Category Archives: Safety

The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it also is an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS, that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails

In reality, the only recommendation that the FBI made that will actually work is this next one:

  3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.


TSA Rolls Out New Screening Rule

Earlier this summer, TSA banned laptops and other large electronics on flights into the United States from certain countries.  Almost as quickly, they removed those bans – likely due to feedback from the airlines who were concerned that travelers would use video conferencing instead of flying.

Later this summer, TSA started a pilot program at a few airports that implemented enhanced scanning of electronics.

Now they are beginning the rollout of the program nationwide between now and early 2018.

Here is how the program will work.  Passengers will be required to take ALL electronics larger than a cell phone out of their carry-on bags and place them in a tray by themselves with nothing underneath them and nothing on top of them.

This includes game consoles, cameras, iPads and other large electronics.

Because of these new rules and the anticipated delays at screening locations, TSA is recommending that passengers arrive at the airport 90 minutes before their flight rather than 60 minutes before.

It is not clear if these rules will apply to TSA Precheck passengers.

Information for this post came from Security Today.


DHS Considering Laptop and Tablet Ban on All Flights From Europe to US

Multiple sources are reporting that Homeland Security is considering banning all laptops and tablets from all cabins on all flights from Europe.

An announcement is expected tomorrow and I will update this post if an announcement is made.

DHS is saying today that no final decision has been made.

While we don’t know what DHS will do, here are my thoughts:

  1. It is HIGHLY likely that terrorists have figured out how to make bombs that can be hidden inside laptops and other larger electronic devices.
  2. Since airlines are not responsible for broken or stolen laptops and other electronic equipment in checked baggage, that puts travelers between a rock and a hard place.
  3. Stolen laptops and electronics represent a major security risk to corporations and individuals.
  4. ALL companies and users should encrypt ALL mobile devices to reduce the risk of having to declare a breach when an unencrypted laptop is missing from checked luggage.  The only state that was thought to require a breach declaration for encrypted data was Tennessee and they changed their law last month to clarify that was not the case.
  5. Regarding broken laptops (and when I say laptops I mean laptops, tablets, drones, cameras and other electronic equipment), there are a couple of issues.  First, consider insurance.  It is possible that you may be able to add coverage to your homeowners or renters policy but beware of policy deductibles.  For businesses, they are likely to be self insured.
  6. If you are going on a trip and electronics (and the data stored on them) are important, you should consider a disaster preparedness/incident response plan to deal with what occurs if your electronics don’t arrive or are broken.
  7. ASSUMING this happens, this is the best gift ever for the video conferencing business since 9/11.  The airlines didn’t recover from the lost business from 9/11 for years.  If this happens, this will just accelerate the decline of business travel.

One more thing to consider.  Given that Lithium Ion batteries – the type used in laptops – were responsible for more than 30 in-flight cabin fire incidents in 2016 that flight attendants were able to put out with halon fire extinguishers, putting those devices in baggage may represent a safety issue. The FAA’s Fire Safety Branch says that the fire suppression systems used in cargo holds are ineffective at putting out lithium ion fires caused by the types of batteries in laptops, based on their tests in 2015.

Stay tuned for more details.

Information for this post came from the Daily Beast.


IoT Liability – Who’s Responsible?

When your Internet connected baby monitor fails you probably whine.  You may complain to the manufacturer or the store where you bought it.  Or, you may just buy a new one.

But if that IoT device is your car, well, that could be a bit more complicated.

If you buy a used car and the previous owner did not wipe the phonebook from the hands free unit in the car, the buyer may have access to data that he or she should not have.

But if you wipe the data, is it really gone?  That is way less clear.  Is the data backed up in the cloud?  Is the cloud account associated with the buyer or the seller?

What if the seller had access to the car (to say unlock it or start it) from his or her smart phone?  Does the buyer know if that “connection” between the seller and the car has been severed?  How would the buyer ever know?  Maybe the seller can still see geolocation data – where the car is at any time.

What if a house had a smart thermostat?  If the seller still had access he or she could turn off the heat in the winter or turn off the AC in the summer.  There have been a number of cases where, during a divorce, the displaced spouse did mischievous things.

What if the house had a smart lock and the seller decided to unlock it?  Randomly.  What if the house was burgled as a result?

Are realtors equipped to counsel buyers about smart homes?  I doubt it.  Many realtors have a hard time using their MLS software (certainly not all of them, but this is a pretty geeky subject).

What about home inspectors?  Surely they are educated enough to warn people.  Many home inspectors are retired handymen.  That is the wrong demographic to be providing advice on the Internet of Things.

In some cases, the IoT devices are not even visible.  Like, perhaps, a connected furnace or smart water heater.

In some cases, when the seller sells the house and takes their Internet connection with him or her, the device, of course, will go offline.  Does that mean the device stops working or is there a fail-safe in the device?

According to the National Association of Realtors, only 15% of buyers ask about smart homes.  What if the realtor says “I don’t know if this is a smart house”?  Does the buyer demand answers?  In some cases, the seller probably doesn’t even remember whether the water heater is connected to the Internet and, if it is, how to change that connection.

Underwriters Laboratories is working on a UL security seal, but that process is voluntary and maybe, in 10 or 20 years, that may turn into something.

In this article I am talking about big, expensive, smart devices, but the prediction is that, by 2020, there will be 20 billion devices connected to the Internet.  Most of them small – a toaster or refrigerator or baby monitor or security camera.  What if, as some people do, the seller has security cameras inside the house and the buyer doesn’t change the password the seller provided?  That isn’t too far fetched.  It works and it is too hard to figure out how to change it.  Now the seller can watch the buyer in his or her house.  No telling what the seller might see.  Or capture.  Or post online.  Or share with friends.  Think about that one for a minute.

In the meantime, it is kind of like the wild west.  You are on your own and good luck.

I am not anticipating this changing any time soon.

BUYER BEWARE!

Information for this post came from SC Magazine.


The Problem With Buying Chinese Electronics

Electronics made in China are often less expensive than products sold by western companies such as Cisco and Juniper.  But there may be a cost associated with that price.

The Chinese security firm Boyusec is working with the Chinese Ministry of State Security intelligence service in conducting cyber espionage, according to the Pentagon.  This would not be a surprise except that they are also working with the Chinese network equipment manufacturer Huawei that the Pentagon banned from DoD purchasing a few years ago.

While Huawei denies this, the Pentagon says that Huawei/Boyusec is putting back doors in Huawei networking gear so that the Chinese can spy on purchasers of Huawei equipment.  In addition to spying on customers’ phone and network traffic, these backdoors also allow the Chinese to take control of these devices – likely to subtly reprogram them to allow them even more effective spying.

This follows a report earlier this month that software was found on more than 700 million phones, cars and other smart devices that was manufactured by Shanghai Adups and used by Huawei, among others.  The software phoned home every three days and reported on the users’ calls, texts and other data.  Another Chinese technology manufacturer, ZTE, also uses the software.

The moral of the story is that you should consider the reputation of the vendor that you are considering prior to making your purchase decision.

Sometimes that vendor is hard to detect.  Take those security web cams that took out Amazon and hundreds of other companies last month: they had software and internal parts that were made by a vendor that didn’t care about security, but that company’s name was not on the outside of the cameras, which were sold under many different brand names.

Unfortunately, those vendors are price sensitive, so if they can find software for a few cents per device sold, they may decide to use it and not ask any questions about security.  After all, there is no liability in the United States if a company sells a product with poor or even no security.  That is up to the customer to figure out. 99% of the customers have no idea how to figure out whether a web cam or baby monitor is secure.  Unfortunately, what is needed is for companies to be held accountable for the security of these products.  This doesn’t mean that they should be clobbered for every bug found, but if they are ignoring reasonable commercial security practices, well, then, that might be a different story.  My two cents, for what it is worth.

Information for this post came from the FreeBeacon.


Nest Security Cameras Can Be Easily Blacked Out

Security researchers have figured out three different ways to disable Nest Security Cameras (Nest is part of Google).  As of a few days ago, Google said they were working on patches and would push them out shortly.  But it speaks to the more general problem of wireless security.

In the Nest situation, there are three vulnerabilities.  The researcher, Jason Doyle, notified Google in October but there are still no fixes – 5 months later.  If the bug had been found by Google’s own bug hunters in Project Zero, they would have started having a wall-eyed cat fit in January.

But it points to the lack of security in IoT in general, the challenge of getting companies to patch IoT bugs (there is no revenue after the initial sale) and later getting users to actually install the patches (I hope Nest automatically looks for and installs patches with no user involvement,  but I don’t know).

The first bug is pretty simple. Get into Bluetooth range and ping the camera with an overly long Wi-Fi SSID parameter.  This causes the camera to crash and reboot.  While it is rebooting, you are clear to break in.  Keep doing it and you could be clear for days.

The second bug is related.  Send a long Wi-Fi password and the camera crashes and reboots also – same deal as above.

The third bug can be exploited by telling the camera to connect to a new network.  This causes it to disconnect from the current network (and stop recording).  Since the new network is bogus, it will eventually reconnect to the old network, but in the meantime, it won’t record.

I have a variant to the last one.  If the burglar brings a local Wi-Fi hotspot with him or her, the Nest, I would guess, would connect to it, but since that hotspot doesn’t have an Internet connection, it can’t transmit.  In that case, it might not reconnect to the old network – I don’t know.

Since these cameras ASSUME that they always have an Internet connection, they don’t deal well with not having one.

While these attacks require the hacker to be in bluetooth range, since they are trying to break into the house, that is likely not a problem.

Why Google doesn’t turn off Bluetooth after the camera is initially configured is not clear either.
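One defensive shape for the bugs described above (over-long SSID and password fields, and network-change commands accepted after setup), as an added example in C that is not Nest’s or Google’s code and assumes nothing about the camera’s real firmware: field lengths are checked against the 802.11 limits before anything is copied into fixed buffers, and reconfiguration over the provisioning channel is refused once setup mode has ended. The `camera_state` struct, its `setup_mode` flag and `handle_wifi_request` are hypothetical names chosen for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* 802.11 limits: an SSID is at most 32 octets; a WPA2 passphrase is
 * 8..63 printable ASCII characters. Longer input is rejected, not copied. */
#define SSID_MAX_LEN 32
#define PASS_MIN_LEN 8
#define PASS_MAX_LEN 63

struct wifi_config {
    char ssid[SSID_MAX_LEN + 1];
    char passphrase[PASS_MAX_LEN + 1];
};

/* Hypothetical device state (assumption for this example): once the owner
 * finishes provisioning, the Bluetooth channel stops accepting changes. */
struct camera_state {
    bool setup_mode;            /* true only during initial provisioning */
    struct wifi_config wifi;
};

enum cfg_status { CFG_OK = 0, CFG_NOT_IN_SETUP, CFG_BAD_SSID, CFG_BAD_PASS };

/* Length of s, never reading past max bytes; a result equal to max means
 * "at least max", i.e. the field is over-long. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

static bool passphrase_ok(const char *pass, size_t n)
{
    if (n < PASS_MIN_LEN || n > PASS_MAX_LEN) return false;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)pass[i])) return false;
    return true;
}

/* Handle a "join this network" request from the Bluetooth peer. Returns a
 * status instead of crashing; the stored config is untouched unless CFG_OK. */
enum cfg_status handle_wifi_request(struct camera_state *cam,
                                    const char *ssid, const char *pass)
{
    size_t slen = bounded_len(ssid, SSID_MAX_LEN + 1);
    size_t plen = bounded_len(pass, PASS_MAX_LEN + 1);

    if (!cam->setup_mode) return CFG_NOT_IN_SETUP;   /* no changes after setup */
    if (slen < 1 || slen > SSID_MAX_LEN) return CFG_BAD_SSID;
    if (!passphrase_ok(pass, plen)) return CFG_BAD_PASS;

    memcpy(cam->wifi.ssid, ssid, slen);       cam->wifi.ssid[slen] = '\0';
    memcpy(cam->wifi.passphrase, pass, plen); cam->wifi.passphrase[plen] = '\0';
    return CFG_OK;
}
```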

This is just an example of the challenges of wireless camera systems.  Another example would be to overpower the Wi-Fi connection to force the camera to connect to a rogue hotspot or no hotspot.  There are lots of other attacks.  Hard wired cameras are better – if the burglars can’t easily get to the wires to cut them.

Many alarm and camera systems use cellular connections to transmit alarms.  While cellular is good, it is not foolproof.  Bring a cellular jammer with you (yes, they are illegal, but so is breaking into someone’s house or office) and the alarm won’t be able to transmit images or alarms.

On the other hand, wireless is much easier to install (you don’t have to run wires), so less expensive.  This goes for cameras and alarm systems also.

But the vendors don’t talk about the fact that they are also less reliable.

In part, it depends on your level of paranoia.  And also the quality of the manufacturer.  Likely there are several to many manufacturers. If you are expecting junkies to break into your house or office, they probably won’t worry about disabling cameras or alarms.  Pros, on the other hand – they might worry and likely have the smarts to disable your entire system.

For many systems, there can be multiple manufacturers.  One camera might come from vendor ‘A’, but a different camera might come from vendor ‘B’.  Same thing with alarms.  A door sensor could come from one vendor while a motion sensor might come from another.  It used to be that these sensors were dumb – you make or break the connection and the panel generates an alarm. Now, at a minimum, it needs to have enough software to connect to the right network and then transmit the alarm.  Many cameras and sensors are much smarter than that.  Smarter also means buggier.

While Google will, eventually, issue a patch, what about the hundreds of other wireless camera vendors and thousands of other alarm piece-part vendors who aren’t quite so reputable?

In addition, if the burglars can kill your Internet connection (like cutting your cable or phone line), since these cameras have no local storage, you have no pictures of the bad guys.  If a camera somehow uses wireless Internet (like cellular), then the bad guys would have to disable both, but I am not aware of any consumer grade cameras that work that way.

It is important to understand the risks you have.  In this case, the Nest was supposed to protect you, but maybe didn’t.  For other wireless camera systems – well, who knows.

Information for this post came from The Register.
