A Review of the Best News of the Week on AI, IoT, & Mobile Security

Bypassing Passcodes in iOS (Schneier on Security, Jun 26 2018)
Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and trying every PIN at once…

Supreme Court: Police Need Warrant for Mobile Location Data (Krebs on Security, Jun 22 2018)
The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies.

Fortnite’s Android Debut Sees Malicious Apps Launched (Infosecurity Magazine, Jun 21 2018)
YouTube videos have been detected claiming to contain downloads for the Android version of Fortnite

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Winning the Cyber Arms Race with Machine Learning (SecurityWeek, Jun 19 2018)
The fundamental problem is that Application Learning (AL) is solely observational, meaning it flags anomalies based on what it has previously witnessed and does not have the intelligence to determine whether an anomaly is benign or malicious. This generally results in a lot of false positives, so managing these tools end up being very resource intensive.

Artificial Intelligence & the Security Market (Dark Reading, Jun 21 2018)
A glimpse into how two new products for intrusion detection and entity resolution are using AI to help humans do their jobs.

Google Devices Leak Precise Physical Locations: Researcher (SecurityWeek, Jun 20 2018)
A newly discovered attack against Google Home and Chromecast devices can reveal a user’s precise physical location, a security researcher has discovered.

Millions of Google, Roku, and Sonos Devices Are Vulnerable to a Web Attack (Wired, Jun 19 2018)
Using a technique called DNS rebinding, one amateur hacker found vulnerabilities in devices from Google, Roku, Sonos, and more.

NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life (SecurityWeek, Jun 20 2018)
Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.

Default Passwords Aid Satori IoT Botnet Attacks (Infosecurity Magazine, Jun 22 2018)
Netlab 360 detected a surge in Satori botnet infecting vulnerable routers and IoT devices.

Indiana IoT Lab founder: Why IoT initiatives need cybersecurity built in from the start (TechRepublic, Jun 26 2018)
The Internet of Things increases the risk of cyber attacks. Here’s what companies need to do to stay safe, according to John Wechsler, founder of the Indiana IoT Lab.

Industrial IoT: Protecting the Physical World from Cyber Attacks (SecurityWeek, Jun 25 2018)
A recent survey from McKinsey found that 98 percent of business leaders report including industrial IoT initiatives in their strategic road maps.

When an App is Released into the App Store, Its Security Will Be Wildly and Fiercely Tested….Instantly. Are You Prepared? (SC Magazine, Jun 20 2018)
Anyone can download an app from Google Play or Apple’s App Store, and every instance of your application runs in an environment you cannot trust. You don’t know if the device has been jailbroken, stolen, or resold (without first being wiped clean). Furthermore, even apps that have protection applied to operate in an open loop. There’s no secure mechanism for an app to “phone home” to communicate current threat status so that developers can be alerted to malicious activity or update protections to stop it.

Offline Android apps get new security check (Naked Security – Sophos, Jun 21 2018)
How do Android users know whether an app is genuine?

Red Alert Android Trojan for Rent at $500 Per Month (SecurityWeek, Jun 25 2018)
The Red Alert 2.0 Android Trojan first detailed in September last year is currently available for rent on underground forums at $500 per month, Trustwave reports.

Ad-clicking, Information-stealing App Controls Over 60,000 Devices (RiskIQ, Jun 26 2018)
Although the app does its advertised function, it also infects victims’ devices and comes with a side of information stealing and ad-clicking.

3,000+ mobile apps leaking data from unsecured Firebase databases (Help Net Security, Jun 20 2018)
Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.

New HospitalGown Variant in iOS, Android Apps (Infosecurity Magazine, Jun 21 2018)
A Firebase variant was reportedly downloaded 620 million times.