A Review of the Best News of the Week on AI, IoT, & Mobile Security

How Hackers Are Breaking Into Ring Cameras (VICE, Dec 11 2019)
“Ring Video Doorbell Config,” one thread on a hacking forum reads. A config is a file used to drive special software for rapidly churning through usernames or email addresses and passwords and trying to use them to log into accounts. Hackers have developed configs for a wide variety of websites and online services, from Uber to Facebook.

WhatsApp Fixes Yet Another Group Chat Security Gap (Wired, Dec 17 2019)
The flaw would have given attackers an avenue for crashing the app—every time a user opened an infected group thread.

Security Vulnerabilities in the RCS Texting Protocol (Schneier on Security, Dec 16 2019)
SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



A sobering message about the future at AI’s biggest party (Ars Technica, Dec 14 2019)
AI leaders say that simply throwing more computers at a problem isn’t sustainable.

IBM Security adds AI features to its Cloud Identity solution (Help Net Security, Dec 11 2019)
IBM Security announced it is extending its artificial intelligence (AI) technology originally developed to protect users in the financial services industry, to clients in all industries via the company’s identity-as-a-service (IDaaS) offering.

US Software Testing Giant Buys AI Firm (Infosecurity Magazine, Dec 11 2019)
Qualitest has acquired AI and machine learning company AlgoTrace.

Emotion-detection in AI should be regulated, AI Now says (Naked Security – Sophos, Dec 16 2019)
It’s built on junk science, yet it’s being used to determine who gets hired, fired, insured, medicated and more, the research institute says.

Artificial intelligence – A help or hindrance? (SC Magazine, Dec 16 2019)
There are two divided sides when it comes to Artificial Intelligence (AI): those excited about its possibilities and those scared by its potential.

Consumers not willing to compromise when it comes to IoT security (Help Net Security, Dec 12 2019)
Nearly three quarters of consumers expect manufacturers of connected IoT devices to protect their devices from hacks, according to Karamba Security.

Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis (Wired, Dec 12 2019)
A new wave of reports about the home surveillance cameras getting hijacked by creeps is painfully familiar.

IoT security: Why it’s your biggest nightmare (Network World Security, Dec 16 2019)
The internet of things encompasses connected devices on a massive scale, actionable data and innovative business models – and it also brings unprecedented security headaches.

Researchers discover weakness in IoT digital certificates (Naked Security – Sophos, Dec 17 2019)
IoT devices are using weak digital certificates that could expose them to attack, according to a study released over the weekend.

Apple iOS 13.3 is here, bringing support for keyfobby authentication (Naked Security – Sophos, Dec 12 2019)
On Tuesday, as expected, Apple released iOS 13.3, iPadOS 13.3, tvOS 13.3, and watchOS 6.1.1 to the public, bringing bug fixes and performance improvements, as well as one big new security improvement: support in its Safari browser for two-factor authentication (2FA) hardware tokens such as Yubico’s Yubikey.

Extracting Data from Smartphones (Schneier on Security, Dec 11 2019)
Privacy International has published a detailed, technical examination of how data is extracted from smartphones….

Android App Analysis Uncovers Seasonal Shopping Risk (Dark Reading, Dec 12 2019)
Researchers scanned 4,200 Android apps and found many exhibit malicious behavior or have a dangerous level of permissions.

Apple’s new Screen Time Communication Limits are easily beaten with a bug (Ars Technica, Dec 13 2019)
Apple acknowledges the bug affects iPhones with a “non-standard configuration.”

Google adds Verified SMS and anti-spam feature to Messages app (Naked Security – Sophos, Dec 16 2019)
If webmail, WhatsApp and IM are killing SMS, someone might want to tell Google – as it continues to add new features to its Messages app.

House Democrat questions Google, Apple over handling of foreign-linked apps (TheHill, Dec 16 2019)
A House Democrat pressed Google and Apple this week to provide information on whether they require mobile app developers to disclose foreign affiliations prior to the apps being offered to consumers, citing specific concerns around apps TikTok and FaceApp.

Mobile Devices Account for 41% of DDoS Attack Traffic (Dark Reading, Dec 16 2019)
DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic.