A Review of the Best News of the Week on AI, IoT, & Mobile Security

Using Hacked IoT Devices to Disrupt the Power Grid (Schneier on Security, Sep 11 2018)
“BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”: Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices — such as air conditioners and heaters — gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid.

IoT Botnets Target Apache Struts, SonicWall GMS (SecurityWeek, Sep 10 2018)
The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob (Wired, Sep 10 2018)
Weak encryption in the cars’ key fobs allows all-too-easy theft, but you can set a PIN code on your Tesla to protect it.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.


Google releases free AI tool to stamp out child sexual abuse material (Naked Security – Sophos, Sep 05 2018)
The faster new images can be identified, the faster children can be rescued, Google said.

Serious Fraud Office trialling AI for data-heavy cases (Naked Security – Sophos, Sep 05 2018)
A new tool draws links between people under investigation: emails, who was cc’ed, and those quieter messages where nobody at all was cc’ed.

Endpoints a Top Security Concern for Industrial Organizations: IIoT Survey (SecurityWeek, Sep 05 2018)
The SANS Institute recently published a research study of Industrial IoT (IIoT) security. The survey polled more than 200 security professionals from energy, utility, oil and gas, and manufacturing organizations.

IT security teams are being locked out of IoT projects (Help Net Security, Sep 06 2018)
A survey of 1,150 IT and security decision makers in Germany, France, Japan, the UK and US revealed that 79 percent involve the IT department in choosing industrial IoT solutions, but only 38 percent involve their security teams.

Knock, knock: Digital key flaw unlocks door control systems (Naked Security – Sophos, Sep 05 2018)
Attackers could be able to unlock doors in office buildings and factories at will, thanks to a flaw in a popular door controller.

IoT Category Added to Pwn2Own Hacking Contest (SecurityWeek, Sep 05 2018)
This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.

Airbnb launches investigation after man finds hidden camera in clock (Naked Security – Sophos, Sep 11 2018)
Trust your gut: if staring at that common object in your rental gives you the heebie jeebies, it might be because it’s staring back at you.

Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords (Schneier on Security, Sep 05 2018)
It’s amazing that this is even possible: “SonarSnoop: Active Acoustic Side-Channel Attacks”:

Uber Announces Ramped Up Passenger Security (SecurityWeek, Sep 05 2018)
“For example, if there is a long, unexpected stop during a trip, both the rider and the driver will receive a Ride Check notification to ask if everything is OK.”

MITRE Adds Appthority as CVE Numbering Authority (CNA) – Appthority (Appthority, Sep 11 2018)
MITRE announced that Appthority has joined 89 other organizations as a CVE Numbering Authority (CNA). Appthority is the first CNA that is focused on enterprise mobile threat research.

Can ‘sonar’ sniff out your Android’s lock code? (Naked Security – Sophos, Sep 05 2018)
Researchers have demonstrated a novel, if slightly James Bond technique, for clandestinely discovering the unlock pattern used to secure an Android smartphone.

Android System Broadcasts Expose Device Information (SecurityWeek, Sep 04 2018)
Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

Attackers Abuse Age Restrictions to Hide Apps on iOS Devices (SecurityWeek, Sep 06 2018)
Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.

Google Expands ‘Android Enterprise Recommended’ Mobile Device Program (eWEEK, Sep 06 2018)
Google is now certifying Android devices as being ‘rugged’ if they meet certain elevated requirements for safety and security.

Android September 2018 Patches Fix Critical Flaws (SecurityWeek, Sep 09 2018)
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.

Everything You Should Do Before You Lose Your Phone (Wired, Sep 09 2018)
Misplacing your smartphone—or worse, having it stolen—is awful. But you can at least minimize the damage with a few easy steps.

A popular fetish app stored passwords in plain text (Engadget, Sep 11 2018)
When a human asks you for your password, that’s usually a bad sign.