Apple’s ‘Find My’ abused
Perpetrators can abuse Apple’s ‘Find My’ location network to transmit sensitive data captured by keyloggers installed in keyboards covertly. Using such a device, they could spy out passwords and send them to themselves, unnoticed, bypassing all security measures in the local network, via the iPhones and other Apple devices of uninvolved individuals around them.
Researchers published their implementation on GitHub, called ‘Send My’. Others can weaponize for uploading arbitrary data onto Apple’s Find My network and retrieving it from any internet-enabled device anywhere in the world.
The researchers created a proof-of-concept (PoC) hardware device to emphasize the risk to the public. They integrated a keylogger with an ESP32 Bluetooth transmitter into a USB keyboard to demonstrate that it’s possible to relay passwords and other sensitive data typed on the keyboard via the Find My network through Bluetooth.
Apple remediated the issue of the potential to abuse Find My to transmit arbitrary data besides device location. Technology firms should address and mitigate risks to protect their users.
Data leak via bluetooth transmission
In the case of Bluetooth transmission, the Find My platform can stealthily weaponize omnipresent Apple devices for the relay. Apple devices are tuned to respond to any Bluetooth message. If that message is appropriately formatted, the receiving Apple device creates a location report and uploads it to the Find My network.
PoC intrusion results
The PoC intrusion accomplished a transmission rate of 26 characters/sec and a reception rate of 7 characters/sec. The latency of between 1 and 60 minutes depends on the presence of Apple devices at the keylogger’s range.
Heise, Bleeping Computer, ISP
A cyber threat group “Rogue Messengers” has been actively involved in the distribution of compromised WhatsApp mods. These mods are unofficial versions of WhatsApp, which have been infiltrated by spyware known as CanesSpy. The lure of enhanced features and customization options in these mods is used to trick users into compromising their own device security.
Initially, these mods appeared benign, offering additional functionalities not available in the official WhatsApp client. Once a user installs the modified app, the spyware is triggered to function either when the device is started or when it begins to charge.
It then establishes communication with a C&C server to exfiltrate sensitive personal data such as the device’s IMEI, user’s phone number, contact lists, and personal accounts.
Moreover, the spyware is structured to receive ‘orders’ from the attackers, allowing them to command the infected device to transmit additional data, record audio, or change control servers.
The primary distribution method identified for these trojanized WhatsApp mods has been through Telegram channels, with a significant number of them using Arabic languages.
The widespread nature of these channels points to a highly organized dissemination strategy, enabling The Rogue Messengers to cast a wide net for potential victims.
More than 340,000 attempted attacks have been reported in many countries. Although the distribution of these malicious mods is global, a noticeable concentration of attacks is observed in the Middle East including Jordan.