Although the new features introduced in OS X Yosemite and iOS 8 bring users many conveniences that simplify working with multiple devices, they can also pose a security threat. For example, forwarding text messages from an iPhone to a Mac very easily bypasses two-step verification when signing in to various services.
The set of Continuity functions, with which Apple connects computers and mobile devices in its latest operating systems, is very interesting, especially in terms of the networks and techniques used to link iPhones and iPads to Macs. Continuity includes the ability to make calls from a Mac, send files via AirDrop or quickly create a hotspot, but here we will focus on forwarding regular SMS to computers.
This relatively inconspicuous but very useful function can, in the worst case, turn into a security hole that lets an attacker obtain the data for the second verification phase when logging into selected services. We are talking about so-called two-step login, which, besides banks, many internet services are now introducing, and which is much more secure than an account protected only by a single classic password.
Two-step verification can take place in different ways, but with online banking and other internet services we most often encounter a verification code sent to your phone number, which you then have to enter in addition to your regular password. So if someone gets hold of your password (or your computer, including the password or certificate), they will usually also need your mobile phone, where the SMS with the password for the second verification phase arrives, in order to log in to internet banking, for example.
But the moment you have all your text messages forwarded from your iPhone to your Mac and an attacker takes over your Mac, they no longer need your iPhone. Forwarding classic SMS messages requires no direct connection between iPhone and Mac: they don't have to be on the same Wi-Fi network, Wi-Fi doesn't even have to be turned on, and neither does Bluetooth; all that's needed is for both devices to be connected to the internet. The SMS Relay service, as message forwarding is officially called, communicates via the iMessage protocol.
In practice, although the message arrives on your iPhone as a normal SMS, Apple processes it as an iMessage and transfers it over the Internet to the Mac (this is how iMessage worked before the advent of SMS Relay), where it is displayed as an SMS, indicated by a green bubble. The iPhone and the Mac can each be in a different city; both devices only need an Internet connection.
You can also prove that SMS Relay does not work over Wi-Fi or Bluetooth in the following way: activate airplane mode on your iPhone, then write and send an SMS on a Mac connected to the Internet. Then disconnect the Mac from the Internet and, conversely, connect the iPhone to it (mobile data is enough). The SMS is sent even though the two devices never directly communicated with each other; everything is handled by the iMessage protocol.
So when using message forwarding, keep in mind that the security of two-factor authentication is compromised. If your computer is stolen, disabling message forwarding immediately is the fastest and easiest way to prevent potential hacking of your accounts.
Logging in to Internet banking is more convenient if you don't have to retype the verification code from the phone's display but can simply copy it from Messages on the Mac; security, however, is much more important in this case, and SMS Relay greatly undermines it. One solution could be, for example, the option to exclude specific numbers from forwarding to the Mac, since SMS codes usually come from the same numbers.
As mentioned in the last paragraph - the ability to copy the code is much more convenient and better.
In addition - if someone steals my MacBook, the first thing I do is block it and turn off all "forwarding" and Continuity on the iPhone - that's why there is also this option in Settings / Messages. :)
And if someone hooks it to you, do you also stop it?
And why have two-step authorization when you can block the stolen device right away, huh?
Two-step verification is a third-party service, so I can hardly not use it or ignore it, at least in the case of banks. And I block or delete my Mac via Find my Mac. The benefits of SMS forwarding outweigh if I don't see the devil behind everything.
No one cares about theft, full disk encryption solves that. But what are you going to do with a hacked computer? Probably nothing, you won't know about it.
Well, of course, the advantages prevail, nobody sees the devil and the user always trades security for a dancing pig.
By the way, do you have the impression that the banks are forcing you to send SMS just for fun?
If anyone is worried, then don't use it. I am extremely satisfied with it.
And those who don't have concerns in combination with 2FA don't even use it, because they obviously don't know what they're doing.
And how do I exclude a specific number on the Macbook and leave it on the iPhone? Thanks for the reply
AFAIK the best option is "switch off Text Messages Forwarding under Messages in Settings (from your iPhone)."
If I'm not mistaken, it is not possible to whitelist what should be forwarded, nor blacklist what not.
Well, isn't it easier to steal a cell phone than a Mac? Yes, you can have a password for mobile, but also for the Mac. I'm not an expert, but it's probably not easy to get into the Mac if I don't know the password (I don't mean to read the data, but to log in so that the SMS relay starts).
Also, don't forget that we are talking about double security, where the first phase is the main one - entering the password to honor and if you don't have it written on the Mac or in some text document inside, then there is no access to the bank (and you don't use 1111 as a password :-))
So, stealing a mac will probably cause you the greatest damage due to the true price of the mac.
2FA does not solve primary Mac or IP theft. The solution is that the attacker has to get control of the Mac and something else. The Mac is enough for him now. Which negates all the benefits of 2FA.
(The advice is to protect against the "attacker on Mac only controls the browser" variant, which is probably not a completely controlled situation.)
It's just that if you consider the Mac to be totally safe (haha), then you don't have to deal with 2FA. And if not, then 2FA has stopped bringing you that increased security, as before.
And one more time, very vividly - you go to the website "nicnebezpecneho.cz", which is dangerous due to an unfortunate set of circumstances. This can happen to you quite easily - you don't have to go to porn sites right away, it's enough for someone to not secure the blog you're visiting and let unsanitized javascript be inserted into the comments. There is a remote exploit for your browser on that page (this can still happen to you, nothing very unusual). Or get caught up in social engineering...
...after a few hours you go to send money from the bank (you log in to gmail, github...). In doing so, you enter the login data into the already compromised computer (or you don't even have to do that if you have these passwords saved) and copy and paste the code from the SMS one time.
..and at night, your computer logs into the bank (gmail...) by itself, the password has already been saved by someone with malware. You will not receive a confirmation SMS on your mobile phone, but... into that compromised computer.
2FA solved exactly these scenarios. Until Apple broke it.
I thought that 2FA means that I have to prove myself by 2 things, for example:
– password
– with a phone that accepts SMS
Well, forwarding SMS to Mac to the phone also adds the Mac (or more Mac and iPad that I have paired) as an alternative, but it's still 2FA. Or not?
Once again - under normal circumstances, 2FA solves situations like "my Mac is hacked and I don't know about it". Because then you can assume that the Mac knows your password for the service (that you already have it saved or will listen to it the next time you log in to the service). And now you can expect that he will also know SMS (or he can ask for it at any time and he will receive it).
Most services that offer two-factor authentication (Facebook, Dropbox, Google, Microsoft, …) allow one-time passwords to be generated using an app (I use Google Authenticator). The application constantly generates time-limited codes for registered services. The code can be copied immediately and used to log in. You don't have to wait for the SMS to arrive and, if they are forwarded to the Mac, solve the problem described in the article.
Compromised Macs have SMS messages when logging in...
Feel free to ask for that. If I have turned on two-phase verification with the generation of a one-time code using the application, then the given service does not send any SMS.
If something hasn't changed, a lot of services wanted the phone and left SMS as the default option. So your hacked computer is back.
With a large number of banks, there is no choice, just an SMS and that's it.
I don't understand this very clearly. If someone steals my Mac, I turn off SMS, remotely wipe the Mac and change the password at the bank. Or what's the catch?
Would you do that before reading this article?
Absolutely, absolutely automatically.
But two-phase authentication is about the fact that the attacker needs two confirmations: PASSWORD AND SMS. This means that if I'm afraid that someone will take my paired Mac, I don't store the password there, and if someone hacks my browser, they won't get into iMessage.
Where do you get the assurance that it won't break out of your browser? According to the current results of Pwn4Fun and Pwn2Own, it looks like there are at least two zero days for Safari:
"At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X"
"By Liang Chen of Keen Team:
Against Apple Safari, a heap overflow along with a sandbox bypass, resulting in code execution."
Thin white lettering on a green background - not even a pupil of a special school could have suggested it better...
One of the ways to stop this is to replace code generation with a dongle (for example this: http://www.czc.cz/battlenet-authenticator/110449/produkt?gclid=Cj0KEQiAs6GjBRCy2My09an6uNIBEiQANfY4zKhlCIiwD9za5e_QYUAp_YEpqdA9frjVqnS9i8sgIgsaAh558P8HAQ ); it is safe and it enables higher security. KB also needs to do something similar - a certificate uploaded to a USB disk, without which a person cannot connect to Internet banking, plus sometimes a one-time password is sent to the phone, etc... There are many possibilities, but everyone has to decide for themselves whether security is important to them (whether they have a password or not, etc.).
Unicredit has a great thing. The smart key is never a classic SMS, but I generate a one-time password in the mobile application.
I need advice on why I suddenly can't send a mm short video, which was possible until now? There is no option to simply insert a video, it doesn't respond, it doesn't insert it into the message
Thank you