Free Interview, Copied Fingerprints, and Super Cookies! – Mobile Security Weekly

Lacoon Mobile Security.” width=”115″ height=”75″ /> Ohad Bobrov is co-founder and CTO at Lacoon Mobile Security.

Despite many of us taking time off for the holidays and the new year, the world of mobile security didn’t take a vacation. In our first weekly summary of 2015 we see another spillover from the Sony hack, of one of the biggest cyber security news events of 2014, as well as a story that raises urgent issues regarding the future of using biometric scanners. Finally, we get a reminder that iOS’s “secure-ness” isn’t always a good thing.

Release of Controversial Movie “The Interview” Inspires Malware Campaign

The fallout from the Sony cyber-attack seems to be never ending. But as we enter 2015, Sony is no longer the only victim. Threat actors in South Korea have taken advantage of Sony’s decision to release the movie online and have been distributing fake copies and fake apps promising access to the film.

One of the illegal torrents that is being distributed in South Korea poses as an Android app that enables the user to download the movie. In reality the app is a banking trojan (specifically  Android/Badaccents) designed to target customers of a number of Korean banks, as well as CitiBank, and appears to have infected around 20,000 devices.

Why is this Significant?

Beyond the general message (i.e It’s only the 1st of January and we already have our first mobile malware campaign!), this is an example of just how savvy and aware attackers have become. The much hyped release of “The Interview” was the perfect opportunity to infect innocent users and as we see, it was gladly taken. The fact that this all starts with piracy is just another reminder of the importance of using only official sources and marketplaces.

Researchers Demonstrate how to Reproduce Fingerprints Using Public Photos

At a recent conference in Germany, members of the The Chaos Computer Club (CCC) claim they can reproduce fingerprints to overcome biometric security measures from simple photos of a user’s fingers.

Last year, the same group showed just how easy it was to overcome Apple’s TouchID with a photo of the original user’s fingerprint. Their latest endeavour requires even less – no more need for a the hacker to physically obtain a photo of the fingerprint, merely the finger. By using commercial fingerprint software to map out the contours of a thumbprint before printing it out on a flexible material with a laser printer and tricking an iOS device.

Why is this Significant?

The implications of this story are huge. The researchers say that a similar process could be performed to trick more advanced biometrics like iris scanners, essentially placing a huge question mark over the future of using biometrics for security. This hack also highlights one of the biggest issues with biometrics — false negatives or a legitimate person being denied access because their own biometric measurement failed. Since biometric systems by definition have to tune out false negatives (i.e lowering sensitivity), this opens the door to attacks. Whether the recreated fingerprint is an exact copy or not is irrelevant, the fact is that it works.

Apple iOS Users vulnerable to “Super Cookies”

A newly discovered security flaw can potentially enable threat actors to secretly track users of almost every modern web browser, regardless of whether they implement some form of “private” browsing.

Essentially, a vulnerability in a web security feature called HTTP Strict Transport Security (HSTS) enables websites to plant “super cookies” that can be used to track browsing habits even when private browsing is enabled. Although this affects all users, Apple users are particularly vulnerable as their devices do not have a function that lets users delete super cookies from their browsers.

Why is this Significant?

Android sometimes gets criticized for being much more open and modify-able than iOS. In this case, that’s exactly what enables users to protect themselves. The fact that Apple doesn’t allow iOS users to completely control their browser puts them at risk. Though perhaps not the most serious of threats, the lack of control in iOS can be a negative as well as a positive and it’s important to remember this.