A Review of the Best News of the Week on AI, IoT, & Mobile Security

WhatsApp urges users to upgrade app after security breach (Reuters, May 14 2019)
Facebook’s WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the U.S. Department of Justice.

Now generally available: Android phone’s built-in security key (Google Cloud Blog, May 07 2019)
Android phone, bringing the benefits of a phishing-resistant two-factor authentication (2FA) to more than a billion users worldwide. This capability is now generally available.

Federal agencies are spending millions to hack into locked phones (Washington Post, May 13 2019)
A $1.2 million tab for iPhone hacking technology at U.S. Immigration and Customs Enforcement underscores how pervasively law enforcement is cracking into passcodes and other security features Americans use to keep their information private.


Man’s Homemade Electronics Disrupt Entire Neighborhood’s Car Keys and Garage Openers (Jalopnik, May 07 2019)
Sudden and mysterious reports of car key fobs and garage door openers not working started back in late April in a North Olmsted, Ohio suburban neighborhood, befuddling locals as to what could be the cause. It was like something out of the Twilight Zone, and it took weeks to find out what was actually happening.

Cutting Edge TensorFlow – Keras Tuner: hypertuning for humans (Elie on Internet Security and Performance, May 09 2019)
Keras Tuner is a hypertuning framework made for humans. It aims at making the life of AI practitioners, hypertuner algorithm creators and model designers as simple as possible by providing them with a clean and easy to use API for hypertuning. Keras Tuner makes moving from a base model to a hypertuned one quick and easy by only requiring you to change a few lines of code.

Why Google believes machine learning is its future (Ars Technica, May 10 2019)
Why we heard so much about machine learning at Google I/O this year.

Major Uptick in IoT-Related Breaches and Attacks (Infosecurity Magazine, May 07 2019)
Third-party IoT risks are a growing concern for most companies, a Ponemon Institute report says.

NIST Working on Industrial IoT Security Guide for Energy Companies (SecurityWeek, May 07 2019)
The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems.

Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone (TechCrunch, May 10 2019)
A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids and track vehicles — contains security flaws, which security researchers say are so severe the device should be recalled.

Metal keys beat smart locks in NYC legal battle (Naked Security – Sophos, May 09 2019)
A group of tenants in New York City have prevailed in a lawsuit against their landlord’s use of smart locks.

Samsung leaked SmartThings app source code and secret keys (SC Magazine, May 09 2019)
A security researcher at Dubai-based cybersecurity firm SpiderSilk discovered that a development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects, including its SmartThings platform. The researcher, Mossab Hussein, found Samsung engineers had left dozens of internal coding projects on a GitLab instance hosted…

The IoT threat landscape is expanding rapidly, yet few companies are addressing third party risk factors (Help Net Security, May 09 2019)
IoT-related data breaches caused specifically by an unsecured IoT device or application have increased dramatically since 2017, from 15 percent to 26 percent, and the real figure might be greater because most organizations are not aware of every unsecured IoT device or application in their environment or from third-party vendors, a Santa Fe Group study reveals.

SMS Spammers Expose 80 Million Records Online (Infosecurity Magazine, May 13 2019)
Unprotected MongoDB instance found by researcher

Study finds Android smartphones riddled with suspect ‘bloatware’ (Naked Security – Sophos, May 13 2019)
According to a new study, Android bloatware can create hidden security and privacy risks.

U.S. Blocks China Mobile, Citing National Security (SecurityWeek, May 09 2019)
US regulators on Thursday denied a request by China Mobile to operate in the US market and provide international telecommunications services, saying links to the Chinese government pose a national security risk.

AT&T and Verizon Employees Charged With Helping SIM Swapping Criminal Ring (VICE, May 13 2019)
The indictments show that sometimes stealing phone numbers to hack accounts is an inside job.

Nine Charged in Alleged SIM Swapping Ring (Krebs on Security, May 10 2019)
“Eight Americans and an Irishman have been charged with wire fraud this week for allegedly hijacking mobile phones through SIM-swapping, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. From there, the attackers simply start requesting password reset links via text message for a variety of accounts tied to the hijacked phone number.”

Bluetooth harvester signals hacking group’s growing interest in mobile (Ars Technica, May 13 2019)
ScarCruft’s new interest in mobile devices suggests the group’s continuing evolution.