US Federal Agencies Are Spending Millions To Hack iPhones

ICE bought a hacking tool that would allow them to hack locked iPhones.

When people on the street tell you that the government is spying on you, they might be right. Law enforcement and other federal agencies have been purchasing several technologies that allow them to keep tabs on Americans, even against their will.

A recent $1.2 million purchase was made by the U.S. Immigration and Customs Enforcement (ICE) for a technology that would essentially hack into a locked iPhone. The acquisition underscores how law enforcement and other federal agencies are using technology in violation of Americans’ rights to privacy.

The contract has two components: the first, valued at $384,000, was made in September 2018, and the second, for $819,000, was made this month. Sources revealed that the hacking equipment will go to the agency’s Homeland Security Investigations unit. The unit focuses on investigating immigration crimes, drug trafficking, child exploitation, and money laundering, according to Thomas Brewster of Forbes.

Nonetheless, ICE declined to disclose how the equipment will be used or what purpose it will serve. According to the Washington Post, the contract comes amid heightened and pervasive concern about the warrantless searches of phones and laptops that ICE and Customs and Border Protection conduct at airports and other points of entry, following the stringent immigration crackdown by the Trump administration.

The American Civil Liberties Union, which sued the US government over the warrantless airport searches by the two federal agencies, said it found that “CBP and ICE are asserting near-unfettered authority to search and seize travelers’ devices at the border.” That includes searches “for purposes far afield from the enforcement of immigration and customs laws,” including “investigating and enforcing bankruptcy, environmental, and consumer protection laws.”

ICE’s contract is with a company known as Grayshift. The company is known for marketing tools to law enforcement, specifically tools that can hack into locked iPhones. It has been in a running contest with Apple: as the tech company adds protections meant to block Grayshift’s ability to get into the device, Grayshift always seems to find a new way in.

Since 2017, Grayshift has signed contracts with several federal agencies, including ICE, the Secret Service, the FBI, and the Drug Enforcement Administration. The total value of the deals the company has inked with the U.S. government reaches $2.6 million, according to a government spending database.

In 2015, the FBI waged a high-stakes lawsuit against Apple, the manufacturer of the iPhone, arguing that the phones’ security features make it hard for law enforcement and investigative agencies to bypass them. According to the FBI, the advanced encryption in iPhones is hurting its investigations and allowing criminals and terrorists to “go dark” online. The bureau has complained that tech companies have been very uncooperative in helping it bypass that encryption, and now it seems to be turning to other technology to get around it without the permission of the user or the phone manufacturer.

Despite the hot water federal agencies have found themselves in as the issue of hacking and encryption breaking has become more public, the FBI, among the other federal agencies in question, has yet to prove that its inability to bypass these encryption systems thwarts its investigations.

In fact, in the 2015 lawsuit the FBI filed to compel Apple to help it decrypt the iPhone used by San Bernardino shooter Syed Farook, the bureau ultimately withdrew its demand for lack of proof that the decryption was necessary. Sources suggest that an unnamed third party offered to help the agency hack into the iPhone for a hefty price.

The specific “help” the third party offered was to disable a safeguard that would have wiped the phone’s contents after too many wrong passcode guesses. Interestingly, this method is similar to what Grayshift offers. With that safeguard disabled, federal agencies can run a program that tries every possible passcode until it lands on the right one, without the risk of the contents being wiped.

Critics argue that the rush to litigate the demands against Apple was aimed not at hacking the specific iPhone used by the shooter in that case, but at setting a precedent that would make it easier to obtain a similar court order in the future.

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama. I also own a cybersecurity blog called Zero Day.


‘Critical’ VLC Zero-Day Warning Raised


Photo: VLC Website

Cybersecurity researchers have warned users of the popular multimedia player, VLC, of a “critical” vulnerability that could expose them to potential risks once exploited by threat actors.

The German cybersecurity firm CERT-Bund detailed in a security warning that its researchers had flagged a vulnerability in VLC which hackers and other malicious entities could use to compromise a device on which the media player is installed.

The CERT-Bund researchers said users could be tricked into running malicious code on computers with VLC installed, because the flaw enables remote code execution (RCE), unauthorized modification and disclosure of data and files, and overall disruption of service. This means a user could unknowingly run malicious code on their device, exposing them to multilayered risks.

The vulnerability, known as CVE-2019-13615, is found in the software’s latest version, VLC Media Player 3.0.7.1. The flaw has been rated 9.8 in NIST’s National Vulnerability Database, which places it at the ‘critical’ level.

While there is still no known exploitation in the wild, the researchers are warning users to avoid updating their software or downloading the new version of the media player.

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” reads the CERT-Bund disclosure.

Interestingly, while the vulnerability affects many environments, including the Windows, Linux, and UNIX versions, the macOS version of VLC appears to be unaffected.

VLC 3.0.7 “Vetinari” is the seventh release in the software’s Vetinari line and was released earlier last month. VLC Media Player is one of the most popular media players on the market, priding itself on more than 3 billion downloads. Its popularity comes from being free, open-source, and portable.

VLC Media Player, owned by the non-profit organization VideoLAN, runs in different environments, including Windows, macOS, and Linux, with versions for Android and iOS. It is also one of the few media players that can read a wide variety of audio and video formats, which makes it one of the most popular third-party media players on the market.

Given VLC Media Player’s number of active users and its total downloads, an exploit of the discovered vulnerability could cause a massive cyberattack outbreak.

Last month, VLC patched two major vulnerabilities with a similar implication. Those vulnerabilities allowed a remote attacker to create specially crafted avi or mkv files that, when loaded by the target user, trigger a heap buffer overflow on the targeted system.

The researchers said that successfully opening the malformed file on the target user’s device could, in the best case, cause VLC to crash, and in the worst case, give an attacker elevated privileges on the user’s device. They warned that an attacker could simply trick a target into opening a seemingly innocuous video in VLC to carry out the attack.
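The heap-overflow pattern the article describes, as an added C illustration that is not VLC’s or VideoLAN’s code: a constructed reader for an AVI-style chunk (4-byte tag, 4-byte little-endian payload size, payload) that trusts the size field from the file, beside the bounds-checked form a fix would introduce. The chunk layout, buffer size, function names and sample inputs are assumptions for this example.

```c
/* Added illustration, not VLC code: a minimal reader for a constructed
 * RIFF/AVI-style chunk. It contrasts a parser that trusts a file-supplied
 * length with one that validates it before copying. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_HDR    8u    /* 4-byte tag + 4-byte little-endian size */
#define MAX_PAYLOAD  64u   /* fixed heap buffer the payload is copied into */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the size field is trusted. A chunk declaring more
 * than MAX_PAYLOAD bytes, or more bytes than the file holds, makes memcpy
 * read and write past the heap allocation. Never feed it untrusted input. */
uint8_t *parse_chunk_vulnerable(const uint8_t *in, size_t in_len, uint32_t *out_len) {
    if (in_len < CHUNK_HDR) return NULL;
    uint32_t size = rd_le32(in + 4);
    uint8_t *buf = malloc(MAX_PAYLOAD);
    if (!buf) return NULL;
    memcpy(buf, in + CHUNK_HDR, size);   /* no bounds check: heap overflow */
    *out_len = size;
    return buf;
}

/* Hardened: the untrusted length is checked against both the destination
 * capacity and the bytes actually present before any copy happens. */
uint8_t *parse_chunk_hardened(const uint8_t *in, size_t in_len, uint32_t *out_len) {
    if (in_len < CHUNK_HDR) return NULL;          /* truncated header */
    uint32_t size = rd_le32(in + 4);
    if (size > MAX_PAYLOAD) return NULL;          /* would overflow buffer */
    if (size > in_len - CHUNK_HDR) return NULL;   /* claims more than present */
    uint8_t *buf = malloc(MAX_PAYLOAD);
    if (!buf) return NULL;
    memcpy(buf, in + CHUNK_HDR, size);
    *out_len = size;
    return buf;
}

/* Returns 1 if the hardened parser accepts the chunk, 0 if it rejects it. */
int hardened_accepts(const uint8_t *in, size_t in_len) {
    uint32_t n = 0;
    uint8_t *p = parse_chunk_hardened(in, in_len, &n);
    free(p);                 /* free(NULL) is a no-op */
    return p != NULL;
}

/* Constructed inputs: a well-formed 'strf' chunk with a 4-byte payload, and
 * a crafted header claiming 0x7fffffff payload bytes while carrying only 4. */
const uint8_t GOOD_CHUNK[]    = { 's','t','r','f', 4,0,0,0, 1,2,3,4 };
const uint8_t CRAFTED_CHUNK[] = { 's','t','r','f', 0xff,0xff,0xff,0x7f, 1,2,3,4 };
```

The crafted header is exactly the kind of input a fuzzer or a malformed media file presents; the hardened reader rejects it before touching the heap, while the vulnerable one would copy far past its 64-byte allocation.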

“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied,” they said in a security advisory. That vulnerability was patched when VideoLAN released version 3.0.7, but apparently a similar flaw also affects the new version.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the program’s history. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium, and ten low. The release included:

  • Improvements for HDR support on Windows, including for HLG streams
  • Improvements on the Blu-ray support, notably for menus
  • Fixes for some 10bit and 12bit rendering on Windows 10
  • Fixes for UPnP discovery on MacBooks with a TouchBar
  • Numerous security issues: One high-security issue, 21 medium, and 20 low-security issues were fixed, ranging from integer overflow to buffer overflows, with out-of-read violations and stack overflows.

VideoLAN told users that it has been working on a patch for the new flaw in version 3.0.7 for the past four weeks and is currently about 60 percent through it.


Chinese Fugitive Caught By Police Using Facial Recognition

It’s part of China’s project called “Sharp Eyes.”


Photo by Bill Oxford on Unsplash

With a string of reports detailing the ills of facial recognition systems dominating the conversation around the unregulated technology, a breath of fresh air came when a fugitive was caught by a facial recognition system in China earlier this week.

Chinese police officers arrested an unnamed fugitive at a Cantopop star’s concert in Zhanjiang city, at the southwestern end of Guangdong province. The arrest was largely attributed to the facial recognition system Chinese law enforcement uses at concerts and crowded gatherings to spot fugitives and wanted criminals. The system has been in use since late 2017.

The Zhanjiang public security bureau released video of the arrest on the bureau’s official TikTok account.

The suspect was reportedly a die-hard fan of the pop group. As he stood in line to enter the concert, his image was captured by a camera at the concert’s ticketing booth and eventually matched to a fugitive in the database. Police apprehended him in the middle of the show.

Chinese police are using facial recognition to arrest suspects in concerts

This is not the first time that a suspect has been apprehended while attending a concert in China. Between December 28 and 30 in 2018, more than 22 wanted men were identified at a concert by Hong Kong Cantopop star Jacky Cheung Hok-Yau in Suzhou, a city west of Shanghai.

In May 2018, a man was also arrested after a facial recognition system identified him while he was attending a crowded concert in China. The suspect, identified by the surname Yu, had been under investigation since 2015 for allegedly stealing more than $17,000 worth of potatoes.

“A few minutes after he passed through the security checkpoint, our system issued a warning that he was a wanted person,” said Shen Yueguang, an official from the Nanhu District Public Security Bureau, referring to the May 2018 arrest.

In the same month, another man wanted for “economic crimes” was arrested in Jiangxi province in southeast China after facial recognition cameras detected his presence at a Cheung concert attended by 60,000 people.

The arrests are emblematic of China’s growing eagerness to establish a nationwide surveillance system, with government plans to integrate an array of camera systems that monitor roads, shopping malls, transportation hubs, and buildings.

The project, known as “Sharp Eyes,” aims to target criminals, arrest fugitives, predict crime and monitor the habits of the country’s 1.4 billion people.

The United States is doing it too

China isn’t the only country with such a plan. The United States has long been working on establishing a similar surveillance network. The FBI’s Next Generation Identification system uses face recognition to match crime scene images against a national database of mug shots.

However, academics continue to stress the risks of using facial recognition to fight crime. They raise concerns about how inaccurate these systems are and the unregulated manner in which they are used.

A study by Clare Garvie of the Georgetown Law Center revealed that police departments are feeding celebrity images, artists’ sketches, and other unconventional photos into facial recognition systems to generate a match. These images, called “probe photos,” are matched against police mugshot and driver’s license databases.

“The stakes are too high in criminal investigations to rely on unreliable—or wrong—inputs. It is one thing for a company to build a face recognition system designed to help individuals find their celebrity doppelgänger or painting lookalike for entertainment purposes. It’s quite another to use these techniques to identify criminal suspects, who may be deprived of their liberty and ultimately prosecuted based on the match. Unfortunately, police departments’ reliance on questionable probe photos appears all too common,” Garvie wrote in her study.

“NYPD officers arrested after texting a witness a single face recognition “possible match” photograph with accompanying text: “Is this the guy…?” The witness’ affirmative response to viewing the single photo and accompanying text, with no live lineup or photo array ever conducted, was the only confirmation of the possible match before officers making an arrest,” she added.

Along with their apprehensions about how police and the government use facial recognition technology, critics continue to insist on regulating these systems. Garvie said that even if the FBI can improve the accuracy of the algorithms in the systems it uses, none of that will matter as long as regulation lags in ensuring they won’t be abused.


North Carolina Passes Bill To Stop Robocalls And Scammers

The law also applies to text solicitors.


Photo by Rock'n Roll Monkey on Unsplash

Robocalls have become the target of recent legislation and regulation at both the federal and state levels, after the House and the Senate each released their own versions of a robocall deterrence law that would impose sanctions on illegal callers. This time, tired of the slow progress of federal regulators, the state of North Carolina has drafted its own law targeting robocallers and scammers with fines and penalties.

On Monday, North Carolina passed a bill that would require callers to use their real name and number, or the information of the business they represent. Primarily, the law aims to stop the practice of “call spoofing,” in which companies hide their identities from consumers to trick them into answering robocalls.

In a unanimous 45-0 vote, the new law passed the Senate after passage by the House last month. It now awaits Gov. Roy Cooper’s decision on whether it will take effect, before the state can begin enforcing the penalties the law sets for violators.

Under the new bill, call spoofers and robocallers who do not disclose their real numbers and the businesses they represent face fines of up to $5,000. While call spoofing is already illegal at the federal level, the new bill gives North Carolina’s authorities the power to go after solicitors and robocallers themselves.

Additionally, the new law targets not only callers but also those who use text messaging as their platform for solicitation or harassment.

According to State House Speaker Tim Moore, who sponsored the bill in May, robocalls are a priority concern for his constituents, especially the elderly.

“When I went out campaigning this last year … I heard more about people getting scammed phone calls than any single thing else,” he said.

Rep. Chris Humphrey, a Lenoir County Republican, also said the new North Carolina bill would give the state and its authorities new tools to enforce a heavier crackdown on robocallers. “The penalties are civil at this point and will begin to make spammers reconsider when making these annoying calls,” he wrote in an email.

Humphrey said the new law would not eliminate all the spam calls plaguing North Carolina residents. Many of these calls originate from outside the country and are hard to trace, let alone prosecute. However, he is optimistic that the new bill could lighten the load of scam calls his constituents receive.

At present, consumers can choose to be included in a state’s Do Not Call registry to prevent telemarketers and robocallers from calling them. However, despite the law prohibiting companies from calling numbers on the DNC registry, North Carolina received 168,022 “Do Not Call Registry” complaints in 2018, according to figures from the Federal Trade Commission.

For the past year, both the FTC and the Federal Communications Commission have been engaged in a strengthened crackdown on call spoofers and robocallers. Despite their efforts, however, the nation’s robocalling problem persists. Figures show that consumers receive at least five million robocalls every month, and the problem has even affected basic services such as the healthcare industry.

As a response, both the House and the Senate have drafted laws to penalize robocallers and to empower regulating bodies such as the FTC and the FCC in enforcing regulations against violators.

In a bipartisan bill called the Stopping Bad Robocalls Act, the Senate aims to stop bad calling practices and impose penalties on violators. It will also empower the FCC and the FTC to impose more onerous regulations to halt the robocall problem.

Similarly, the House voted for passage of the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, which would put more onus on major telecom and cell service providers to address the problem and do a better job of authenticating calls.

As part of its efforts to stop robocalls, the Federal Communications Commission has also voted to allow service providers to block robocalls by default, a move many providers have already followed by releasing free robocall-blocking features in their services.
