
Researchers Find Way to Run Malware on iPhone Even When It’s OFF

A first-of-its-kind security analysis of iOS Find My function has demonstrated a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "off."

The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a "power reserve" Low Power Mode (LPM).

While this is done to enable features like Find My and facilitate Express Card transactions, all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper.

"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers said.

"Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model."

The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.

The LPM features, newly introduced last year with iOS 15, make it possible to track lost devices using the Find My network. Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.

A message displayed when turning off iPhones reads thus: "iPhone remains findable after power off. Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off."


Calling the current LPM implementation "opaque," the researchers not only sometimes observed failures when initializing Find My advertisements during power off, effectively contradicting the aforementioned message, but also found that the Bluetooth firmware is neither signed nor encrypted.

By taking advantage of this loophole, an adversary with privileged access can create malware that's capable of being executed on an iPhone Bluetooth chip even when it's powered off.

However, for such a firmware compromise to happen, the attacker must be able to communicate with the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.

Put differently, the idea is to alter the LPM application thread to embed malware, such as code that could alert the malicious actor to a victim's Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.

"Instead of changing existing functionality, they could also add completely new features," SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant "had no feedback."

With LPM-related features taking a stealthier approach to carrying out their intended use cases, SEEMOO called on Apple to include a hardware-based switch to disconnect the battery so as to alleviate any surveillance concerns that could arise out of firmware-level attacks.

"Since LPM support is based on the iPhone's hardware, it cannot be removed with system updates," the researchers said. "Thus, it has a long-lasting effect on the overall iOS security model."

"Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation."



Welcome to the Decentralized Web


Web3 will need a brand new form of fully-owned website

Author’s Note: This is Part 5 of my NFT series. Click here to read Part 1, where I document the rise of NFTs. And here for Part 2, where I talk about it as a foundation of the new world. And here for Part 3, where I talk about owning our social media content + social media as our digital identity. And here for Part 4, where I talk about decentralized identity and name ownership.

A few days ago, I asserted that the Web3 revolution and the arrival of the Metaverse could not happen without decentralized identities — the ability to own your own name and thus your identity in the Metaverse.

If you don’t have time to read through the whole post, this blurb summarizes 80% of what I was trying to get at:

In the Metaverse, you need to own your name — proving on the blockchain that you are who you say you are.

Going back to my earlier analogy, this name is the key in the key-value pair, so that when it’s queried against, a slew of information returns — information that actually tells others about who you are.

I think that second statement is really powerful and what I want to expand on today.

An identity is an amalgamation of a lot of different information: your upbringing, your values, your hobbies, your job (if you live in the States), etc.

A name is the identifier that wraps all of that information up to a single key that can be indexed and queried against.

Today, the simplest thing that we can do with this decentralized identity is link our disparate personalities into one key: our Instagram, Twitter, LinkedIn, etc. A single source of truth regarding who we are digitally.

Another really fascinating thing that we can do with decentralized identities today is to actually use them as URLs that resolve to websites — we’ll call them decentralized domains.

How is a domain decentralized?

Right now, domains like .com are owned by third party companies like Verisign and resold to end-consumers through companies like Namecheap and Godaddy.

We’re either paying an annual subscription for the right to use that domain, or we can buy it outright for an egregious sum of money.

Either way, we don’t truly own that domain name. Verisign can censor it at any time. Hackers can target Verisign as an attack vector to shut down your domain name — thus restricting your website’s access to the internet.

We’ve seen this in crypto before: hackers targeting URL names and resolving them to a malicious website to extract funds from crypto users.

With decentralized domains, the individual owns the domain name, and no one else can use it or take it away without the individual’s expressed consent.

That’s possible because — like with decentralized identity — the decentralized domain is minted on the blockchain, with immutable ownership rights and permission settings.

That’s what’s so interesting about companies like Unstoppable Domains and Ethereum Name Service; they’re creating the building blocks for the literal Web — like websites — to enter into the Web3 era.

All this talk about Web3, and I completely omitted the discussion around literal websites joining the movement!

Michael Williams, PM of Unstoppable Domains, captures it perfectly:

Unstoppable creates and sells website URLs. Unlike our current options (GoDaddy, Google Domains, etc.) these domains are 100% user controlled. They can never be revoked, taken down, expired, or covered up.

If we combine decentralized domains + decentralized data storage protocols like IPFS, Arweave or Filecoin + a decentralized compute layer like Ethereum, we create a Web3-native world wide web — where the identifier/resolution, storage, and processing are all done in an open, permissionless, and decentralized way across thousands of computers instead of large datacenters owned by Microsoft, Google or Amazon.


A Look into the Decentralized Web

It’s hard to conceptualize what a decentralized web looks like — after all, isn’t the world wide web already decentralized, built on open source protocols like IP, DNS, SMTP, and TCP?

Yes, but in the past few decades, large corporations like Google and Facebook have centralized that data and information flow. Now they are essentially the internet, and the Web3 movement is trying to reclaim that initial freedom that Web 1.0 charted.

Here’s an illustrative example that may be able to shine some light on what a decentralized web could look like:

A web where individuals own their own data.

Let’s say I have a blog on Medium (which I do). If I wanted to start writing new posts for Substack instead, I’d essentially have to start all over again with a blank slate instead of a robust library of content that I have right now on Medium — or I could literally copy and paste my articles onto Substack, but I run the risk of either Medium finding out (idk what they’d do, but they technically own my content), or at the very least Google seeing and deprioritizing my copied content on Substack in SEO.

Net-net is that none of my data would carry over. My views stats, my followers, my comments, etc.

Now imagine that I could carry over my content, because I actually own it. It’s stored in the blockchain and tied to my identifier.

I could port it to whichever platform I’d like — whichever platform suits me the best, treats me the best, and has the features that support my objectives the best.

I can even host my own website where my identifier — say jimmy.crypto — would resolve to a website that showcases my beloved content.

Data interoperability across any platform would be possible, after years of walled gardens between the different social media platforms.

Closing Thoughts

I’ll close with another quote from Michael Williams:

Decentralized domains are certainly toy-like, strange, and unserious. But much of that is because they’re fundamentally different from anything we’ve had before. And those differences open up a whole new world of possibilities.

The decentralized web is still a very nascent and abstract thought — and honestly even as I was writing out my illustrative example, I struggled to come up with something concrete that can really hammer home the value of the decentralized web.

I ended up with a lame example about data interoperability between blogging platforms, but honestly the implications of this technology are so much bigger than that, and so much bigger than I can even imagine — let alone articulate.



Whoop’s New Wearable Can Go on Your Wrist—or in Your Clothes

Your workout apparel just got a lot smarter.

Slide Whoop’s new 4.0 fitness tracker into your shorts, leggings, shirt, or sports bra. PHOTOGRAPH: WHOOP

Ask people if they’ve heard of the Whoop activity-tracking wearable and they’ll either look at you blankly or say they couldn’t work out, sleep, or live without it. It’s a wrist wearable aimed at fitness fanatics—pro and college athletes, CrossFitters and weekend warriors—and it stands out for a couple of reasons. For one, the only way to get a Whoop wearable is to pay a monthly or annual subscription fee. And two, one of its marquee features is that it tells wearers how much physical strain they can handle on any given day.

You might not think that business model would be worth $3.6 billion. But some investors—and an undisclosed number of subscribers—seem to think Whoop is a big whoop. Now, the Boston company is expanding its product line and getting into “smart” clothing: The Whoop module that’s normally worn on the wrist has been redesigned so that it can also be attached to Whoop-branded athletic apparel. The new Whoop, which the company has dubbed Whoop 4.0, is also the first consumer product on the market to ship with a new kind of super-charged silicon lithium battery.

“Smart clothes” have struggled to gain traction before, and when it comes to wearables specific to the wrist, Apple dominates that market. But Whoop thinks its combination of continuous health monitoring and new “Any-Wear” technology, which is supposed to determine where on the body you’re wearing your Whoop and adjust your data-tracking accordingly, will set it apart in a sea of tracking tech.

“We’ve long felt that wearable technology should be cool or invisible. Those are the only two paradigms we want to develop on,” says Will Ahmed, Whoop’s cofounder and chief executive. “In terms of ‘cool,’ it’s an area we’ve focused on a lot historically, making it something that you can dress up or dress down. But ‘invisible’ is, ‘How do we make it disappear?’”

Buyers might also notice their dollars disappearing when they factor in a $24 per month subscription to Whoop’s fitness-tracking software platform—the hardware is included in that—and the cost of Whoop’s new apparel, which includes $69 boxers, a $79 sports bra, and $109 leggings. But serious exercisers who are used to paying top price for fitness apparel might not bat an eye at those costs. (And if they did bat an eye, Whoop would certainly track it.)

Track Star

The new Whoop fitness tracker can be worn in a band on your wrist like before, or it can slide into one of the company’s new workout apparel pieces, like these leggings. PHOTOGRAPH: WHOOP

Whoop tracks heart rate variability, resting heart rate, respiratory rate, and sleep. The new Whoop 4.0 sensor module still tracks all of the above, but it’s 33 percent smaller than the third-generation Whoop, says Ahmed. This is partly what makes the Whoop clothing line possible: The device had to be small enough to fit comfortably in apparel pockets. It also has to sit snug to the skin, so that there’s a “good agreement between the sensor and your skin” and accurate data can be captured, says John Capodilupo, another cofounder and the company’s chief technology officer.

Because Whoop thinks that customers will attach the Whoop module to different parts of their body on any given day—which is one way to convince the Apple Watch-wearing crowd that they could also buy into Whoop—it developed an algorithm that automatically detects where the Whoop is being placed and processes biometric data accordingly. The software was developed based on more than 20,000 data sets gathered from thousands of beta testers wearing both Whoop tech and standard heart-rate-monitoring chest straps, Capodilupo says. The company has not published its methodology or the full results of this research.

The Whoop 4.0, which goes on sale this week and ships later in September, has some more new features. It vibrates during sleep cycles to wake up wearers. It has a built-in pulse oximeter as well as a skin temperature sensor. Those are not uncommon in activity-tracking wearables, though.

Still works on the wrist if that’s where you like it. PHOTOGRAPH: WHOOP

What’s especially interesting about the new Whoop is its lithium-ion battery technology. It’s the first consumer product to ship with battery tech developed by Sila Nanotechnologies, a buzzy Alameda, California, company that uses microscopic silicon particles to “supercharge lithium-ion cells when they’re used as the battery’s negative electrode,” as WIRED reported last year.

Sila Nano doesn’t actually make the batteries. It provides its proprietary silicon nanoparticles and recipes to battery makers. The company’s founder, Gene Berdichevsky, thinks this battery tech will eventually make its way into electric vehicles. (Berdichevsky was also an early employee at Tesla.) But he says it’s challenging to scale the manufacturing equipment for Sila Nano’s materials to the size and volume needed for electric vehicles, so it’s starting out with small electronics.

What this means for Whoop wearers is that version 4.0 has the same expected battery life as previous Whoop bands—around five days of continuous tracking per charge—but the physical battery is smaller. And as with any battery technology that pushes the limits of chemistry and physics, years of research and development were required before the tech could be considered commercially viable; silicon has a tendency to swell, which stresses batteries. But Berdichevsky has said in the past he believes Sila Nano has solved this “expansion” problem with its nanoparticles.

Wear It Out

Whoop sells a 4.0-compatible sports bra as well. PHOTOGRAPH: WHOOP

It remains to be seen whether people want to wear “smart clothes,” or if wrist wearables are providing enough value for wearers for now. Over the past decade, tech behemoths like Intel, as well as lesser-known upstarts like Athos, OmSignal, and Sensoria, have dabbled in sensor-filled clothing, the idea being that it provides a more passive tracking experience while the wearer is being active. The results have been mixed.

Stefan Olander, a former Nike executive who launched the FuelBand wrist wearable for Nike back in 2012, said in an email that connected apparel involves “much more friction than wrist-worn devices. Anything that requires batteries, charging, pairing, is harder to wash, or anything else that requires a change in behavior, is going to have a hard time becoming a truly scalable consumer proposition.” (Olander, who has been working on another not-yet-released connected fitness product, was not briefed specifically on Whoop’s new product, and was speaking broadly about the product category.)

“True scale comes from simple solutions that enhance people’s lives, with as little unnecessary change as possible,” Olander says.

Whoop, of course, thinks it is that simple solution, with its screenless, customizable bands, wear-it-and-forget-about-it battery life, and now, its ability to slip right into your workout clothes. It just also happens to target a very specific demographic that will pay to subscribe to a workout wearable—and now, will also pay top dollar for its apparel.