Tag Archives: Celebrite

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department have been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or competitor) and waited.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee had used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them; they found things “that should not be there”. They think there are many of these already installed in America.

If true (and I have no reason to doubt it, but almost no details to confirm it), that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers, with utilities not allowed to buy replacements, potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machine’s components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given that the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Security News Bites for the Week Ending March 1, 2019

We Don’t Need Back Doors in Crypto – We Have Enough Bugs Already!

Researchers have found three new bugs in the protocol design (as opposed to the implementation) in both 4G and 5G cellular networks.  The design flaws can be exploited by any person with a little knowledge of cellular paging protocols.

The hardware to carry out the attack can be purchased for less than $200 and all four major carriers are vulnerable since these are protocol design problems and not implementation bugs.

The good news is that since these are protocol design flaws, the networks of all of our adversaries (and our friends) are also vulnerable, which probably makes the spy-guys happy too.

There is no fix approved or planned for the security holes.  Source: Techcrunch.

Google Slipped a Microphone into your Nest Security System – Forgot to Tell Buyers.

When Google announced that the Nest security system would now support “Hey Google” with no hardware upgrade, a few geniuses figured out that there must have always been a microphone in the Nest that Google just accidentally forgot to tell people about.

Google is trying to spin down the tornado saying that yes, they just forgot to tell people that there is a microphone in there, but not to worry because it isn’t enabled by default.  They put it in there to detect breaking glass and other features, they say.

Alarm systems often have microphones, usually to detect glass breaking, but the control panel, where Google put it, might not be close enough to all of the windows in the house to detect that.  Some alarms support two way voice communications to the alarm monitoring center, but if a system has that, it is not a secret, but rather a feature, loudly announced.  More likely, Google kept it a secret so that competitors wouldn’t figure out their future plans.  Source: The Intercept.

 

Hacking Tools Going Mainstream

Cellebrite, the Israeli company that makes tools for law enforcement (and, I think, for anyone else whose check clears) to hack iPhones and Android phones, has grown a conscience.

Used Cellebrite devices are showing up on eBay for as little as $100 – and, of course, with the ex-owner’s data still intact.

Cellebrite is “warning” their customers not to do that but rather to return their devices to them for destruction.  If you think they are really concerned about your security, then that makes sense.  On the other hand, if you believe that they would rather sell you a new one for $6,000 than have you buy it on eBay for $100 …..

In any case, they are available and many of them still have the captured data on them.  Source: Forbes.

 

TSA’s Pipeline Security Team Has Five People

2.7 million miles of pipeline and five employees.

Roughly half a million miles of pipe per person.

And none of them have cyber expertise.

Since 2010 the number of people assigned to pipeline security has ranged from a low of 1 to a high of 14.  Not very comforting.

And they don’t plan to add any cyber expertise anytime soon; instead, they are relying on begging other parts of Homeland Security for help.

Given that TSA hasn’t figured this out in almost 19 years, some folks in Congress want to move the responsibility elsewhere.

In the meantime, let’s hope that the terrorists do not understand how bad things are.  Source: FCW.