Category Archives: Mobile threats

Where’s Wally? Tracking the president with GPS

Is the security of wearable technology really a big deal? Is the security of IoT devices really such a big deal? I mean, my fridge, my light bulb, my other cliché, what use are they to an attacker? Who really cares where I am, how fast my heart is beating or what my typical pace is over any given distance?

Maybe this photo of the President of the United States sporting his shiny new fitbit Surge gives you all the answer you need. The POTUS, wearing a fitbit, with GPS, being tracked 24/7, by a third party… See where I’m going?

The Internet of Things (IoT) and, even more broadly, the Internet of Everything (IoE) are still nascent areas of technology, where individual physical devices with embedded electronics, software and sensors are internet connected in order to provide greater value by exchanging data without the need for direct human intervention. This rapidly expanding arc of the information technology rainbow has attracted much attention recently from security researchers, with presentations at high-profile security events breaking the security of home security systems, cars and many others.

Whilst this research is important in practical terms, hopefully driving some manufacturers to resolve the issues identified, it is also somewhat misdirected.

IoT devices themselves are almost invariably sold as a “black box” solution: little to no user interface and no options for aftermarket security or tweaking. They are most often low memory, low storage, low processor-power devices designed primarily to harvest data and forward it on for the actual processing. And there’s the rub. The data is sent off-device, to the cloud, where it can be processed, mined, correlated and cross-referenced. Where it can be BIG data.

It is a simple matter for a security researcher to acquire a piece of interesting technology and begin to dissect it for vulnerabilities. Of course it takes skill to do so, but there are no significant barriers aside from that. You buy the kit and you break it.

It is a far more complex minefield to navigate if you set out to test the security of the back-end to those devices. In fact, more often than not it is illegal. To probe the security of someone else’s data centre without their permission, to break in and see what treasure is there for the taking, that ventures outside the realms of research and into the criminal, so the good guys don’t do it.

The bad guys, of course, don’t have to play by those rules; targeted attacks are their stock in trade, and data centres are fast becoming targets of choice. If the President of the USA is wearing technology x, then technology x’s back-end suddenly presents a juicy looking target for criminal or state-sponsored attack, and they won’t be discerning about who else’s data they make available either.

Data in general is gold dust to attackers: the more of it one can accumulate, the more tailored, credible and successful one’s attacks can become. All too often, devices destined to be connected and used online are designed and produced either by traditional organisations who have typically not had to pay attention to digital security during the manufacture and design process, or by entrepreneurs who are too interested in getting their first product to market to be slowed down by some nagging security concern.

It is becoming a significant challenge to regulatory bodies and to governments to ensure that safety standards, which have previously focused on the physical risks of a product and its components, accurately and clearly identify digital risks and outline the minimum safety criteria. Perhaps in the near future we can hope for a kind of digital kite-mark, offering at least some assurance that physical goods and their supporting infrastructure have been designed and built to a defined standard of digital security, that security was baked in, not glossed over, and that none of the small parts may cause choking. The need for this becomes ever more urgent as pretty much every £100+ good becomes connected in some way. In fact, Gartner estimated in 2013 that by the year 2020 (have you watched our award-winning web series yet?) there will be more than 30 billion “connected devices”.

Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities; the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments, would be a *very* bad idea right now: expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board, where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images, but the reality of many of these images, confirmed in some cases by the victims’ agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide scale “hack” of Apple’s iCloud is unlikely; even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1 – (Least likely) All the celebrities affected had weak, easy to guess, passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two-factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online, and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity than it is for you and me.

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled through oversupply. Of course, if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service, the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh, and the other thing: stop taking naked photos.

Snapchat user data exposed in huge data theft.

Image courtesy of aturkus Flickr photostream

Usernames and phone numbers for more than 4.5 million Snapchat users have been published on a website called SnapchatDB.info after attackers took advantage of an exploit disclosed on the 23rd December 2013. According to TechCrunch, SnapchatDB said:

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does”

This is of course not the first vulnerability discovered in the Snapchat service or app. Various methods of secretly saving photos or recovering deleted photos have already hit the headlines in recent months; those were vulnerabilities in the app itself and would be exploited on the end-user device. This latest attack uses weaknesses in the API on the Snapchat servers themselves (the API is the method by which a Snapchat client communicates with the Snapchat service). These weaknesses allow an automated system to send an enormous number of queries to the Snapchat server in a short period of time, discovering whether or not a given telephone number exists in the Snapchat database and retrieving other information associated with that number; of course the numbers themselves will be mobile telephone numbers. This attack, combined with further mining of data, for example through social media, could easily be used to build a very large database of personal information for many kinds of further exploitation or resale. Although Snapchat were made aware of these vulnerabilities some months ago, GibsonSec, the publishers of the proof-of-concept exploit, claim that they are still easily exploitable, and SnapchatDB proves that point.
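The enumeration pattern described above, a single client asking about a huge number of distinct phone numbers in a short window and mostly getting “not found”, is something the service side can detect. Here is an added example of that check (not Snapchat’s own code or data); the log format, client identifiers, window and threshold are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): "<iso time> <client> <phone> <found|notfound>".
# client-A syncs a small address book once; client-B walks a contiguous number range.
_LEGIT = ["2013-12-24T10:00:0%d client-A +1555000%04d found" % (i, i) for i in range(5)]
_ENUM = ["2013-12-24T10:05:%02d client-B +1555100%04d %s"
         % (i // 2, i, "found" if i % 10 == 0 else "notfound") for i in range(40)]
SAMPLE_LOG = "\n".join(_LEGIT + _ENUM)


def parse_log(text):
    """Parse one lookup event per line into (timestamp, client, phone, found)."""
    events = []
    for line in text.splitlines():
        ts, client, phone, result = line.split()
        events.append((datetime.fromisoformat(ts), client, phone, result == "found"))
    return events


def detect_enumeration(events, window=timedelta(seconds=60), max_distinct=25):
    """Flag clients that query more than max_distinct distinct numbers inside any sliding window.

    Returns {client: (peak_distinct, miss_rate_at_peak)} for flagged clients only; a high
    miss rate alongside a high distinct count is the signature of a range walk rather than
    a genuine address-book sync.
    """
    per_client = defaultdict(deque)
    flagged = {}
    for ts, client, phone, found in sorted(events):
        q = per_client[client]
        q.append((ts, phone, found))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p, _ in q})
        if distinct > max_distinct and distinct > flagged.get(client, (0, 0.0))[0]:
            misses = sum(1 for _, _, f in q if not f)
            flagged[client] = (distinct, round(misses / len(q), 2))
    return flagged


if __name__ == "__main__":
    for client, (distinct, miss_rate) in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {distinct} distinct numbers in one window, miss rate {miss_rate}")
```

A flagged client is the point at which a service would throttle or block the lookup endpoint; the legitimate client in the sample stays well under the threshold.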


These two areas, vulnerabilities in mobile apps and vulnerabilities in APIs, are areas still largely under explored by criminals but we fully expect to see malicious exploits, rather than simple proofs-of-concept ramping up over the coming years. We, as users, store ever more data; data often belonging to other people, on our mobile devices and app developers are very interested in getting hold of that data, as are criminals. Far too many apps routinely request (or simply steal) the data contained in your address book for example and far too many app users are willing to surrender this data for the dubious “pleasure” of inviting their friends to yet another social network/messaging platform. Trend Micro’s own data collected in ongoing analysis through our Mobile App Reputation Service reveals that more than 20% of *all* apps are consistently leaking data and the most common data to leak are your contacts, your location, your phone number and details about the handset and SIM.


In the old days, back when rainbows were still in black & white, if a stranger were to approach you in the street asking for a copy of your address book that would doubtless strike you as a bizarre request, likewise if a shop assistant insisted on the details of 100 of your friends in return for a discount voucher. Somehow as the data itself has become digitised and the means of transfer invisible and painless this has become entirely acceptable behaviour. Rather than continue this erosion of privacy; users of these types of service would be better advised to use the phone for its long-neglected purpose and maybe give those same friends a call, possibly even arrange to meet up(!) and talk about the great new app you’ve discovered in person, rather than selling your friends down the river.


As a social platform, your satisfied customers are your best ambassadors. If you begin to act in ways detrimental to their best interests then a storm is certainly coming, as Path found out to their cost in the early part of 2013.