A Review of the Best News of the Week on AI, IoT, & Mobile Security

About that “Any fingerprint can unlock your Galaxy S10” report (Graham Cluley, Oct 17 2019)
Sound-based fingerprint sensors send an ultrasonic pulse against the finger pressed on the phone and listen to the sound print produced by how the pulse bounces back from the ridges of your finger. However, registering your fingerprint on an ultrasonic sensor that sits behind the wrong type of screen protector might, in the worst cases, be little better than trying to read a fingerprint through rubber gloves! Ultrasonic fingerprint scanners can have problems with some screen protectors, as they may register the sound of a “fingerprint” bounced back off the screen protector rather than off the actual fingerprint’s ridges.

Alexa and Google Home abused to eavesdrop and phish passwords (Ars Technica, Oct 20 2019)
Amazon- and Google-approved apps turned both voice-controlled devices into “smart spies.”

Using Machine Learning to Detect IP Hijacking (Schneier on Security, Oct 17 2019)
To better pinpoint serial attacks, the group first pulled data from several years’ worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


AI and ML will become important for how organizations run their digital systems (Help Net Security, Oct 21 2019)
89 percent of the survey respondents believe AI and ML will become important for how organizations run their digital systems.

Deepfakes and voice as the next data breach (Help Net Security, Oct 21 2019)
“As cybercriminals continue to evolve their tactics and identify additional channels to target, I anticipate that voice will be the next major data breach. Companies need to build defenses against the technology before it gets too unwieldy to contain.”

IoT Attacks Up Significantly in First Half of 2019 (Dark Reading, Oct 15 2019)
New research shows attacks increased ninefold year-over-year, coming from more than a quarter-million unique IP addresses.

Why Bricking Vulnerable IoT Devices Comes with Unintended Consequences (Dark Reading, Oct 15 2019)
Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

Fake mobile app fraud tripled in first half of 2019 (Help Net Security, Oct 16 2019)
In Q2 2019, RSA Security identified 57,406 total fraud attacks worldwide. Of these, phishing attacks were the most prevalent (37%), followed by fake mobile apps (usually apps posing as those of popular brands).

iPhone jailbreakers lured to click fraud site (SC Magazine, Oct 15 2019)
A cybergang has created a malicious website that dangles the reward of being able to jailbreak an iPhone, but instead injects the device with click fraud malware. The threat actors use the legitimate Checkm8 vulnerability, which does allow some legacy iOS devices to be jailbroken, as the basis for their program…

Researcher releases PoC rooting app that exploits recent Android zero-day (Help Net Security, Oct 17 2019)
Late last month Google Project Zero researcher Maddie Stone detailed a zero-day Android privilege escalation vulnerability (CVE-2019-2215) and revealed that it is actively being exploited in attacks in the wild. She also provided PoC code that could help researchers check which Android-based devices are vulnerable and which are not.

Phishy text message tries to steal your cellphone account (Naked Security – Sophos, Oct 18 2019)
Which sort of company is most likely to contact you via SMS? Why, your mobile phone provider, of course!

Some Android adware apps hide icons to make it hard to remove them (Naked Security – Sophos, Oct 18 2019)
SophosLabs has discovered 15 apps on Google Play that install without icons as a ploy to keep themselves on the user’s device.

Fake iOS Checkra1n jailbreak site installs slot machine game, generates click-fraud revenue (Graham Cluley, Oct 15 2019)
A website that promises to jailbreak your iPhone using the Checkm8 exploit actually installs apps with the intention of generating click-fraud revenue.

Google says a fix for Pixel 4 face unlock is “months” away (Ars Technica, Oct 21 2019)
Google says to use the “lockdown” feature to stop others from unlocking your phone.

Woman ordered to type in iPhone passcode so police can search device (Naked Security – Sophos, Oct 22 2019)
It’s not a violation of her Fifth Amendment rights against self-incrimination, the court said on Wednesday, because the fact that she knows her phone passcode is a “foregone conclusion.”

Inside the Phone Company Secretly Run By Drug Traffickers (VICE, Oct 22 2019)
Crime blogger Martin Kok was assassinated while leaving a sex club. It turned out MPC, one of his clients, was not an ordinary phone company.