
Hackers target phones
WhistleOut fast facts
  • Hackers are using spyware disguised as calendar invites to hack iPhones.
  • The spyware primarily targets journalists, political figures, and NGO workers globally.
  • In the U.S., the FBI warns that hackers use free charging stations to infect devices with malware.
  • The free charging stations in airports, hotels, and shopping centers use public USB cords that can infect devices.

The FBI and researchers revealed two new significant vulnerabilities for cell phone users this week. 

The first one targets iPhone users through calendar invites and does not require users to click anything. Citizen Lab and Microsoft reported it, and Apple says a patch for iOS 14 solved the vulnerability.

The second vulnerability is specifically U.S.-based and is a warning for anyone travelling to the U.S.: avoid free charging stations.

Let’s dive into what these mean for consumers.

Calendar invitations lead to spyware


Research from Microsoft Threat Intelligence and Citizen Lab at the University of Toronto identified spyware from QuaDream that hackers use to exploit iPhone users. 

The exploit uses invisible iCloud calendar invitations that can compromise mobile users’ Directory Services Identifier. The calendar invites fall under the umbrella of zero-click exploits: spyware that does not require victims to click a link or download anything.

Many invites were backdated, meaning the user did not receive a prompt or notification. There were also overlapping invites, which may have triggered a specific behaviour. 

This exploit, dubbed ENDOFDAYS, does not have a fix, but it is not believed to be targeting users in Canada. According to Citizen Lab, the spyware has targeted “journalists, political opposition figures, and an NGO worker.”

If you know how to dig into your phone’s files, running this query against the phone’s Calendar.sqlitedb file will identify ENDOFDAYS attacks:

  • SELECT * FROM calendaritem WHERE summary="Meeting" AND description="Notes";
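The check above can be run read-only against a copy of Calendar.sqlitedb, as in this added example (not code from Citizen Lab, Microsoft or the original article), which also reports matching invites whose times overlap. The function names, the start_date and end_date column names and the sample rows are assumptions made for illustration; the sample database is constructed.

```python
import sqlite3

# The page's indicator query, with standard single-quoted SQL strings.
# start_date/end_date are ASSUMED columns; the page names only summary/description.
IOC_QUERY = """
SELECT ROWID, start_date, end_date FROM calendaritem
WHERE summary = 'Meeting' AND description = 'Notes'
ORDER BY start_date
"""

def open_readonly(path):
    """Open a copy of Calendar.sqlitedb so the evidence cannot be modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def scan(conn):
    """Return (hits, overlaps): matching rows and pairs whose times overlap."""
    try:
        hits = conn.execute(IOC_QUERY).fetchall()
    except sqlite3.OperationalError as exc:  # wrong file or unexpected schema
        raise ValueError(f"cannot run indicator query: {exc}") from exc
    timed = [h for h in hits if h[1] is not None and h[2] is not None]
    overlaps = []
    for i, (id_a, _, end_a) in enumerate(timed):
        for id_b, start_b, _ in timed[i + 1:]:
            if start_b >= end_a:  # rows are sorted by start: no later overlap
                break
            overlaps.append((id_a, id_b))
    return hits, overlaps

def build_sample(path):
    """Write a CONSTRUCTED stand-in database (not real device data)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE CalendarItem (summary, description, start_date, end_date)")
    conn.executemany("INSERT INTO CalendarItem VALUES (?, ?, ?, ?)", [
        ("Meeting", "Notes", 1000.0, 4600.0),            # rowid 1: matches
        ("Meeting", "Notes", 2800.0, 6400.0),            # rowid 2: matches, overlaps 1
        ("Meeting", "Agenda attached", 1000.0, 4600.0),  # benign: other description
        ("Dentist", "Notes", 9000.0, 9900.0),            # benign: other summary
        ("Meeting", "Notes", 20000.0, 23600.0),          # rowid 5: matches, no overlap
    ])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "Calendar.sqlitedb")
    build_sample(sample)
    hits, overlaps = scan(open_readonly(sample))
    print(f"{len(hits)} matching items, overlapping pairs: {overlaps}")
```

"Meeting" and "Notes" are common strings, so a match is a reason to investigate further rather than proof of compromise.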

QuaDream, the company that developed the spyware, is an Israeli surveillance company. Its zero-click tools are similar to those of NSO Group, another Israeli cyber-intelligence firm known for its spyware.

Free charging ports have malware risk


The FBI is warning people not to use public phone charging stations. The Bureau says “juice jacking” involves public chargers being used to infect phones and devices with malware.

The FBI in Denver released a statement last week: “Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

While there are not any recently documented cases of phones being infected with malware from public chargers, the FBI’s warning is an advisory, especially as people begin to travel for the summer holidays.

Cybercriminals also use public Wi-Fi networks to target travellers.

Vulnerabilities are not new


Unfortunately, privacy concerns are nothing new. In the last six months, bugs and security flaws have been found twice in Apple devices—including in Apple OS and through Siri with AirPods.

The past month has also seen Canada ban TikTok on government devices due to national security concerns.

Apple is not the only manufacturer to deal with bugs and flaws. Google has faced lawsuits due to privacy protections it promises but has not delivered on. Those cases are in progress.

Finally, Canada’s Data Privacy Week in January highlighted user privacy.

“Privacy is a fundamental right that we should not have to surrender in the name of innovation or profit,” said Philippe Dufresne, Privacy Commissioner of Canada.

Meta and Apple also announced new privacy policies to help users and offer encryption. 

While mobile devices are open to flaws, keeping your device’s operating system up-to-date for new security patches is essential.
