Security Week 27: A Counterfeit iPhone and the Price of Security

Published on July 23, 2018


    On July 19, Motherboard published an interesting longread about a fake iPhone worth one hundred dollars. The Android smartphone, mimicking the iPhone X, was acquired in China; it is one of those devices that we rarely come across and that are completely unknown in the West, where the target audience is not the same. The fake is not exactly high quality, but it is diligent, starting with the box and ending with the icons. Photographed in the dark, the phone really can be confused with the original.

    Naturally, once you start using it, everything becomes clear. The phone is not very fast, and messages that "Google services have stopped working" pop up from under the Apple-like interface. The copy of the advanced facial recognition system unlocks the smartphone for any face or face-like object, and the rounded edges of the display and the pad with sensors and speakers are emulated (!) in software. Motherboard journalists asked specialists to evaluate the security of the smartphone, and they found there, if translated literally, some kind of “game”. Spoiler: there is no game there, just a lot of irresponsible code showing that on a cheap smartphone user data is also protected for three pennies.


    Done with some originality, even, with a twinkle!

    I will not retell the whole story; read the original or just look at the pictures. A cheap smartphone may try to look like a thousand-dollar branded device, but it remains a hundred-dollar device. As it turned out, it runs Android 6 with a heavily modified launcher. On first start it faithfully reproduces the initial setup dialog of a real iPhone. The settings that exist in Android really are changed from this menu. Anything that does not exist in Android is politely but silently ignored.

    The phone is assembled with rivets. If you dislike the fact that in modern (real, not like this one) smartphones everything is held together with glue, this is a worse option. The phone is simply disposable: you can only disassemble it with pliers, and it will not work at all. Why? Because it is cheaper.


    The backdoors and malware promised by the author seem to be there, but it all depends on interpretation. When it gets to security, the article loses a bit of its enthusiasm, and one can assume that nothing terrible was found in the hundred-dollar copy of the iPhone X. The smartphone was handed to specialists at Trail of Bits to see how it fares on security. Researcher Chris Evans shared his findings in a report that was shown to the journalists but not published.

    And what did they find? Applications like "Compass" and "Clock" have too many permissions (oh, the horror!). A fake browser that mimics Safari has a built-in feature for remote launch and code execution. Without too much of a stretch it can be called a backdoor, although it is not certain that it was inserted with malicious intent. It is just that crooked a debug interface. The publication quotes a specialist whose words support exactly this version: the phone is not necessarily “malicious”. It's just that there is no “security” there.

    And it is not that we are trying to defend a fake iPhone. After all, the text mentions Adups, software for remotely updating the phone, which for a couple of years has been known for its loose handling of user data, up to sending call history to China (here is the news, here is the research by Kryptowire). But the lack of specifics and the attempt to make a mountain out of a molehill in the original Motherboard publication cause a slight ... how to put it more precisely ... frustration, perhaps. Security experts "proceeded from the fact that the device was most likely unsafe," and kept it in a bag that isolated the radio. Well, yes, of course, there is no way to manage without a Faraday cage.

    Recently a post appeared on the "Lab" blog with a good selection of examples of how cheap smartphones, even those that do not try to look like iPhones, are unsafe. From all these stories I draw two conclusions, reasonably original ones, I hope. First, the cheaper the phone, the worse the protection. The more likely it is that OEM firmware is used, the more often it is put together with crooked hands, and the sooner someone will forget to close a debug interface that sends personal data to anyone.

    Secondly, people with minimal knowledge of information security have incredibly high demands on data protection. For that matter, we are not always satisfied even with flagship phones, where everything is much better. We count Trojans in the Google Play store, discuss methods of bypassing the protection against copying data from an iPhone via the USB port, and other assorted subtleties. Meanwhile, for hundreds of thousands of low-cost phones there is not even any talk of hacking: access to someone else's data there seems to be a standard feature. Some kind of "improved protection" in the case of a flagship smartphone will cost 5% of its price. For a cheap phone it will mean a twofold rise in price.

    It is a pity that one point was not investigated in detail in the Motherboard publication. In the process of “setting up an iPhone,” the user is prompted to enter the username and password for the iCloud service, which, of course, does not work on Android. So what happens to this data? At best, like other iPhone-specific things, it is not saved anywhere. At worst ... Well, you understand what happens.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The esteemed editors generally recommend treating any opinions with healthy skepticism.