UK Demands Backdoor in Apple Encryption; 2.8 Million Devices Launch Brute Force Attack; UK's RN & RAF Fast Track Cyber Specialists

It seems that the UK government and its advisors have not being paying attention to the recent Salt Typhoon attacks against US telcos where lawful intercept capabilities built into those networks were abused by hostile nation state actors to intercept traffic travelling over those networks. As I have said many times, "we can have strong encryption and accept that the cost will be its abuse by criminals while the internet is made more secure, or we can weaken encryption and accept that the cost will be its abuse by criminals while the internet is made insecure."

Brian Honan

Governments will never learn from past failures in implementing 'back doors' in communication infrastructure. Proposing this before 'Volt Typhoon' is even fully evicted (or even identified as far as the UK is concerned) is actually kind of funny.

Johannes Ullrich

Encryption with a "government/law enforcement" backdoor is an oxymoron. Remember the clipper chip? We've seen this movie before, there is no effective way to restrict access to that back door, let alone prevent others from reverse engineering it. The concerns over decrypting iCloud data were exacerbated with the introduction of Advanced Data Protection for iCloud in iOS 16 which enables end-to-end for the majority of your iCloud data, and not even Apple can access this data.

Lee Neely

If you thought the Cryptography War ended with Salt Typhoon, think again. Apparently governments will never gracefully consent to private communications for their citizens. As one might infer from Salt Typhoon, any such backdoor will become the target of choice for all the resources of China, Israel, Iran, Russia, and North Korea, not to mention NSA. It is unlikely that Scotland Yard, Special Branch, MI5, and GCHQ can protect any such backdoor better than the FBI, NSA, and the Telcos were able to protect CALEA. Such a facility, justified by terrorism and crime, will inevitably be used for surveillance, not limited to His Majesty's subjects.

William Hugh Murray

Everyone is watching how Apple will handle this. A backdoor for the UK government is a universal backdoor for everyone. At least that's what it would appear on the surface. I don't know how that will work or if Apple will be okay with it. If you want to know what these backdoors can be used for just follow Salt Typhoon, CALEA, and all that mess.

Moses Frost

Apple has been at the forefront in protecting the communication of users of its products. It was only a matter of time before some Government would demand access for national security purposes. One can understand the arguments, and each are valid. What's particularly interesting is the reach of the Investigatory Powers Act. If successful, other nations will surely follow in the UKÕs footsteps.

Curtis Dukes

This is what we enable when we fail to properly manage the devices that we expose to the public networks.

William Hugh Murray

What's particularly troubling about this attack is the number of compromised devices employed. It speaks to the poor job that IoT vendors have done embodying secure by design principles in their products. Hard-coding credentials in a product is no longer acceptable and vendors should be help accountable. In the meantime, prioritize MFA enforcement for all Internet facing devices.

Curtis Dukes

The attack leverages compromised SOHO devices, but the initial attack vector to those devices is unknown. Those devices are attempting password/login attacks. Make sure that your devices are not only running the most current firmware but are also still supported. Change default passwords and disable WAN access to the management console. Make sure VPN or remote access services use MFA rather than password-based authentication. Lastly, make sure you're not only monitoring service use but also actively reviewing/managing users.

Lee Neely

If you have an edge device with an N+1 day vulnerability and you get owned. Well, I mean, that's on you at this point. Honestly.

Moses Frost

It's a new day in the military with cyber skills very much in demand. For the recruit it's an opportunity to obtain skills that translate into high demand private sector jobs upon completion of military service. Well, done UK MoD, well done.

Curtis Dukes

The UK is dropping the traditional basic (fitness and weapons) training, focusing instead on needed cyber skills to fill the gaps in their Navy and Air Force now. The British Army is slated to join the campaign in 2026. Since last July, the UK has also increased the starting compensation by 35% for recruits and removed 100+ outdated policies which block or slow recruitment to attract and retain candidates. My concern is the lack of comradery and defense skills developed in basic training may put these candidates at risk as they are still soldiers, particularly when deployed in the field.

Lee Neely

USB Restricted mode, introduced in iOS 11.4.1, prevents unauthorized USB data access to your locked device, and is one countermeasure to bad-USB attacks, mitigating some risks for travelers who don't always think twice before connecting for a charge. This protection was augmented in iOS 18, which introduced an inactivity reboot (after 72 hours), which makes forensic access to devices much harder as when the device is in "Before First Unlock" mode all encryption keys are in the secure enclave and not otherwise accessible without the device passcode. CVE-2025-24200, USB Restricted Mode bypass, doesn't have a CVSS score and while the bypass is a sophisticated physical attack, the update is worth applying to your iOS/iPad 17 & 18 devices now; it's under 500mb and only takes a few minutes to install.

Lee Neely

Apple has done a fantastic job getting everyone to update their phones. I suspect that most people will update. What's interesting is the impact of this patch on physical access, as the exploit attacks the USB lockdown. Makes you wonder how they arrived at this exploit.

Moses Frost

Apple also published updates for MacOS, but these updates did not fix any security issues.

Johannes Ullrich

The importance of sanitizing ALL input cannot be overstated. If your developers have never seen how easy it is to manipulate input data, perhaps a demonstration is in order. If your QA process isn't checking every input to make sure it's sanitized, you need to address that oversight. While a WAF can mitigate the risk on your applications, particularly COTS, the best fix remains within the application code itself as you need to continue to verify the WAF mitigations work throughout application lifecycles.

Lee Neely

Given the current quality of much of our software, it is prudent to hide as much of it from the Internet as possible. Given recent history of vulnerabilities in firewalls, consider layering them, at least for mission critical systems and applications. Ensure that sensitive data is encrypted at rest, keeping in mind that "cryptography is harder than it looks."

William Hugh Murray

I'm not sure what this system is, but it's interesting to note the 'Rust' loader for Beacon. I suspect we will see more use of these; next will be a Zig loader for Beacon.

Moses Frost

According to the CISA advisory this flaw can be exploited by an "authorised user." To reiterate previous commentaries, any critical management systems should not be internet facing and instead should be only accessible via a VPN with all accounts protected by MFA.

Brian Honan

Whenever you see an article describing vulnerabilities in DeepSeek, assume similar issues exist to some extent in other AI applications. It is just that DeepSeek is the squirrel of AI distracting everybody from vulnerabilities in more 'boring' vendors' systems.

Johannes Ullrich

The vulnerability research is troubling on several fronts. Like the UK Investigatory Powers Act (see NewsBites snippet), Government can demand access to the data stored by ByteDance. In this case however, the Chinese government has access to the unencrypted communications. The question becomes, is this simply poor coding practices exposed in one's rush to market, or something more devious? You can decide.

Curtis Dukes

Researchers have noted that the Android DeepSeek app is even less secure than its iOS counterpart. Both warrant removal from both your corporate and BYOD devices. Discoveries include hardcoded keys, insecure data transmissions - both unencrypted and weakly encrypted (3DES), questionable data sharing, as well as storing of data in China. If you're continuing to use DeepSeek, make sure that you're doing an in-depth risk assessment, to include MitM interception and/or manipulation of data. US lawmakers have kicked off efforts to ban DeepSeek from all government devices, citing concerns over backdoor and other sensitive data access. If passed, DeepSeek could be banned within 60 days.

Lee Neely

While this effort does not promise the kind of investigation as our now defunct CSRB, it may partially fill the gap. The intent seems to be to measure risk, something that very few enterprises have the necessary special knowledge and experience to do.

William Hugh Murray

Events are scored based on the financial impact and number of organizations affected. Financial thresholds are £10 million, £100 million, £1 billion, and £5 billion. The number of affected organizations thresholds are 270; 2,700; 27,000; and 136,000, which correspomds to .01, .1, 1 and 5 percent of the total UK public and private organizations. Using this system, the MoveIT attack in the UK would rate a one, Synnovis (healthcare) rates a two, and the CrowdStrike outage a three. If the CrowdStrike event had been a malicious act, it would have rated a four. The ratings are expected to be initially issued within 30 to 45 days of an event, with a goal of 30 days in 2026. While exciting, the value of these categorizations will need to be proven over time to see if they are a help or distraction.

Lee Neely

Well, I'm all for simplifying things. In this case, not sure it makes a whole lot of sense. The insured's state of defenses come into play, and they are not all equal. And, besides, it doesn't really solve any problem. That is, unless it's really just a feint to immunize the insurance industry. All I can say for now is meh.

Curtis Dukes

DICOM is a mess. It's a total mess. I am *very* surprised that we have not seen widespread exploitation. I'm telling you that after working in healthcare, people put DICOM servers on weird ports all over the place, and barely any scanners exist for it. It's a nightmare waiting to happen.

Moses Frost

CVE-2025-0896, missing authentication, CVSS score 9.8, can be exploited remotely with a low level of complexity. In addition to applying the update and security configuration change, also minimize network exposure to your ICS devices, don't expose them to the Internet, and restrict internal access to verified systems. Take a look at CISA's latest ICS Defense-in-Depth Strategies guide to see if you're missing any updated approaches to keep your systems protected.

Lee Neely

Per Dragos, there were 119 ransomware attacks in 2024 targeting European companies, (UK, Germany and Italy most affected) and from July to September there were 394 attacks on the manufacturing sector globally, 56 of which targeted ICS systems. If you're in either of these categories, make sure you're up to speed on your cyber hygiene. Revisit the risks of exposed services, and consider newer compensating controls where access is only granted to continuously vetted devices.

Lee Neely

The digital news sites still have headers indicating services are undergoing maintenance affecting access to subscription accounts and the electronic edition. The most visible impact to analog subscribers was a loss of printed editions, and publishers are working to print and deliver these back issues. Lee Enterprises is not yet claiming the event is materially impactful but is keeping recovery details close.

Lee Neely