Apple opens annual applications for free hackable iPhones
ALSO: Brazilian stalkerware database ripped by the short hairs, a fast fashion breach, and this week's critical vulns
Infosec in brief The latest round of Apple's Security Research Device (SRD) program is open, giving security researchers a chance to get their hands on an unlocked device – and Apple's blessing to attack it and test its security capabilities.
"iPhone is the world's most secure consumer mobile device, which can make it challenging for even skilled security researchers to get started," Apple oh-so-humbly states in its description of the program on the application page.
To make it easier for researchers to stress test Apple's iOS security features, chosen applicants will be handed "a specially-built hardware variant of iPhone 14 Pro that's designed exclusively for security research," Apple explained in a blog post.
Thse SRD devices, Apple said, include options to configure or disable iOS security settings that can't be changed on retail devices. In addition, researchers can install and boot custom kernel caches, run arbitrary code with any level of entitlement they want, set NVRAM variables and even install and boot custom firmware for new iOS 17 security features.
That said, Apple doesn't want researchers toting the vulnerable-by-design devices around with them, and states on the application page that the device "must remain on the premises of program participants at all times." Access to the device must be restricted to approved participants as well – so no showing it off.
Apple said it approves applicants "based on a track record in security research, including on platforms other than iPhone," and it'll accept applications from institutions too.
Any flaws found in iOS security software as part of the SRD program must be reported to Apple and are eligible for a bug bounty; Apple upped its max bounty to $500,000 last year, with bonuses available depending on the severity of the issue.
"Since we launched the program in 2019, SRD program researchers have discovered 130 high impact, security-critical vulnerabilities," Apple said, which have resulted in "over 100 reports from our SRDP researchers, with multiple awards reaching $500,000 and a median award of nearly $18,000."
Applications for the SRD program are due by October 31. Chosen participants will be notified in early 2024.
Critical vulnerabilities: VMware's bad week
We kick off this week's list of critical vulnerabilities with some serious (CVSS 9.8) issues discovered in VMware's Aria network monitoring tool. If exploited, they can give an attacker access to Aria Operations for Networks' command line interface. The root cause is an authentication bypass vulnerability "due to a lack of unique cryptographic key generation," VMware said.
VMware released a second security update this week. While not as serious – rating just a 7.5 on the 10-point CVSS scale – it's still an issue for those using VMware Tools, which contain an SAML token signature bypass vulnerability.
Juniper also merits a special mention this week, as a series of vulnerabilities affecting "all versions of Junos OS on SRX and EX series" firewalls and switches was reported that collectively earn a CVSS score of 9.8. By chaining the vulnerabilities together, an unauthenticated attacker "may be able to remotely execute code on the devices," Juniper said.
- Mozilla released security updates for several products to address vulnerabilities that would allow an attacker "to take control of an affected system."
- CVSS 8.8 – CVE-2023-4296: PTC's Codebeamer application lifecycle management platform is vulnerable to cross-site scripting attacks if users click on malicious links, allowing attackers to inject arbitrary code into web browsers on target devices.
As always, get patching, and thank your stars that it appears to be quiet going into a long weekend for US IT professionals.
Hackers purge Brazilian spyware firm's device database
No one likes "legitimate" spyware – a.k.a., stalkerware – including a group of hackers who reported this week that they'd broken into systems owned by stalkerware firm WebDetetive and wiped its system of victim devices.
The unknown cyber vigilantes explained they exploited vulnerabilities in WebDetetive's systems to siphon nearly 77,000 device records from its databases, though they allege they didn't steal the contents of victim devices.
WebDetetive bills itself as "the #1 Spy App in Brazil," and describes its software as a way to "see the truth" and "find out what the person is doing on their phone and they won't even know they are being monitored."
Unfortunately, it doesn't appear WebDetetive put the same thought into protecting its own systems. The hackers claim they severed connections between devices on the network at the server level – effectively killing the platform's functionality and preventing any additional data from being uploaded from victim devices.
Why did the unidentified hackers do it? "Because we could. Because #fuckstalkerware," they said in a note included with a 1.5GB data dump from the platform.
Fast fashion pwn: Forever 21 employee data stolen in breach
Despite learning of a security breach that compromised personal identifiable information on more than half a million employees in March, fast fashion chain Forever 21 is only just now notifying them about it.
According to a breach notification letter [PDF] set to go out to 539,207 employees, some juicy details were exposed: names, social security numbers, birthdates, bank account numbers, and health plan data were all stolen.
Forever 21 stated that the breach began in January, and that attackers accessed its systems "at various times" between then and March 21, when the retailer identified the incident and presumably plugged the leak.
It's not clear from the breach notification letter what happened, but we can speculate.
"We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident – and no reason to believe that it will be," the fashion flogger said.
That sounds suspiciously like the sort of response one would expect when a ransom was paid, which Forever 21 hasn't admitted was the case. ®