Site icon The Mac Security Blog

Supply Chain Attacks, Garage Doors, and Exploding USB Drives – Intego Mac Podcast Episode 286

We look at new malware that uses a supply chain attack; we explain what this is, and why it is not uncommon. We discuss how hackers can open a certain company’s garage doors from anywhere, and how a journalist got injured by a malicious USB drive that exploded.


Transcript of Intego Mac Podcast episode 286

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, April 6, 2023.

This week’s Intego Mac Podcast security headlines include: a listener query about how to handle old hard drives; there’s new malware that uses a method called a “software supply chain attack”. We explain how it works and who should be concerned. A job recruitment scan exposes eager applicants to malware; Netgear Orbi owners are urged to immediately check that its firmware is updated to patch a set of serious exploits. And a story about—would you believe—exploding USB drives? Now here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:58
Good morning, Josh. How are you today?

Josh Long 1:00
I’m doing well. How are you, Kirk?

Apple announces dates for 2023’s WWDC.

Kirk McElhearn 1:02
I’m doing just fine. Make a note in your calendar. Two months from today–we’re recording on April 5 Wednesday and two months from today on June 5, Apple’s Worldwide Developer Conference is launching from the fifth to the ninth in Apple’s home spaceship there.

Josh Long 1:15
In Cupertino, California.

Kirk McElhearn 1:17
And we’re not going to talk too much about what we expect. But I’m hoping we’re going to see a Mac Pro. There hasn’t been an M series processor Mac Pro. Not that I want one. But it’s like Apple promised they would transition all their Mac’s within two years, and they’re now about six months behind. So maybe we’ll see that maybe we’ll see. We’ll hear about the next iPhone. We’ll hear about the next Apple Watch. Maybe new Macs other than the Mac Pro, maybe new iPads. The usual.

Josh Long 1:42
I’m personally curious to see what they’re going to do with compatibility with iOS 17. Because this week, there’s conflicting rumors about whether or not it’s going to support the iPhone 10 and iPhone 8 and 8 Plus. So anyway, we’ll find out in a couple of months.

George Moore, Intel co-founder, has died

Kirk McElhearn 1:57
Okay, some news about Moore’s Law. George Moore, one of the co founders of Intel died. He was 94 years old. Moore’s Law was, I don’t know exactly who made it up, but just kind of was…people noticed that every 18 months we were doubling in computer power. And I remember since Wired magazine came out in the 90s, every few years it would be like, “Is This the End of Moore’s Law?” And we keep having smaller and smaller transistors on chips. And we have other reasons that make computers faster. So Moore’s Law is still going on. Some interesting trivia about Intel was founded in 1968 by Gordon Moore, and Robert Noyce, who was the co-inventor of the integrated circuit, and their original name choice was going to be “Moore Noyce”, but they decided not to. So they chose Intel, which stood for Integrated Electronics, and they had to buy the rights for the name from the hotel chain Intelco. I don’t know if I’d want to stay at a hotel called Intelco. So interestingly, Intel’s still around, and they’re one of the main processor manufacturers, you know, you think of the other companies founded back then Hewlett Packard was founded in a garage, they’re not gone, but they’re not a monolithic company like that. Apple was founded in ’76. And they’re still around, a lot of other companies have disappeared. But Intel was one that’s lasted. So take a drink for Gordon Moore and Moore’s Law. And we’ll see if our computers are twice as fast in 18 months,

How to dispose of old hard drives?

Kirk McElhearn 3:24
We have a listener question we want to discuss. Sue asks, When I upgrade to a newer backup drive, what should I do with my old one? And what if my old backup drive is no longer working? How can I securely erase it? Well, we have an article on the Intego Mac security blog called “How to Securely Dispose of Old Hard Drives and SSDs”. And you know, it’s funny because I have a pile of drives next to my desk that I need to get rid of. I replaced some hard drives recently that were about five years old. And I have securely erased them with all of the techniques that I described in this article. But there’s still one step that I’m going to do and my neighbor is going to help me with a power drill to run a drill through the platters to break the platters to be fully sure that there’s no data that can be recovered.

Josh Long 4:06
You say you used all the techniques—one of the techniques you mentioned in this article is “soak them in acid”. Did you actually do that?

Kirk McElhearn 4:38
YeahWell, I tried with vinegar, which is acetic acid, so it is an acid but it wasn’t it didn’t do very well. I didn’t see the little smoke coming up the way you would—no, I use the techniques applicable to this sort of hard drive that don’t involve things that might be deemed dangerous. So avoid the soaking in acid that was meant as a tongue in cheek thing, but there are businesses who do that. They’ll have acid baths for their hard drives. Go figure.

Josh Long 4:38
Yeah, I’ve taken apart hard drives in the past. Depending on how old the drive is, I’ve always done this with spinning hard drives. I’ve never had occasion to destroy an SSD. All it is is chips I mean, so you just smash the chips on the board and that’s it. That’s where all the data is being stored. Old spinning platters what you would typically want to do is destroy the platters. Some platters bend and others just explode.

Kirk McElhearn 5:08
‘Cause they’re made of glass.

Josh Long 5:09
Yeah. So make sure you wear goggles or something like that just in case it’s the kind of drive platter that shatters.

Kirk McElhearn 5:15
It’s a lot of work taking the hard drive apart. It really is. There’s a lot of screws and things that have to pull apart. I think I mentioned last week this new series with Kiefer Sutherland called “Rabbit Hole”. Well, in the third episode, after he hacked into the financial information of whoever, he took the phone that he used, and he put it in a blender. Now, you could do that with an SSD. You might not want to use your blender after that you couldn’t do it with a big steel hard drive. I don’t think that would blend. Remember when that was a meme?

Josh Long 5:44
Blendtec! Yeah I remember.

Kirk McElhearn 5:45
A company that sold blenders? And “Will It Blend!?” and the guy with the goggles in the white, the lab coat, would blend things in a blend

Josh Long 5:53
“Don’t breathe this!”

What is a “software supply chain attack”?

Kirk McElhearn 5:55
Yes. Okay. So we have new malware. And there was a perfect theme song for this. It’s called “Smooth Operator”. If you don’t know the song, look it up on your favorite streaming service, also called Sam Scissors, don’t know where that comes from. And this is what’s called a software supply chain attack. And I had never heard this term, you had to explain it to me. What is this?

Josh Long 6:16
Well, in general, a software supply chain attack usually refers to some bad guys getting control of the server that is being used to distribute some software or in some cases, it could be something related to that. It could be maybe they get control of the signing keys for some software, maybe they get control of the developers website and then link to a completely different server where they’re actually hosting the malware. In any case, the whole idea behind the supply chain attack generally when you’re talking about software’s that somebody has found a way to sort of interrupt the normal flow of where you would get that software. This is something that is outside of the App Store. If you normally go to the developers website to download software, somebody has done something to tamper with that process. So now you get a trojanized version of that software, you get some malware along with the software you were expecting to get.

Kirk McElhearn 7:15
So what is the software in question?

Josh Long 7:18
This was a voice over IP application. The company is called 3CX. And they have a desktop app for Windows and macOS. And both versions of the software were actually compromised. If you happen to download this for this period of time when they were distributing, unknowingly distributing this trojanized version of their own software, then you would have gotten infected.

Kirk McElhearn 7:45
But what about the time when they didn’t know that they had malware and didn’t do anything for seven days?

Josh Long 7:50
Well, this was kind of an interesting story. Apparently, some people had pointed out that some antivirus software was flagging their software as malicious. And the tech support people said, don’t believe that, you know, this happens all the time where legitimate software is falsely getting flagged as malware. So just contact the antivirus vendor and tell them that they messed up. It turns out, they were distributing malware and they just didn’t do anything about it. So if you are a developer of software, it’s probably a good idea to verify that something malicious is not going on that there hasn’t been a supply chain attack. And this has actually happened before on the Mac. This is not the first time we’ve seen this kind of a supply chain attack that affects the Mac. The most notable example that comes immediately to mind is the Transmission BitTorrent app, which on two different occasions was compromised. So the developer was unknowingly distributing an infected version of their own app. This was the KeRanger ransomware K E R A N G E R, this was back in like 2016 that this happened. So it’s not something that we see super often, at least on the Mac. But in this particular case, this attack is being attributed to the Lazarus Group. You might remember that we’ve mentioned them before. This is a group that’s believed to operate out of North Korea, and they’ve had a lot of Mac malware over the last couple of years.

Job recruitment scam tricks applicants into downloading malware.

Kirk McElhearn 9:23
Well, speaking of North Korea, the North Koreans have been targeting security researchers with a new backdoor they’ve been sending PDFs that contain job descriptions that also contain surprises.

Josh Long 9:34
This has been happening over the last couple of months. We’ve seen a few different attacks, claiming to be from different companies, but there’s the same kind of thread running behind these. They all claim to be a job description that you download from an email that’s being sent to you. So if you’re somebody who works in the security industry, or maybe crypto currency, if you work in something similar to that they might be targeted. And you’re with these job descriptions that sound enticing, right? They, they’re they’re trying to lower people who currently work at a company like that, and try to trick them into thinking that they are a recruiter from one of these types of companies that are sending them a job opportunity that might interest them. What really happens, of course, is that you download this apparent job description, and it actually infects your computer and then opens up a job description, so you don’t realize that you just got infected.

Kirk McElhearn 10:34
Okay, that is just on the computer. But we have another story about a journalist who plugged an unknown USB drive into his computer, he got it in the mail, and it blew up in his face. That’s a little bit worse than malware, isn’t it?

Josh Long 10:47
Yeah. So we’ve got security researchers being targeted with malware that’s being sent to them. And we’ve also got journalists getting a physical USB Drive mailed to them. This was kind of a surprising story. Surprising, in part, because the journalist believed that if they just plugged in this thing, they would be able to find, I don’t know what they thought they were going to get on this mysterious USB drive that was mailed to them. This particular journalist was based in Ecuador. And we don’t know who exactly sent this drive. This is really crazy stuff to imagine, first of all, that a USB drive can do something like this, right? That you should never just pick up a USB drive that you find somewhere and plug it into your computer. Because there’s a number of things that can go wrong. One is malware, that should be the obvious one, right? In the past, there have been hacks and tricks, at least on Windows, where malware would automatically run as soon as you inserted the drive into your computer. Even if it doesn’t auto-run, if you see something that’s kind of interesting, that looks like an Excel spreadsheet, or something that has people salaries in it at the place where you work, or who knows what it could be any number of things that might be enticing, right. But again, if you’re seeing this on a drive that you’ve inserted, you just don’t know it could be malware, it could be something that’s actually a Trojan horse. And there are also things that can physically go wrong with the computer that you put it into. We’ve seen USB devices before that can destroy the port that you plug it into, or can really even fry your motherboard on your computer. There are also cases like this, what happened to this journalist where the drive actually can explode. So there’s all sorts of problems. This is just a good reminder to not plug in strange USB drives.

Kirk McElhearn 12:39
So what should you do if someone mails you a USB drive or if you find one someplace? Go to the police? Send it to you?

Josh Long 12:47
Don’t send it to me.I would say that if you get an anonymous USB drive sent to you, you might want to turn it over to the police because there’s a chance that somebody could be targeting you with again, it could be malware, it could be something more physically dangerous. I would not trust anything that’s unlabeled, unmarked or comes from some unknown sender. And definitely don’t just pick up a USB drive that you find on the ground and plug it into a computer.

Kirk McElhearn 13:17
Okay, we’re gonna take a break. When we come back, we’re going to talk about garage doors and Wi Fi routers and more.

Voice Over 13:25
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.

One brand of “smart” garage door opener can be easily hacked from remote locations.

Kirk McElhearn 14:41
Okay, an interesting story came out on Ars Technica that you can open garage doors anywhere in the world by exploiting this smart device. Now I’m thinking back decades ago when I knew someone who had a little transmitter in his car that would try the var— the 16 different channels that garage door we moats worked back in the day. And of course, these garage door remotes you might have a neighbor across the street is on the same channel, and garage doors open easily. But now these are supposed to be smart garage doors with passwords and you know all the smart home technology. And yet someone’s figured out a way to open them from anywhere. So picture the scenario: you want to break into a house, you know no one’s there, you’re watching via the neighbor’s security cameras, the black van pulls up and you open the door remotely, the black van drives in and you close it, and then you know, the rest is just Tom Cruise.

Josh Long 15:34
Okay, so what’s really going on here. We’ve got this company called Nexx N E X X that makes this Internet of Things device, this smart device, that as it turns out not so smart. The problem here is that in part, they’re they’re sending unencrypted user data and commands like what could possibly go wrong with this, right. And because they’re not properly securing the technology that they use, a security researcher was able to discover that they could basically unlock anybody’s garage door anywhere, all you basically need to do is know their email address, and you put it into the website and voila. Now you know, you can like unlock their garage door at any time. The researcher initially contacted the company on January 4 of this year, then the ticket was closed. So he followed up on it a couple of days later, they closed the ticket again, he reached out to the company’s founder via a personal Gmail address that he found in FCC filings, he sent numerous requests to follow up. And he tried working with the CISA, Cybersecurity and Infrastructure Security Administration. And ultimately, they were not able to establish contact with this company Nexx. And so the CISA recommended to this researcher that he go ahead and publish his advisory. So now this is public knowledge. If you have one of these garage door openers, you’re insecure, now anybody basically in the world can open your garage at anytime.

Kirk McElhearn 17:13
It’s interesting how dumb the smart home can be, that there are so many security risks that are ignored. Now, I’ve never heard of this company, obviously, they’re in the U.S. and I can’t find much information about them. I mean, they have a website and all that: “We strive to make products that are not only functional, but simple to use.” How can you trust a company ever that does something like this, the whole thing of not being able to contact and trying to get in touch with the company having to go through the CEO, and even you know, the Homeland Security tried to get in touch with them. So this I would not, I don’t have a garage. If I did, I would probably not want to use something like this or use any kind of thing. I had some locks repaired in my house last year. And the locksmith said to me, I asked about Smart Locks, because you know, I ask about things like that. And he said, Nope, none of them are good enough. He doesn’t trust any of them. So I don’t know, Smart Locks, garage door things, all of this stuff. This is too important. Your home is too important to trust to devices that you can’t trust.

Josh Long 18:12
I would say that there are companies that make Smart Locks that are more reliable than other companies, that there’s no doubt about that. But yeah, even so, even a well established-brand, I would really think twice about installing a Smart Lock. That’s just my personal opinion. Now for some people that might be a good solution. I know less about these garage door opening devices in terms of whether there are any, like, reputable companies that sell these. But in any case, you can’t—I would definitely suggest that you do not just go shopping on Amazon and find the cheapest, you know, home door lock or garage door opener, because you never know, it might be something like this Nexx company producing, let’s say, very insecure hardware.

Netgear Orbi owners should check that they have the latest firmware updates.

Kirk McElhearn 19:02
It’s a good point because most people when they’re looking for a device like this, they will go on Amazon which is full of cheap Chinese knockoff brands and you don’t know who they are. And most people don’t think about how important the security is of these devices. Anyway, we have a story that I wanted to mention last week and we ran out of time. We talk about router vulnerabilities and firmware update as occasionally on this podcast, but this one hit me close to home because it was a Netgear Orbi router. Ars Technica points out that if your Netgear Orbi router isn’t patched, you’ll want to change it pronto. And I did change mine pronto. Now the settings on my router were to auto update, and it should do this overnight, but I was several versions back. I’ve noticed in the past that routers don’t tend to auto update well. So this is something if you have a Netgear Orbi router do check it. We’ll link to the Ars Technica article in the show notes and you want to make sure that you have this specific version of firmware which for me was immediately available. Usually when we talk about routers, it’s brands I’ve never heard of. But this is the one that I’ve had for about seven years now.

Josh Long 20:07
And this is a good reminder that you probably should set a calendar event or a monthly reminder for yourself somewhere to check your router firmware and make sure it’s fully up to date. And as I’ve mentioned before, if it’s been, let’s say, more than a year, since the last time that your router ever got a firmware update, it’s entirely possible that the manufacturer might not be supporting that model anymore. So it’s a good idea to check with them, and verify that. If they say that they’re no longer releasing updates for that model, or they just don’t reply to you, it’s probably time to get a different router. Because this is something that you don’t want to mess around with. You want to make sure that…remember, this is the device that’s essentially your firewall, right? It’s keeping the bad guys out on the internet from getting into your home network. You don’t want people infecting your router, because then they can spy on whatever’s going on on your home network. And there might be some things that are happening less securely, just in local network traffic that you don’t want exposed to hackers, somewhere out there in the world.

News of a total U.S. ban of TikTok, or imprisonment for using it, are likely exaggerated rumors.

Kirk McElhearn 21:13
Hey, Josh, did you hear that you might be jailed for 20 years if you use TikTok after it’s banned? It’s pretty scary. 20 years for using TikTok.

Josh Long 21:24
Yeah, so this is a rumor that’s been going around. And this all comes because the U.S. Congress has been investigating TikTok. And they brought in the the CEO to testified recently. And so the U.S. has been considering banning the TikTok app, I don’t think it’s very likely to happen. What they have done, and other governments are doing the same thing now, is that they are banning TikTok from government phones, meaning that if you are a government employee or an elected official, you’re being told that you are not supposed to have TikTok on your official government phone. In fact, the UK, Canada and other governments are also banning TikTok, from government devices. This is something that may make sense, it may or may not really be a big deal, but you don’t know. We have seen before things like TikTok and ByteDance, its parent company, saying, ‘Oh no, we didn’t spy on American journalists and monitor their location.’ Well, it turned out they actually did, once they researched it. So I kind of get banning it from government devices. But I don’t think this is likely to happen as a broad thing, that’s going to be the case for all people in the United States. First of all, this has never happened before. That’s not to say it never will happen. But as far as whether you would be jailed, if you continue to use TikTok, TikTok is available as a website. And you could install this quote unquote, install this as a “web app” on your mobile phone, whether it’s your iPhone or an Android phone, if that were to happen, that they got kicked out of the Apple and Google official app stores, right? There’s other ways that you could still use TikTok on your phone, and no, you’re not going to go to jail. The whole idea behind banning it would be based on government concerns about how this app may affect American citizens.

Kirk McElhearn 23:26
So the reason governments have banned it for elected officials is that they’re worried that the Chinese government might have access to location data and other information, other data of these people, prime ministers, members of parliament, congresspeople, senators, etc. And this is a valid reason to worry, because when we know that the Chinese government has direct access to everything that every company in China does. This is valid, but you know, Facebook collects a lot of data on people. And Google collects a lot of data on people, including location data and cell phone companies collect location data on people. So there’s a kind of a double standard here. That doesn’t make sense. Yes, I think there is a risk that China and ByteDance has already done this with journalists and China could use this. But with all these other companies, why don’t we just have a privacy law that prevents every company from doing this?

Josh Long 24:21
Yeah, well, and this is something that a lot of people have been bringing up. You know, we’ve got Facebook in particular, right. We know, like Facebook for years has been spying on American citizens, you could say, you know, you sign an agreement, right when you create your Facebook account, basically. But I think the the concern specifically with TikTok is that it’s a Chinese company. That’s why people are concerned because they’re like, well, it’s one thing for Facebook to have my location data and all kinds of other information about me, but it’s something entirely different for a foreign government that maybe isn’t friendly with Western countries where I might live. That’s, I think the concern and the whole reason why there’s this big kerfuffle over TikTok recently.

Kirk McElhearn 25:08
To be fair, China forced Apple to move data for Chinese citizens to Chinese servers. Now, one of the things about TikTok is that Americans wanted to make sure that this data was stored on American servers. But that doesn’t necessarily prevent it from being stored also on Chinese servers, right?

Josh Long 25:29
Or from being accessed or accessible to certain TikTok-slash-ByteDance employees who operate out of China or are paid by the Chinese government to provide information. So TikTok did say in their testimony before Congress that they’re soon going to have all U.S. data stored on a server, I think in Texas, but that doesn’t necessarily prevent employees from outside of the United States from being able to get access to that information. So it’s like a step maybe in the right direction. But you still have to trust the company. And at some point, you have to decide what companies you’re going to trust with your data.

Kirk McElhearn 26:10
Okay, that’s enough for this week. Until next week, Josh, stay secure.

Josh Long 26:13
All right, stay secure.

Voice Over 26:16
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.


If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.

Share this: