Android Phone “Face Unlock” Feature Fooled by Picture

Looks like the Face Unlock feature on the new Galaxy Nexus is more of a novelty item than a security feature. In the video above you can see the phone being unlocked by a picture from another cell phone.

According to PacketStorm Security this could be a security risk, “With your face literally all over the internet (think Facebook, Twitter, LinkedIn, etc.), this could be a potentially serious flaw in Android 4.0, codenamed Ice Cream Sandwich and unveiled last month in Hong Kong.”

Though facial recognition is cool, with smart phones already being touch sensitive, it would seem like finger print recognition (Like on the Motorola Atrix) would be a much better bet.

iPhone 4 and Blackberry fall at Day Two of Pwn2Own

The annual Pwn2Own contest is going on at the CanSecWest conference in Vancouver. Pwn2Own is an interesting contest where security experts are unleashed upon the software products that we use everyday. If the products can be hacked, the succesful exploiters win cash, hardware and bragging rights.

Day one was browser attack day and the Safari browser was the first to fall followed by Internet Explorer 8:

The first browser to fall in the three-day hacking contest was Safari, running on 64-bit version of Mac OS X. It was cracked by a team from Vupen Security in five seconds – all the team had to do was point the browser at a site containing their malicious code to take advantage of a vulnerability in WebKit.

That flaw was yesterday fixed by Apple, but the patch came too late to make it into the browser for the contest.

The second browser to fall was IE8 running on a 64-bit version of Windows 7. It was hacked by researcher Stephen Fewer using a trio of vulnerabilities.

Chaouki Bekrar, who successfully hacked Safari on a fully patched MacBook, explains the hack on e-week:

The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

“The victim visits a Web page, he gets owned. No other interaction is needed.”

Internet Explorer 8 was compromised by a combination of 3 attacks, 2 of which were zero-day exploits. Chrome and Firefox were also on the list for day one, but no challengers came forth.
Day two was all about smartphones. The iPhone 4 and RIM’s BlackBerry Torch both fell to the hackers. Windows Phone 7 and Android went unscathed as yet again no challengers showed up to attack them:
The iPhone 4 was taken out by Charlie Miller, setting a record by winning for a fourth year in a row. The flaw he and partner Dion Blazakis used has already been mitigated by Apple’s iOS 4.3 release.

Another team of researchers, Willem Pinckaers and Vincenzo Iozzo, managed to crack a BlackBerry Torch 9800. Each team takes home $15,000 and the handset.

The contest is not all about hacking. The exploits used in the contest are turned over to the sponsor, who in turn releases the information to the manufacturer so security adjustments can be made.

Chinese based Android Trojan Dubbed “Most Sophisticated” Found to Date

We all love our games, but buyer beware. An Android Trojan has been discovered in some Chinese games. “Geinimi” not only steals personal data from the phone, but even has some Botnet like command and control features:

Geinimi is also capable of receiving commands from remote servers controlled by hackers, this botnet-style functionality together with the use of code obfuscation techniques leads mobile security firm Lookout to describe the malware as the most sophisticated to appear on Android devices to date.

According to Lookout Mobile Security, when Geinimi is installed it:

  • Collects location coordinates & device identifiers from the phone
  • Collects a list of installed Apps
  • Connects to a remote server at 5 minute intervals to transfer information
  • Can download apps it chooses
  • Prompts user to remove apps it doesn’t want on the phone

According to reports, Chinese and even Russian trojans like Geinimi seem to be locale based. Downloading apps from recognized and approved sources is the safest way to avoid these types of viruses.

Malware seems to be a growing problem with smart phones. Phandroid reports that 9% of Android users have been affected by an SMS bug that sends out the message “My boss is an A$$!” to random people from your contact list.

If this is trend continues, looks like even our phones will need constant system and virus protection updates.

How to be a Victim of Cyberstalking on Twitter & Facebook

Today we have a tutorial on how to make it easier to become a victim of a cyber stalker on any of your favorite social media sites. To simplify things, I have included step by step directions, please follow along.

STEP 1: Take a picture using any smart phone – iPhone, Blackberry, Android, etc. This can be a picture of your dog, cat, wife, kids, computer, house, favorite pet, annoying neighbor, or a combination of any two.

STEP 2: Upload the picture to your social media site.

That’s it, thanks for joining us. Today’s broadcast was brought to you by… What? You want to know more? How does just taking a picture and uploading it to a social media site give away any personal data?

Okay, I will tell you, here is the problem. Most new “smart phones” come with geo tracking enabled by default. So, when you take a picture, your location, in longitude and latitude is automatically added to the metadata of the picture. Metadata is just additional information that is tagged onto the picture and can be viewed. Kind of like the picture “properties”.

When the picture is uploaded, the metadata goes right along with it. So basically, every picture taken with a smart phone gives away the location where it was shot and it can be viewed by anyone on the web.

Now, what if someone were to make a program to sweep the social media sites just looking for pictures that contain geo location data? Then, what if, hypothetically speaking, they take your name, the picture and your profile picture and post it? Now, since we started down this bunny trail, what if they also were nice enough to also include a Google Map showing exactly where the picture was taken?

No one would be that sinister you say? Oh contraire, let me introduce you to I Can Stalk You. The website was created by security specialists to raise the awareness of inadvertant information sharing. Though I am not 100% sure that they are truly revealing the actual location data, it is still kind of creepy.

How can you stop giving away your location with each photograph? The “I Can Stalk You” site contains instructions on how to turn off the Geo Tagging on the most popular phones.

It is amazing how much personal information we give away online, and sometimes we don’t even know it.