AI, IoT, Mobile Security

AI, IoT, & Mobile Security – The Week’s Best News – 2019.10.08

2019-10-08 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Decades-Old Code Is Putting Millions of Critical Devices at Risk (Wired, Oct 01 2019)
Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.

New Unpatchable iPhone Exploit Allows Jailbreaking (Schneier on Security, Oct 08 2019)
-Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits.
-The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
-Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
-All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
-Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

Inside New York City’s Partnership With Israeli iPhone Hacking Company Cellebrite (Medium, Oct 08 2019)
Documents reveal the Manhattan DA subscribes to a program that lets authorities break into iPhones in-house

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Blind Spots in AI Just Might Help Protect Your Privacy (Wired, Oct 02 2019)
Researchers have found a potential silver lining in so-called adversarial examples, using it to shield sensitive data from snoops.

Forget fake news—nearly all deepfakes are being made for porn (MIT Technology Review, Oct 08 2019)
The internet is home to at least 14,678 deepfakes, according to a new report by DeepTrace, a company that builds tools to spot synthetic media.

Multiple zero-day vulnerabilities found medical IoT devices: CISA (SC Magazine, Oct 02 2019)
Advisory ICSA-19-274-01, which has a CVSS rating or 9.8, covers the following pieces of equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, Zebos by IP Infusion, and VxWorks by Wind River. The vulnerabilities include stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection and null pointer dereference.

Measuring the Security of IoT Devices (Schneier on Security, Oct 03 2019)
“In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software.”

FDA Issues Cybersecurity Warning for Medical Devices (Infosecurity Magazine, Oct 03 2019)
URGENT/11 vulnerabilities discovered in widely used third-party software

Tracking by Smart TVs (Schneier on Security, Oct 04 2019)
Long Twitter thread about the tracking embedded in modern digital televisions. The thread references three academic papers….

Inside consumer perceptions of security and privacy in the connected home (WeLiveSecurity, Oct 08 2019)
The ESET survey polled 4,000 people to get a sense of their attitudes towards the privacy and security implications of smart home technology

Microsoft CEO Satya Nadella says stopping the firm’s controversial research in China would hurt (Business Insider, Oct 07 2019)
Microsoft CEO Satya Nadella says stopping the firm’s controversial research in China would hurt Business Insider

What’s next for 5G? (Help Net Security, Oct 01 2019)
The future of 5G lies in the enterprise, states ABI Research. Use cases across different vertical markets, such as industrial automation, cloud gaming, private Long-Term Evolution (LTE), and smart transport systems, will become pervasive, and will unlock new opportunities for Mobile Service Providers (MSPs) along the way.

US Warns Italy Over China and 5G (SecurityWeek, Oct 02 2019)
US Secretary of State Mike Pompeo warned Italy Wednesday of China’s “predatory approach” to trade and investment, but Rome insisted its special powers over 5G supply deals would protect it.

Do apps need all the permissions? (WeLiveSecurity, Oct 02 2019)
Why you should ensure that all those apps on your smartphone only run with the permissions they reasonably need to do their job

Attackers exploit 0-day vulnerability that gives full control of Android phones (Ars Technica, Oct 04 2019)
Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.

Inexpensive, unpatched phones put billions of users’ privacy at risk (Ars Technica, Oct 07 2019)
Billions who only connect with cheap Android phones pay with their personal info.

Signal immediately fixed FaceTime-style eavesdropping bug (Naked Security – Sophos, Oct 08 2019)
Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Researchers just discovered another – this time in Signal.

Google Patches Remote Code Execution Bugs in Android 10 (SecurityWeek, Oct 08 2019)
Google’s October 2019 set of security patches for Android address a total of 26 vulnerabilities in the operating system, including a couple of remote code execution bugs impacting Android 10.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.10.01

2019-10-01 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Why Checkm8 iDevice jailbreak exploit is a game changer (Ars Technica, Sep 28 2019)
Unpatchable vulnerability is a game-changer that even Apple will be unable to stop.

Researchers Think They Know How Many Phones Are Vulnerable to ‘SIMjacker’ Attacks (VICE, Sep 27 2019)
They also created a tool to determine whether your phone’s SIM card is vulnerable.

Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold (VICE, Sep 30 2019)
Their creation has been successfully fully outsourced to a factory, the security researcher behind the cables said.

Share today’s post on Twitter Facebook LinkedIn

Google made thousands of deepfakes to aid detection efforts (Naked Security – Sophos, Sep 27 2019)
It’s an arms race: as detection methods improve, deepfake-generating algorithms are quickly updated to correct the flaws.

New ‘Gucci’ IoT Botnet Targets Europe (SecurityWeek, Sep 30 2019)
Security researchers with SecNiche Security Labs have discovered a new piece of malware that attempts to ensnare Internet of Things (IoT) devices in Europe into a distributed denial-of-service (DDoS)-capable botnet.

Poison Carp cyberespionage group targeting Tibetan officials with mobile malware (SC Magazine, Sep 24 2019)
A newly designated threat group dubbed Poison Carp has been found using Android exploits to plant spyware on devices operated by the leadership of various Tibetan leaders.

Android apps with scores of downloads serve up annoying ads, unwanted subscriptions (SC Magazine, Sep 24 2019)
Hundreds of millions of Android devices have potentially been compromised by malicious adware and ad fraud apps that on the surface appear to offer harmless services such as selfie filters, weather forecasts or VPN security, according to a trio of recently released research reports.

218M Words with Friends Players Compromised in Data Breach (Dark Reading, Sep 30 2019)
The same attacker was reportedly behind the Collection #1 and Collection #2 data dumps earlier this year.

New Spyware Threatens Telegram’s 200 Million Users (Infosecurity Magazine, Sep 27 2019)
Trojan-delivered spyware uses messaging app to exfiltrate stolen information

Checkm8 jailbreak and AltStore put cracks in Apple’s walled garden (Naked Security – Sophos, Sep 30 2019)
People are taking different tacks to get around Apple’s tightly controlled phone rules.

Illegal gambling apps snuck into Apple and Google stores (SC Magazine, Sep 26 2019)
Google and Apple recently removed hundreds of apps from their respective app stores after being informed they were actually fronts for gambling operations. While it’s not unusual to find malicious apps, this operation was different in that many of the apps passed through Google and Apple’s vetting process, Trend Micro reported.

Apple updates software, fixes flaw affecting third-party keyboard apps (SC Magazine, Sep 26 2019)
Apple last week released a series of software updates that repaired vulnerabilities in iOS, iPadOS, macOS Mojave, macOS High Sierra, macOS Sierra, watchOS, tvOS, Apple TV Software and Safari.

Cloudflare Launches Its Security-Focused Mobile VPN, Again (Wired, Sep 25 2019)
When the company first launched the Warp VPN, “all hell broke loose,” its CEO says. After a few months of tinkering, Cloudflare wants a do-over.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.09.24

2019-09-24 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

What security and privacy enhancements has iOS 13 brought? (Help Net Security, Sep 23 2019)
With the release of iPhone 11 and its two Pro variants, Apple has released iOS 13, a substantial functional update of its popular mobile operating system. But while many users are happy to finally get a complete Dark Mode for the device or a better phone camera, some are more interested in security and privacy enhancements.

Verizon Makes SIM Swapping Hard. Why Doesn’t AT&T, Sprint, and T-Mobile? (VICE, Sep 19 2019)
Verizon employs different security procedures when porting a phone number to a different SIM card than the other carriers. This is making SIM swapping attacks harder to perform against Verizon customers.

Huawei Suspended From Global Forum Aimed at Combating Cybersecurity Breaches (WSJ, Sep 18 2019)
A group formed to respond quickly to hacks and other cyber threats has temporarily expelled the Chinese company after legal advice

Share today’s post on Twitter Facebook LinkedIn

Report: Use of AI surveillance is growing around the world (Naked Security – Sophos, Sep 20 2019)
It’s not just China: at least 75 out of 176 countries globally are actively using AI technologies for surveillance purposes, research shows.

Government Report Warns of AI Policing Bias (Infosecurity Magazine, Sep 18 2019)
Forces also need a clear Code of Practice, says think tank

Japan seeks AI system for predicting cyberattacks (Inquirer, Sep 23 2019)
The hope is that sharing early-warning information among relevant institutions will lead to rapid responses. Work could start within the month, with plans to conduct verification experiments in fiscal 2022 and have working technology as early as possible.

Protocol found in webcams and DVRs is fueling a new round of big DDoSes (Ars Technica, Sep 18 2019)
WSD is supposed to be confined to local networks. It’s not, and researchers are concerned.

Improving the security, privacy and safety of future connected vehicles (Help Net Security, Sep 19 2019)
The security, privacy and safety of connected autonomous vehicles (CAVs) has been improved thanks to testing at WMG, University of Warwick. Four new innovations…

A Safer IoT Future Must Be a Joint Effort (Dark Reading, Sep 20 2019)
We’re just at the beginning of an important conversation about the future of our homes and cities, which must involve both consumers and many players in the industry

California’s IoT Security Law Causing Confusion (Dark Reading, Sep 19 2019)
The law, which goes into effect January 1, requires manufacturers to equip devices with ‘reasonable security feature(s).’ What that entails is still an open question.

15,000 private webcams left open to snooping, no password required (Graham Cluley, Sep 19 2019)
Once again concerns are being raised about the sorry state of IoT security, after a security researcher discovered over 15,000 private webcams that have been left wide open for anyone with an internet connection to spy upon.

How a hacked Jeep Cherokee led to increased security from cyber carjackers (Autoblog, Sep 21 2019)
When researchers remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl in the middle of a U.S. highway, the portal the hackers used was an infotainment system made by supplier Harman International. Harman, now part of Samsung Electronics, has since developed its own cybersecurity product, and bought Israel-based cybersecurity company TowerSec for $70 million to help it overhaul manufacturing processes and scrutinize third-party supplier software.

iOS 13 ships with known lockscreen bypass flaw that exposes contacts (Ars Technica, Sep 20 2019)
Vulnerability was demonstrated one week ago, when iOS 13 was still in beta.

Apple iOS 13.1 will fix location privacy bug, lockscreen bypass exploit (SC Magazine, Sep 23 2019)
A location privacy bug in iOS 13 that apparently doesn’t honor users’ privacy settings in some apps should be fixed in the Tuesday launch of iOS 13.1.

The FBI Tried to Plant a Backdoor in an Encrypted Phone Network (VICE, Sep 18 2019)
The FBI wanted a backdoor in Phantom Secure, an encrypted phone company that sold to members of the Sinaloa cartel, and which is linked to the alleged leaking of sensitive law enforcement information in Canada.

Deconstructing an iPhone Spearphishing Attack (Dark Reading, Sep 19 2019)
How criminals today bypass smartphone anti-theft protection and harvest AppleID and passwords taken from fake Apple servers.

AT&T Says Customers Can’t Sue the Company for Selling Location Data to Bounty Hunters (VICE, Sep 19 2019)
Due to the contract fine print, AT&T says customers must instead deal with the company privately rather than in court.

Hackers Tried to Compromise Phones of Tibetans Working for Dalai Lama (VICE, Sep 24 2019)
Citizen Lab details new hacking campaigns against high-profile Tibetans using iPhones and Android smartphones.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.09.17

2019-09-17 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Simjacker silent phone hack could affect a billion users (Naked Security-Sophos, Sep 16 2019)
The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.

T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About (VICE, Sep 13 2019)
T-Mobile’s little known NOPORT setting can protect your phone number from SIM swapping.

How Artificial Intelligence Is Changing Cyber Security Landscape and Preventing Cyber Attacks (Entrepreneur, Sep 14 2019)
The world is going digital at an unprecedentedly fast pace, and the change is only going to go even faster. The digitalization means everything is moving at lightning speed – business, entertainment, trends, new products, etc. The consumer gets what he or she wants instantly because the service provider has the means to deliver it.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Security Pros’ Painless Guide to Machine Intelligence, AI, ML & DL (Dark Reading, Sep 10 2019)
Artificial intelligence, machine learning, or deep learning? Knowing what the major terms really mean will help you sort through the morass of words on the subject and the security uses of each.

Off the hook: How AI catches phishing emails even if we take the bait (Darktrace Blog, Sep 06 2019)
By uniting email security with enterprise security, we can autonomously fight back against phishing attacks — even those we fall for hook, line, and sinker.

How a Hacked Light Bulb Could Lead to Your Bank Account Being Drained (Observer, Sep 11 2019)
“As time passes and we continue to have unpatched connected devices in our homes with dated software full of known bugs, we are just waiting to be exploited by hackers,” said Ashkenazi.

IoT attacks increasing in the cyber underground (Help Net Security, Sep 11 2019)
Cybercriminals from around the world are actively discussing how to compromise connected devices, and how to leverage these devices for moneymaking schemes, according to Trend Micro.

New Passive RFID Tech Poses Threat to Enterprise IoT (Infosec Island, Sep 11 2019)
Although passive RFID technology shows much promise for streamlining and improving the management of IoT, unresolved vulnerabilities in the technology’s security remain a bottleneck for both the implementation of RFID and the growth of the IoT industry.

IIoT security challenges: Dealing with cutting edge technologies (Help Net Security, Sep 12 2019)
“My advice is to “unlock” data at the edge for use in IT decision making in a way that is scalable and does not alter manufacturing processes. Smart manufacturing requires a rethinking of most manufacturing networks, which are too often “spaghetti networks,” full of devices and computers with specific functions in the plant but whose internal data flows have never been properly evaluated within the framework of a strong security policy.”

It’s Time for IoT Security’s Next Big Step (Wired, Sep 11 2019)
Connected devices are more secure than ever. That’s still not nearly enough.

Shining light on dark data, shadow IT and shadow IoT (Network World Security, Sep 13 2019)
What’s lurking in the shadows of YOUR organization? What you don’t know can hurt you. Insider Pro columnist Mike Elgan looks at how your business is at risk and offers six steps to minimize it.

Securing a Connected Future: 5G and IoT Security (SecurityWeek, Sep 12 2019)
Organizations Must be Wary of the Security Implications of Transitioning to 5G

Preventing GPS spoofing is hard—but you can at least detect it (Ars Technica, Sep 12 2019)
This GPS spoofing defense software looks promising, but it’s short on detail.

Error-laden phone location data suspended from use in Danish courts (Naked Security – Sophos, Sep 12 2019)
10,700 cases will be reviewed over 2 months, and 32 detainees have already been released after finding bugs in software and raw telecom data.

Telegram Failed to Delete Removed Images From Local Storage (SecurityWeek, Sep 11 2019)
The Telegram secure messaging application was found to breach users’ privacy by failing to properly remove images from a device’s local storage when the sender selects to delete them for all recipients.

The Biggest iPhone Hack in History, Explained (VICE, Sep 12 2019)
Inside a hack that targeted thousands of people a week. (Audio)

#44CON: GPS Trackers Hacked to Make Premium Rate Calls (Infosecurity Magazine, Sep 13 2019)
How consistent API flaws allowed IoT devices to be hacked

iPhone lockscreen bypass: iOS 13 tricked into showing your contacts (Naked Security – Sophos, Sep 16 2019)
This time, José Rodríguez came up with a way to trick the iOS 13 beta into showing its address book without the need to unlock the screen.

Recycled Source Code Used to Create New MobiHok Android RAT (SecurityWeek, Sep 16 2019)
MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT

Android Flashlight Apps Request up to 77 Permissions (SecurityWeek, Sep 13 2019)
An analysis of Android flashlight applications available in Google Play has revealed that they request an average of 25 permissions, with some requesting up to 77 permissions when installed.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.09.10

2019-09-10 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

120 Million Workers Need To Be Retrained Because Of AI (Forbes, Sep 10 2019) In the next three years, as many as 120 million workers in the world’s 12 largest economies may need to be retrained or reskilled as a result of AI and intelligent automation; only 41% of CEOs surveyed say that they have the people, skills and resources required to execute their business strategies; the time it takes to close a skills gap through training has increased from 3 days on average in 2014 to 36 days in 2018 [IBM]

Cybercriminals Impersonate Chief Exec’s Voice with AI Software (Dark Reading, Sep 03 2019) Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.

Apple Disputes Google’s Claims of a Devastating iPhone Hack (VICE, Sep 06 2019) Apple says that Google oversold the nature of the hack and that it quickly fixed the vulnerability.

Facebook launches $10m deepfake detection project (Naked Security – Sophos, Sep 09 2019) If you’re worried about the evil potential of deepfake video, you’re not alone; so is Facebook.

A Hacker Guide To Deep Learning Based Side Channel Attacks (Elie Bursztein, Aug 09 2019) This talk provides a step-by-step introduction on how to use deep learning to perform AES side-channel attacks.

What Do We Often Misunderstand About Artificial Intelligence’s Role In Cybersecurity? (Forbes, Sep 09 2019) Both machine learning and deep learning use mathematical models from data to help inform decision making. However, there is a big difference in the performance of traditional machine learning versus deep learning. The more data you feed into a deep learning system, the more accurate it becomes. The performance does not plateau as it does with traditional machine learning.

‘Satori’ IoT Botnet Operator Pleads Guilty (Krebs on Security, Sep 04 2019) “A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.”

600,000 GPS trackers for people and pets are using 123456 as a password (Ars Technica, Sep 05 2019) A lack of encryption and easily enumerated IDs open users to a host of creepy attacks.

Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT (Dark Reading, Sep 05 2019) Field-programmable gate arrays are flexible, agile-friendly components that populate many infrastructure and IoT devices and have recently become the targets of researchers finding vulnerabilities.

5G Standard to Get New Security Specifications (Dark Reading, Sep 04 2019) Researchers had recently demonstrated how attackers could intercept device capability information and use it against 5G mobile subscribers.

Android Phone Flaw Allows Attackers to Divert Email (Dark Reading, Sep 04 2019) Researchers find that a spoofing a service message from the phone carrier is simple and effective on some brands of Android smartphones.

Security hole opens a billion Android users to advanced SMS phishing attacks (Help Net Security, Sep 04 2019) The affected Android phones use over-the-air (OTA) provisioning, which allows mobile network operators to deploy network-specific settings to a new phone joining their network. However, researchers found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP)…

Facebook loses control of key used to sign Android app (Naked Security – Sophos, Sep 04 2019) What should be a private key used to vouch for the ‘Free Basics by Facebook’ app was used to sign unrelated apps.

QR codes need security revamp, says creator (Naked Security – Sophos, Sep 04 2019) QR codes have been around since 1994, but their creator is worried. They need a security update, he says.

Zerodium Offers Up to $2.5 Million for Android Exploits (SecurityWeek, Sep 04 2019) Exploit acquisition firm Zerodium announced on Tuesday that it’s offering up to $2.5 million for powerful Android exploits, more than what it’s offering for the same type of exploit on iOS.

Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack (Graham Cluley, Sep 04 2019) In the wake of the CEO of Twitter having his account hijacked the site has disabled the option to tweet via SMS.

Why ‘SIM Swapping’ Is a Growing Security Nightmare (The New York Times, Sep 05 2019) Hackers have been targeting regular people and celebrities with the attack. Last week, it was used to hijack the Twitter account of Twitter’s C.E.O.

Future iPhones may have both Face ID and in-display fingerprint reader (Ars Technica, Sep 05 2019) iPhone users may get option to unlock with either fingerprint or Face ID.

Google purges 24 malware-ridden apps that were downloaded 500,000 times (The Next Web, Sep 10 2019) The findings, disclosed by cybersecurity firm CSIS Security Group, reveal that the malware — called Joker — is designed to surreptitiously sign users up for premium service subscriptions, in addition to stealing the victim’s SMS messages, the contact list, and device information.