Secrecy, privacy, security, intrusion

“Has been exploited”.

Debugging registers or

Note: (old news 23 June 2023) ARNnet.

No need to speculate further or raise alarm unnecessarily, except to alert those who may not have updated their Apple devices in the prior 6 months.

Hopefully answers:

The hack, and it is quite a sophisticated and technically difficult one, appears to have been done with insider knowledge. The process had to follow non disclosed memory locations in a very specific order (including jump backs) and calls that would not be obvious unless the users had been primed already to those steps, it could have come about accidentally but as it is so technical it would seem to be very unlikely a chance happenstance What it did was take control of the device and keep control, totally without the owner having any alert that the phone was a zombie. The only way to avoid it was to make the phone a dumb phone with no telemetry at all to the net. MacOS has the same holes.

Is it possible to issue a patch, yes it is. Apple have already patched the first memory locations necessary for the hack to work into a table with a DENY entry. Without those locations the pathway does not exist. The problem is that Apple can issue a new patch that removes those entries and re-enables the pathway. These locations are built into the hardware, the CPU, it requires a re-build of the CPU to totally remove the vulnerability.

What is being asked by the discoverers is this an innocent mistake or was it intentionally built in and supplied to NSA or similar as a very obscure backdoor. Now discovery has made it obvious and something that will be now looked for, no longer obscure so no longer of use (until it is forgotten)… that may be the angle some are looking at as the reasoning for the patch and the holes.

2 Likes

To note:

In a blog post, Kaspersky explained that “the attack started with an invisible iMessage, which contained a malicious attachment that was processed without the user’s knowledge” and “did not require any actions from the user”.

Does turning off iMessage also offer a strategy to block the exploit infiltrating a device?

According to ARN linked in my previous post,

The campaign used two zero-click iMessage exploits and compromises without any user interactions based on a pair of bugs respectively in the kernel and Webkit.

The same article includes details of the Apple OS updates patched to block that step in that step in the exploit chain.

1 Like

Turning off iMessage only stops the unseen steps that introduce the hack, it seems that there may have been a number of possible initial attack vectors with some not being so “invisible”. Even the Safari hack was invisible to the user of the device, that could have been achieved by a malicious coding in a drive by of a coded page. The iMessage just ensured that the device that they wanted to target was captured and not millions of others that they would need to sift through.

3 Likes

In December a news article advised that Tik-Tok is being investigated by the Information Commissioner over mass breaches of privacy and siphoning and scraping of personal details of users and non users of the product.

It is disclosed that the use of tracking pixels is the method being used. A link to a discussion about tracking pixels for those who may be interested can be found at https://en.ryte.com/wiki/Tracking_Pixel

It will be interesting to see what action, if any, evolves out of the investigation.

3 Likes

Don’t just assume you’re not being tracked if you use a Chrome ‘private’ (aka ‘incognito’) window …

The private window prevents other users of the same machine from seeing your details, but (of itself) it doesn’t block tracking. Chrome is now supposed to tell you about this when you open a private window.

On the topic of tracking, your device’s microphone can hear ultrasound (and you can’t). Be careful which apps you allow to have microphone access:

4 Likes

A link to a post in the topic about data breaches which references a malware setup that could infect visitors to sites and would be hard to detect and remove. The initial para in the post is a bit biblical as it was a reply to a prior post :smile:, so you will need to follow the link to see the detail about the article on the malware. The link after that is to the company that has more detail on how the malware is used.

1 Like

Two articles that raise security concerns over Privacy policies and on-going data collection that look closely at car data collection Many privacy policies seem not to be really about protecting our privacy, but instead are about giving permission for businesses and Governments to have largely unfettered collection rights.

The first The New Daily item was from October 2023

The second The New Daily article refers to CHOICE and their call about the data collection and again it looks at Toyota as example of this collection and sharing of personal data.

Thank you CHOICE for further raising this issue.

For members of the Community and visitors do you own a Toyota?

Were you aware of the extent of the collection and sharing by Toyota?

If you own another manufacturer’s brand of vehicle do you have any idea of their privacy policy?

Do you know what the manufacturer collects and shares about you?

Feel free to leave your comments in response! (remember to remain civil)

3 Likes

We own two Mitsubishi Magnas - we liked the first so much we bought a second. These cars are old enough to lack modern tracking technology - but will eventually need to be replaced.

We are aware of car manufacturers’ desire for data about their customers, to use and sell as they see fit, and this will affect our decision-making when considering our next vehicle. Tesla is off the list, and Nissan and Toyota are looking like rather poor choices at the moment.

1 Like

Another factor to consider: As of a few years ago, all new cars sold in the EU must feature eCall (automated emergency calling). This implies, for all intents and purposes, that all such cars

  • have GPS (GNSS), and
  • have mobile network connectivity.

If this catches on in Australia, that would make your car as bad as your mobile phone, just another instrument of ubersurveillance.

Oh, I read that as: we liked the first so much we bought the company. :rofl:

1 Like

If I could afford Mitsubishi, I think I could do something about world peace and food insecurity.

2 Likes

More expensive a buy than just the one name. Nissan is a major shareholder. :wink:

Staying with the automotive and privacy theme. Noted Repco, Burson and other automotive parts suppliers have ready access to a reverse data base. Input a vehicle rego number and they know the exact model, year etc.

What other details might be linked?
Businesses often share various levels of information with aggregators in their chain or external data resource/analytics providers.

Customer loyalty schemes stand out. For those not a member how often are customers asked for more details to record against a sale for …. supposed customer benefit than legally necessary?

How aware is the average consumer of what they must provide verses what they do not?

If registering a warranty on line with a retailer or supplier there is hopefully an opportunity to first review the T&C’s plus privacy policy. Not so convenient if doing so across the sales counter in store. Assuming the store staff note to the customer they may like to see the same before doing so.