The Truth: iOS Jailbreak, Legally Binding Email Signatures, BitLocker Switching to Software Encryption

Monday, 30 September 2019

Welcome to a new week and some fresh tech news. Today, we have a lot of security-related news items on the docket. From SIM card vulnerabilities and an iOS jailbreak to BitLocker not trusting SSD vendor crypto. In other news, you might want to be careful about using email signatures in the UK now.

After the Simjacker vulnerability there has now been another disclosure of security vulnerabilities in software pre-installed on SIM cards. Whereas Simjacker exploits vulnerabilities in the SIMalliance Toolbox Browser (S@T), the new vulnerabilities are present in a piece of software called Wireless Internet Browser (WIB). It’s pretty unlikely that you will become a target of such attacks, though, as only a very small number of SIM cards are actually vulnerable. According to the security researchers who found the issue “none of the most recent SIM cards tested show the presence of the vulnerable applications or badly chosen security settings” needed to actually attack a phone. A limited number of attacks were previously observed, mostly in South America.

In the UK, email signatures are now legally binding for contracts. At least, that’s what a court in Manchester decided. And here I was, thinking one important point of signatures was to make sure that things were read and understood and not responded too in an automatic fashion…

There’s apparently a tethered jailbreak for older iPhones and iPads in the works that Apple has no way of preventing. All devices with the A5 to A11 chips seem to be vulnerable. That means devices that are older than two years, from the iPhone 4S to the iPhone 8 and X. According to The Register, “the exploit is a first stepping stone to properly jailbreaking the aforementioned vulnerable iThings via a USB connection. What’s said to be working exploit code targeting the Boot ROM flaw is now available on GitHub. While such an exploit will be of great use to hobbyists, it can be used by cops and snoops with physical access to a device to commandeer it and install spyware, though they will need to brute-force the passcode to decrypt any private data already encrypted by iOS.” It seems Apple fixed the ability to exploit the vulnerability remotely with a patch that called the problem to the attention of security researchers. It is not quite clear why Apple cannot patch the tethered method of exploiting the vulnerability. Security researchers are recommending an upgrade: “We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU.” From Apple’s perspective, this is a great sales pitch. Get new phones, everyone!

Apparently this allegedly “bulletproof” Cyberbunker hosting operation that was raided by German police last week was completely shut down.

Microsoft’s full disk encryption BitLocker used to use the hardware encryption features of modern SSDs, but Microsoft has now stopped trusting hardware vendors. “Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change”, says Microsoft in their documentation. Apparently, this change was made because hardware vendors made lots of mistakes implementing their hardware encryption. So far there hasn’t been any reporting on how switching from hardware to software encryption impacts performance on these drives. Heise says (German) that modern CPUs have hardware support for AES primitives which would speed up the underlying crypto operations used by Microsoft’s software implementation and speculates that the performance impact would be “very slight”. They do not, however, back this up with hard data.

NASA head honcho to Elon Musk: Nice polished phallic Starship you have there. But what about getting crew to the ISS like you promised us? As The Register points out, he isn’t being entirely fair, though, as the delays are also Boeing’s fault, too.


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.