The Weekly Ink #37
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.
Google I/O
Earlier this week Google held their annual developers event known as Google I/O which Google describes as “two days of inspirational talks, hands-on learning, and a chance to hear more about Google’s latest developer products”. A few of us on the Labs team had the video stream going in the background while we worked, and a few things stood out for us.
Better Permission Control for Android Apps
Android users who attempted to manage their privacy and security by paying attention to the permissions installed applications request let out a collective sigh of relief as more granular permission control will be included in the next release of the Android operating system. According to the announcement, Android M will let users not only allow permissions on a granular basis but also revoke permissions at any time. Mike Mimoso over at ThreatPost covered the changes here.
Another interesting announcement from a security perspective is that Google will be releasing an API for third party developers that allows them to integrate into the existing Smart Lock features of Android. Users can expect to start seeing the familiar “save password” dialogue box popping up on their Android devices. Google has even gone as far as releasing an Identity Toolkit which is designed to help developers create a more secure password and sign-in workflow for applications.
Other things that we found interesting that may not have much of a security impact but are still worth mentioning are:
Bigger, Better Cardboard
Google announced an updated version of Cardboard that not only supports phones with larger screens but also has an improved, also made of cardboard, button control. In order to encourage more virtual reality content and to leverage YouTube’s support of Virtual Reality and 3D videos Google also released something they have called Jump Camera. Using a total of 16 GoPro Hero 4 cameras, the Jump rig can be used to create perfect 360 degree video. Pricing information is not yet available, but we are already brainstorming for ideas on how we can justify buying one of these for the Labs team - maybe some virtual reality hardware hacking sessions or VR enabled tech talks.
Last but not least, the announcement and demo of Google Expeditions made many of us wish that we were still in school. Using Cardboard and some amazing looking content Google is able to offer Teachers the technology that enables them to take students on a virtual reality field trip. Very cool looking technology.
Hacked or Not?
Mobile Malware Spyware Monitoring company mSpy suffered a breach that appears to expose users data, including AppleID and passwords. Initially mSpy claimed that they were not in fact hacked. When presented with a sample of their data, which was easily found on the Tor network, mSpy representatives then told BBC News that the data was fake only to finally admit that yes, there has been a breach. Sadly, mSpy didn’t stop trying to spin this problem away and added that the claims of almost 400 000 affected users are greatly exaggerated and that only 80 000 users were affected. While we have not looked at the data dump ourselves, our gut feeling on this is that the original number is probably more accurate than the one stated by mSpy. Regardless of the actual count of users, the impact has the potential to be huge depending on what you keep in that iCloud account of yours. Hopefully mSpy has done the right thing and notified all of their users, and of course, fixed whatever lapse in security caused the breach in the first place. Brian Krebs broke this story here and then provided a great follow up piece here.
Keep Your Keys On Ice
Automobile hacking was back in the news this past week. But this time it’s not a research paper or upcoming conference demo but real world attacks on the Passive Entry Keyless system. The threat of relay attacks on these systems has been known for quite some time a quick Internet search reveals a paper written in 2003, as well as a few blog posts and news articles that are at least five years old. However, a recent incident has put the spotlight back on to the insecurity of Passive Entry and even Passive Start systems.
A writer for the New York Times detailed an experience he had literally watching two kids break into his car using a “small black device” to simply unlock the doors. The would be thieves were not caught so the device they used has not been analyzed but chances are that they are based on work published in early 2011 by a group of researchers at ETH Zurich that demonstrated how, regardless of existing encryption or protocol use, these systems can be easily bypassed by using a simple relay from up to 300 feet away. The writer of the New York Times piece goes as far to suggest that those concerned about their cars being broken in to keep their keys in the freezer as it appears to be effective at blocking the signal and preventing it from being relayed. However, this of course does not protect the keys while in your pocket or bag in public for that there are “Faraday Cage bags” from outfits like Fob Guard, who will happily take $29.99 from you and provide you with what we assume to be a tin foil lined carrying pouch for your keys. Hopefully car manufacturers improve the security of these systems and prevent these types of attacks.
Another IRS Security Lapse
In other breach news we heard this week that the IRS managed to lose about 100 000 tax records via a flaw in a system known as “Get Transcript”. Complete details of the attack are still a bit sketchy, however, it has been reported that Russia is suspected as being behind the attack. This of course comes on the heels of a rash of fraudulent tax returns designed to hijack refunds from legitimate recipients. As for the Russian connection, our attribution 8-ball appears to agree.
IoT Home Door Locks
While we are talking about electronic door locks on cars and how easy they are to attack. Security researcher and all around smart guy Dino A. Dai Zovi said this on Twitter;
Sadly, he is probably very much correct, however I am sure thieves will prefer to unlock doors via their smart phone and a vulnerability vs. the more traditional, physical brute force methods.
Juvenile Security Fun - Follow Us On Twitter!
As most of you probably know, we launched our @Duo_Labs Twitter account with an attribution 8-ball give-away. Not only do you have a chance to get some fun Duo Security swag by following and interacting with us on Twitter, we will occasionally tweet out things of interest and keep our followers updated on what our Labs team is up to. If you are a Twitter user, be sure to follow us.