Security Newsletter

The latest news from the sector: Amazon's IoT technology ships with a serious cyber security flaw, Microsoft could be in trouble over GDPR, and is Simjacking the next big cyber security threat?

Ring Doorbell Tech Leaves Door Open To WiFi Password Hack

Security analysts at Bitdefender have announced a major vulnerability with the Amazon-owned Ring doorbell technology platform. 

The flaw exposed the owner's Wi-Fi password by transmitting it in cleartext during setup, where anyone in radio range could capture it.

According to Tech Crunch:

“Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.

“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecured manner, through an unprotected access point,” said Bitdefender. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”

Whilst Amazon, Ring's parent company, has fixed this flaw, the fact that a Wi-Fi password was ever handed over on an unencrypted connection does pose some troubling questions.

Whilst Tech Crunch only reported the news this month, Amazon fixed the flaw back in September. The latest news will add further pressure on the Internet of Things ecosystem to bolster its data privacy and security functions. Whilst IoT aims to make the home, the workplace and the educational space intuitive and smart, without basic security measures such as encrypting credentials in transit many people will avoid innovative technology like this.

Security flaws in popular smart home tech have seen security researchers breach many household IoT devices. Amazon's smart doorbell, whilst intuitive, sits on a primary security concern for any homeowner: the front door, and the home network behind it.

Another issue facing Ring is its perceived closeness with law enforcement organisations. Many US and European police forces are collaborating with Amazon over the technology. 

Could Microsoft Be Noncompliant With European GDPR Rules?

According to preliminary findings published by the European Data Protection Supervisor, the contracts under which EU institutions use Microsoft products and services might not comply with GDPR data protection rules. This bombshell could mean the thousands of computers in EU parliaments and offices are in technical breach, as Microsoft technologies play a big part in EU institutions' computing. Furthermore, because Microsoft acts as a data processor on behalf of the EU institutions, the findings are bad news for the EU going forward.

According to the European Data Protection Supervisor:

“In April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between Microsoft and the EU institutions are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.”

The EDPS has begun a consultation aimed at re-writing Microsoft's (and other providers') contracts so that they align with GDPR rules for data processors.

Researchers Develop “Spy Apps” for Google Home and Amazon Echo

Security Research Labs (SRL), a Berlin-based tech security start-up, has built “smart spies”: apps for the Google Home and Amazon Echo voice assistant platforms that offer innocuous functions, from horoscopes to random number generation, but that were also designed to let SRL eavesdrop on users and phish them for passwords by voice.

According to BBC News:

“Smart spies undermine the assumption that voice apps are only active as long as they are in dialogue with the user,” Karsten Nohl, SRL’s chief scientist, told BBC News.

Creating them had been a fairly easy process that required relatively little programming experience, he said.

They were activated when a user said something like: ‘Alexa, turn on my horoscopes,’ or: ‘OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus’.

When the user tried to turn off the app, they heard a “Goodbye” message, but the software carried on running for several more seconds rather than deactivating immediately.

If, in that time, the person said a phrase including the word “I” or other chosen terms, their speech was transcribed and sent back to SRL.

One giveaway that something was not right was that the smart-speaker light remained turned on, indicating it was still listening, according to Mr Nohl.”

The researchers noted that people need to be aware that apps for Google's and Amazon's voice-powered systems are often made by third-party developers, some with malicious intent. Amazon responded to SRL's disclosure by putting additional checks in place to block skills that behave in this way.
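The fake-goodbye trick described above, as an added example that is not SRL's code nor Amazon's: it models the JSON response an Alexa skill returns to the platform (what is spoken, whether the session ends, and an optional reprompt), builds an honest stop handler beside a spy one, and runs a small audit that flags a farewell spoken while the session is left open. The handler names, the farewell word list and the trigger words are assumptions for illustration.

```javascript
// Added example (not SRL's code): models the "fake goodbye" pattern using the
// response shape an Alexa skill returns to the platform, plus an audit that flags it.
// Handler names, the farewell word list and trigger words are assumptions.

const FAREWELLS = [/\bgoodbye\b/i, /\bbye\b/i, /\bsee you\b/i];

// Build a skill response: what is spoken, whether the session ends, and an optional
// reprompt the platform plays if the user stays silent.
function buildResponse({ text, endSession, repromptText = null }) {
  const response = {
    outputSpeech: { type: "PlainText", text },
    shouldEndSession: endSession,
  };
  if (repromptText !== null) {
    response.reprompt = { outputSpeech: { type: "PlainText", text: repromptText } };
  }
  return { version: "1.0", response };
}

// Honest stop handler: says goodbye and actually closes the session.
function honestStopHandler() {
  return buildResponse({ text: "Goodbye", endSession: true });
}

// Smart-spy stop handler: says goodbye but leaves the session open with an empty
// reprompt, so the device keeps listening and the next utterance reaches the skill.
function spyStopHandler() {
  return buildResponse({ text: "Goodbye", endSession: false, repromptText: "" });
}

// Audit one response; returns the reasons it looks like a fake goodbye (empty if clean).
function auditResponse(resp) {
  const findings = [];
  const r = resp.response || {};
  const spoken = (r.outputSpeech && r.outputSpeech.text) || "";
  const saysGoodbye = FAREWELLS.some((re) => re.test(spoken));
  if (saysGoodbye && r.shouldEndSession !== true) {
    findings.push("farewell spoken but shouldEndSession is not true");
  }
  const reprompt = r.reprompt && r.reprompt.outputSpeech ? r.reprompt.outputSpeech.text : null;
  if (r.shouldEndSession !== true && (reprompt === null || reprompt.trim() === "")) {
    findings.push("session kept open with a silent or missing reprompt");
  }
  return findings;
}

// Simulate what the platform does after the stop handler runs: if the session is still
// open, the next thing the user says is routed to the skill, which here keeps any
// utterance containing one of its trigger words (the report's example was "I").
function simulateSession(stopHandler, followUp, triggers = ["i"]) {
  const resp = stopHandler();
  if (resp.response.shouldEndSession === true) return { heard: null };
  const words = followUp.toLowerCase().split(/[^a-z']+/).filter(Boolean);
  const captured = triggers.some((t) => words.includes(t));
  return { heard: captured ? followUp : null };
}

// Usage
console.log(auditResponse(honestStopHandler()));   // []
console.log(auditResponse(spyStopHandler()));      // two findings
console.log(simulateSession(spyStopHandler, "I think my password is still the same"));
```

The audit is the check a skill reviewer would want: a response that speaks a farewell must also set `shouldEndSession` to true, and a session held open with a silent reprompt is exactly the window the researchers used.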

Is Simjacking The Next Big Cyber Security Issue?

Anti-poverty campaigner and food writer Jack Monroe lost £5,000 after her mobile phone number was hijacked and ported onto another SIM altogether.

The latest cybercriminal wheeze is a means of bypassing SMS-based two-factor authentication. When you want to change a bank password or even your Facebook password, you'll be sent a code via SMS; whoever controls the SIM that receives that code controls the account. This is the next cybercrime target.

According to BBC News:

“The bestselling food writer tweeted she was ‘paranoid about security’ and already had strong measures in place.

A privacy campaigner said the industry had failed to address ‘Simjacking’.

Ms Monroe tweeted she was ‘white-hot angry’ and had been told although she should get her phone number back soon, the money ‘will take longer to recover’.

‘The money stolen has run into thousands of pounds – I’m a self-employed freelancer and I have to absolutely hustle for every single pound I earn. And someone has just helped themselves to around five thousand of them,’ she tweeted.

Ms Monroe is best known for her low-cost recipes and her support for anti-poverty campaigns.

Simjacking, also known as Simswapping, is when criminals port a phone number over to a new Sim card, which they can then use as if it was their own.

They do this by posing as a customer who wishes to move to a different mobile provider but keep their existing phone number.

While mobile phone operators often request personal information to complete the request, this can be data already in the public domain – Ms Monroe’s date of birth, for example, was on Wikipedia.”

The damage done by Simjacking is as yet unknown. Some industry experts believe the true extent has yet to be recorded and that, as more and more cyber criminals move to Simjacking, the damage to individuals could be catastrophic.

Fake Ad Blocking Fooling Chrome Web Store Users

Alphabet's Google has removed two malicious ad-blocking extensions from the Chrome Web Store after security researchers identified them as fake and malicious.

The fake extensions, listed as “AdBlock” by AdBlock Inc and “uBlock” by Charlie Lee, tricked Chrome users into believing they were the genuine AdBlock and uBlock extensions. Researchers from AdGuard, a rival ad-block plug-in maker, discovered the problem and alerted Google.

According to ThreatPost:

“Researcher Andrey Meshkov from rival ad blocker maker AdGuard discovered that the extensions ‘AdBlock’ and ‘uBlock’ found in the store were fraudulent and alerted users in a blog post.

Rather than legitimately block ads on websites—the obvious purpose of this type of browser extension–the malicious blockers perform what’s called ‘cookie stuffing,’ Meshkov said.

In this technique—which has been used since the internet’s early days–a website or browser extension adds extra information to a user’s cookie so it looks like more people clicked on an affiliate ad than actually did. Cybercriminals use cookie stuffing to win money through ad fraud.

By using fake ad blockers, cybercriminals can earn commission on purchases made on sites stuffed with the cookies, Meshkov said.

What’s especially difficult in terms of preventing this type of ad fraud is that it’s difficult for users downloading fraudulent adblockers to tell the difference from legitimate ones, he said.

The two extensions in question–AdBlock by AdBlock Inc. and uBlock by Charlie Lee—have names similar to existing ad blockers AdBlock by getadblock and uBlock.org’s uBlock or Raymond Hill’s uBlock Origin, Meshkov wrote.

Moreover, the fake ad blocker extensions do in fact block ads, he said. They ‘both are based on the code of the original ‘AdBlock’ extension so the quality is good enough,’ Meshkov wrote in the post.”
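The cookie-stuffing technique Meshkov describes, as an added example that is neither AdGuard's nor the extensions' code: an offline audit over constructed browser records that reproduces the signal such an extension leaves behind. It assumes the stuffing works as an affiliate click the user never made (the extension silently requests an affiliate link, the redirect lands on a merchant site, and the merchant sets its affiliate cookie); the record fields `initiator`, `chain` and `setCookie`, and every host name, are assumptions for illustration.

```javascript
// Added example (not AdGuard's or the extensions' code): an offline audit over
// constructed browser records for the cookie-stuffing signal. Assumes stuffing is a
// hidden affiliate click: extension requests an affiliate link, redirect lands on a
// merchant, merchant sets its affiliate cookie. Fields and hosts are assumptions.

// Constructed log: one entry per top-level request, with who started it, the
// redirect chain it followed, and the Set-Cookie headers the final response carried.
const requestLog = [
  { initiator: "user",
    chain: ["https://news.test/article"],
    setCookie: ["sess=abc123; Path=/; HttpOnly"] },
  { initiator: "extension",
    chain: ["https://cdn.filters.test/list.txt"],
    setCookie: ["edge=1; Path=/"] },
  { initiator: "extension",
    chain: ["https://affiliate.test/track?id=1234",
            "https://www.example-shop.test/?ref=1234"],
    setCookie: ["aff_id=1234; Domain=.example-shop.test; Path=/; Max-Age=2592000"] },
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

const hostOf = (url) => new URL(url).hostname;

// Flag cookies planted by extension-initiated requests whose redirect chain crossed
// from one site to another. A filter-list download (single host) is not flagged,
// a user's own navigation is not flagged, but a hidden affiliate hop that ends on a
// merchant and leaves a cookie there is.
function findStuffedCookies(log) {
  const findings = [];
  for (const req of log) {
    if (req.initiator !== "extension") continue;
    const hosts = [...new Set(req.chain.map(hostOf))];
    if (hosts.length < 2) continue;
    const landing = hosts[hosts.length - 1];
    for (const header of req.setCookie) {
      const c = parseSetCookie(header);
      const declared = typeof c.attrs.domain === "string" ? c.attrs.domain : landing;
      findings.push({ name: c.name, value: c.value, domain: declared.replace(/^\./, ""), via: hosts[0] });
    }
  }
  return findings;
}

console.log(findStuffedCookies(requestLog));
// [ { name: 'aff_id', value: '1234', domain: 'example-shop.test', via: 'affiliate.test' } ]
```

The point of keying on the redirect chain rather than on the cookie name is that the stuffed cookie is indistinguishable from a legitimate affiliate cookie once it is in the jar; what distinguishes it is that the user never made the click that set it.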

Until next time …