If you're at high risk of being targeted by mercenary spyware, or just don't mind losing iOS features for extra security, the company's restricted mode is surprisingly usable.

With the releases of iOS 16 and macOS Ventura in 2022, Apple debuted its Lockdown Mode for people at particular risk of being targeted by mercenary spyware. The feature is essentially a set of configurations for iOS and macOS that limit or block niceties like link previews in Messages and shared albums in Photos. Lockdown Mode also restricts your device's ability to accept unsolicited communications like FaceTime calls from phone numbers and accounts you've never called before. And this year, in iOS 17, Apple added additional improvements, meaning more safety-focused limitations. The company has consistently emphasized that Lockdown Mode is not meant for mainstream use by most people—but in a week of testing, it's surprisingly tolerable.

Turning on Lockdown Mode simply involves confirming the setting change with your device PIN or a biometric authentication in “Privacy & Security” and then rebooting so the system can apply all the restrictions and limitations. Enabling Lockdown Mode is similar to changing the language of your device—the system needs to comprehensively adopt the new configuration and apply it everywhere. Once the reboot is complete, your device comes back on looking pretty much like normal.

When malware developers target Apple devices, they tailor their attacks to exploit weaknesses in the complex features of iOS and macOS that facilitate communication and data sharing and handle different file types and information formats. So Lockdown Mode aims to make it much harder for commercial spyware vendors or other motivated and well-resourced actors to develop exploit chains that combine vulnerabilities in multiple iOS or macOS features to take control of devices. In practice, this means that it's harder and less fun to casually share—and especially receive—links, GIFs, and integrated elements in tools like Messages. And services like HomeKit are curtailed as well.

For example, you can still use Apple Pay with Lockdown Mode, but its integrations with other apps are much less fluid. If someone sends you a payment through Apple Cash, you can receive it, but you'll only get a very general, unspecific message in Messages that something has occurred— you won't know that someone sent you money on Apple Cash. Links don't expand when you send and receive them, and if you send or receive a link to an image or other file, it will send as text-only—a gnarly, full URL with no preview and no hyperlink that would let you automatically open it in a browser.

As part of Apple's most recent updates for Lockdown Mode in June, the company added support for Apple Watch and began automatically removing geolocation data from photos when you share them. The improvements also include a move to block devices by default from joining unsecured Wi-Fi networks and 2G cellular networks—a change meant to protect against malicious Wi-Fi networks and the mobile data surveillance tool known as stingrays.

This set of updates enabled “safer wireless connectivity defaults, media handling, media sharing defaults, sandboxing, and network security optimizations,” Apple said in a statement at the time. “Turning on Lockdown Mode further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface for those who need additional protections.”

Lockdown Mode also places some restrictions on web browsing in Apple's Safari and other browsers. When this impacts crucial features and performance on particular sites that users trust, they can add them individually to an “excluded websites” list. Users can also selectively turn off Lockdown Mode limitations for some third-party apps like Gmail.

Ultimately, though, the feature doesn't offer many power user configurations precisely because the whole point is to keep everything on lock. But by and large, you can continue to function normally while using Lockdown Mode. Sometimes you'll miss a call from someone you've never interacted with digitally before or need extra seconds to convey something you're trying to share to a friend, but the restrictions start to make sense and become more intuitive over time. As one Reddit user put it last year, “Usable for the most part. Don't really notice it until you run into the cons.”

This is the instantly recognizable experience of using Lockdown Mode. It's all good until it stops you from doing something you really, really want to do.

“It's a great additional layer of security for Apple to offer,” says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. “But balancing security and usability is super tough, and it shows that usability is king for most people—myself included. I turned off Lockdown Mode because it blocked the feature where two-factor SMS codes show up as an autofill option in websites, forms, etc. I think Apple did a great job with it, yet as soon as it impacted a feature that I love and use a lot, I turned it off.”

For some, it's the loss of shared albums in Photos. For others, it's the limitations of enjoying a meme with friends. But if you really need Lockdown Mode for your digital safety and personal protection, it's a workable alternative to throwing your phone in the ocean.

What It’s Like to Use Apple’s Lockdown Mode

By Deeba Ahmed
German cybersecurity researchers from Technische Universität Berlin employed a €600 (£520 - $660) tool to gain root access to the ARM64-based circuit board of Tesla's autopilot.
This is a post from HackRead.com Read the original post: Researchers Crack Tesla Autopilot with ‘Elon Mode,’ Access Critical Data

Is it impossible to crack Tesla autopilot? Not for these German researchers who’ve just unveiled ‘Elon Mode’ to exploit the popular autopilot feature.

Three cybersecurity researchers from Technische Universität Berlin (Technical University of Berlin/TU Berlin) have successfully hacked **Tesla’s autopilot system**. Their exploit, achieved with relatively inexpensive equipment, grants access to internal hardware and even unlocks a hidden “Elon mode” with enhanced capabilities.

TU Berlin’s doctoral students Christian Werling, Niclas Kühnapfel, and Hans-Niklas Jacob used tools costing around €600 (£520 – $660) to root the ARM64-based circuit board of Tesla’s autopilot. This allowed them to extract arbitrary code and user data, including cryptographic keys and important system parts. They also accessed a deleted GPS coordinates video as it wasn’t overwritten. 

However, the biggest catch was the exposing of the hidden “Elon mode,” which was **discovered** in June 2023 by a Twitter user (Now X) @greentheonly. This feature is a part of Tesla’s self-driving technology but has never been acknowledged by the company. 

For your information, Tesla’s “Elon mode” is a hands-free, full self-driving feature through which vehicles can self-drive without driver input or monitoring. However, as per TU Berlin researchers, this hack could enable premium features for free. They could enable additional performance capabilities and disable safety features through this mode.

It is worth noting that @greentheonly, the cybersecurity researcher, is the same individual who, **in May 2020**, uncovered sensitive customer data in Tesla car parts being sold on the multinational e-commerce platform eBay.

This isn’t the first time security loopholes have been discovered in Tesla vehicles. **Hackread.com has previously reported** a Tesla infotainment AMD processor hack that enabled free seat heaters.

For your information, in August 2023, researchers from TU Berlin and Oleg Drokin reported a flaw in Tesla’s Bluetooth system that led to unlocking in-car purchasable features. They gained root access to the MCU-Z infotainment system, allowing them complete control over the vehicle’s operating system and activation and deactivation of its systems.

As per a **report** from the German news outlet Der Spiegel, this research was conducted in a controlled environment. Der Spiegel’s report reads that manipulating the autopilot of other people’s parked Tesla vehicles is unlikely because such attacks are not feasible outside the laboratory.

Still, this research has confirmed the existence of the yet-rumored “Elon Mode” and may affect consumers’ trust in Tesla’s safety architecture. It exposes autopilot system gaps, raising concerns about potential misuse and ethical implications, emphasizing the need for robust cybersecurity measures.

****Watch the presentation****

Nevertheless, after informing Tesla, the researchers **presented these findings** at the Chaos Computer Club congress in Hamburg. Tesla has not released its statement so far. We will update our readers when the company responds.

****_RELATED ARTICLES_****

1.  **Bug bounty: Hack Tesla Model 3 to win your Model 3**
2.  **Tesla cars can be remotely hacked using drone, WIFI dongle**
3.  **Whistleblower Leak Reveals Tesla Data Breach, Affects 75,000**
4.  **Researchers found another way to hack Tesla Model X Key Fob**
5.  **Researchers show how to unlock Tesla wireless key fobs in 2 secs**

Researchers Crack Tesla Autopilot with ‘Elon Mode,’ Access Critical Data

By Waqas
Cheap Security, Costly Privacy: Vietnamese Group Profits from Hacked Home Cameras by Selling Bedroom Camera Footage- Change Your Passwords Now!
This is a post from HackRead.com Read the original post: Vietnamese Group Hacks and Sells Bedroom Camera Footage

A group of Vietnamese individuals involved in cybercrime is hacking into home security cameras of unsuspecting users and selling private and intimate footage on Telegram for a mere $16.

A Vietnam-based Telegram group has been discovered selling private footage obtained from hacked security cameras, showcasing what they describe as ‘dark corners’ and ‘hot scenes.’ Security experts attribute this privacy breach to poor password hygiene as the primary cause.”

In 2021, cybersecurity researchers at BitDefender debated whether Telegram, an encrypted messaging app, had become the new dark web. As the world approaches 2024, the significance of this argument has never been more evident.

According to details shared by security researcher Minh Hung, who first discovered the notorious Telegram group and published by Vnexpress, the group offers three packages for accessing the hacked footage.

The cheapest package costs 150,000 Vietnamese Dong ($6.16), while the highest package costs VND500,000 ($20.53). The top tier, ‘Super VIP,’ includes 4 years’ worth of hacked footage from hundreds of cameras and live access for VND800,000 ($32.84).

This group claims to specialize in hacking into “private cameras of families and shops in Vietnam” and invited Hung to join them on the channel.

Hackread.com also managed to identify Vietnamese-language Telegram channels offering malicious footage stolen from hacked home security cameras. The screenshots below were taken by Hackread.com:

On the other hand, according to Vnexpress’s report, Hung could watch the videos for the first and second packages, but with the third package, he could download an application from a camera firm and watch live feeds using the provided QR codes. Hung suspected it to be a scam but paid VND800,000 to check it out.

Hung further discovered that the timestamps on security camera feeds matched the current time. Using the application, he could access 15 cameras installed in clothing shops and spas, including bedrooms, living rooms, and dressing rooms.

****Should You Install Security Cameras in Your Bedroom?****

Installing security cameras in your bedroom raises significant privacy concerns and is generally considered a bad idea. The bedroom is an intimate space where individuals expect the highest level of privacy. Placing cameras in this area not only invades personal boundaries but also raises ethical issues.

The footage captured in bedrooms can include highly sensitive and personal moments, compromising one’s privacy and dignity. Beyond the ethical aspect, it also poses a risk of unauthorized access by hackers, as demonstrated by this article.

Additionally, such surveillance within the confines of a home may lead to legal implications, as it potentially violates laws related to privacy. To maintain a sense of security and privacy, it is advisable to install cameras in public areas of the home while avoiding intrusion into personal spaces like bedrooms.

**How to Protect Your Security Camera from Hackers?**

whether at home or work, protecting your security cameras from hackers is crucial to protect your privacy and security. Here are some vital tips to help you enhance the security of your security camera system:

1.  **Update Firmware Regularly:**  
    Ensure that your security camera’s firmware is up to date. Manufacturers often release updates that address security vulnerabilities, so regularly check for and install firmware updates.
2.  **Use Strong Passwords:**  
    Create strong, unique passwords for your camera’s login credentials. Avoid default passwords and choose a combination of letters, numbers, and special characters. Change passwords regularly and avoid using easily guessable information.
3.  **Network Security:**  
    Secure your home network by setting up a strong Wi-Fi password and using WPA3 encryption if available. Restrict access to your network by using a strong, unique network password.
4.  **ALWAYS** **Change Default Settings:**  
    Change default usernames and passwords on your security cameras. Default credentials are often well-known and exploited by hackers.
5.  **Enable Two-Factor Authentication (2FA):**  
    Whenever possible, enable two-factor authentication on your security camera accounts. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device.
6.  **Regularly Check for Suspicious Activity:**  
    Monitor your camera system for any unusual or unauthorized access. Regularly review footage and set up alerts for suspicious activities, such as multiple failed login attempts.
7.  **Keep Cameras Offline When Not in Use:**  
    Consider disconnecting your security cameras from the internet when you don’t need remote access. This can be done by configuring your router to block camera access during certain hours.
8.  **Purchase from Reputable Brands:**  
    Choose security cameras from reputable manufacturers with a track record of providing regular firmware updates and security patches.
9.  **Secure Physical Access:**  
    Ensure that physical access to your cameras is restricted. Place cameras in locations that are not easily accessible, and consider installing them at a height to prevent tampering.
10.  **Regularly Review Camera Logs:**  
    Some advanced camera systems provide logs of access and activities. Regularly review these logs for any suspicious entries.

****_RELATED ARTICLES_****

1.  **ThroughTek Flaw Exposed Millions of IoT Cameras to Spying**
2.  **Whitehat hacker shows how to detect hidden cameras in hotels**
3.  **3TB of clips from exposed home security cameras posted online**
4.  **This creepy site shows live footage from 73K Private Security Cameras**
5.  **Israeli Rabbi arrested for hacking CCTV cam at women’ bathing suit shop**

Vietnamese Group Hacks and Sells Bedroom Camera Footage

By Waqas
Work from home or WFH is a blessing for employees, but it can be a disguise when it comes to data security. Protecting yourself and your work infrastructure at home from cyberattacks is crucial.
This is a post from HackRead.com Read the original post: Top Data Security Issues of Remote Work

The surge in remote work has brought about intense concerns regarding data security including unsecured home networks and the increased use of personal devices pose significant challenges.

You’re living in an era where traditional office spaces are rapidly becoming a thing of the past. The advent of technology and the internet has brought about a paradigm shift in the way you work. This shift, however, has also ushered in new challenges, especially concerning data security. Data is the lifeblood of modern businesses, and its security should be a top priority.

The shift to remote work has only increased the need for robust data security measures. With employees accessing confidential information from a variety of locations and devices, the risk of data breaches has never been higher. Therefore, it’s important to understand these risks and implement effective measures to mitigate them.

In this article, you’ll explore the top data security issues of remote work and how to manage them effectively. Let’s begin.

****The Growth of Remote Work****

While the return-to-office initiative is on the rise, many organizations still allow remote or hybrid work arrangements. In 2023 alone, 28.2% of full-time employees use a hybrid approach, while 12.7% work from home. The flexibility offered by remote work is a big draw for many employees, and businesses are finding that it can also lead to increased productivity and cost savings.

However, as the number of remote workers increases, so does the risk of data security issues. Working from home often means using less secure home networks and personal devices, which can be a goldmine for cybercriminals. Furthermore, the lack of direct supervision makes enforcing corporate policies and regulatory requirements harder.

****Top Remote Work Data Security Issues****

One of remote work’s most significant data security issues is the risk of data breaches. In a traditional office setting, physical security measures can prevent unauthorized access to sensitive data. However, in a remote work setting, these measures are often absent. Moreover, the increased use of cloud services for collaboration and data storage also presents additional risks.

Another major issue is the vulnerability of home networks, which frequently lack the security measures found in corporate environments. Home networks, unlike corporate networks, frequently lack strict firewalls and antivirus software, making them a prime target. Cybercriminals can easily exploit these security flaws, putting personal information and data at risk. As a result, strengthening home network security is critical.

Other security issues to keep in mind include:

*   **Use of Personal Devices**: Remote employees frequently use personal devices for work, which can jeopardize data security. These devices may lack the same level of security as company-supplied equipment, making them more vulnerable to cyber threats and data breaches.
*   **Enforcing Corporate Policies and Regulatory Requirements** – Enforcing corporate policies and regulatory requirements is another major challenge with remote work. Ensuring compliance with data security policies can be difficult without the physical presence of supervisors and IT staff.
*   **Increased Risk of Phishing, Malware, and Social Engineering** – Remote workers are also more susceptible to phishing, malware, and social engineering attacks. These attacks often exploit human error and can lead to significant data breaches. Therefore, educating remote workers about these threats and how to avoid them is essential.
*   **Inadequate Secure Wi-Fi Networks**: Remote workers typically connect to corporate networks through unsecured or public Wi-Fi networks, which poses a significant security risk. Cybercriminals can easily exploit these networks by intercepting data transmission or injecting malware, potentially resulting in data breaches or system compromises. 

****Managing the Data Security Issues of Remote Work****

Regardless of these challenges, there are ways to effectively manage the data security issues associated with remote work. Implementing a data protection platform and zero-trust security controls are two of the most effective solutions.

A data protection platform is an essential component of today’s cybersecurity strategies. It offers a comprehensive solution for safeguarding sensitive data while meticulously monitoring and controlling data access. Its sophisticated mechanisms ensure that only authorized individuals have access to sensitive data, preserving data integrity and confidentiality. This platform is vital for preventing data breaches, improving regulatory compliance, and providing businesses with a secure digital environment.

Zero-trust security controls, on the other hand, are founded on a fundamental principle: by default, trust no user or device. Because of this, each access request is thoroughly verified before it can be approved. It is not a case of being overly suspicious, but of being proactive in terms of security. By scrutinizing every request, these controls significantly reduce the likelihood of data breaches. This method is extremely effective in preventing unauthorized access while also maintaining the integrity and confidentiality of sensitive data.

Other benefits of using data security tools for remote work include:

*   **Improved Visibility and Control:** Data security tools provide real-time visibility into all data movement, allowing businesses to monitor and control data access effectively.
*   **Improved Compliance:** These tools help to meet regulatory requirements by ensuring that data is handled and stored in a compliant manner, lowering the risk of penalties.
*   **Data Loss Risk is Reduced:** Data protection tools include features like automatic backups and encryption, which reduce the risk of data loss due to accidents or cyber-attacks.
*   **Advanced Threat Detection:** Some tools use artificial intelligence and machine learning to detect suspicious activity or anomalies, preventing potential breaches.
*   **Increased Productivity:** In a secure environment, employees can focus on their work without being concerned about potential data breaches, resulting in increased productivity.
*   **Improved Remote Work Security**: Data security tools include features like secure VPNs and multi-factor authentication, significantly enhancing network security by making it more difficult for unauthorized individuals to access sensitive information.
*   **Cost-Effective**: Implementing these tools can lead to long-term cost savings by preventing costly data breaches and reducing the time and resources spent on recovery after a breach.

Ultimately, remote work presents distinct data security challenges. These challenges, however, can be effectively managed with the right strategies and tools. A solid data protection platform that provides a secure foundation for your digital assets is extremely important.

Coupled with zero-trust security controls, you can ensure solid safeguards for your valuable data. These safeguards are essential to maintaining business continuity, especially in this day and age when remote work is becoming more common. With careful planning and implementation, you can weather the storm of data security threats in a remote work scenario.

****_RELATED ARTICLES_****

1.  **Top 3 data security risks facing businesses**
2.  **Data Security: Key Steps When Transferring Your Digital Workspace**
3.  **Data Security Threats to Businesses: Strategies to Strengthen Defense**
4.  **Nexo Achieves Type 2 SOC 2 Audit, Reinforces Data Security Compliance**
5.  **How cloud data distracts businesses from correct data security practices**

Top Data Security Issues of Remote Work

Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

Thursday, December 21, 2023 11:00

_By Mike Gentile,_ _Asheer Malhotra_ _and_ _Vitor Ventura__._

**Editor’s note:** This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

*   Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
*   Talos’ analysis revealed that rebooting an iOS or Android device may **_not_** always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
*   Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
*   Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
*   Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
*   After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

**Implants’ persistence is an add-on in Intellexa’s offering**

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, as there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

**Intellexa’s product development journey**

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator began, which at the time, was their flagship spyware for Android. This can be confirmed on the artifacts left on the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Evolution timeline

**Pricing model**

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and Operating Systems such as Android and iOS. Combining such potent software into a package with zero or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

*   20 concurrent infections.
*   One-click exploit for initial access.
*   Predator C2 and administrative hardware and software.
*   Project plans, documentation, etc.
*   12 months of warranty support.

Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros is a hefty sum. However, this reinforces the fact that commercial spyware such as those from Intellexa is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dates in July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if these are based on exploits acquired that ultimately would result in having such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. As such, the newly introduced Android persistence mechanism can simply be based on a similar method.

**Plausible deniability**

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model, the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know _how_ victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Delivery method method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports

investigation

, Intellexa sold their solution to the Sudanese government.

Source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as, “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not mean that Intellexa might know where the hardware is located since everything can be done remotely or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of if their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

**Business risks****Human resources**

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an intelligence military unit.

During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group. The timing of the hire indicates that the firm needed to integrate the implant with the exploit chain to deploy it reliably on iOS devices.

Snippet of the iOS security expert Curriculum Vitae

Such “experts” can be found working for and actively hunting for jobs regularly at other commercial spyware vendors too.  For example, a quick search by Talos showed that just in September 2023, the NSO group had hired another security researcher with the same research background:  

Example of employment history

And there are several examples like that. The highly skilled researchers will move from one company to another in the same line of business supplying a constant flow of human resources as needed.

**Target operating system support**

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year just like Apple. But, the Android OS may consist of beta versions months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

**Vulnerability exploits chain patching**

This is the most sensitive and least controlled part of any commercial spyware solution. Still, one may think that there is a high impact on the operational capability of a commercial spyware vendor, but the reality seems to prove the impact is low, or medium at most. 

Exploit brokers and exploit research companies, sell full or partial exploit chains as a subscription model where the customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution, after their Android previous one was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “_...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…_”  In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being, doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

**The lack of impact from public exposure**

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically may have no impact on all the other customers. However, the risk of exposure will always be primarily based on the efforts put by the customer into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# MOKOSmart MKGW1 Gateway Improper Session Management #

Link: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management

## Vulnerability Overview ##

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do  
not provide an adequate session management for the administrative web  
interface. This allows adjacent attackers with access to the management  
network to read and modify the configuration of the device.

* **Identifier**            : SBA-ADV-20220120-01  
* **Type of Vulnerability** : Improper Authentication  
* **Software/Product Name** : [MOKOSmart MKGW1 BLE Gateway](https://www.mokosmart.com/mokosmart-mkgw1-gateway-iot-cloud-platform/)  
* **Vendor**                : [MOKO TECHNOLOGY LTD](https://www.mokosmart.com/)  
* **Affected Versions**     : <= 1.1.1  
* **Fixed in Version**      : Not yet  
* **CVE ID**                : Pending  
* **CVSS Vector**           : CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  
* **CVSS Base Score**       : 8.0 (High)

## Vendor Description ##

> * MKGW1 Bluetooth gateway is mainly used for the MOKO Bluetooth products.  
> * It is convenient for users to get the data of the MOKO series Beacon,  
>   and advertising raw data of any Bluetooth device.  
> * It can upload the data to the server via MQTT (V3.1.1) or HTTP(S)  
>   protocol.  
> * MKGW1 was developed with MediaTek® MT7688AN relying on OpenWrt system  
>   and Nordic® nRF52 platform.  
> * MKGW1 can connect the standard MQTT Broker, Aws IOT, Azure IOT HUB,  
>   Aliyun IOT.

Source: <http://doc.mokotechnology.com/index.php?s=/page/108>

## Impact ##

By exploiting the documented vulnerability, an attacker can gain  
administrative access to the device. For example, this can be misused by  
altering the configuration of the device or by reading out the configured  
network credentials and therefore getting a foothold in the victim's network.

## Vulnerability Description ##

The gateway offers a web-based configuration interface that can be used to  
edit the configuration of the gateway. Username and password are requested  
to authenticate the administrator. After sending the correct credentials the  
device sets a global server-side state to "logged in" for 3600 seconds,  
rather than issuing a session ID. Now any device on the same network can  
access the configuration interface as administrator without any additional  
authentication and read and modify the configuration.

## Proof of Concept ##

Login with the admin credentials on the web interface from a legitimate  
client:

HTTP request:

```http  
POST /goform/login HTTP/1.1  
Host: 192.168.22.1  
Content-Type: application/json  
Content-Length: 39  
Origin: http://192.168.22.1  
Connection: close  
Referer: http://192.168.22.1/sign_in

{"username":"Admin","password":"[redacted]"}  
```

HTTP response:

```http  
HTTP/1.1 200 OK  
Content-type: application/json  
Pragma: no-cache  
Cache-Control: no-cache

{ "state": { "code": 2000, "msg": "ok" }, "data": { "activetime": "3600" } }  
```

The response shown above does not contain any session identifier.  
On another client that can reach the web interface, an attacker can read out  
the configuration without any authentication:

HTTP request:

```http  
GET /goform/get_wan HTTP/1.1  
Host: 192.168.22.1  
Connection: close  
```

HTTP response:

```http  
HTTP/1.1 200 OK  
Content-type: application/json

{ "state": { "code": 2000, "msg": "ok" }, "data": { "wanmode": "WIFI", "wanssid": "[redacted]", "wanencrypt": "[redacted]", "wanpassword": "[redacted]", "proto": "dhcp", "ipaddr": "", "netmask": "", "gateway": "", "firdns": "", "secdns": "" } }  
```

The above proof-of-concept shows that the MOKO gateway cannot distinguish  
between multiple sessions. Therefore, if a legitimate client is logged in,  
an attacker can read the configuration. Furthermore, an attacker can also  
modify the configuration by sending the appropriate `JSON` data to the  
respective `POST` endpoint. Changes to the network can trigger a reboot  
of the device.

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

We recommend to implement a proper session management for the  
administrative web interface of the device.

## Timeline ##

* `2022-01-20`: identification of vulnerability in version 1.1.1  
* `2022-01-27`: initial vendor contact  
* `2022-03-02`: disclosed vulnerability to vendor contact but received no reply  
* `2023-12-11`: request CVE from MITRE  
* `2023-12-12`: public disclosure

## References ##

* [Moko Gateway Documentation](https://www.mokosmart.com/wp-content/uploads/2019/10/GS-gateway.pdf)

## Credits ##

* Jakob Hagl ([SBA Research](https://www.sba-research.org/))  
* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWB8iQACgkQ+7iGL1j3  
dbK0eg//atfWytZOUPJ3omp9Rjb9sMJwu1Z8LdEZZGsQdsmQXJLaKF3AUDnt2cBx  
CLPVDh32lFbszJiMrJrXjj5WxH8CUtNQFdj1WTN4Uv5MlaRRvipOz7/XTemqRwGP  
+nctTDZHLFCeli4ZD36tE4zKcP3vm+R4e7Zy5BIP74G2Dw2hmFreSt7CC5CqZT3K  
oPo1hMF9PD7WhjYK/lBaxeR+6FkiCm7p/thgyeShHMVygJJjmjF+k3GQ61NmoVXc  
IjwRs+WY8Y/X/SfPjM8tjW/gZFHdOv/r/Gcz1OJs2D2quqmiKuoOhS9b/F8LDHsf  
OnKTNBaWH2oTzmuh7zSan+kPYj42gjpp+aSSoWK7At78yFFvLilCcckwIpKagh4U  
b3W//s5BPKCXJ1a7yH3WYGjbDAOzGMq1g50X1ZDNQ7zdQbELobFSNLWsnPwfN64i  
ljq6tXTOYT+4Jg4hI5I+3vD4q7mf7O2CL4fk5pUHoKMy7P28sxa7wX2jH+02C07J  
PKkaU+V2v4Lvf3PQvGTeupo50bTZX0xYqdmjjr3G9SUD+jESMCHPGaXw/Zpau71U  
uKD9f9MbZ9v/XML3IsBvd22QkayL7eegvmweyLmchp/ppigp99IX3rA7EgGkauW7  
1W7YiybQOvo5xaCiMakIqHXZtFcWIEryT8FRMW5cyraExHGkPPk=  
=jrYM  
-----END PGP SIGNATURE-----

MOKOSmart MKGW1 Gateway Improper Session Management 

By Waqas
The data breach came to light in early November 2023, when Mr. Cooper announced that it had fallen victim to a cyberattack on October 30, 2023. 
This is a post from HackRead.com Read the original post: Mortgage Giant Mr. Cooper Data Breach; 14 Million Users Impacted

Initially, the data breach was thought to affect only 4.3 million current customers, but now the impact has extended to an additional 10 million.

In a new cybersecurity incident, Coppell, Texas-based mortgage and loan giant Mr. Cooper has become the latest victim of a cyberattack that may have compromised the sensitive personal information of more than 14 million individuals, impacting both current and former customers.

The company, in its data breach notifications to **state and federal regulators**, disclosed that the incident initially thought to affect 4.3 million current customers now extends its reach to an additional 10 million past customers.

The severity of the situation prompted the company to file a **data breach notification** with the Maine Attorney General, revealing that a staggering total of 14,690,284 individuals could be affected, with 59,917 of them being residents of Maine.

The data breach came to light in early November 2023, when Mr. Cooper announced that it had fallen victim to a cyberattack on October 30, 2023. The breach, discovered the following day, prompted the company to take swift and decisive action by shutting down all IT systems. This included the temporary closure of the online payment portal, a vital platform used by customers to manage their loan and mortgage payments.

The company is now actively engaged in investigating the extent of the breach and has begun the process of notifying affected individuals. The compromised data is said to include sensitive personal information such as names, email addresses and personal identifiers in combination with Social Security Numbers (SSN), raising concerns about the potential misuse and identity theft implications for the affected customers.

Mr. Cooper has launched a dedicated website to keep impacted customers updated on the data breach. (Screenshot: Hackread.com)

However, Mr. Cooper assures its customers that it is working to enhance its cybersecurity measures to prevent any future breaches. In the meantime, affected individuals are encouraged to remain alert, monitor their financial accounts, and take necessary precautions to safeguard their personal information.

In a comment to Hackread.com, **Claude Mandy**, Chief Evangelist of Data Security at Symmetry Systems highlighted the challenge organizations face with data retention due to legal requirements and business aspirations. Despite the desire to use data for analytics and customer re-engagement, data often remains untouched, leading to breaches that impact both current and past customers.

_“_Unfortunately, a lot of organizations are stuck between a rock and a hard place, when it comes to the retention of data. Various laws and legislature require organizations to keep records for over 7 years, but they also hope to attract their past customers back into the fold and plan to leverage it to develop future analytics insights. In reality, this data just lies untouched where it lies, often long past their actual retention policies. Regardless of the reason, it is not unusual to see breaches impacting not only current customers but previous customers too._“_

Mandy emphasizes the importance of proactive data management, citing an example where Symmetry Systems enabled a Fortune 100 organization to delete 25% of their cloud assets without business impact. Additionally, he notes that the absence of credit card numbers in Mr. Cooper’s breach may suggest the use of outsourced payment providers that tokenize credit card information for enhanced security.

_“_Increasingly our customers with the help of our data-centric monitoring, identify and proactively delete data beyond its retention lifecycle, and further reduce access to sensitive data in a manner commensurate with its actual usage and sensitivity. In one example, we enabled a Fortune 100 organization on Google Cloud to delete over 25% of their cloud assets such as Projects, Identities, and production data without any business impact._“_

_“_The lack of credit card numbers in the breach notification isn’t exceptionally notable given that Mr Cooper doesn’t offer credit card facilities to its customers, and mortgage companies generally restrict credit card payments for mortgages. For other organizations that do, this may be a sign that they are leveraging an outsourced payment provider that tokenizes (i.e. replaces with a token) credit card numbers to secure them._“_

The announcement of the data breach at Mr. Cooper came just days after Delta Dental, a dental insurance provider based in Oak Brook, Illinois, United States, **revealed that it had experienced a data breach** affecting 7 million customers.

Nevertheless, impacted individuals are urged to be watchful for **phishing emails** that may falsely claim to originate from the company, claiming to provide new updates. However, the actual motive could be to exploit the situation and attempt to steal user data.

****_RELATED ARTICLES_****

1.  **Sensitive Data of 123 Million American Households Exposed​**
2.  **Hackers Claim Major Data Breach at Smart WiFi Provider Plume**
3.  **Mortgage Broker 8Twelve Exposes Data of Canadian Residents**
4.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in US**
5.  **Cybercriminals Selling Social Security Numbers of Infants on Dark Web**

Mortgage Giant Mr. Cooper Data Breach; 14 Million Users Impacted

Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-8 watchOS 10.2

watchOS 10.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214041.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

ExtensionKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3quQACgkQX+5d1TXa  
IvoPPhAAgReQjt/dYzFqQbyMQQPLK1iDWh9s0M+PbHz5x+eS6vSX/OpkLNFy6MC1  
kHQI1EaV37/3sRqko8eX+f/deKqPi59tSV3BALedLV2v8F+4ioXIzsyGWsSYzor4  
U1l4h7fNA64060MR35dlvYnB2FsNnyVI6hlhEyfEEZXVMX4cX0KX5l5a7m/wKmQK  
tpDOak7WVEIj5aLk/e0IQBjpOJW8c2Moa8PTtERr1jJsp+PVrXNu9zZfHWhsCn02  
KPa26RRDtiru7KpXlRy2vzOQeCgJmRZH1CKVWKSiLEjTZnKWM1IF1LTYBJalDGbS  
nOvV6BcVD4rdbbi4cYlPic+Z65YKw+ctW0bNAgnim8RyOF28VNQX8DOcYKZnyqPS  
jYLG5rAq0oKtJztwDkIKc2nc0FrxZzV3f4QwTaFWbVzN0koYJJpVKDs5GgGQ/2MG  
4MtuxRuK2j5eibLInW33K58XCVpAidhiU5YaeIG5dbzf0YKXsUmKImmXap5SKnSe  
fwf6kEFR7keGiu8tlEOnBonDIOhFyWeiK785WhxdwrWMJNHQUegTTYItNrtrzaZr  
Q/lDfMQ9/1L38Jj/OuR1WSdBpDKmT9jepE2mLZb4fQasALJlGh9g1uFTaTl883QG  
uADzZx+TIGO2RIlMGPxwwr4+I2kpi1x/amwRjzCzvwr9+nQDyyk=  
=MttV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-8

Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-7 tvOS 17.2

tvOS 17.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214040.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AVEVideoEncoder  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qngACgkQX+5d1TXa  
Ivrv3RAAuQY01CVjPIhf1IVMNryEZAW+NEm29U419ldBlHWNENHiXD7dF5cPNcDd  
fVlyxJ4zXCjIMflrS5oOGjqtsJvMfL99QaF9of5elxBjF8wA3d3bslESVveUw4/n  
OflBE44Ghbg2nNd/wQiiLCDWCbKyVk9R5Vm1c2L5+afg4dyppaNME4oxq7itnyjr  
UmNv7Sb2pxjjew0L9YAV15DaZmH30By6jRIKynS0+P1Eys/Vx3JVwC6QOOba6ixF  
OxO/Ki4vFAuwxnC9hGbYon6QTpMAuI0nzQAD/RYtpQMtkPkZ3dPPeA7DBs8TIxIo  
8QKfABYt5QY+VKFaTbNclzMu0/l/l3AcaZsbKTsyM1rEH8hACZKlkVQxQ3GhVXbe  
Hmc6JqOA+fpVJya7RUNCyo3Kq4jKf8Rgj+rDJyHSqZ8vEHr/qrLmgvEsHfhAPq46  
tUZMuVrHtcREKzxLh2Os4hCs68kcEG3w9Q2n5a5UHskLBYimhFTsp5ajClNC1l1w  
KiVW8SmDL7zt5ApNWRNa1Pc3ZxvAUousVbuMWt6VP40mz9AHKs8VsoscMwQkzscs  
OMkrHUJdQfki+GLsd4Zk54/VjQR1CFtr1xBPZkKPW4WCinjAiw73fuOCzTz4f+rZ  
Dwvd0BGIGPWaRewZhcxPXrSHDj91bbBLRkOPn5JVDkbP3eXRbAU=  
=IKXm  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-7

Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

macOS Sonoma 14.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214036.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Sonoma  
Impact: Secure text fields may be displayed via the Accessibility  
Keyboard when using a physical keyboard  
Description: This issue was addressed with improved state management.  
CVE-2023-42874: Don Clarke

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: Multiple memory corruption issues were addressed with  
improved input validation.  
CVE-2023-42901: Ivan Fratric of Google Project Zero  
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael  
DePlante (@izobashi) of Trend Micro Zero Day Initiative  
CVE-2023-42912: Ivan Fratric of Google Project Zero  
CVE-2023-42903: Ivan Fratric of Google Project Zero  
CVE-2023-42904: Ivan Fratric of Google Project Zero  
CVE-2023-42905: Ivan Fratric of Google Project Zero  
CVE-2023-42906: Ivan Fratric of Google Project Zero  
CVE-2023-42907: Ivan Fratric of Google Project Zero  
CVE-2023-42908: Ivan Fratric of Google Project Zero  
CVE-2023-42909: Ivan Fratric of Google Project Zero  
CVE-2023-42910: Ivan Fratric of Google Project Zero  
CVE-2023-42911: Ivan Fratric of Google Project Zero  
CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42882: Ivan Fratric of Google Project Zero

Archive Utility  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

Bluetooth  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to  
inject keystrokes by spoofing a keyboard  
Description: The issue was addressed with improved checks.  
CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices  
Available for: macOS Sonoma  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

ExtensionKit  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Sonoma  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

TCC  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Sonoma  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

Additional recognition

Memoji  
We would like to acknowledge Jerry Tenenbaum for their assistance.

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

macOS Sonoma 14.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qdUACgkQX+5d1TXa  
Ivp5JQ/9FhhIgATXMT6vd3gK4Bqn3JRODRK+rBcNBjb0zMKWh42fXqZA81K86Ksv  
FB6/OxqYmdo9NI2g7VMj0I7vS8cQf2ZE0sjSYObkuZ32As5y7Ov+xvNnrCjLuwV3  
vrDlBFRRS7KWNskNEV4ciT+ECHUYU6Jkrpt/TqpmR/B/fFxNfjE2Ibeuy56CSlGi  
FYCasHeyI5pC4kfetYG6Jo7RwcK1nCbNWHB3+zKQItvkkwV3nVBF+QjJGD/aEzz3  
X8Jp/hf3taYesK45lr6HWGcuuAGLAAYkjfxz8lLYDQ4AoQ5Xi9WCTjEX9shdKgoF  
oo1JQDCEuhLXK+1vOxoYEmUAKMRQMMlRMtZgft8hPh6Pce8gYcI0Rez3RT5+m2+U  
C7d0+97gnpssZkq2JRdyjogl5ACNHGD81jBHg33PppnjTptKNn8JSyXIZLBM3zK/  
jQRLmEAlJkl6MgnWKiy+pyzPxCsoFJnOJG481sLTEfQbiQONFIUV3YTesxbIv2a0  
8yAM0cFf5cqF6frS81zn8vYfdPJU6HJ3OQGmumLQ4UJAbWY7zg9XbyyZTFw2woGj  
0IvoSEBuP4e25JznB1/nchP7W4MJ9VfAzMe/MyBqOibHgomkY1UQqdvWz7olK3Bb  
5NkKt5PVTVjAH+R5wVnnXPlWq7Rgfg2m0Y9g3FwTm4WPrIUT5Us=  
=c6Yv  
-----END PGP SIGNATURE-----

Tag

#wifi