Alex Drozhzhin – Kaspersky official blog https://www.kaspersky.com/blog The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

Why you need to always update Safari on iPhone | Kaspersky official blog https://www.kaspersky.com/blog/always-update-safari-on-iphone/44039/ Mon, 04 Apr 2022 13:34:04 +0000

Lots of iPhone users aren’t crazy about the iOS built-in browser, Safari, and prefer to use an alternative — Google Chrome, Mozilla Firefox, or even something more exotic like DuckDuckGo, Brave or Microsoft Edge (yes, there’s Edge for iOS!).

iPhone users who prefer alternative browsers might get lulled into thinking that the vulnerabilities in Safari and the WebKit engine don’t present a direct danger to them. Unfortunately, this isn’t the case. In this post, we give you the lowdown and tell you why you need to make sure that Safari and WebKit on your iPhone are always updated in time.

Every browser in iOS is Safari

Every browser is based on what is called an “engine.” The engine processes the code that is received from the internet and transforms it into the web pages that the browser ultimately shows the user. Of course, the browser has a bunch of other necessary and useful parts that direct the engine and ensure that the additional features work. Think of the browser engine like the engine of a car: it’s the most important part of a browser and without it you won’t get anywhere.

There are three major browser engines in the world. Google uses its own V8 engine in its Chrome and Chromium browsers, while Microsoft Edge and dozens of other browsers are based on Chromium. There is also the Gecko engine — its modern version is called Quantum — which Mozilla developed and supports for the Firefox browser and a few others. Finally, the third giant of the modern web is Apple’s engine — Webkit, which is used in the Safari browser.

But here’s the thing. The Chrome and Firefox versions for desktop computers and Android are built on Google’s V8 engine and Mozilla’s Gecko/Quantum engine, respectively. However, it’s a different story for iPhones. In keeping with Apple’s policies, there is only one engine permitted in iOS — you guessed it: WebKit. This means that all browsers for iOS are essentially Safari with different user interfaces.

Excerpt from the iOS app developer rules: “Apps that browse the web must use the appropriate WebKit framework and WebKit JavaScript.”

This means that all vulnerabilities found in WebKit present a danger for users of any browsers for iOS. Since iPhones are a very tempting target for hackers, security specialists study the WebKit engine all the more closely, and as a result, they find vulnerabilities in it rather often. This includes vulnerabilities that attackers are already using in the wild.

One of the most dangerous types of vulnerabilities in a browser engine is a so-called zero-click vulnerability, which allows bad actors to infect an iPhone without any action by the user. When this kind of vulnerability is exploited, the user doesn’t need to be convinced to download or install anything. All the attacker needs do is draw the victim to a specially built website with malicious code or hack a popular site and implant the malicious code in it. After the user visits such a site through a vulnerable browser, the attackers can take control of the iPhone.

How to update Safari and WebKit

It’s important to remember that the update of the WebKit engine and Safari browser isn’t related to the update of the browser apps you’re using. Google Chrome automatically updates from the App Store — that is, if you haven’t disabled this option, and we don’t recommend that you do — but in essence this is an update of the shell program, not the engine. So this won’t solve the problem of vulnerabilities in WebKit.

To avoid vulnerabilities in both the WebKit engine and Safari browser, you need to install the appropriate iOS updates. The best thing to do is to make sure to install all the latest operating system updates — after all, the vulnerabilities aren’t just in the browser engine but also in other important components of iOS.

To update your iPhone, go to Settings → General → Software Update. If you see a button on the screen that says Download and Install, tap it and follow the instructions.

Where to find the iOS update in your iPhone’s settings

Don’t be afraid of iOS updates

A lot of users are lukewarm about updating the operating system: some people don’t like having to get used to new features in the interface, some worry about having less storage, while others fear that after an update the iPhone may start to slow down or some old apps that are no longer supported in the new version will stop working.

These fears aren’t totally unfounded. It’s true that Apple does sometimes make the interface less user-friendly. It’s also true that each new version of the system takes up a bit more storage than the previous one and leaves less space for your files. And it’s no myth that iPhones have slowed down after an update — this has been documented.

But we still recommend that you always keep your iPhone updated: doing so is crucial for keeping your data safe and ensuring that it doesn’t fall into the wrong hands. Unfortunately, there is no full-fledged antivirus for iOS. That means that the iPhone’s security is contained only in Apple’s protection mechanisms, so any hole in them without a system update remains an open door for hackers.

How to update Google Chrome if there is no “Update” button | Kaspersky official blog https://www.kaspersky.com/blog/how-to-update-google-chrome/43547/ Mon, 07 Feb 2022 14:08:05 +0000

Every so often dangerous vulnerabilities are detected in Google Chrome — bugs that attackers can use to steal users’ data or infect their computers with something undesirable. In especially severe cases, there are vulnerabilities that criminals have already started to exploit. When that happens, Google usually responds fast by releasing an emergency update, which you should install as soon as you can.

How to urgently update Google Chrome

Under normal circumstances Google Chrome automatically installs updates and prompts you to relaunch the browser to apply them. You’ll then see a green “Update” button in the upper right corner of the browser window where the menu button usually is. In a few days the button will turn orange, and after a week it will turn red. We recommend that you update immediately, before these warning colors appear.

But what do you do if you’ve read news about a new vulnerability in Google Chrome but you don’t see that precious “Update” button? Don’t worry, this is normal — when an update is released it can take a while for the button to appear. If the vulnerability is dangerous, it’s best to force things and nudge the browser to quickly install the update. Rest assured this is easy to do — simply follow these steps:

  • Click the three dots in the upper right corner of the screen.
  • When you see the drop-down list, click Settings.
  • Go into the About Chrome section.

Where to find Google Chrome updates: three dots → Settings → About Chrome

  • If you see the message Chrome is up to date, everything is fine and you don’t have to do anything else.
  • If there is an update available, Chrome will immediately begin downloading and installing it. Google Support says that next to the version number you should see an “Update” button that you need to click, but generally there is no button and the update starts downloading automatically.

After opening the About Chrome page, the browser will automatically download and install the latest update

  • When the update is downloaded, you’ll see a message saying, “Nearly up to date! Relaunch Google Chrome to finish updating,” and a Relaunch button.
  • You must then relaunch the browser — otherwise, the update won’t be applied.
  • Don’t worry about losing anything important when you relaunch the browser: after updating, Chrome restores all the windows and tabs that were open, except for those in “Incognito” mode.

Make sure to relaunch your browser after installing the update, otherwise it won’t be applied

What to do if you have problems with updating Google Chrome

Google Chrome is the most popular browser on the planet, with billions of users. If all those people tried to install an update simultaneously, Google might not have enough resources to handle all the requests at once. This means that sometimes updates might not be available immediately.

This most often happens when the detected vulnerability is truly dangerous and the update is important, because this is when a lot of people try to install it at the same time. If this happens, you’ll need to wait a little while, periodically repeating the instructions above.

If waiting doesn’t help and you can’t update Google Chrome for quite a while, try following the recommendations of the browser’s developers.

Forewarned is forearmed

Now you know how to install the latest version of Google Chrome even if the browser doesn’t readily tell you that an update is already available. Also remember to update other important apps and make the most of a reliable security solution that will keep your devices and personal data secure.

What is NoReboot and how to protect yourself from such an attack | Kaspersky official blog https://www.kaspersky.com/blog/what-is-noreboot-attack-and-how-to-protect-your-smartphone/43292/ Mon, 10 Jan 2022 16:41:24 +0000

To be absolutely sure your phone isn’t tracking you or listening in on any conversations, you might turn it off. It seems logical; that way, even if the phone is infected with serious spyware, it can’t do anything.

In addition, turning off or restarting a smartphone is one of the most reliable ways to fight such infections; in many cases, spyware “lives” only until the next reboot because it cannot gain a permanent foothold in the operating system. At the same time, the vulnerabilities that allow malware to work even after a reboot are rare and expensive to exploit.

However, this tactic might not work forever. Researchers have come up with a technique to bypass it using a method they have named NoReboot. In essence, this attack is a fake restart.

What is NoReboot, and how does the attack work?

We want to note right off the bat that NoReboot is not a feature of any real spyware in use by attackers; rather, it’s a so-called proof of concept that researchers demonstrated under laboratory conditions. At this point it is hard to say whether the method will actually gain traction.

For the demonstration, the researchers used an iPhone they “infected” beforehand. Unfortunately, they haven’t shared the technical details. Here’s what happens in the demonstration:

  • The spy malware, which transfers the image from the camera, runs on the iPhone;
  • The user tries to shut off the phone the usual way, using the power and volume buttons;
  • The malware takes control and shows a perfect fake instead of the standard iOS shutdown screen;
  • After the user drags the power-off slider, which also looks perfectly normal, the smartphone’s screen goes dark and the phone no longer responds to any of the user’s actions;
  • When the user presses the power button again, the malware displays a perfect replica of the iOS boot animation;
  • During the entire process, the phone is continually transferring the image from the phone’s front camera to another device without the user’s knowledge.

As is often the case, seeing is believing, and we recommend checking out the researchers’ video:

How to protect yourself against NoReboot

Again, at least for now NoReboot is only a demonstration of the feasibility of an attack. The attack is alarming, to be sure, but don’t forget that malware needs to get onto a smartphone before it can do any damage. Here are some tips to help you prevent that from happening:

  • Keep in mind that it’s much harder for attackers to infect a smartphone remotely than if they have physical access to it. Be careful not to let someone else get hold of your smartphone — especially for a long period of time — and install a reliable device lock.
  • People most often install malware on their smartphones on their own, voluntarily. Be careful about what you download and avoid installing unnecessary apps — that is, those you can easily live without — as a general rule.
  • Don’t root or jailbreak your smartphone (at least if you haven’t been using *nix systems for many years). Superuser rights make malware’s work exponentially easier.
  • If you have an Android device, we recommend installing an antivirus solution — to block Trojans from penetrating the system.
  • Let your smartphone die a natural death from time to time — that is, wait for the charge to run out completely. The phone will then most certainly restart without any fakes, and there’s an excellent chance that spies will disappear from the system. You can speed up the process by using a resource-hungry app, such as a game or benchmark-test utility.

The 10 best authenticators for Android, iOS, Windows and macOS | Kaspersky official blog https://www.kaspersky.com/blog/best-authenticator-apps-2022/43261/ Fri, 07 Jan 2022 17:39:41 +0000

If you use two-factor authentication with one-time codes generated in an app, Google Authenticator is not your only option. Since Google’s original solution was created a decade or so ago, a number of alternatives that outperform it in convenience and functionality have come on the scene.

As recently as three years ago, you could count available authenticator apps on one hand, but with a few dozen in the mix now, it is easy to get lost in the options. To help you choose an authenticator that works with your operating systems, we have grouped the 10 most noteworthy by OS:

1. Google Authenticator

Operating systems: Android, iOS

Anyone reading this post is probably already familiar with the overwhelmingly popular Google Authenticator. However, we can’t write about authenticator apps without mentioning this one — and we can use Google’s authenticator as a baseline for evaluating the other programs.

The iOS version of Google Authenticator

On the whole, Google Authenticator is a convenient solution for those who would rather not get involved with token synchronization through the cloud. Instead, the app can export all of the tokens created in it, making a single QR code to import them en masse to a new device. In the iOS version, it recently became possible to search tokens and protect access to the app with Touch ID or Face ID, unlike with the Android version. Google Authenticator still cannot hide generated codes from view, which may be problematic if you use it in public. (Incidentally, all authenticators for Android restrict the taking of screenshots, so all screenshots in this post come from the iOS versions of the apps.)

Pros:

  • No need to create an account,
  • Face ID/Touch ID protection for app access (iOS version only),
  • Simple interface with minimal settings,
  • Ability to export and import all tokens at once,
  • Ability to search by token name (iOS version only).

Cons:

  • No login protection (Android version),
  • Inability to hide codes,
  • No cloud backup/sync,
  • Greater potential risk, because of ease of exporting tokens, if the unlocked app falls into the wrong hands.

Summary
Google Authenticator lacks some useful features, but if you don’t want to get involved with storing tokens in the cloud, it’s a decent option.

2. Microsoft Authenticator

Operating systems: Android, iOS

Many people looking for an alternative to Google Authenticator turn to Microsoft Authenticator based solely on the reputation of the developer. They’re partly justified: The Microsoft app includes a few useful additions to the basic set of features. For example, it can hide codes on the screen and store tokens in the cloud, and both the iOS and Android versions protect app logins. Microsoft Authenticator also comes in handy if you work with Microsoft accounts regularly, in which case you do not need to enter a code, just tap the button in the app to confirm login.

Microsoft Authenticator: Not bad, but why so big?

However, this app also has drawbacks. First, the Android and iOS apps use completely incompatible cloud backup systems, and you can’t transfer tokens any other way. For users of devices with different operating systems, that would be a deal-breaker. Second, Microsoft Authenticator needs about 10 times the storage space of Google Authenticator, 150MB–200MB compared with 15MB–20MB.

Pros:

  • PIN-, fingerprint-, or Face ID–protected access,
  • Cloud backup/sync,
  • Hides codes,
  • No account required (as long as you keep cloud backup disabled),
  • Greatly simplified Microsoft account login,
  • Support for Apple Watch (iOS version).

Cons:

  • Microsoft account login necessary for backup/sync (Android version only),
  • Incompatibility between iOS and Android backup/sync systems,
  • Inability to export or import tokens,
  • Large (requires 150MB–200MB).

Summary
Microsoft Authenticator greatly simplifies login to Microsoft accounts, but it is hard to excuse its enormous size — and that iOS and Android cloud backups are incompatible.

3. Twilio Authy

Operating systems: Android, iOS, Windows, macOS, Linux

Twilio Authy’s main advantage is its comprehensive cross-platform support. Not only does Authy offer versions for all current operating systems, but also, the app syncs them all handily. That easy access does come with one disadvantage, though. The app requires an account linked to your phone number to work at all.

Twilio Authy has apps for every operating system

The app’s interface looks very different from those of other authenticators. Instead of a list, it has something like a set of tabs, so at any given moment, it displays only the selected token, leaving the rest to appear as small icons that you can switch between at the bottom of the screen. If you have a lot of tokens, that can be inconvenient. Desktop users can display tokens as a list, but the option isn’t available in the mobile version.

Pros:

  • PIN-, fingerprint-, or Face ID–protected access,
  • Cloud backup/sync,
  • Availability for all popular operating systems,
  • Support for Apple Watch (iOS version),
  • Ability to search by token.

Cons:

  • Requires an account linked to a phone number,
  • Displays only one token at a time,
  • Inconvenience of searching for tokens,
  • Inability to hide the active token’s code,
  • Inability to export and import tokens.

Summary
You cannot use Twilio Authy without setting up an account, and the smartphone interface isn’t as user friendly as we’d like it to be, but with apps for all operating systems syncing perfectly with one another, this app may be worth a look.

4. Cisco Duo Mobile

Operating systems: Android, iOS

Duo Mobile, acquired by Cisco in 2018, is one of the oldest authenticator apps. Its main advantage is a clean, user-friendly interface. Duo Mobile also hides codes from view and does not require an account. However, the software lacks other important features: first and foremost, access protection, which neither the iOS nor the Android version has.

The Android version of Cisco Duo Mobile lets users “Temporarily allow screenshots,” so for variety, here are screenshots of both versions

Duo Mobile uses two systems for cloud backup: Google Cloud on the Android platform and iCloud on the iOS platform. The smartphone user’s existing Google and Apple accounts serve for that, meaning users do not have to create a new account for the app to work. However, users cannot sync data between Android and iOS versions, the app does not support file export, and there is no option to view a secret key or QR code for tokens that are already saved (which could be helpful if you need to do a manual sync).

Pros:

  • Clean, user-friendly interface,
  • Ability to hide codes,
  • No need to create an account,
  • Cloud backup/sync,
  • Apple Watch support (iOS version).

Cons:

  • No access protection,
  • Inability to export or import tokens,
  • Incompatible backup/sync systems for iOS and Android.

Summary
Cisco Duo Mobile may meet your needs if you use, and plan always to use, only one mobile operating system.

5. FreeOTP

Operating systems: Android, iOS

This open-source authenticator app was created after Google closed its Authenticator source code. The FreeOTP interface is ultraminimalistic, with nothing superfluous. This minimalist approach is especially apparent in the iOS version, which lacks even the option to create a token based on a secret key, leaving only QR-code scanning. The Android version retains both options, and it offers a lot of flexibility in manual token creation, letting users choose the type of generation (TOTP or HOTP), the number of characters in the code, the algorithm, and the refresh interval for the codes.
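The paragraph above lists the settings a manually created token has (TOTP or HOTP, number of digits, hash algorithm, refresh interval). The following is an added example, not code from the post or from any of the apps it reviews: it implements RFC 4226 HOTP and RFC 6238 TOTP with exactly those parameters and parses the otpauth:// URI that an authenticator QR code (or a “view secret key” screen) encodes. The function names are my own, and the sample URIs are constructed from the RFC test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions permitted by RFC 6238; SHA1 is the default every reviewed app supports.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the last `digits` decimal digits (zero-padded, so a leading 0 is kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, digits=6, algorithm="SHA1", period=30):
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the refresh interval."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // period, digits, algorithm)


def parse_otpauth(uri):
    """Parse an otpauth:// URI, the format inside authenticator QR codes.
    Missing parameters take the defaults the apps assume: 6 digits, SHA1,
    a 30-second period and counter 0."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # many apps emit base32 without '=' padding
    token = {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "period": int(params.get("period", 30)),
        "counter": int(params.get("counter", 0)),
    }
    if token["algorithm"] not in ALGORITHMS or token["digits"] not in (6, 7, 8):
        raise ValueError("unsupported algorithm or digit count")
    return token


def code_from_uri(uri, timestamp=None):
    """Generate a token's code given only its otpauth URI: the secret plus these
    parameters is all an app needs, which is why an exported token is a full copy."""
    t = parse_otpauth(uri)
    if t["type"] == "hotp":
        return hotp(t["secret"], t["counter"], t["digits"], t["algorithm"])
    return totp(t["secret"], timestamp, t["digits"], t["algorithm"], t["period"])


# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890" in base32,
# wrapped in the kind of otpauth URI an app would encode in its QR code.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_TOTP_URI = (
    "otpauth://totp/Example:alice@example.com"
    f"?secret={RFC_SECRET_B32}&issuer=Example&digits=8&period=30"
)
SAMPLE_HOTP_URI = f"otpauth://hotp/Example:bob@example.com?secret={RFC_SECRET_B32}&counter=1"

if __name__ == "__main__":
    print(code_from_uri(SAMPLE_TOTP_URI, timestamp=59))  # RFC 6238 table: 94287082
    print(code_from_uri(SAMPLE_HOTP_URI))  # RFC 4226 counter 1: 287082
    print(code_from_uri(SAMPLE_TOTP_URI))  # the code a real app would show right now
```

Against the RFC test secret the functions reproduce the published test vectors, and run on any token’s URI they reproduce that app’s codes, which is the practical reason the post keeps returning to access protection for apps that make secrets easy to view or export.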

FreeOTP is the most minimalist open-source authenticator

One disadvantage is that no version of the app supports cloud sync or token export and import in the form of a file, so once you start using the app, you’re stuck with it. In addition, in FreeOTP, you can’t set a PIN or protect app access any other way (in the iOS version, you can protect individual tokens with Touch ID or Face ID). The app hides codes by default, though, and also hides them automatically after 30 seconds of inactivity. FreeOTP’s final advantage is that it takes up minimal storage space, about 2MB–3MB (by comparison, Google Authenticator requires 15MB–20MB, and Microsoft Authenticator takes up 150MB–200MB).

Pros:

  • No need for an account,
  • Simple interface,
  • Hidden codes as default,
  • Codes automatically hidden after 30 seconds of inactivity,
  • Minimal storage requirement,
  • Touch ID or Face ID protection for tokens (iOS version only),
  • Ability to search by token name (iOS version).

Cons:

  • Inability to generate a token with a secret key (iOS version; requires scanning a QR code),
  • Inability to export and import tokens,
  • Inability to backup/sync,
  • Lack of access protection.

Summary
Like all open-source apps, FreeOTP is a little quirky, but we cut it a lot of slack because its interface and overall storage requirements are so light.

6. andOTP

Operating systems: Android

The andOTP authenticator has everything you can think of to conveniently and securely save tokens, and then some. For example, andOTP’s features include tag support and search for tokens by name. There is also an option to connect a “panic button” so that in case of emergency, you can erase all tokens from the app and reset.

Like all authenticators for Android, andOTP blocks screenshots on a screen with codes, so here’s the Settings menu

The app allows you to view your secret key or QR code for each token individually. You can also save all of your tokens at once in an encrypted file in Google Drive — that means with one tap you can back up to the cloud or export to a file. App access can be protected with a password or the fingerprint you use to log in to your Android device. For greater security, however, you can set up a separate PIN or even a long password specifically for andOTP, along with setting the app to lock after a period of inactivity (which you define). There are three or four more settings screens — this app is a geek’s dream.

Pros:

  • Access protection with a PIN or password set in the app, or with the OS login PIN or fingerprint,
  • Ability to view the secret key or QR code for any token,
  • Ability to export all tokens at once to an encrypted file in Google Drive,
  • Code-hiding,
  • Automatic hiding of codes when the user is inactive (after 5–60 seconds, configurable),
  • Automatic locking of the app when the user is inactive (after 10–360 seconds, configurable),
  • Flexible token searching by name or using customizable tags,
  • Option to use panic button to erase all tokens,
  • Flexible and plentiful settings.

Cons:

  • Android-only availability,
  • Ease of key retrieval, meaning greater risk if the unlocked app falls into the wrong hands.

Summary
andOTP is the most feature-rich authenticator for Android and is sure to please all authenticator geeks.

7. OTP auth

Operating systems: iOS, macOS ($5.99)

If you are an iPhone user who read the above descriptions of andOTP and started to feel jealous of Android owners, we have good news for you: A cutting-edge authenticator app for iOS is also available. The creators of OTP auth clearly understand the problems of people who use 2FA in a lot of services, so this app features a system of folders for organizing token storage.

OTP auth lets you configure the font size for one-time codes

In addition, OTP auth allows you to view the secret key or QR code at any time for any token or export all of them at once to a file on the smartphone. The app also supports iCloud sync. Users can protect app login with Touch ID or Face ID, or use a separate password for OTP auth. We prefer the latter, given how easy exporting tokens from this app is. The only useful feature missing is the ability to hide codes.

Pros:

  • Ability to view the secret key or QR code of any token,
  • Ability to export all tokens to a file at once,
  • iCloud backup/sync,
  • Folder system for organized token storage,
  • Apple Watch support,
  • Configuration of code display format,
  • Access protection with password or Touch ID/Face ID.

Cons:

  • Exists only for iOS and macOS (and only as a paid version for macOS),
  • Inability to hide codes,
  • Icon customization available in paid version only,
  • Greater potential risk, because of ease of key retrieval, if the unlocked app falls into the wrong hands.

Summary
OTP auth is the most feature-rich authenticator for iOS, and it boasts easy, convenient token export.

8. Step Two

Operating systems: iOS, macOS

If andOTP seems over the top and Twilio Authy’s requirement to sign up scares you away, but you still need an authenticator for both iOS and macOS, you should seriously consider Step Two. The interface is minimalist: Both the iOS and the macOS versions are reminiscent of Apple’s Calculator app, and that is nice in its own way.

Step Two: The epitome of minimalism

To match its minimalist interface, Step Two has minimal settings and features, although it does offer iCloud sync. In addition, the desktop app supports QR code scanning, which it does through screen capture (requiring users to grant permission, which makes the feature somewhat risky; in theory it lets the program see everything else they’re doing).

Pros:

  • No unnecessary features,
  • No need to create an account,
  • iCloud backup/sync,
  • Ability to scan QR codes (macOS version),
  • Apple Watch support,
  • Ability to search by token name.

Cons:

  • No access protection,
  • Does not hide codes,
  • Inability to export and import tokens,
  • Ten-token maximum in the free version,
  • Screen-capture permission needed to scan a QR code (macOS version).

Summary
Step Two is a minimalist authenticator for anyone who has a Mac and iPhone and doesn’t need bells and whistles.

9. WinAuth

Operating systems: Windows

WinAuth targets gamers primarily. The app’s unique superpower is its support for nonstandard tokens for authentication in Steam, Battle.net, and Trion/Gamigo games. If you are looking for an alternative to Steam Guard, Battle.net Authenticator, or Glyph Authenticator/RIFT Mobile Authenticator, this may be the app for you.

WinAuth is one of the few authenticator apps for Windows

To be sure, the app also supports standard tokens, including tokens for Guild Wars 2 and other NCSoft games (which for some reason the developers list separately), and all others: Google, Facebook, Instagram, Twitter, and so on. WinAuth uses a password for logging in and for individual tokens. The app hides codes by default, including automatically, and lets you encrypt the data it stores and exports.

Pros:

  • Support for nonstandard tokens for gaming services, meaning it can replace Steam Guard and Battle.net Authenticator, as well as Glyph Authenticator and RIFT Mobile Authenticator,
  • Support for token export in an unencrypted text file or in an encrypted archive,
  • Codes hidden,
  • Automatic code hiding after more than 10 seconds of user inactivity,
  • Access protection through password or YubiKey (that is, U2F),
  • Additional password protection available for each token,
  • Portable, with flash drive and cloud storage options,
  • Can encrypt stored data,
  • Ability to scan QR code from file (local or on the Internet).

Cons:

  • Steam token creation requires giving WinAuth your Steam username and password,
  • Using a two-factor authentication app on a PC is not advisable in general,
  • No version for other operating systems,
  • Greater potential risk, because of ease of key retrieval, if the unlocked app falls into the wrong hands.

Summary
Gamers will love WinAuth because it allows for the creation of the nonstandard tokens game publishers favor.

10. iOS and macOS built-in authenticator

Operating systems: iOS (built in to the system), macOS (built in to the Safari browser)

Starting with iOS 15, all versions of the iPhone’s operating system have a built-in 2FA one-time code generator. To find it, go to Settings → Passwords, select a stored account (or create a new one), and under the heading Account Options tap Set Up Verification Code…. The rest is as usual: You can either scan the QR code or manually enter the secret key — or scan the authenticator QR code right from the camera app and then add a token to an existing account in Passwords. Inconveniently, the latter method will not prompt you to create a new account.

The new built-in authenticators in iOS and macOS cannot really replace a dedicated app

A built-in authenticator is now also available in macOS, or more specifically, in versions 15 and later of the Safari browser. To find it, open Safari, and in the menu at the top of the screen, go to Safari → Preferences → Passwords. Select an account (or tap + to create a new one), tap Edit, and in the window that opens, tap Enter Setup Key… (there is no QR code option here). The tokens automatically sync using iCloud, so you will not need to activate them again on the Mac if you have already created them on an iPhone.

In theory, the iOS/macOS built-in authenticator supports autofill, but in practice, it doesn’t work very smoothly yet. We ran a little experiment with a Twitter account and two-factor authentication with the code we received. Results were mixed: When we logged in to the Twitter app, the system successfully filled in an authentication code, but when we tried to log in to the Twitter website in Safari, the code never appeared, whether we tried in iOS or in macOS.

Pros:

  • Availability on every iPhone (iOS 15 and later) and every Mac (regardless of OS, Safari 15 and later),
  • No need to create a separate account,
  • Ability to add a token directly from the camera app (but only to an existing account; it won’t work for creating a new one),
  • Autofill for one-time codes,
  • Access protection using Touch ID or Face ID,
  • iCloud backup/sync.

Cons:

  • Location in the depths of iOS or Safari settings,
  • Display of only one token at a time,
  • Inability to hide codes,
  • Visible account password next to the code (iOS version),
  • Storage of 2FA tokens and passwords together antithetical to principles of two-factor authentication,
  • Inability to export and import tokens.

Summary
At first glance, building an authenticator into the OS looks like a good idea. However, in this case, autofill doesn’t work consistently, and the feature is too hard to find.

Remember to make a backup copy

In closing, here are a few tips. First, you are never limited to using just a single authenticator app. One option may be better for some purposes, another for others. You can — and should — combine apps depending on your needs.

Second, we recommend paying attention to security. Install a reliable device lock and always make sure to enable app access protection, especially if you plan to use one of the authenticators that lets you easily export tokens (Google Authenticator, andOTP, OTP auth, or WinAuth). With those apps, which prioritize ease of access, a potential attacker can not only steal a one-time code that works for 30 seconds, but also quickly clone all tokens.

Third, remember to make a backup copy of your tokens, especially if you have chosen one of the apps in which you can’t view the secret key or QR code or export tokens to a file (in other words, most of them). The backup copy will come in handy if you lose your smartphone or if, for example, the app stops working correctly after a routine update. In most cases recovering an authenticator without a backup copy will be much harder.

TV remote hacked, turned into listening device | Kaspersky official blog
https://www.kaspersky.com/blog/rsa2021-tv-remote-listening-device/40022/ (Thu, 20 May 2021 12:36:39 +0000)

There’s a certain reliability to everyday objects. Take a TV remote for example: It’s hard to imagine one eavesdropping on conversations, but cybersecurity researchers J. J. Lehman and Ofri Ziv from Israeli company Guardicore got one to do just that. They reported their findings at RSA Conference 2021.

How researchers hacked a remote

The subject of Lehman and Ziv’s research was the remote control for the Comcast Xfinity X1 set-top box, which is popular in the United States (with more than 10 million users, according to the researchers). The remote control supports voice commands, for which it is equipped with a microphone and a quite capable processor.

Two data transfer technologies are implemented in the device. For switching channels and other simple actions, a standard infrared transmitter is used, which has the important advantage of consuming minimal energy so that the remote does not need frequent charging, allowing it to operate on ordinary batteries for an extended period of time.

But for cases requiring a faster data transfer speed, the remote uses a radio interface, enabling the remote not only to send data to the set-top box, but to receive from it as well. The radio interface consumes more power, so it is used only when needed.

Like many modern devices, this type of remote control is essentially a connected computer — and therefore hackable.

Having studied the remote’s firmware (with a copy conveniently stored on the set-top box’s hard drive), the researchers were able to determine the alterations that would enable the firmware to command the remote control to turn on the microphone and transmit sound over the radio channel.

But modifying the firmware was not enough; they still needed a way to upload it to the remote, and preferably without physical contact. To do that, Lehman and Ziv examined how the set-top box communicates with the remote and updates its software.

They discovered that the remote had to initiate the update process. Every 24 hours, the remote queries the set-top box and receives either a negative response or an offer to install a new version of the software, which it downloads from the set-top box.

The researchers also found several vital flaws in the communication mechanism between the remote and the Xfinity box. First, the former does not check the firmware’s authenticity, so it will download and install whatever firmware the set-top box (or the hacker’s computer impersonating one) offers it.

Second, although the set-top box and the remote exchange encrypted messages, the encryption is not properly enforced. The remote accepts (and executes) commands sent in plain text marked “encryption disabled.” The remote’s requests are still encrypted and therefore cannot be deciphered, but simply understanding the communication mechanism makes it possible to effectively guess what the remote is asking and to give the right response.

It goes something like this:

“YdvJhd8w@a&hW*wy5TOxn3B*El06%D7?”
“Sure, there’s a firmware update available for you to download.”
“Cj@EDkjGL01L^NgW@Fryp1unc1GTZIYM.”
“Sending the file; accept it.”

Third, it is quite easy to trigger an error in the firmware module that handles communication with the remote, causing the module to crash and reboot. That gives the attacker a window during which they are guaranteed to be the only party giving commands to the remote.
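The three flaws above (an unauthenticated firmware image, plaintext command frames honoured despite the “encryption disabled” marker, and a crashable handler) are best understood next to what a hardened update handler would check. The following is an added Python example written for this page, not code from the researchers, from Comcast or from the remote’s actual firmware. The message format, the field names and the signing key are constructed assumptions, and a shared HMAC key stands in for the vendor signature a real product would verify with a public key.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key. Hypothetical: it stands in for a vendor-provisioned signing key
# and says nothing about how the real remote's firmware is (or is not) authenticated.
FIRMWARE_KEY = b"demo-firmware-key-not-the-real-one"


def sign_firmware(image: bytes, key: bytes = FIRMWARE_KEY) -> str:
    """Authenticating side: HMAC-SHA256 tag over the whole firmware image."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def unsafe_accept_update(message: Dict[str, object]) -> Optional[bytes]:
    """Models the behaviour the researchers described: whatever image is offered is
    installed, and a frame marked 'encryption disabled' is still honoured."""
    if message.get("type") != "firmware":
        return None
    return message["image"]  # no authenticity check at all


def safe_accept_update(message: Dict[str, object], key: bytes = FIRMWARE_KEY) -> Optional[bytes]:
    """Hardened handler: refuse plaintext frames and refuse any image whose tag
    does not verify under the provisioned key."""
    if message.get("encryption") == "disabled":
        return None  # commands outside the encrypted channel are never accepted
    if message.get("type") != "firmware":
        return None
    image = message.get("image", b"")
    tag = str(message.get("tag", ""))
    if not hmac.compare_digest(sign_firmware(image, key), tag):
        return None  # unauthenticated image: do not install
    return image


def demo() -> Dict[str, Dict[str, bool]]:
    """Three constructed update offers, run through both handlers."""
    genuine = b"\x7fFW-v2.1 constructed genuine image"
    rogue = b"\x7fFW-mic-on constructed rogue image"
    offers = {
        "genuine_signed": {"type": "firmware", "encryption": "enabled",
                           "image": genuine, "tag": sign_firmware(genuine)},
        "rogue_unsigned": {"type": "firmware", "encryption": "enabled",
                           "image": rogue, "tag": "deadbeef"},
        "rogue_plaintext": {"type": "firmware", "encryption": "disabled",
                            "image": rogue, "tag": ""},
    }
    return {name: {"unsafe": unsafe_accept_update(m) is not None,
                   "safe": safe_accept_update(m) is not None}
            for name, m in offers.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} unsafe={result['unsafe']!s:5s} safe={result['safe']}")
```

The unsafe handler installs all three images; the hardened one installs only the genuinely tagged image, rejecting the unsigned image on the tag check and the plaintext frame before any parsing happens. The third flaw, the crashable module, is outside what a remote-side check can fix; that is a robustness fix on the set-top box.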

Therefore, to hack the remote one needs to:

  • Wait for the remote to make requests and guess when it is querying about updates;
  • Knock out the set-top box module responsible for communicating with the remote the moment it makes an update query;
  • Give an affirmative response to the remote and send a modified file for uploading.

All of that happens contactlessly, over the radio interface.

The researchers stuffed their remote with modified firmware that queried for updates not every 24 hours, but every minute; then, on receiving a certain response, turned on the built-in microphone and broadcast the sound to the attackers. Their tests succeeded at relatively long range and through a wall, simulating a wiretap van outside a house.

How to stay protected

In our opinion, there is little point worrying about your remote being hacked and turned into a listening device. Although proven feasible, the attack isn’t really practical. It might be suitable for a targeted attack on some kind of special person, but it’s too complex and time-consuming for large-scale use. That said, here are some tips for those of a you-can-never-be-too-cautious frame of mind:

  • If you own an Xfinity TV box, check the remote’s firmware version. The researchers responsibly disclosed the vulnerabilities to Comcast, and the company has issued an update that fixes the problem;
  • The remote controls of other manufacturers’ TV boxes and TVs with voice support likely operate on the same principle and may have similar vulnerabilities. So periodically check for updates for your remote and install them when they are available. Corresponding items in TV and set-top-box menus are likely somewhere near their Wi-Fi and Bluetooth settings;
  • Consider taking apart the remote to physically remove the microphone if your remote supports voice commands but you never use them. We think doing so is overkill, but it’s an option;
  • Be aware that an attack on your Wi-Fi network is far more probable than such an exotic hack. Make sure to configure yours securely, move all vulnerable IoT devices to a guest network, and use a secure connection to protect the most valuable data.
How identification, authentication and authorization differ | Kaspersky official blog
https://www.kaspersky.com/blog/identification-authentication-authorization-difference/37143/ (Mon, 21 Sep 2020 16:59:28 +0000)

It happens to every one of us every day. We are constantly identified, authenticated, and authorized by various systems. And yet, many people confuse the meanings of these words, often using the terms identification or authorization when, in fact, they are talking about authentication.

That’s no big deal as long as it is just an everyday conversation and both sides understand what they are talking about. It is always better to know the meaning of the words you use, though, and sooner or later, you will run into a geek who will drive you crazy with clarifications, whether it’s authorization versus authentication, fewer or less, which or that, and so on.

So, what do the terms identification, authentication, and authorization mean, and how do the processes differ from one another? First, we will consult Wikipedia:

  • “Identification is the act of indicating a person or thing’s identity.”
  • “Authentication is the act of proving […] the identity of a computer system user” (for example, by comparing the password entered with the password stored in the database).
  • “Authorization is the function of specifying access rights/privileges to resources.”

You can see why people who aren’t really familiar with the concepts might mix them up.

Using raccoons to explain identification, authentication, and authorization

Now, for greater simplicity, let’s use an example. Let’s say a user wants to log in to their Google account. Google works well as an example because its login process is neatly broken into several basic steps. Here is what it looks like:

  • First, the system asks for a login. The user enters one and the system recognizes it as a real login. This is identification.
  • Google then asks for a password. The user provides it, and if the password entered matches the password stored, then the system agrees that the user indeed seems to be real. This is authentication.
  • In most cases, Google then asks for a one-time verification code from a text message or authenticator app, too. If the user enters that correctly as well, the system will finally agree that he or she is the real owner of the account. This is two-factor authentication.
  • Finally, the system gives the user the right to read messages in their inbox and such. This is authorization.

Authentication without prior identification makes no sense; it would be pointless to start checking before the system knew whose authenticity to verify. One has to introduce oneself first.

Along the same lines, identification without authentication would be silly. Anyone could enter any login that existed in the database — the system would need the password. But someone could sneak a peek at the password or just guess it. Asking for further proof that only the real user can have, such as a one-time verification code, is better.

By contrast, authorization without identification, let alone authentication, is quite possible. For example, you can provide public access to your document in Google Drive, so that it is available to anyone. In that case you might see a notice saying that your document is being viewed by an anonymous raccoon. Even though the raccoon is anonymous, the system did authorize it — that is, grant it the right to view the document.

However, if you had given the read right only to certain users, the raccoon would have had to get identified (by providing its login), then authenticated (by providing the password and a one-time verification code) to gain the right to read the document (authorization).

When it comes to reading the contents of your mailbox, Google will never authorize an anonymous raccoon to read your messages. The raccoon would have to introduce itself as you, with your login and password, at which point it would no longer be an anonymous raccoon; Google would identify it as you.
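To make the three steps concrete, and to show the kind of one-time code the authenticator apps reviewed earlier on this page generate, here is an added Python example. It is not part of the original post and is not Google’s implementation: a constructed single-user store with a salted PBKDF2 password hash, an RFC 6238 TOTP check as the second factor, and a constructed document list in which a `readers` value of `None` marks a public document, so that an anonymous reader can be authorized without ever being identified. All account names, secrets and document ids are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the defaults authenticator apps use (HMAC-SHA1, 30 s, 6 digits)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never keeps the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed single-user store (hypothetical account, salt and secret).
SALT = b"constructed-static-salt"
TOTP_SECRET = b"constructed-totp-secret-bytes"
USERS = {
    "raccoon@example.com": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": TOTP_SECRET,
    }
}
# Constructed access-control list; readers=None means the document is public.
DOCUMENTS = {
    "public-doc": {"readers": None},
    "private-doc": {"readers": {"raccoon@example.com"}},
    "inbox:raccoon@example.com": {"readers": {"raccoon@example.com"}},
}


def identify(login: str) -> Optional[str]:
    """Step 1, identification: is this a login the system knows?"""
    return login if login in USERS else None


def authenticate(login: str, password: str, code: str, now: int) -> bool:
    """Step 2, authentication: password plus a time-based one-time code (two factors)."""
    user = USERS[login]
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, SALT))
    code_ok = hmac.compare_digest(totp(user["totp_secret"], now).encode(), code.encode())
    return pw_ok and code_ok


def authorize(subject: Optional[str], doc_id: str) -> bool:
    """Step 3, authorization: may this subject (possibly anonymous) read the document?"""
    readers = DOCUMENTS[doc_id]["readers"]
    return readers is None or subject in readers


def login_and_read(login: Optional[str], password: str, code: str, doc_id: str, now: int) -> str:
    """Whole flow. login=None models an anonymous visitor who skips steps 1 and 2."""
    subject: Optional[str] = None
    if login is not None:
        subject = identify(login)
        if subject is None:
            return "unknown login"
        if not authenticate(subject, password, code, now):
            return "authentication failed"
    return "granted" if authorize(subject, doc_id) else "forbidden"


if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(TOTP_SECRET, now)
    print(login_and_read(None, "", "", "public-doc", now))                  # anonymous, public: granted
    print(login_and_read(None, "", "", "inbox:raccoon@example.com", now))   # anonymous, inbox: forbidden
    print(login_and_read("raccoon@example.com", "correct horse battery staple", code, "private-doc", now))
```

The anonymous path reaches `authorize` without touching `identify` or `authenticate`, which is exactly the “anonymous raccoon” case; the inbox is never granted to it because the ACL names a specific subject. The `totp` function follows RFC 6238 closely enough that the RFC’s own test vector (secret `12345678901234567890`, time 59) yields `287082`, and the password comparison uses a constant-time check so a wrong password and a wrong code fail the same way.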

So, now you know in what ways identification is different from authentication and authorization. One more important point: Authentication is perhaps the key process in terms of the security of your account. If you are using a weak password for authentication, a raccoon could hijack your account. Therefore:

How the Lamphone remote visual eavesdropping method works | Kaspersky official blog
https://www.kaspersky.com/blog/black-hat-lamphone/36744/ (Fri, 14 Aug 2020 16:47:59 +0000)

Not so long ago, we wrote about methods that Mordechai Guri and his colleagues at Ben-Gurion University devised to extract information from a device that is not only not connected to the Internet, but also physically isolated from the network. At the Black Hat USA 2020 conference, another researcher from Ben-Gurion University presented a report on a related topic. Ben Nassi spoke about a visual eavesdropping method that he and his colleagues call Lamphone.

We’ll talk about how Lamphone works below, but let’s start with a short digression into the history of the issue.

How is it possible to see sound?

One well-known technology for remotely recording sound using so-called visual methods is the laser microphone. This technique is pretty straightforward.

The people wiretapping a conversation direct a laser beam operating in the infrared range (i.e., invisible to the human eye) at a suitable surface (typically window glass) in the room where the conversation is taking place. The beam reflects off the surface and hits the receiver. Sound waves create vibrations on the surface of the object, which in turn change the behavior of the reflected laser beam. The receiver records the changes, which are eventually converted into a sound recording of the conversation.

The technology has been in use since the Cold War era, and it has turned up in many spy films. You have probably seen it depicted in one of them. Several companies produce ready-made devices for laser eavesdropping, and their declared operating range extends to 500 or even 1,000 meters. For those worried about being the target of laser eavesdropping, however, here are two pieces of good news: First, laser microphones are very expensive; and second, manufacturers sell laser microphones only to government agencies (or so they claim).

However, according to Nassi, the active nature of laser microphones is a serious drawback. For that form of eavesdropping to work, you need to “illuminate” a surface with a laser beam, and that means an IR detector can discover it.

Several years ago, a group of researchers at the Massachusetts Institute of Technology proposed an alternative method of “visual recording” that was completely passive. Their idea was largely the same: Sound waves create vibrations on the surface of an object. Vibrations, of course, can be recorded.

To register the vibrations, the researchers used a high-speed camera at several thousand frames per second. By comparing the frames from the camera (with the help of a computer), they were able to replicate sound from the sequence of video frames.

That method also has a drawback, however, and it is a biggie. The amount of computing resources required to convert the massive amount of visual information from the high-speed camera into sound was extraordinary. Even using an extremely powerful workstation, the MIT researchers needed 2–3 hours to analyze a 5-second video recording, so the approach is clearly not a good one for picking up conversations on the fly.

How Lamphone works

Nassi and his colleagues have come up with a new “visual eavesdropping” technique they call Lamphone. The main idea of the method is using a lightbulb (hence the name of the technique) as an object from which you can capture the vibrations caused by sound.

A lightbulb is not only a very ordinary object, but it is also a bright one. Therefore, someone using a lightbulb’s vibrations does not need to waste computing resources on analyzing extremely subtle changes in the image. All they need to do is direct a powerful telescope at the lightbulb. The telescope directs the light flux from the lightbulb to an electro-optical sensor.

The lightbulb does not emit light in different directions perfectly uniformly (interestingly, the unevenness also varies across the different types of lightbulbs, being quite high for incandescent and LED bulbs but much lower for fluorescent ones). This unevenness causes the vibrations of the lightbulb (caused by sound waves) to slightly alter the intensity of the light flux that the electro-optical sensor captures. And those changes are sufficiently perceptible for recording. Having recorded the changes and made a number of simple transformations, the researchers were able to restore the sound from the resulting “light recording.”

To test their method, the researchers installed a listening device on a pedestrian bridge 25 meters from the window of the testing room, in which sound was played through a speaker. By pointing a telescope at a lightbulb in the room, the researchers were able to record the light variations and convert them into a sound recording.

The resulting recordings turned out to be quite comprehensible. For example, Shazam successfully identified the test songs “Let It Be” by the Beatles and “Clocks” by Coldplay, and Google’s speech recognition service correctly transcribed the words of Donald Trump from one of his campaign speeches.

Does Lamphone present a practical threat?

Nassi and his colleagues have succeeded in developing a truly functional method of “visual eavesdropping.” More important, the method is completely passive and therefore cannot be registered by any detector.

Note as well that unlike with the method pioneered by researchers at MIT, the calculations for decoding Lamphone recordings are extremely simple. Because the processing does not require vast computing resources, Lamphone can be used in real time.

However, Nassi admits that during the experiment, the sound in the test room was played at a very high volume. Therefore, for the moment, the results of the experiment may be mainly of theoretical interest. On the other hand, we should not underestimate the simplicity of the methods used to convert the “light recording” into sound. The technique might possibly be further refined using machine-learning algorithms, for example, which excel at these types of tasks.

At this point, the researchers assess the current feasibility of applying this technique in practice as neither extremely difficult nor easy, but somewhere in between. However, they foresee the method potentially becoming more practical — if someone can apply sophisticated algorithms of converting the electro-optical sensor’s readings into sound recordings.

Protecting your business from deepfakes | Kaspersky official blog
https://www.kaspersky.com/blog/rsa2020-deepfakes-mitigation/34006/ (Thu, 12 Mar 2020 10:09:35 +0000)

Deepfakes are just one unfortunate product of recent developments in the field of artificial intelligence. Fake media generated by machine-learning algorithms have gained a lot of traction in recent years. Alyssa Miller’s talk at RSA Conference 2020, titled Losing our reality, provides some insights on why it’s time to consider deepfakes a threat — election year aside — and what your business can actually do to mitigate the impact if it’s attacked in such a way.

How deepfakes are made

The most common approach to creating a deepfake is using a system called GAN, or generative adversarial network. GANs consist of two deep neural networks competing against each other. To prepare, both networks are trained on real images. Then, the adversarial part begins, with one network generating images (hence the name generative) and the other one trying to determine whether the image is genuine or fake (the latter network is called discriminative).

The generative network is then told whether its output was caught, and learns from that result. At the same time, the discriminative network learns how to improve its performance. With each cycle, both networks get better.

Fast forward, say, a million training cycles: The generative neural network has learned how to generate fake images that an equally advanced neural network cannot distinguish from real ones.

This method is actually useful in many applications; depending on the preparatory data, the generative network learns to generate certain kinds of images.

Of course, for deepfakes, the algorithm is trained on real photos of certain people, resulting in a network that can generate an infinite number of convincing (but fake) photos of the person ready to be integrated into a video. Similar methods could generate fake audio, and scammers are probably using deepfake audio already.

How convincing deepfakes have become

Early deepfake videos looked ridiculous, but the technology has evolved enough at this point for such media to become frighteningly convincing. One of the most notable examples of frighteningly convincing deepfakes from 2018 was fake Barack Obama talking about, well, deepfakes (plus the occasional insult aimed at the current US president). In the middle of 2019, we saw a short video of fake Mark Zuckerberg being curiously honest about the current state of privacy.

To understand how good the technology has become, simply watch the video below. Impressionist Jim Meskimen created it in collaboration with deepfake artist Sham00k. The former was responsible for the voices, and the latter applied the faces of some 20 celebrities to the video using deepfake software. The result is truly fascinating.

As Sham00k says in the description of his behind-the-scenes video, “the full video took just over 250 hours of work, 1,200 hours of footage, 300,000 images and close to 1 terabyte of data to create.” That said, making such a video is no small feat. But such convincing disinformation can potentially have massive effects on markets — or, say, elections — which makes the process seem frighteningly easy and inexpensive.

For that reason, almost at the same time that the abovementioned video was published, California outlawed political deepfake videos during election season. However, problems remain. For starters, deepfake videos in general are a form of expression — like political satire. California’s ban doesn’t exactly protect freedom of speech.

The second problem is both technical and practical: How exactly are you supposed to tell a deepfake video from a real one?

How to detect deepfakes

Machine learning is all the rage among scientists all over the world, and the deepfake problem looks interesting and challenging enough to tempt many of them to jump in. For this reason quite a few research projects have focused on how to use image analysis to detect deepfakes.

For example, a paper published in June 2018 describes how analyzing eye blinks can aid in the detection of deepfake videos. The idea is that typically not enough photos are available of a certain person blinking, so neural networks may not have enough to train on. In fact, people in deepfakes at the time the paper was published were blinking far too rarely to be believable, and though people found the discrepancy hard to detect, computer analysis helped.

Two papers submitted in November 2018 suggested looking for face-warping artifacts and inconsistent head poses. Another one, from 2019, described a sophisticated technique that analyzes the facial expressions and movements that are typical for an individual’s speaking pattern.

However, as Miller points out, those methods are unlikely to succeed in the long run. What such research really does is provide feedback to deepfake creators, helping them improve their discriminative neural networks, in turn leading to better training of generative networks and further improving deepfakes.

Using corporate communications to mitigate deepfake threats

Given the abovementioned issues, no purely technological solution to the deepfake problem is going to be very effective at this point. But other options exist. Specifically, you can mitigate the threat with effective communications. You’ll need to monitor information related to your company and be ready to control the narrative should you face a disinformation outbreak.

The following suggestions summarize Alyssa Miller’s suggestions for preparing your company to face the deepfake threat — by the way, the same methods can be useful for dealing with other types of PR mishaps as well:

  • Minimize channels for company communications;
  • Drive consistent information distribution;
  • Develop a disinformation response plan (treat these as security incidents);
  • Organize a centralized monitoring and reporting function;
  • Encourage responsible legislation and private sector fact verification;
  • Monitor development of detection and prevention countermeasures.
Why faking e-mails works and how to protect against it | Kaspersky official blog
https://www.kaspersky.com/blog/36c3-fake-emails/32362/ (Wed, 05 Feb 2020 16:50:15 +0000)

Sometimes it’s easy to spot phishing e-mails just by checking the “From” field. However, that’s not always the case; making a fake e-mail indistinguishable from a genuine one actually is possible. If an attacker knows how to do such a thing, the targeted organization is really in trouble. Most people wouldn’t have a second thought before clicking on a malicious link or file that they got in an e-mail seemingly from their boss or their top client — and it’s hard to blame them, especially if there’s no way to tell the e-mail was spoofed.

But why is it possible to forge a perfect fake e-mail in the first place? Andrew Konstantinov’s talk on e-mail authentication for penetration testers, at the 36th Chaos Communication Congress, answers this very question and gives some insight into the effectiveness of protection from e-mail spoofing.

Problem 1: E-mail must flow

E-mail is a staple communication method of the modern world, and every organization relies heavily on e-mail in its daily operations. Though we don’t think much about the technology when everything goes smoothly, if all of a sudden e-mails start going missing, you can be sure everybody will notice. Therefore, reliability is generally the top priority of every e-mail server administrator. E-mail simply has to be sent and delivered, no matter what.

The implication here is that every organization’s e-mail server has to be as compatible as possible with everything else in the world. And therein lies the problem: E-mail standards are badly outdated.

Problem 2: The e-mail protocol with no authentication

The main protocol used both for client-to-server and server-to-server e-mail communications is SMTP. This protocol was first introduced in 1982 and last updated in 2008 — more than a decade ago. And like many other ancient standards, SMTP is a security nightmare.

First let’s take a look at what your typical e-mail message consists of:

  • SMTP envelope. This part is used for server-to-server communications and is never shown in e-mail clients. It specifies the sender’s and recipient’s addresses.
  • Message header. E-mail clients display this part. It’s where you’ll find the familiar “From,” “To,” “Date,” and “Subject” fields that you see for any e-mail.
  • Message body. The e-mail text and other contents.
What’s in an e-mail message.

The main problem is that the standard provides no means for authentication. Responsibility for the sender’s address field — in both the SMTP envelope and the header — lies completely with the sender’s server. What’s worse, the sender’s address in the SMTP envelope doesn’t have to match the one in the header (and the user sees only the latter).

Also, though the standard specifies one header per e-mail, SMTP doesn’t actually enforce the limit. If a message contains more than one header, then the e-mail client simply chooses one to show to the user.

It doesn’t take a professional hacker to see a lot of room for trouble here.

The e-mail protocol provides no means of making sure an e-mail actually came from the indicated sender

Problem 3: Fake in, fake out — gotta watch them both

To complicate things even more, every e-mail communication involves two parties, so this no-authentication problem actually unfolds into two subproblems.

On the one hand, you definitely want to be sure any e-mail you receive was actually sent from the address indicated. On the other hand, you probably want to prevent other people from sending e-mails that seem to be coming from your address. Unfortunately the standard can’t help with any of that.

It’s no surprise that the SMTP protocol was so frequently abused that people started devising new technologies to fix the flaws mentioned above.

Fix attempt 1: Sender Policy Framework (SPF)

The idea behind the Sender Policy Framework is rather simple: The receiving server should be able to check whether the address of the server that actually sent an e-mail matches the address of the genuine e-mail server associated with the domain.

Unfortunately, that’s easier said than done. The SMTP standard has no means to perform such a check, so any method of authentication would have to be added on top of the existing stuff. Getting such technology to the point of becoming a “proposed standard” took a decade. Today only about 55% of the top 1 million servers use SPF, and most use quite relaxed policies.

SPF faces loads of other problems here as well, such as messy architecture that makes it easy to misconfigure, certain ways to bypass it using other servers hosted on the same address, and so on. But SPF’s fatal flaw is that it checks only the address indicated in the SMTP envelope and completely ignores the “From” field in the header — the one that a user actually sees.

Outcome:

  • SPF helps check if an e-mail came from a genuine server.
  • The address visible to users still can be faked.

Fix attempt 2: DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail approaches the problem differently: DKIM cryptographically signs the message header and part of the message body using a private key, and the signature can be verified using a public key that is published in the Domain Name System.

It is worth mentioning, however, that DKIM is not supposed to encrypt the whole message. Rather, it appends a cryptographically signed addendum to it. That is a problem. The crypto part is hard to modify, but deleting the signature entirely and crafting a fake message is easy — and the results are undetectable.

DKIM is hard to implement because it involves issuing and managing cryptographic keys. Also, misconfigured DKIM can enable an attacker to preserve the genuine DKIM signature in a message while completely changing its header and body.

Outcome:

  • DKIM lets you digitally sign messages, helping assure the receiving server that a message really came from you.
  • It’s hard to implement because it involves cryptographic key management.
  • Forgers can simply delete the signature while faking an e-mail in your name.
  • Certain misconfigurations can result in fake messages containing genuine DKIM signatures.

Fix attempt 3: Domain-based Message Authentication, Reporting and Conformance (DMARC)

Despite its rather lengthy name, the Domain-based Message Authentication, Reporting and Conformance protocol is actually easier to understand than SPF or DKIM. It is really an extension of the two that fixes their most glaring omissions.

First, DMARC helps the domain administrator specify which protection mechanism — SPF, DKIM, or both — the server is using, which really fixes the DKIM mechanism. Second, it fixes SPF as well, providing a check of the address specified in the header’s “From” field (the one that is actually visible to a user), on top of the check of the sender address in the SMTP envelope.
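The envelope-versus-header split from Problem 2 and the alignment check that DMARC adds on top of SPF can be watched in one added Python example. It is not code from the talk and not a real mail server’s logic: a constructed SMTP session supplies the envelope sender, a constructed message carries a visible From that claims to be the boss plus a smuggled second From header, and a small evaluator shows what an SPF-only decision accepts next to what a DMARC decision does under a given policy record. The SPF result itself is assumed and passed in as a boolean, DKIM is left out, and the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
import email
import re
from email.utils import getaddresses
from typing import Dict, List, Optional

# Constructed SMTP session fragment. The envelope sender (MAIL FROM) is the only
# address SPF looks at, and the user never sees it.
SMTP_SESSION = b"""MAIL FROM:<bounce@attacker.example>
RCPT TO:<victim@corp.example>
DATA
"""

# Constructed message. The visible From claims to be the boss, and a second From
# header has been smuggled in (SMTP does not enforce the one-header rule).
RAW_MESSAGE = b"""From: CEO <ceo@corp.example>
From: someone@attacker.example
To: victim@corp.example
Subject: urgent wire transfer

Please handle this today.
"""


def envelope_sender(session: bytes) -> Optional[str]:
    """Pull the MAIL FROM address out of the session transcript."""
    m = re.search(rb"^MAIL FROM:<([^>]*)>", session, re.M | re.I)
    return m.group(1).decode() if m else None


def header_from_addresses(raw: bytes) -> List[str]:
    """Every address in every From header (a well-formed message has exactly one)."""
    msg = email.message_from_bytes(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("From", []))]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain: str, authenticated_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') the same organizational domain."""
    if mode == "s":
        return header_domain.lower() == authenticated_domain.lower()
    return org_domain(header_domain) == org_domain(authenticated_domain)


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def evaluate(session: bytes, raw: bytes, spf_pass: bool, dmarc_txt: str) -> Dict[str, object]:
    """Contrast an SPF-only decision with a DMARC decision for the same message.
    spf_pass is the assumed result of an SPF lookup on the envelope domain."""
    env_domain = domain_of(envelope_sender(session) or "")
    froms = header_from_addresses(raw)
    from_domains = [domain_of(a) for a in froms]
    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "none")
    # DMARC treats a message without exactly one From header as failing; otherwise SPF
    # must pass AND the envelope domain must align with the visible From domain.
    dmarc_pass = (len(froms) == 1 and spf_pass
                  and aligned(from_domains[0], env_domain, tags.get("aspf", "r")))
    if dmarc_pass or policy == "none":
        action = "deliver"  # p=none only monitors: a spoof still lands in the inbox
    elif policy == "quarantine":
        action = "quarantine"
    else:
        action = "reject"
    return {
        "envelope_domain": env_domain,
        "header_from_domains": from_domains,
        "multiple_from": len(froms) != 1,
        "spf_only_accepts": spf_pass,  # SPF never looks at the visible From
        "dmarc_pass": dmarc_pass,
        "policy": policy,
        "action": action,
    }


if __name__ == "__main__":
    print(evaluate(SMTP_SESSION, RAW_MESSAGE, True, "v=DMARC1; p=reject; aspf=r"))
    print(evaluate(SMTP_SESSION, RAW_MESSAGE, True, "v=DMARC1; p=none"))
```

With SPF passing for `attacker.example` (the attacker’s own server legitimately sends for its own domain), the SPF-only decision accepts the message even though the visible From says `corp.example`. The DMARC evaluation fails it twice over, on the duplicate From header and on the envelope/From misalignment, and the `p=` tag then decides whether that failure means anything: under `p=none` the message is still delivered, which is why the article treats a “none” policy as barely better than no DMARC at all.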

The downside is that the DMARC protocol is relatively new, is not yet a proper standard (RFC 7489 defines it not as standard or even proposed standard, but only as “Informational”), and is not as widely used as it should be. According to this study of 20,000 domains, only 20% had adopted DMARC at all by 2019, and only 8.4% had strict policies.

Unfortunately, DMARC adoption is not yet widespread, and in many cases it is used with the “none” policy.

Outcome:

  • Fixes the most important issues of SPF and DKIM.
  • Not widely adopted yet, and therefore not as effective as it could be.
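The alignment check that DMARC adds is easier to see in code. The following is an added example, not part of the original post, of the RFC 7489 evaluation logic in Go: a message passes if either an SPF pass or a DKIM pass is for a domain aligned with the visible From domain, and otherwise the published p= policy decides what the receiver does. The AuthResult and Policy types are constructed for illustration, and orgDomain is a deliberate simplification of the organizational-domain rule.

```go
package main

import "strings"

// AuthResult is what the receiver already knows from SPF or DKIM: whether the
// check passed and which domain it vouched for (the SMTP envelope sender's
// domain for SPF, the d= tag of the signature for DKIM).
type AuthResult struct {
	Pass   bool
	Domain string
}

// Policy models the sending domain's _dmarc TXT record: p= (none, quarantine,
// reject) plus the aspf=/adkim= alignment modes ("s" strict, "r" relaxed).
type Policy struct {
	P     string
	ASPF  string
	ADKIM string
}

// orgDomain is a deliberate simplification (last two labels); real receivers use the public suffix list.
func orgDomain(d string) string {
	parts := strings.Split(strings.ToLower(d), ".")
	if n := len(parts); n > 2 {
		parts = parts[n-2:]
	}
	return strings.Join(parts, ".")
}

// aligned is the check DMARC adds on top of SPF and DKIM: the domain those
// mechanisms authenticated must match the domain in the visible From header.
func aligned(authDomain, fromDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// Evaluate returns the DMARC result ("pass" or "fail") and the receiver's action under the published policy.
func Evaluate(fromDomain string, spf, dkim AuthResult, pol Policy) (result, action string) {
	spfOK := spf.Pass && aligned(spf.Domain, fromDomain, pol.ASPF)
	dkimOK := dkim.Pass && aligned(dkim.Domain, fromDomain, pol.ADKIM)
	if spfOK || dkimOK {
		return "pass", "deliver"
	}
	if pol.P == "reject" || pol.P == "quarantine" {
		return "fail", pol.P
	}
	return "fail", "deliver" // p=none: the failure is only reported, the weak setting the text mentions
}
```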

How to protect yourself from e-mail spoofing

To sum up: Faking e-mails is still possible because the SMTP protocol wasn’t designed with security in mind, so it lets an attacker insert any sender’s address in a forged e-mail. In the past few decades, certain protection mechanisms emerged — namely, SPF, DKIM, and DMARC. However, for those mechanisms to be effective, they have to be used — and implemented correctly — by as many e-mail servers as possible. Ideally, they should be implemented on every mail server on the Internet.

In addition, bear in mind that a mail relay server may, because of a configuration error, start adding something to messages in transit, which automatically fails the DKIM check. Also, remember that these technologies help deal with mass threats, but to protect your business from sophisticated e-mail attacks you should still use additional protective solutions both on workstations and on the mail server.

Here are some recommendations for e-mail protection:

Six critical vulnerabilities found in iMessage — update to iOS 12.4 now | Kaspersky official blog https://www.kaspersky.com/blog/ios-critical-vulnerabilities-124/27778/ Tue, 30 Jul 2019 14:16:37 +0000 https://www.kaspersky.com/blog/?p=27778

Updating your iPhone’s or iPad’s operating system as soon as the new version comes out is always a good idea — almost every new version of iOS contains fixes for bugs found in previous ones. But this time it might be even more crucial: iOS 12.4 fixes severe vulnerabilities in iMessage that can be exploited without any user interaction.

The six critical vulnerabilities in iOS were found by Natalie Silvanovich and Samuel Groß, members of Google’s bug-hunting team, Project Zero. What is known so far is that these bugs allow an attacker to run malicious code on a victim’s iPhone or iPad with no user interaction needed. The only thing the attacker needs to do for this exploit to work is send a malicious message to the victim’s phone.

While four of the uncovered vulnerabilities can be used for this “interaction-less” remote code execution, the other two allow an attacker to read files on the hacked device and to leak data from its memory.

Combined, these six bugs would make it possible to completely “own” the data stored on a victim’s iPhone without the user doing anything that could be considered dangerous. What’s more, since there are no antivirus products for iOS, it would be hard for a user even to spot the malicious activity, let alone prevent it.

Such bugs are very rare and precious to malefactors. For example, according to the publicly available price chart from Zerodium, bugs of this level can cost up to $1,000,000 each. And, the more the merrier: they get even pricier when they come in a set like this. With that said, ZDNet puts the possible price tag for this bunch in the range of $5 to $10 million.

The researchers are holding back specifics about one of the vulnerabilities because, in their opinion, even iOS 12.4 does not fully remediate it. As for the rest of the details on these bugs, including proof-of-concept code showing how attackers could exploit them, Silvanovich and Groß plan to reveal them in a talk at the upcoming Black Hat USA security conference.

In any case, the best and most practical thing for each and every iOS user to do now is to install iOS 12.4 right away. Do not hesitate to install the next version of iOS, either; it will probably polish off the remaining issues related to these vulnerabilities.

  • To update iOS, go to Settings -> General -> Software Update and tap Download and Install.
