Juice Jacking, Best Buy Phishing, and Garage Doors Redux – Intego Mac Podcast Episode 287
The FBI warns people not to use public charging stations; we warned about this five years ago. An interesting phishing attack leverages QuickBooks accounting software to send fake invoices to people. And what does a company do if its smart garage doors are hacked? Disable them.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, April 13, 2023.
This week’s Intego Mac Podcast security headlines include: recent software updates from Apple provide urgent patches to exploited vulnerabilities; what’s next for Nexx, the company whose smart garage door opener was recently hacked. New FBI warnings about public recharging stations are really not that new, so-called “juice jacking” has been with us for years. A phishing scam hits home for the Intego Mac podcast staff; just in time for the final days of tax season, an e-file tax site gets hacked; and keyless car break-ins are getting too easier all the time. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:58
Good morning, Josh, how are you today?
Josh Long 1:00
I’m doing well. How are you, Kirk?
Kirk McElhearn 1:01
I’m in a good mood. We’ve got so many interesting things to talk about. Today, we want to do some updates on events that happened in the past. And one of them in particular is an Apple update to update the patch that Apple released last week. Now, they released a patch on Monday last week. We talked about it on the last episode of the podcast. And then Friday afternoon, my time, Friday morning, your time, I was surprised to see on Twitter that they released a new patch, which is…Actually, they listened to you ranting in last week’s episode about the fact that they hadn’t updated the other operating systems, which is what they did on Friday, isn’t it?
Josh Long 1:37
Right. Okay. First of all, we had patches that came out on Monday, March 27. So it was actually like a week and whatever, almost two weeks earlier. So that was macOS Ventura, 13.3, iOS 16.4, etc. And then just this past Friday, we got new patches for macOS Ventura and iOS 16. These were point-something-point-one patches. So these are like just bug fix and security fix updates. Apple said that they released this update to fix these two actively exploited vulnerabilities because why else would they release this on a Friday right? For the first one: This was a bug in IOSurfaceAccelerator, they say an app may be able to execute arbitrary code with kernel privileges. That’s pretty serious. And the second one is a WebKit. vulnerability, as we’ve talked about many times WebKit is the engine behind Safari and it’s used by many other operating system components as well as third party apps. The WebKit vulnerability it said processing maliciously crafted web content may lead to arbitrary code execution. And for both of these, Apple said it was aware of a report that this issue may have been actively exploited. Now there was a tweet that was put out by somebody who works for Amnesty International Security Lab, citing his own team’s research as well as Google Threat Analysis Group’s research. They came together and reported this to Apple after seeing some things in the wild that indicated that these were actively exploited vulnerabilities. And so Apple patched them. We don’t really have a lot of additional details about these bugs yet, which is unfortunate, because I always like to read these analyses of how this came to be discovered. But they haven’t released anything yet. I don’t know if they’re saving that for a future blog post or security conference talk or something we’ll see.
Kirk McElhearn 3:36
I find it interesting that Amnesty International has security researchers, I don’t know if this is new. It’s the first I’ve heard of it. But it makes sense because so many of these serious vulnerabilities are targeting people who are activists and journalists around the world that Amnesty International is trying to protect them. So I think it’s good that they’re being proactive like this.
Josh Long 3:55
Yeah, they’ve been instrumental in doing research behind, for example, Pegasus mobile malware campaigns that affected iOS and Android. So it’s good to see that there’s a lot of researchers from various disciplines that are all coming at this and contributing to this problem of active exploitation of vulnerabilities.
Kirk McElhearn 4:17
Okay, we want to follow up on a story we talked about last week, a smart garage company called next had a vulnerability where people anywhere in the world could open garage doors if they were using their so-called Smart garage door opener. Well, what would you do, Josh, if you were that sort of company, and you found out that there was this problem? And, well, people were worried about using your garage door technology, what would you do?
Josh Long 4:43
Well, I think that I would try to identify exactly what the problem was, which wasn’t hard because somebody had published research about this. And then I would fix the problem or hire somebody to fix it for me if I didn’t know how to fix it and didn’t have team members who could fix it. That’s not what Nexx did though.
Kirk McElhearn 5:01
No, they decided to just disable all the devices, which is kind of a, you bought a device that does something, and then the company says you can’t use it anymore. Now, to be fair, you can still use Bluetooth. So you have to be within technically 100 meters if you have the most recent type of Bluetooth and your device like the latest iPhones. But the whole point of a smart garage door is, I don’t know, you may want to turn it on as you’re rounding the corner before you get home, right when you’re a couple 100 feet away. So the garage door opens just as you drive up to it. Not first world problem, of course, but people want to do this. And now you have to wait till you get much closer, you have to do it with Bluetooth. Now the company says 30 to 50 feet again, depends on which Bluetooth they’re using. But that kind of defeats the purpose, why not just get one of those old garage door openers where you press a button on that big, I guess it’s a radio-frequency transmitting device.
Josh Long 5:56
So on the bright side, you’re not completely locked out of your garage. But at the same time, it seems like this is something they should be fixing. Right? It seemed like there was a problem with their back end system that should be fixable. I don’t know if maybe they outsourced the work on on this system. And they don’t know how to fix it. And I don’t know, it’s it’s kind of a weird approach to just say, oh, yeah, okay, well, we’re gonna take away functionality that you paid for.
Kirk McElhearn 6:24
And there was a security researcher who had alerted the company of this problem. And they didn’t do anything for two months. And then he went public. And I believe it was Motherboard—Vice Motherboard, who was the first to publish the information about it, the company only reacted after their article was published.
Josh Long 6:41
Which is really sad. And we talked about this last week. That all of a sudden, we got all this big press right? People became aware of this, nobody had ever heard of Nexx before, I certainly hadn’t.
Kirk McElhearn 6:51
Well, you don’t have a garage door, Josh.
Josh Long 6:53
No, I have a garage door, you don’t have a garage, I have a garage, [I don’t have a garage.] In any case, hopefully, they will do a better job. And they’ll actually fix this properly, rather than just limiting the functionality like they’ve done so far.
Kirk McElhearn 7:06
I wonder if we can get into a situation in the United States, in Europe, in different countries, where there is a legal requirement to fix vulnerabilities like this, because we’re talking about the security of your home, if I buy a lock from a reputable lock company, one with a key, I’m expecting it to work, and if there’s something wrong, that’s the company’s responsibility and their liability if someone gets in my house. So if they’ve been alerted by someone that there is a problem, and they did nothing. Isn’t that the same as like, when Toyota got alerted that the seatbelts weren’t working, but they didn’t repair them?
Josh Long 7:42
I think one could make that case in a court of law, right? If a class action lawsuit, or something was brought against the company, or it could be that somebody’s house got broken into. And they had a relatively compelling case that this company was liable that it was because of flaws that they knew about that someone was able to break into their house. That could be a problem for the company.
Kirk McElhearn 8:06
Okay, in the news this week, we learned that the FBI has been reading the Intego Mac Security Blog from 2018.
Josh Long 8:13
That’s right. So there were a lot of these headlines that started showing up in mainstream news, the FBI is warning against using public charging stations. And I was like, huh, that sounds kind of familiar. Exactly five years ago, almost to the day I published this on April 9 that—
Kirk McElhearn 8:33
And we discussed in Episode 124 of the Intego. Mac podcast, we’ll link to this article in the show notes.
Josh Long 8:38
This article was titled “iOS Trust Jacking: How Attackers Can Hijack Your Phone.” It described a technique and procedure that was based on Apple developed functionality, and how it could be abused by an attacker to do some really nefarious things with your phone. If you had ever plugged your phone into a computer, and clicked “trust”, it could potentially even be your own computer in certain circumstances. For example, if someone were able to hack into your computer, now they could hack into your phone and do some pretty serious things with it.
Kirk McElhearn 9:15
Now, to be fair, we weren’t the first to talk about this. We did some research, which means we looked on Google. And we found that Brian Krebs mentioned this in August 2011. It was at the DEFCON security conference, when some researchers set up a charging kiosk, and they wanted to invite people to charge their devices. And Krebs will seem to be one of the few people who hesitated. He mentioned that, you know, there are possible security ramifications. And they said, Are you a security professional? So we weren’t the first to discover this. And this is something that’s been going on for a while. And this is why Apple added this trust dialogue to all its devices. You get this on an iPhone and iPad or a Mac as well.
Josh Long 9:53
Right. This was introduced in iOS 11. And according to those researchers at RSA Conference 2018, which is Where this research was first brought to life. According to them iOS 11 has this trust dialog specifically because of this problem. So the researchers had been working with Apple, they notified them that, hey, it’s possible for people to use this intentional technology for really malicious purposes. And so Apple was like, okay, all right, I guess we’ll add a “trust this computer” prompt so people have to click on something whenever they want to synchronize their device with their own computer.
Kirk McElhearn 10:31
Do you know how annoying this is? I try to remember to backup my iPhone to my iMac once a month. I do iCloud backups will automatically but I want to back it up to my iMac because not everything gets backed up to iCloud. And every time I do it, I connect it, Do you trust this? Okay, trust on the phone, enter the passcode, trust on the Mac, enter the fingerprint, go back to the phone, trust it again. And you have to do like this dance. And if you don’t do it quick enough. The phone goes to sleep you have to unplug and start it over. And yes, it’s security. But it can be a little bit annoying. Graham Cooley on his blog, he asks, he says there’s plenty of juice jacking scare stories, but precious little juice jacking. And he’s wondering if anyone has ever had their smartphones juice-jacked in the real world. Has the FBI, he asked, ever actually seen a real life instance of someone being maliciously hacked through a USB charger?
Josh Long 11:21
Well, this is definitely something that we’re going to be looking into. And I’ll have an article up on the Mac Security Blog later today. So by the time you’re listening to this show, we should have an article about this as well. And if we find anything interesting, I’ll be sure to mention that in the article. By the way, the way this attack works, you don’t want to use the charging station because you don’t know whether there’s a computer behind it on the other end, right. And so you don’t know whether you’re actually plugging into something malicious that could either try to steal data from your device, or could try to, for example, implant malware or things like that onto your device. The whole reason why this trust dialog box exists is to avoid trusting a computer that you don’t need to trust in order to just charge your device. Well. First of all, if you ever do plug into a public charging kiosk, which we don’t recommend, make sure that you don’t get this dialog box. First of all, if you do, that’s a concern. Because that means there’s a computer on the other end that may be trying to do something with your device. But if you do get that and you absolutely have to charge right here and now then at least you can take some comfort in knowing that if you hit don’t trust, be very careful to make sure you hit the right button. But if you don’t trust it, you can charge your device.
Kirk McElhearn 12:41
Yes, it’s important to know that if you just plug it into a charger, you won’t get the trust dialog. We’re gonna take a break when we come back we’re going to talk about an interesting new phishing email that we have all received multiple copies of in the past few hours.
Voice Over 12:57
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 14:13
Okay, we want to reply to a listener question Harvey asked if one’s iPhone and unlock code are stolen? Could you compare the security risks associated with it and passkeys versus traditional passwords with two factor authentication? Well, one of the interesting things about passkeys is they require biometric authentication. Now, to do this live, I’ve gone to eBay where I set up passkeys when I wrote an article which I’ll link to in the show notes about passkeys. And when I click sign in, I get the dialog that you see when you try to sign in on a Mac with Safari using passwords in the iCloud Keychain where you can continue with Touch ID. Now the difference here with a normal password. You can also enter your password instead of Touch ID with the passkey. I can either continue with Touch ID or sign in with another device to sign in with another device, I click a link and I get a QR code, which I use with a device running iOS 16 or later to sign into eBay. So either I’m using the biometrics on the computer or the phone. And this is just the way passkeys work. So if your biometrics don’t work, you’re actually locked out of things. But if someone gets a hold of your phone and your passcode, your passkeys are far more secure than passwords, and two factor authentication. [Good to know.]
Kirk McElhearn 15:26
Now, we got a bunch of phishing emails in the past few hours. Actually, Josh didn’t get in, he’s a bit jealous, Doug, our producer and I each got three or four of them, and they claim to come from BestBuy. Now, this is a very interesting type of email because technically, it’s not phishing. This is an invoice from Best Buy total tech now I’m not in the US. So I don’t know about Best Buy the Geek Squad, which is apparently the people who fix things for you. It is an invoice for $199.99. In the invoice, we have auto renewed your plan for three years. And we understand that you’re busy and hence could not get through to you when we are trying to contact you. So here’s our helpline number 1-888…And I won’t say the rest of it. There’s nothing malicious in the email, or no links that are going to take you to phishing websites. The email is actually sent from intuit.com, which is the maker of QuickBooks. And so what’s happened is someone has a QuickBooks accounting account, and they’ve created invoices for a whole lot of people. Now, every invoice we’ve gotten has a different invoice number. The rest of the invoice is the same with the number to call the price all the text but the invoice number is different accounting programs do that you make an invoice number one, the next invoices number two, etc, etc. You could theoretically, let’s say you have an app and you have 10,000 subscribers and you have to build them every month. You could be sending out invoices like that every month and I don’t use QuickBooks, I use different online accounting software. But it’s certainly possible to batch send hundreds, if not thousands of invoices. So what’s interesting here is that this is technically not phishing, it is a call center scam, social engineering attack. When you get this invoice you say I don’t want to pay $200 for whatever this is. So you’re going to call the number and I can imagine what happens. Hello BestBuy. How can I help you? Well, I got this invoice and I don’t want to pay it. Oh, okay, what’s your invoice number? And I give them the invoice number. Okay, well put to a refund. Can you give me your credit card number? Bingo. That’s what they’re trying to get.
Josh Long 17:37
Yep, exactly. This is not unprecedented. These kinds of scams happen all the time. What’s interesting is that this is actually being sent through Intuit through their web servers, their service. So that’s kind of concerning. One interesting side note on this is that although Kirk said that, that we have different invoice numbers, each time, I was able to discover by uploading one of those invoices to virus total, that one of those had already been uploaded, this was the first one that Kirk sent over to me, I uploaded it and it said two hours earlier, somebody else had uploaded this exact same-File, that means the same invoice number, everything else was identical. So that means that whoever is sending out these scam emails through Intuit, and through QuickBooks servers, they’re sending them out to probably hundreds of people, and maybe thousands of people at a time. And then they’re using a different invoice after that for the next batch of emails that they’re sending out to. But oddly enough, they’re sending the same email, other than the invoice number being different to the same people over and over again, I don’t know if that’s a glitch in their system, or what?
Kirk McElhearn 18:51
Well, it could be that they just have a big list of email addresses. And the same email address appears in multiple positions in the list because, as I said to you before the show, this email address of mine has been receiving spam since 1995. It’s that old. Also, you might think, Why do I keep getting this email, I really need to follow up on this. I can’t wait because they’re really, they’re really being insistent about this charge. And I really don’t want to pay this. One of the things to note is that this gets through spam filters because it’s being sent from the intuit.com servers, which are approved by all these spam filters. We looked at the headers in the email, the headers is all the information that gets added to an email at each email relay. And so it talks about things like DKM and SPF or your spam identification things, and it shows how it’s passed all the tests. So even my spam filters aren’t flagging this as spam. The biggest problem here is that a major company is being exploited. And of course, as soon as we get finished recording, Josh is going to contact into it to let them know what’s going on, if they haven’t already been awarded, but a major companies being exploited for this. It’s not malware. It’s not technically fishing, but I guess we can still call it fishing. Right?
Josh Long 20:07
Yeah. And I’ll try to find out who to contact regarding that 888 number to see if I can get them disconnected as well. We’ll do all the research that we need to do on this. And we’ll do a write up about this and let you guys know more about our discoveries. And we’ll have a link in the show notes. Hopefully, by the time we publish this episode.
Kirk McElhearn 20:27
We’re recording this on April 12. Doesn’t something happen on the 15th? In the United States?
Josh Long 20:33
I think you mean tax day. Yeah, that usually follows I think, around the 15th. But this year, it happens to be on Tuesday, April 18 Instead.
Kirk McElhearn 20:42
OK. So the IRS uses something called e-file to file taxes online, and somehow they’ve gotten hacked. Is that true?
Josh Long 20:49
Yes, this is an IRS authorized Tax Service. E-File is something that’s been around for a long time. And recently, the e-File website was breached by hackers, they had some malicious JavaScript code in the website that would pop up these fake error messages on nearly every page of the site. And one of the things that it would prompt you to do was download another file called Update dot exe. So if you happen to be a Windows user who was visiting the site to file your taxes, then you would be prompted by this IRS authorized tax site to install malware on your computer, which is a really bad thing. So it seems that this problem has been resolved. But there was a period of time up until April 1 When this malicious JavaScript existed on the site. So if you want to file your taxes, three-File, I guess you can, but this is something to be aware of. Because although this happened to be Windows specific malware that this was pushing, it could just as easily have been offering Windows malware, if you were using Windows or Mac malware, if you’re using a Mac, we’ve seen many, many campaigns like that, that offer you different malware based on your operating system. So this is something to be cautious about. And be aware that even perfectly legitimate sites can get hacked, and can distribute malware from time to time. So be very careful about these prompts to install an application that you weren’t necessarily expecting to have to do.
Kirk McElhearn 22:24
So we talked earlier about liability for the garage door company, Shouldn’t a government agency have better security than this?
Josh Long 22:30
Well, this particular website was actually efile.com. So there are multiple sites that call themselves e-File. But this one was efile.com, no hyphen or anything like that. And so this is actually a third party website. That’s not run by the government, but they are an authorized IRS e-File, e hyphen file, provider.
Kirk McElhearn 22:51
It’s worth noting that you can also file your taxes using Quicken. And that kind of links to stories here today in a strange way, doesn’t it?
Josh Long 22:59
Yes, TurboTax is one that people use. And there’s a bunch of other services like that, where you can file your taxes online, you put your information into a website that hopefully you trust really well because you’re giving them an awful lot of very personal information. And then they will help you through the process and file your taxes for you.
Kirk McElhearn 23:19
It’s interesting, because here, you can just go to the HMRC website, which stands for His Majesty’s Revenue and Customs. And you can file in fact, you set up an account so it’s from year to year it records your information and you just enter your information there. You can do it with software, I do my business taxes through my accounting software, but you can do it directly. You don’t have to go through a third party. Alright, one last story. There is a new form of keyless car theft. It works in under two minutes. And this is really interesting because it’s not keyless like I’m standing there with a phone it actually uses hardware to defeat some of the protection in cars.
Josh Long 23:55
This story is so fascinating. There was a man who’s based in London, and two times, he found that the front left side bumper of his Toyota vehicle had the headlight partially dismantled. At first he thought this was just some random vandalism and all kinds of odd that had happened the same way on two different occasions. After the second attempt, a few days later, a neighbor found that their Toyota vehicle was missing. And so it turned out that this guy in London happened to be a vehicle security researcher, can you believe that? He was able to figure out what exactly was going on. And it turns out that this left headlight on these Toyota vehicles was attached to this Controller Area Network. So you’ve heard of probably lands la NS local area networks. A Controller Area Network is something that is often found in cars, and different components all tie into the same network. If you were able to get to that left headlight. Then you were able to imitate the smart key that could turn on the car, they were all part of that same controller bus. And so by popping off that left headlight, you could connect to the car and hijack the car.
Kirk McElhearn 25:12
It’s pretty disturbing. But of course, that’s quite different from someone just pressing a button on a phone or some little device. In order to start the car unlock the car, we went to an article from the security researcher where he shows a video on YouTube of what it looks like for people when they’re actually stealing one of these cars. Now I’m not sure if this video is of the car in question or not. But it shows two people huddled—they’re wearing hoodies, of course—huddled over the front left of a car taking it apart and sticking to thing and it’s kind of interesting, because this is defeating….We mostly talk about things that are defeated over networks and wirelessly whereas this is just a wired system. This is like picking a lock in some ways, isn’t it?
Josh Long 25:53
Very much like that. This is a physical attack, you do have to have physical access to the vehicle. And we’ve talked about other attacks like this. You remember the one we talked about, maybe I don’t know, a few weeks or a month ago about you where you were able to take the steering wheel off and insert something into a USB slot and turn it and start the car that way. Well. This is another one of those physical attacks and maybe a little bit easier to pull off because I don’t know how you’re supposed to…you must have to reattach the steering wheel on the other attack and this one well, so what if you’ve got a dangling headlight, you know until you get the car to a safe location. Pretty crazy stuff.
Kirk McElhearn 26:30
I assume that if they’re smart enough to be able to do this, they’re also smart enough to disable whatever allows the car to be tracked. Now I can track my car on the manufacturers’ website when I had Toyotas in the past it was possible as well. If it’s that easy to track, then it would be that easy to catch the thieves. So I assume they have a way of disabling the tracker.
Josh Long 26:51
However, if you have an AirTag in your car, the attacker would have to find it and destroy it or disable it or get rid of it some other way. So this is a good reason to stick an AirTag in your car even if your car has its own built-in tracking technology.
Kirk McElhearn 27:07
You know what I think I’m going to do that right now. Until next week, Josh, stay secure.
Josh Long 27:11
All right, stay secure.
Voice Over 27:14
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
If you like the Intego Mac Podcast podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.