patsu

About

Username
patsu
Joined
Visits
29
Last Active
Roles
member
Points
84
Badges
0
Posts
430
  • Exploit resellers report glut of iOS vulnerabilities, will pay more for Android bugs

    gatorguy said:
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base
    Wasn't that just as true in years past when Zerodium was (potentially) paying out far more for iOS exploits? Posters here used that fact used to ridicule the security of Android and use it as "proof" that exploits for that platform were a dime a dozen and of course not worth much. Now that Android OS exploits might be more rare and valuable than those for iOS why wouldn't those same arguments those AI posters used be valid now? Personally I don't believe they ever were just as I argued at the time. Where's @NHT and @ericthehalfbee?
    The payout for so-called Android full exploits is just marketing fluff. Hackers don’t have to deliver 1 chain for _all_ Android devices. For mass hacking, they only need to target a handful of brands and can reach most users, which is easy. Zerodium will still pay for them, but significantly cheaper; still dead effective against users though. For high value vertical industries like banking, they target Android and Windows app weaknesses, especially those white box applications. There are too many integration points in these Android and Windows roll outs because they are fragmented. Even though Google try to pull a fast one by just focusing on a small part (just Android vanilla OS), in reality because many 3rd parties modules, extensions need to work together, it is trivial to find the exploits in these mishmash of software. It’s all part of the user stack even though Google doesn’t (want to) count them.

    iOS security is still stronger because of tighter policies. Safari and iMessage can be improved as quickly and targeted as exploits show up. There is nothing inherently weak about Apple’s update strategies. They can release more frequent update if they want to.

    For the recent Uighur hacks, the hackers had to chain together 14 iOS exploits. That’s a long chain and will use up the number of exploits quickly. Android and Windows are also hacked but the developer community did not get a chance to fix them since the attacks had been dismantled when the iOS hack was discovered (more people scrutinizing iOS). So the vulnerabilities still exist, and we don’t know how easy it is. It may very well be shorter exploit chains but more variety of them. I did a quick check, the iOS exploits in this Uighur hack were fixed more than half a year ago in 12.1.4.

    Apple recently beefed up their bug bounty program. This has also generated huge interests amongst the hackers community. After all, everyone knows Apple has deep pocket. So it is not surprising to have so many submissions these days. Some of them are not good enough to receive payouts from Apple or other buyers, and it will result in people shopping around for payment, submitting duplicated findings. Once the bug bounty program (and of course fixes) kick into high gear, we will have a better idea of the run rate for such things.

    Not to mention hardware security. Most software centric companies ignore these hardware and firmware exploits because they don’t play in this area well. So they barely get any mention in the software heavy blogosphere, but Apple’s hardware security is unmatched so far. Take a look at the T2 chip, and other UEFI work done by their teams. It is a cat and mouse game, but Apple’s approach in integrating software and hardware security is pretty interesting so far. We’ll get to see how things evolve in the long run.

    Coincidentally, a new ”Android” exploit today, from the manufacturers:
    https://apple.news/AgUqxXGueSJG68z0oX2oEJA
    lostkiwilolliver
  • Ten days after launching in Poland, Apple Pay has vastly outpaced Google Pay uptake

    maestro64 said:
    To your point, I think China is ahead on the whole electronic pay situation, reason I said this a business associate just got back from a trip in China and was traveling outside the cities and the person who was his in country host, stop at a road side vegetable stand and bought some snack for the drive and the person at the stand took electronic payment. They had one of those NFC readers attached to his phone. I still run into store and retailers in the US with POS terminal which show the NFC symbol but have not active the ability to take Apple Pay.

    Yep. In China, a merchant doesn’t need a POS terminal to accept money. Most of them use QR code. Alibaba and Tencent dominate the payment processor market.

    However even in China, Apple’s early decision to support the credit card companies’ EMVCo tokenization payment standard has long lasting implications. The central bank in China are forcing payment processors, including QRCode ones, to integrate with UnionPay’s EMVCo platform. This decouples the monolithic, end-to-end QRCode payment providers, and allows the central bank to manage the payment industry better. They also extended the EMVCo tokenization infrastructure to support standard QRCode payment in the process:
    https://www.nfcworld.com/2017/07/19/354016/emvco-standardizes-qr-code-mobile-payments/

    Other countries like Thailand and Singapore are also building their national payment platforms around similar infrastructure.

    Back in US, when ApplePay first announced their adoption of the tokenization specs to support the credit card companies, existing payment processors were forced to pivot too. These monolithic businesses were trying to position themselves as the ‘choke point’ of the value chain to suck all the passing user payment data. ApplePay was first to push for enhanced user privacy _and security_ in payment. 

    Looking back, ApplePay helped establish a global payment standard when everyone else was just trying to “be the bank or credit card company themselves”. It was a strategic opening move.
    GG1tmaywatto_cobra