
Hacking news

Stolen Facebook logins put up for sale on the dark web for $3


Hackers are selling stolen Facebook logins on the dark web for as little as $3

Facebook accounts are being sold on the dark web for as low as $3, reports The Independent. This news comes shortly after a massive security breach that exposed the data of approximately 50 million Facebook users last month.

Hackers had exploited the security flaw and stolen “access tokens”, which are the equivalent of digital keys that keep users logged into their accounts and include users’ sensitive data. However, the company claimed at the time that it had not found any evidence of Facebook logins being used by hackers.

But now, these stolen Facebook logins are being sold on the dark web for as little as $3, with the most expensive being sold for $12. The value of the entire stolen data has been estimated at between $150 million and $600 million.

According to The Independent, dozens of listings for sale were noticed on the dark web marketplace Dream Market, which uses a rating system similar to that of online retailers like Amazon and eBay to verify its vendors. Interested buyers can purchase the account login details using cryptocurrencies such as bitcoin.

Basically, the access tokens allow users to stay logged into Facebook apps on smartphones even when they close them. However, hackers can misuse them to take control of user accounts, or for cybercrimes such as identity theft, credit card fraud, spam and fraud emails, or even blackmail.

Facebook CEO Mark Zuckerberg in a post to Facebook last week said: “We face constant attacks from people who want to take over accounts or steal information around the world… The reality is we need to continue developing new tools to prevent this from happening in the first place.”

As a precautionary measure, Facebook has taken down the “view as” feature, a privacy tool that lets users see how their profiles look to other people, that is, how their information is displayed to friends, friends of friends, or anyone.


North Korean hacker charged for WannaCry and Sony cyberattacks


U.S. charges North Korean hacker for WannaCry, Sony cyber attacks

The U.S. government on Thursday charged and sanctioned a North Korean hacker for the 2014 Sony hack and the 2017 WannaCry global ransomware cyberattack, U.S. officials said.

The accused, Park Jin Hyok, who worked as part of a team of hackers also known as the Lazarus Group, has been charged under the U.S. government’s strategy of naming and shaming hackers in order to prevent future cyber attacks.

According to an FBI wanted poster released on Thursday, Park is identified as an alleged North Korean programmer who is accused of being “part of a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history.”

Those attacks include the Sony Pictures Entertainment hack, the WannaCry attack and “a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars,” according to the FBI.


The U.S. Treasury Department sanctioned Park, a computer programmer, and the North Korean entity Chosun Expo Joint Venture, the company he worked for.

The Treasury said the joint venture, also known as Korea Expo Joint Venture, is “a front for the North Korean government,” according to the Justice Department.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General for National Security John C. Demers.

“The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

Park is also suspected of trying to hack into Lockheed Martin’s THAAD Missile defense system project currently deployed in South Korea. He is suspected of working for North Korea’s Reconnaissance General Bureau, a leading intelligence agency of that country.

The complaint against Park describes a “wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea, commonly known as North Korea.”

In 2014, the U.S. officials said unnamed North Korean hackers were responsible for the cyber attacks launched on Sony, which resulted in the loss of internal documents and data.

The hack on Sony Pictures came after Pyongyang sent a letter to the United Nations demanding that the movie production house not move forward with the movie “The Interview,” that showed the North Korean dictator Kim Jong Un in a negative light.

Park exploited multiple social media personas by sending malicious links to individuals involved in the production of the movie, the complaint said. The malicious links carried North Korean-controlled malware.

In 2017, WannaCry ransomware made headlines as one of the most widespread cyber attacks in history, bringing up to 300,000 computers running the Windows operating system in 150 countries to a standstill. Among the victims was Britain’s National Health Service (NHS), which had to close emergency rooms in a number of hospitals due to the hack.

Federal prosecutors have charged Park, who is not in custody, with conspiracy and conspiracy to commit wire fraud.

The Treasury Department, in a press release, said, “North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace.”

“Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions.”

John Demers, the Assistant Attorney General of the National Security Division, said on Thursday, “The department has charged, arrested and imprisoned hackers working for the governments of China, Russia, and Iran. Today, we add the North Korean regime to our list, completing frankly four out of four of our principal adversaries in cyberspace.”

This is the first time the U.S. law enforcement agencies have formally charged a hacker involved in the North Korean “sponsored” cyber attacks. However, North Korea has denied the allegations of hacking.


Celebgate hacker jailed for role in theft of Jennifer Lawrence’s nude photos

Jennifer Lawrence’s hacker who posted her nude images sentenced to prison


One of the four hackers involved in the 2014 ‘Celebgate’ scandal was sentenced on Wednesday in a federal court in Bridgeport, Connecticut. The accused has been sentenced to eight months in prison after which he has to serve three years of supervised release and perform 60 hours of community service.

George Garofano, 26, had hacked into more than 200 iCloud accounts of Hollywood stars including Jennifer Lawrence, Kirsten Dunst, Kate Upton as well as ordinary members of the public, and had posted their intimate pictures on Reddit.

The North Branford man admitted to posing as a member of Apple’s online security team and using a phishing scheme to send emails to the victims asking for their usernames and passwords. He then used the information from victims to steal personal information, including photos and videos. He also traded the credentials and personal information with others.

Earlier this month, Garofano pleaded with a judge for a shorter sentence after claiming his “life has been ruined” by the scandal.

In a court filing, he said: “It will take me a while to forgive myself for this, and I am disappointed in myself.

“I feel remorse for anyone that could have been affected by this on any scale, public or private.

“It is a part of my life that I will always regret, as it has never been a reflection of who I am as an individual.”

“He now stands before the court having matured, accepting responsibility for his actions and having not been in trouble with the law since,” defense attorney Richard Lynch wrote. “There is nothing to suggest that he would ever engage in this or any other criminal conduct in the future.”

However, the prosecution wrote in a sentencing memo to the court: “Mr Garofano’s offence was a serious one. He illegally hacked into his victims’ online accounts, invaded their privacy, and stole their personal information, including private and intimate photos.

“He did not engage in this conduct on just one occasion. He engaged in this conduct 240 times over the course of 18 months.

“Not only did Mr Garofano keep for himself the photographs he stole, he disseminated them to other individuals. He may have also sold them to others to earn ‘extra income’.”

It added: “In committing this offense, Mr Garofano acted in complete and utter disregard for the impact on his victims’ lives.”

Two of the other hackers who were involved in the nude leak have already been sentenced. Ryan Collins, 36, was sentenced to 18 months in prison after pleading guilty to felony hacking and violating the Computer Fraud and Abuse Act; while Edward Majerczyk, 28, pled guilty to the same and was sentenced to nine months in prison. The fourth accused, Emilio Herrera, 32, also pled guilty and is scheduled to be sentenced this month.


16-year-old hacks Apple and steals 90GB of secure files

Australian teenager hacks into Apple’s secure network and steals 90GB of data

An Australian teenager is facing criminal charges for repeatedly breaking into Apple’s computer system after the company contacted the FBI, reports The Age. The teenager, who began hacking at the age of 16, reportedly hacked into Apple’s private servers and stole over 90GB of sensitive corporate information on multiple occasions over a year.

The teen, who cannot be publicly named, was well known in the international hacking community. He pled guilty in Australian Children’s Court on Thursday, with sentencing set for next month. The teenager’s lawyer said in court that the boy was a big fan of Apple who “dreamed” of working for the company.

“Hacky hack hack”

During a raid on his family home in Melbourne, the authorities found downloaded files saved in a folder called “Hacky hack hack.” They also seized two Apple laptops, along with a mobile phone and hard drive. According to the prosecution, the serial numbers of the two seized Apple laptops matched the serial numbers of the devices that accessed the internal systems.

Modus operandi of the teenager

Apparently, the boy downloaded tens of gigabytes of secure files and accessed “authorized keys” that granted login access to users. He then managed to use security keys that “worked flawlessly” to access Apple’s information. He also allegedly had a look at customer accounts. The teenager used a virtual private network (VPN) to disguise his location.

Apple alerted the FBI last year when it detected the unauthorized access and blocked the source of the intrusions, and the FBI launched an investigation. The FBI then coordinated the case with the Australian Federal Police (AFP) after the source of the intrusions was traced to Australia.

It is unclear if any of the acquired data was forwarded to third parties. However, it is understood that the teen hacker used WhatsApp to communicate his intrusion to others. Also, there is no clarity on the extent of the breach, what type of accounts or other information were accessed, or whether the breach was limited to Australia or was worldwide.

Apple has not yet commented on the case.


Instagram hack locking users out of their accounts


Instagram hack: Users become victims of a strange account locking hack

In a widespread Instagram hacking campaign, hundreds of users are reporting that their accounts have been compromised. Besides losing access to the Instagram account, the profile image, email address, phone number, and bios related to the accounts of the affected users have been changed too.

Instagram Users Reporting Strange Hacks

Instagram users have been reporting the bizarre hack since the beginning of August. Users report that they are getting ‘logged out’ of their account, and if they try to log in again, it shows that their username no longer exists. The affected users also found hackers had altered their profile info and changed contact details.

Many of them saw their profile pictures typically set to a Disney or Pixar character with the new email addresses switching to a Russian .ru email address. Also, their bios and personal information have been deleted.

“My account has been hacked! Username, email, and password have been changed. Now someone called Laitus Maria has all my pics,” one Instagram user complained. While another disgruntled user tweeted:

Instagram responds to the widespread hack

The Facebook-owned app in a blog post said that people who have been locked out of their accounts can regain access here with a new, secure email address.

The company wrote, “If you received an email from us notifying you of a change in your email address, and you did not initiate this change, please click the link marked ‘revert this change’ in the email, and then change your password. We advise you pick a strong password.”

Instagram hack - account security

Instagram also shared the following safety measures to avoid falling victim to similar hacks:

  • Use a strong password—at least six numbers, letters, and symbols—different from those used elsewhere on the web.
  • Revoke access to suspicious third-party applications.
  • Activate two-factor authentication (2FA).

Instagram added, “We have dedicated teams helping people to secure their accounts. If you have reached out to us about your account, you will hear back from our team soon.”

While the motive behind the attacks on Instagram is still unknown, the use of .ru email addresses indicates that the source may be from Russia or perhaps threat actors pretending to be from the country.

Instagram is currently dependent on text messages for two-factor authentication (2FA), which is believed to be less secure than other app-based 2FA methods. However, the company says that it is working on improving its 2FA settings.

We recommend visiting the Instagram Help Centre dedicated to hacked accounts for more information.

US indicts 12 Russian Intelligence Agents for hacking and leaking DNC emails


U.S. charges 12 Russian intelligence officers with hacking Democrats in 2016 election campaign

Twelve Russian intelligence officers were charged on Friday by the U.S. Justice Department for hacking the computer networks of 2016 Democratic presidential candidate, Hillary Clinton and the Democratic Party. The shocking announcement comes just two days before U.S. President Donald Trump, who is currently on a visit to Britain, is scheduled to meet Russian President Vladimir Putin, for a summit in Helsinki, Finland.

The indictment was secured by Robert Mueller, the special counsel investigating alleged Russian election meddling in the November 2016 vote and whether any members of Trump’s campaign team conspired with Moscow.

The 11-count, 29-page indictment accuses all 12 officers of the Russian military intelligence agency known as the GRU of carrying out “large-scale cyber operations” to steal Clinton campaign and Democratic Party documents and emails, as part of a Russian government effort to interfere with the election.

According to Mr. Mueller, the agents used “spearphishing” — a hacking method involving the use of deceptive email addresses — to fake Clinton campaign and DNC staffers and hacked into the election database of a U.S. state. The hackers then filtered the pilfered material through fake personas called DC Leaks and Guccifer 2.0, as well as others, to try to influence voters.

The suspects “covertly monitored the computers, implanted hundreds of files containing malicious computer code, and stole emails and other documents,” said Deputy Attorney General Rod Rosenstein while announcing the indictments at a press conference in Washington on Friday. “The goal of the conspirators was to have an impact on the election. What impact they may have had … is a matter of speculation; that’s not our responsibility.”

However, Rosenstein said the indictments did not claim that the cyber-attacks eventually affected vote count or changed the outcome of the 2016 election.

“There’s no allegation that the conspiracy changed the vote count or affected any election result,” Rosenstein said.

“There’s no allegation in this indictment that any American citizen committed a crime,” Rosenstein added, although the “conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, he added, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

Rosenstein said he had briefed Trump “earlier this week” on the impending indictment and that the timing was determined by “the facts, the evidence, and the law.”

Rudolph W. Giuliani, Trump’s lawyer, said on Twitter that the indictments “are good news for all Americans. The Russians are nailed. No Americans are involved.” He then called on Mueller “to end this pursuit of the president and say President Trump is completely innocent.”

On the other hand, Trump, while speaking in Britain before the indictments were revealed, had said that he would question Putin about the allegations of election interference.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” he told a joint press conference with British Prime Minister Theresa May.

At the same time, he also condemned the Mueller investigation as a “rigged witch hunt,” and said he has been “tougher on Russia than anybody.”

Russia rejected accusations that it meddled in the U.S. presidential election and has denied any role in the attack to help Trump win.

Senator Chuck Schumer, the Democratic Senate minority leader, advised Trump to cancel the Putin talks.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Schumer said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections.”

Similarly, Republican Senator John McCain said the summit should be called off if Trump is not ready to warn Putin there is a “serious price to pay for his ongoing aggression towards the United States and democracies around the world.”

“If President Trump is not prepared to hold Putin accountable, the summit in Helsinki should not move forward,” McCain said.

Responding to the calls for cancellation of the summit to be held on Monday, the White House spokeswoman Sarah Sanders said, “It’s on.”


15 Chinese PUBG hackers arrested and fined $5.1 million USD


PUBG Cheat: Chinese police arrest 15 suspects and fine over $5 million USD

Last week, PUBG Corporation, the developer behind the popular online battle royale game, “PlayerUnknown’s Battlegrounds” (PUBG), confirmed in an announcement made through the game’s Steam page that 15 suspects were arrested in China for allegedly creating and selling hacks for the PUBG game.

According to the Steam post, the suspects not only illegally affected PUBG with the programs but also used Trojan horse software. “Earlier this month, on April 25th, 15 suspects were arrested for developing and selling hacking/cheating programs that affect PUBG,” the announcement said. “It was confirmed that malicious code, including Trojan horse software, was included in some of these programs and was used to steal user information.”

The game’s developer revealed that it has been working with the local Chinese authorities to arrest and fine the makers of PUBG hack programs.

“As you all now know, we’ve been doing everything possible to root out cheating from PUBG,” the Steam post reads. “The ultimate goal is to create an environment for players that’s completely safe from hackers and cheaters.”

The PUBG team provided the following information on the case that was translated by the local authorities:

“15 major suspects including “OMG”, “FL”, “??”, “??” and “??” were arrested for developing hack programs, hosting marketplaces for hack programs, and brokering transactions. Currently the suspects have been fined approximately 30mil RNB ($5.1mil USD). Other suspects related to this case are still being investigated.

“Some hack programs that are being distributed through the internet includes a Huigezi Trojan horse*(Chinese backdoor) virus. It was proven that hack developers used this virus to control users’ PC, scan their data, and extract information illegally.”

The post also added, “The longstanding rumor that hacking/cheating programs extract information from users’ PCs has been confirmed to be true. Using illegal programs not only disrupts others, but can end up with you handing over your personal information.”

Last December, anti-cheat company BattlEye had tweeted that it had banned over 1.5 million accounts until then and over a million more in January alone. “Unfortunately, things continue to escalate,” it said.

Hacking is a big issue for PUBG and it is taken “extremely seriously,” the post read. It also reminded players that developing, selling, promoting, or using unauthorized hacking/cheating programs is not only unfair for others playing PUBG but also against the law. It said that the efforts between PUBG Corp. and the proper authorities to root out cheating from PUBG will continue.

“We’ve upgraded our security measures, improved our anti-cheat solutions, and recently even added a new anti-cheat solution on top of all that. In the meantime, we’ve also been continuously gathering information on hack developers (and sellers) and have been working extensively with multiple partners and judicial authorities to bring these people to justice,” the post added.

“We’ll continue to crack down on hacking/cheating programs (and their creators) until our players are free to battle it out in a totally fair environment.”


Hackers built a ‘master key’ that unlocks millions of hotel rooms


Hackers find a serious security vulnerability in hotel key system

Researchers from the Finnish cyber security firm, F-Secure have discovered a critical flaw that allows hackers to use a used or even a discarded hotel key card to create a master key for the entire building within minutes without leaving a trace.

Tomi Tuominen and Timo Hirvonen, security consultants at F-Secure, said that they discovered a vulnerability in the software of the electronic hotel room keys of VingCard Elsafe (a brand under Assa Abloy), a global provider of hotel locking systems. The vulnerable software in question is called ‘Vision’, and it could affect millions of rooms, as the locks are found in 166 countries and in over 40,000 buildings, F-Secure researchers estimate. Some of the hotel chains that have used Abloy’s lock systems over the years are Intercontinental, Hyatt, Radisson, and Sheraton.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said.

“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen added. “You cannot really know how secure the system is unless someone has really tried to break it.”

Tuominen and Hirvonen started studying the vulnerability 15 years ago after a laptop belonging to one of their colleagues was stolen from a hotel room.

The duo wanted to figure out if it’s possible to open an electronically locked room without leaving a trace, and developed their own software to hack into the keycards.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Hirvonen. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

The researchers found that an attacker just needs access to an electronic key (RFID or magnetic stripe) to the hotel or facility they are targeting. They found that information from a single keycard, even an expired and discarded one, can be scanned and copied using a small device to spoof more keys to the hotel or facility. It takes only a minute to decipher the card using the custom software, and produce a master key, which can bypass any lock, allowing unrestricted access to any hotel or facility.

“The hack consists of three steps,” Tuominen explains to The Independent. “Firstly, get access to a key card, it doesn’t matter which. Secondly, use a relatively-cheap piece of hardware, combined with our custom software, to read the card and search for the master key code. Thirdly, write the master key onto the key card, or any other key card, to gain access to any room in the facility.”

The two consultants have since worked with lock manufacturer Assa Abloy to fix the software flaw with an update, and some of the locks have been patched at the central server. However, it is expected to take a long time to roll out the fix across all hotels affected.

“We appreciate F-Secure’s ethical approach in bringing these issues to our attention,” a spokesperson for Assa Abloy said.

“We strive for the utmost security and quality in our products, so we are glad to have the opportunity to ensure our products pass the most rigorous evaluations. With these updates, we have elevated hospitality security to the next level.”

The researchers are set to present their findings at the Infiltrate conference later this week.


‘Unpatchable’, Nintendo Switch Hacked, Hack Tool Released Publicly

Nintendo Switch Hacked, Cannot Be Patched By Nintendo

Hackers have a particular liking when it comes to hacking Nintendo Switch. The console has been hacked following a complete dump of the Nintendo Switch’s boot ROM, with two very similar exploits of the console being released that take advantage of a security vulnerability in the Nvidia Tegra X1 processor, which cannot be patched by Nintendo, reports Eurogamer. In other words, the exploit takes advantage of bugs in the Switch’s bootROM and USB recovery mode, which can be abused to run arbitrary code.

The exploits were first uncovered by console hackers ‘fail0verflow’ with the group’s ShofEL2 release, as well as the Fusée Gelée hack from Kate Temkin and the team at ReSwitched. Since the vulnerability extends to most Tegra devices, the nature of the exploit was fully disclosed to Google, Nintendo and Nvidia by both groups well in advance.

While fail0verflow was set to release its exploit on April 25th, it brought the release forward once the Switch’s boot ROM dump leaked. The video below shows Linux running on an unmodified Switch due to the exploit.

“Choosing whether to release an exploit or not is a difficult choice,” fail0verflow wrote in a blog post accompanying the release of its exploit. “Given our experiences with past consoles, we’ve been wary of releasing vulnerability details or exploits for fear of them being used primarily for piracy rather than homebrew.

“That said, the Tegra bootrom bug is so obvious that multiple people have independently discovered it by now; at best, a release by other homebrew teams is inevitable, while at worst, a certain piracy modchip team might make the first move. 90 days ago, we begun the responsible disclosure process with Google, as Tegra chips are often used in Android devices. The disclosure deadline has now lapsed. The bug will be made public sooner or later, likely sooner, so we might as well release now along with our Linux boot chain and kernel tree, to make it very clear that we do this for fun and homebrew, and nothing else.”

Nintendo cannot patch the hack because the flaws that allow homebrew code to run on the hybrid console are reportedly hardware-based. The only way for Nintendo to remove the ROM exploit would be to alter the architecture of the Nvidia Tegra X1, the processor that powers the Switch. Homebrew code is mostly used to run emulators of classic video game platforms like the SNES, but it can also be used to pirate or modify software. Basically, every Switch released to date and going forward is vulnerable to the exploit until the Tegra chip is modified.

“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever.” The group goes on to explain the exploit’s process, which basically requires a wire bridge (or a 3D printed tool). “As it turns out, what Tegra calls the Home button is actually connected to Pin 10 (the rearmost pin) on the right hand side Joy-Con connector. You can just use a simple piece of wire to bridge it to e.g. a screw on the rail (easiest), or pins 10 and 7 (or 1) together (10 and 9 won’t work),” writes fail0verflow.

Nintendo has yet to comment on how it plans to address the exploits. When reached for comment a spokesperson at the company said, “We have nothing to announce on this topic.”

Source: Eurogamer


iTunes’ Wi-Fi Sync Feature Vulnerable To Trustjacking Attack


iOS Trustjacking Attack Allows Hackers To Hack iPhone, iPad

Security experts at Symantec have discovered a flaw that, if exploited, would allow attackers to compromise iOS devices without the owner’s knowledge.

The latest iOS attack, dubbed “Trustjacking”, exploits a vulnerability in iTunes Wi-Fi Sync, a feature that allows iOS devices to be synced with iTunes without having to physically connect the iOS device to the computer. This feature can be enabled by physically connecting an iPhone/iPad to a computer once with a cable, specifying that the iOS device can trust the computer henceforth, and then enabling iTunes Wi-Fi Sync from the PC. Once a trusted Wi-Fi Sync connection is established, a hacker who has access to the user’s computer can secretly spy on the iOS device or record and control any sort of activities remotely, as long as both are on the same local network.

“This allows the computer to access the photos on the device, perform a backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. Furthermore, this allows activating the “iTunes Wi-Fi sync” feature, which makes it possible to continue this kind of communication with the device even after it has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network. It is interesting to note that enabling “iTunes Wi-Fi sync” does not require the victim’s approval and can be conducted purely from the computer side,” Roy Iarchy, Head of Research, Modern OS Security wrote in the report.

Trustjacking is “extremely impactful,” said Adi Sharabani, SVP of modern OS security at Symantec, who disclosed the findings at RSAC 2018 last Wednesday alongside his colleague Iarchy.

The report stated that once the malicious computer is authorized, there is no other means that prevents the continued access to the device. Further, the users do not receive any prompts or notifications that by authorizing the computer they allow access to their device even after disconnecting the USB cable. Many users assume that their device is no longer exposed once they disconnect the USB cable.

“Even if the device is only connected for a very short period of time, it is enough for an attacker to execute the necessary steps to maintain visibility of all actions performed on the device after it is disconnected,” Iarchy wrote.

Researchers disclosed the vulnerability to Apple, who have attempted to address the issue by adding an extra layer of protection in iOS 11. The new protection layer requires the user of iOS to enter his or her passcode when trusting a computer. However, the researchers believe that such measures are inadequate.

“The user is still being told that this authorization is only relevant while the device is connected to the computer, making him believe that disconnecting his device guarantees that no one can access his private data,” Iarchy writes in the blog post. “While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work,” Iarchy added.

Researchers also suggest that users enable encrypted backups in iTunes and select a strong password to protect their devices.

Users can also go to Settings > General > Reset > Reset Location & Privacy, and re-authorize all previously connected computers the next time they connect their iOS device to each one, said Symantec.