Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Google Project Zero’s elite team of bug hunters needs no introduction.

The white-hat hackers have been adept at finding flaws in Android and iOS, but this interesting new disclosure from Ian Beer beats everything that came before it.

Beer spent six months of his lockdown alone devising a method to remotely hijack iPhones, showing that with just a Raspberry Pi, off-the-shelf Wi-Fi adaptors that cost a total of $100, and a few lines of code, it’s possible for a remote attacker to gain complete control of any iPhone in the vicinity.

What’s more interesting is that it doesn’t involve chaining multiple vulnerabilities together to fully control an iPhone, Beer explained in a 30,000-word magnum opus.

Rather, the exploit “uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device,” allowing a bad actor to “view all the photos, read all the email, copy all the private messages, and monitor everything which happens on [the device] in real-time.”

The bugs that Beer found to develop this exploit chain were all patched before the release of iOS 13.5 earlier this year.

But as Beer wrote in his post, the takeaway here should be that “one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Patrick Wardle, a senior security researcher at Jamf, called Beer’s lockdown project a “work of art.”

What’s trending in security?

Google said it will add end-to-end encryption to its Messages app for Android, Facebook patched a critical issue in its Messenger app for Android that could allow an attacker to eavesdrop on callers, and Twitter rolled out support for two-factor authentication using physical security keys.

  • In a huge win for privacy and security, Google said it will add end-to-end encryption to its Messages app for Android, starting with one-on-one conversations between people using the app. [Google]
  • The Swiss parliament raised concerns after reports that an encryption company based in the country called Omnisec was allegedly used as a Trojan horse by the US and German intelligence agencies to spy on governments worldwide. [AFP]
  • Facebook patched a critical issue in its Messenger app for Android that could have allowed a hacker to call you and start listening before you picked up the call. It’s similar to a security flaw in FaceTime that Apple rushed to fix last year. [Google Project Zero]
  • Researchers at the University of Leuven in Belgium found flaws in the keyless entry system of the Tesla Model X that would have allowed attackers to steal the car within just a few minutes. This is the third such attack demonstrated on Tesla’s key fob. [IMEC]
  • Symantec researchers implicated Chinese threat actor APT10 (aka Stone Panda and Cicada) in a year-long effort to steal sensitive data from numerous Japanese companies and their subsidiaries. [Symantec]
  • The hacking group known as APT32 or OceanLotus has unleashed a new macOS backdoor that provides the attackers with a window into the compromised machine, enabling them to snoop on and steal confidential information and sensitive business documents. [Trend Micro]
  • Security architect and bug hunter Ashar Javed is on a quest to find 365 security bugs in Microsoft Office 365. [Vice]
  • North Korean hackers tried to break into British drug maker AstraZeneca’s systems using LinkedIn and WhatsApp to send spoofed job offers laced with malware, as nation-state threat actors continue to target healthcare organizations working on COVID-19 vaccine research. [Reuters]
  • Just as the privacy pitfalls associated with Covid-related apps are coming into sharp focus, Australia’s Inspector-General of Intelligence and Security (IGIS) found that the nation’s spy agencies “incidentally” collected data from the country’s COVIDSafe contact tracing app in its first six months of operation. But the data was not decrypted, accessed or used. [iTnews]
  • Academics from Israel’s Ben-Gurion University of the Negev described a new form of “cyberbiological attack” that could allow a malicious actor to compromise a biologist’s computer to inject pathogenic sub-strings in DNA sequences and develop dangerous pathogens and toxins. [ZDNet / ESET]
  • Twitter added support for two-factor authentication using hardware security keys. [Twitter]
  • The past fortnight in data breaches, leaks, and ransomware: Advantech, Belden, Embraer, Spotify, U.S. Fertility, and the personal data of 16 million Brazilian COVID-19 patients.

Data Point

According to cybersecurity firm Kaspersky’s IT Threat Evolution report for Q3 2020, cybercriminals are resorting to distributing malware under the names of popular streaming platforms to trick people into downloading it.

“Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means – by purchasing discounted accounts, obtaining a ‘hack’ to keep their free trial going, or attempting to access a free subscription.”

Trojans accounted for 47.23% of all malicious programs disguised under the names of popular streaming platforms between January 2019 and 8 April 2020.

That’s it. See you all in two weeks. Stay safe!