set of attacks on IT providers in Saudi Arabia, has now been spotted targeting US military veterans and companies with a malicious webpage that purports to be an employment site, according to Cisco Talos. The bogus site offers a free desktop client which is, in reality, a spyware installer. Tortoiseshell is reported to be behind attacks on eleven companies in Saudi Arabia. All of the attacks used the same remote access tool, named Backdoor.Syskit by Symantec, coded in both Delphi (the Object Pascal programming language introduced by Borland) and Microsoft .NET. A similar backdoor, named “IvizTech” in this case, is part of a package dropped by the website discovered by Talos. When the installer connects, it downloads two files from a server hosted by a company in Atlanta: a reconnaissance tool and the backdoor. If it fails to install, the backdoor sends an email to a Gmail address from another Gmail address, the credentials for which are hard-coded in the installer. The reconnaissance tool, which has the filename “bird.exe” and is internally named Liderc, collects data about the infected system, including date, time, installed drivers, patch level, network configuration, domain controller, name of the administrator account, and a list of other accounts available.

Related: ZDNet Security, Techaeris, SecurityWeek, Cisco Talos

Tweets: @campuscodi @joetidy

September 6, 2019
Sean Gallagher / Ars Technica

Flagstaff Cancels Classes in Its School District Due to Ransomware Discovered During Routine Maintenance

All classes were canceled September 5 at Flagstaff Unified School District (FUSD) schools in Arizona after the discovery of a ransomware attack against the district’s servers during routine maintenance on Wednesday, September 4. The district says all FUSD-issued devices, including laptops, at all sites need to be updated and asked all FUSD employees to bring any Windows-based laptops to Sinagua Middle School by 9 a.m. Friday. Officials say they have to “break the connection” from the Internet to all school devices to mitigate the issue.