A Review of the Best News of the Week on AI, IoT, & Mobile Security

Over a Billion Android Devices Are at Risk of Data Theft (Wired, Aug 10 2020)
Qualcomm has released a fix for the flaws in its Snapdragon chip, which attackers might exploit to monitor location or render the phone unresponsive.

Hackers Could Use IoT Botnets to Manipulate Energy Markets (Wired, Aug 04 2020)
With access to just 50,000 high-wattage smart devices, attackers could make a bundle off of causing minor fluctuations.

A Hacker’s guide to reducing side-channel attack surfaces using deep-learning (Elie Bursztein’s blog, Aug 06 2020)
In recent years, Side-Channel Attacks Assisted with Machine Learning, aka SCAAML, have been proven a very effective approach to carry out side-channel attacks even against the toughest hardware cryptographic implementations in a semi-automatic manner.

Building on this line of work, this talk showcases how to take it a step further and demonstrates how to combine the recent advances in deep-learning explainability with dynamic execution to quickly assess which parts of a hardware cryptographic implementation are responsible for leaking the information exploited by a given side-channel attack.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Ways AI could be used to facilitate crime over the next 15 years (Help Net Security, Aug 04 2020)
Fake audio or video content has been ranked by experts as the most worrying use of artificial intelligence in terms of its potential applications for crime or terrorism, according to a new UCL report. The study identified 20 ways AI could be used to facilitate crime over the next 15 years.

How AI is Becoming Essential to Cyber-Strategy (Infosecurity Magazine, Aug 05 2020)
Artificial neural networks can allow an AI to self-determine what features it uses to reach a conclusion.

Here’s why Apple believes it’s an AI leader—and why it says critics have it all wrong (Ars Technica, Aug 06 2020)
Apple AI chief and ex-Googler John Giannandrea dives into the details with Ars.

A British AI Tool to Predict Violent Crime Is Too Flawed to Use (Wired, Aug 09 2020)
A government-funded system known as Most Serious Violence was built to predict first offenses but turned out to be wildly inaccurate.

Smart Lock Vulnerability (Schneier on Security, Aug 10 2020)
“Yet another Internet-connected door lock is insecure:

Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec’s $139.99 UltraLoq is marketed as a “secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code.”

Users can share temporary codes and ‘Ekeys’ to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device’s MAC address can help themselves to an access key, too.”

HDL Smart Devices in Homes and Buildings Exposed to Hacker Attacks (SecurityWeek, Aug 11 2020)
Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.

Google Patches Over 50 Vulnerabilities in Android With August 2020 Updates (SecurityWeek, Aug 04 2020)
Google on Monday announced the August 2020 security updates for the Android operating system, with patches for a total of more than 50 vulnerabilities.

Microsoft Won’t Fix TikTok’s Problems (VICE, Aug 04 2020)
A real solution lies not in banning TikTok or transferring its ownership to Microsoft, but in reevaluating the relationship between social media users and the platforms we create.

iOS 14’s Best Privacy Feature? Catching Data-Grabbing Apps (Wired, Aug 05 2020)
Apple’s new operating system hasn’t been released to the public yet, but its new permission notifications are already shaming developers into cleaning up their acts.

#BHUSA: Android Phones at Risk of BlueRepli Bluetooth Attack (Infosecurity Magazine, Aug 06 2020)
Researchers disclose Bluetooth attack that can potentially enable an attacker to steal information from almost any Android device.

Twitter Says Android App Vulnerability Exposed Direct Messages (SecurityWeek, Aug 06 2020)
Twitter informed customers on Wednesday that a vulnerability in its Android app could have been exploited by malicious applications to access private data.

There’s little consensus on TikTok’s specific national security threat (Axios, Aug 07 2020)
Some in D.C. highlight China’s possible access to U.S. data, while others think it poses more of a cultural threat.

‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks (SecurityWeek, Aug 10 2020)
A series of vulnerabilities affecting Samsung’s Find My Mobile could have been chained to perform various types of activities on a compromised smartphone, a researcher from Portugal-based cybersecurity services provider Char49 revealed at the DEF CON conference on Friday.

Collecting and Selling Mobile Phone Location Data (Schneier on Security, Aug 11 2020)
“The Wall Street Journal has an article about a company called Anomaly Six LLC that has an SDK that’s used by “more than 500 mobile applications.” Through that SDK, the company collects location data from users, which it then sells.

Anomaly Six is a federal contractor that provides global-location-data products to branches of the U.S. government and private-sector clients. The company told The Wall Street Journal it restricts the sale of U.S. mobile phone movement data only to nongovernmental, private-sector clients.”