A Review of the Best News of the Week on AI, IoT, & Mobile Security
Decades-Old Code Is Putting Millions of Critical Devices at Risk (Wired, Oct 01 2019)
Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.
New Unpatchable iPhone Exploit Allows Jailbreaking (Schneier on Security, Oct 08 2019)
-Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits.
-The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
-Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
-All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
-Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.
Inside New York City’s Partnership With Israeli iPhone Hacking Company Cellebrite (Medium, Oct 08 2019)
Documents reveal the Manhattan DA subscribes to a program that lets authorities break into iPhones in-house
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Blind Spots in AI Just Might Help Protect Your Privacy (Wired, Oct 02 2019)
Researchers have found a potential silver lining in so-called adversarial examples, using it to shield sensitive data from snoops.
Forget fake news—nearly all deepfakes are being made for porn (MIT Technology Review, Oct 08 2019)
The internet is home to at least 14,678 deepfakes, according to a new report by DeepTrace, a company that builds tools to spot synthetic media.
Multiple zero-day vulnerabilities found medical IoT devices: CISA (SC Magazine, Oct 02 2019)
Advisory ICSA-19-274-01, which has a CVSS rating or 9.8, covers the following pieces of equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, Zebos by IP Infusion, and VxWorks by Wind River. The vulnerabilities include stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection and null pointer dereference.
Measuring the Security of IoT Devices (Schneier on Security, Oct 03 2019)
“In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software.”
FDA Issues Cybersecurity Warning for Medical Devices (Infosecurity Magazine, Oct 03 2019)
URGENT/11 vulnerabilities discovered in widely used third-party software
Tracking by Smart TVs (Schneier on Security, Oct 04 2019)
Long Twitter thread about the tracking embedded in modern digital televisions. The thread references three academic papers….
Inside consumer perceptions of security and privacy in the connected home (WeLiveSecurity, Oct 08 2019)
The ESET survey polled 4,000 people to get a sense of their attitudes towards the privacy and security implications of smart home technology
Microsoft CEO Satya Nadella says stopping the firm’s controversial research in China would hurt (Business Insider, Oct 07 2019)
Microsoft CEO Satya Nadella says stopping the firm’s controversial research in China would hurt Business Insider
What’s next for 5G? (Help Net Security, Oct 01 2019)
The future of 5G lies in the enterprise, states ABI Research. Use cases across different vertical markets, such as industrial automation, cloud gaming, private Long-Term Evolution (LTE), and smart transport systems, will become pervasive, and will unlock new opportunities for Mobile Service Providers (MSPs) along the way.
US Warns Italy Over China and 5G (SecurityWeek, Oct 02 2019)
US Secretary of State Mike Pompeo warned Italy Wednesday of China’s “predatory approach” to trade and investment, but Rome insisted its special powers over 5G supply deals would protect it.
Do apps need all the permissions? (WeLiveSecurity, Oct 02 2019)
Why you should ensure that all those apps on your smartphone only run with the permissions they reasonably need to do their job
Attackers exploit 0-day vulnerability that gives full control of Android phones (Ars Technica, Oct 04 2019)
Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.
Inexpensive, unpatched phones put billions of users’ privacy at risk (Ars Technica, Oct 07 2019)
Billions who only connect with cheap Android phones pay with their personal info.
Signal immediately fixed FaceTime-style eavesdropping bug (Naked Security – Sophos, Oct 08 2019)
Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Researchers just discovered another – this time in Signal.
Google Patches Remote Code Execution Bugs in Android 10 (SecurityWeek, Oct 08 2019)
Google’s October 2019 set of security patches for Android address a total of 26 vulnerabilities in the operating system, including a couple of remote code execution bugs impacting Android 10.