Security Weekly 49

Security Weekly 49 Main Logo

Security Weekly 49 Fake iPhone And The Price Of The Security

July 19 edition of Motherboard published an interesting long for a fake iPhone with a cost of one hundred dollars. Android-smartphone, mimicking for iPhone X, was purchased in China; he is one of those that we rarely come across, and in the West, in general, are unknown – the target audience is not the same.

Forgery is not something that is quality, but diligent, starting with the box and ending with icons. Photographed in the dark, the phone and the truth can be confused with the original.

Security Weekly 49 Photo 1

Naturally, when you start using it, everything becomes clear. The phone is not very fast, from under the Apple-like interface pop up messages that “Google services stopped working.”

  • A copy of the advanced face recognition system unlocks the smartphone from any person and face-like object, and the rounded edges of the display and the platform with sensors and a speaker are emulated (!) Programmatically.

Journalists Motherboard appealed to experts with a request to assess the safety of the smartphone, and they found there if translated literally some “game”. Spoiler: no game there, just a lot of irresponsible code, showing that in a cheap smartphone user data is also protected by three kopecks.

  • I will not retell the whole story – read it in the original or just look at the pictures. Cheap smartphone, although it tries to look like a branded device for a thousand dollars, it remains a hundred-dollar device. It works, as it turned out, on Android 6 with a heavily modified anchor.

At the first start, it reliably reproduces the dialogue of the initial setting, as on the real iPhone. And the settings that are present in Android, honestly change from this menu. What does not exist in Android, politely, but silently ignored?

Security Weekly 49 Photo 2

The phone is assembled on rivets. If you do not like that in modern (real, not like here) smartphones are all planted on glue, then here’s a worse option. The phone is just one-time, you can disassemble it only with wire cutters, it will not work out at all. Why? It’s cheaper.

  • The backdoors promised by the author and malicious programs are there, as it were, but everything depends on the interpretation. The article, in terms of security, loses a bit of fighting enthusiasm, and we can assume that nothing terrible in a hundred-dollar copy of the iPhone X was found. The smartphone was given to the experts of the company Trail of Bits – to see what is there with security. Researcher Chris Evans shared his findings in a report that was shown to reporters but did not publish.

And what did you find? Applications like “Compass” and “Clock” have too many powers (about horror!). A fake browser, mimicking under Safari, has a built-in feature for remote startup and code execution. It is possible, without much embarrassment, to call backdoor, although not the fact that it was inserted with malicious intentions. Just such a curve interface. The publication cites the words of a specialist who confirm this version: the phone is not necessarily “malicious”. It’s just that there is no “security there”.

Security Weekly 49 Photo 3

And it’s not that we try to stand up for a fake iPhone. Rather, the text refers to the software for the remote update of the Adups phone, which for a couple of years has been known for its free handling of user data, up to sending the call history to China (here’s the news, here’s the Kryptowire study). But the lack of specifics and an attempt to inflate an elephant from a fly in the original publication of Motherboard provokes an easy … it would be more accurate to express … perhaps, frustration. Security experts “proceeded from the fact that the device is most likely unsafe” and stored it in a bag that isolates radio emissions. Well, yes, yes, Faraday cage cannot do without a cage.

  • Recently in the blog “Laboratories”, there was a post with a good selection of examples of how cheap smartphones, even if they do not try to sound like iPhones, are unsafe. I have two of these stories, I hope, to the extent of the original conclusion. First, the cheaper the phone, the worse protection. The more likely the OEM-firmware is used, the more often it is rolled with crooked hands, the sooner there will forget to close any debug-interface that sends any personal information to anyone.

Secondly, people with minimal knowledge in the field of information security have incredibly high requirements for data protection. Us, for that matter, the flagship phones, where everything is much better, do not always suit you. We count trojans in the Google Play store, discuss ways to bypass protection from copying data from iPhone via USB port and other different subtleties. And hundreds of thousands of low-cost phones are not even about hacking: access to other people’s data there seems to be a regular function. Some “improvement of protection” in the case of the flagship smartphone will cost 5% of its value. For a cheap phone, this will be a two-fold rise in price.

It’s a pity that the Motherboard publication did not examine in detail one point. In the process of “setting up the iPhone” the user is offered to enter a login and password from the iCloud service, which on the android, of course, does not work. And then what happens with this data? At best, they, like other iPhone-specific things, are not saved anywhere. At worst … Well, you understand what is happening.