Archive for Internet Security

Surveillance Attack on WhatsApp

It has been reported that it was a surveillance attack on Facebook’s WhatsApp messaging app that caused the company to urge all of its 1.5bn users to update their apps as an extra precaution recently.

What Kind of Attack?

Technical commentators have identified the attack on WhatsApp as a ‘zero-day’ exploit that is used to load spyware onto the victim’s phone.  Once the victim’s WhatsApp has been hijacked and the spyware loaded onto the phone, it can, for example, access encrypted chats, access photos, contacts and other information, as well as being able to eavesdrop on calls, and even turn on the microphone and camera.  It has been reported that the exploit can also alter the call logs and hide the method of infection.

How?

The attack is reported to be able to use WhatsApp’s voice calling function to ring a target’s device. Even if the target doesn’t pick up the call, the surveillance software can be installed, and the call can be wiped from the device’s call log.  The exploit works by using a buffer overflow weakness in the WhatsApp VoIP stack, which enables other parts of the app’s memory to be overwritten.

It has been reported that the vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of WhatsApp.

Who?

According to reports in the Financial Times which broke the story of the WhatsApp attack (which was first discovered earlier this month), Facebook had identified the likely attackers as a private Israeli company, The NSO Group, that is part-owned by the London-based private equity firm Novalpina Capital.  According to reports, The NSO Group are known to work with governments to deliver spyware, and one of their main products called Pegasus can collect intimate data from a targeted device.  This can include capturing data through the microphone and camera and also gathering location data.

Denial

The NSO Group have denied responsibility.  NSO has said that their technology is only licensed to authorised government intelligence and law enforcement agencies for the sole purpose of fighting crime and terror, and that NSO wouldn’t or couldn’t use the technology in its own right to target any person or organisation.

Past Problems

WhatsApp has been in the news before for less than positive reasons.  For example, back in November 2017, WhatsApp was used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain bank details.

Fix?

As a result of the attack, as well as urging all of its 1.5bn users to update their apps, engineers at Facebook have created a patch for the vulnerability (CVE-2019-3568).

What Does This Mean For Your Business?

Many of us think of WhatsApp as being an encrypted message app, and therefore somehow more secure. This story shows that WhatsApp vulnerabilities are likely to have existed for some time.  Although it is not clear how many users have been affected by this attack, many tech and security commentators think that it may have been a focused attack, perhaps of a select group of people.

It is interesting that we are now hearing about the dangers of many attacks being perhaps linked in some way to states and state-sponsored groups rather than individual actors, and the pressure is now on big tech companies to be able to find ways to guard against these more sophisticated and evolving kinds of attacks and threats that are potentially on a large scale.  It is also interesting how individuals could be targeted by malware loaded in a call that the recipient doesn’t even pick up, and it perhaps opens up the potential for new kinds of industrial espionage and surveillance.

G7 Cyber Attack Simulation To Test Financial Sector

The G7 nations will be holding a simulated cyber-attack this month to test the possible effects of a serious malware infection on the financial sector.

France

The attack simulation was organised by the French central bank under France’s presidency of the Group of Seven nations (G7).  The three-day exercise will be aimed at demonstrating the cross-border effects of such an attack and will involve 24 financial authorities from the seven countries, comprising central banks, market authorities and finance ministries.  It has been reported that representatives of the private sector in France, Italy, Germany and Japan will also participate in the simulation.

Why?

As reported in March in a report by the Carnegie Endowment for International Peace (co-developed with British defence company BAE Systems), state-sponsored cyber attacks on financial institutions are becoming more frequent, resulting in destructive and disruptive damages rather than just theft.

The report highlighted how, of the 94 cases of cyber attacks reported as financial crimes since 2007, the attackers behind 23 of them were believed to be state-sponsored.  Most of these state-sponsored attacks are reported to have come from countries such as Iran, Russia, China and North Korea.

The report pointed out that the number of cyber attacks linked to nations jumped to six in 2018 from two in 2017 and two in 2016.

State-sponsored attacks can take the form of direct nation-state activity and/or proxy activity carried out by criminals and “hacktivists”.

State-Sponsored Attacks – Examples

An example of the kind of state-sponsored hacking that has led to the need for simulations is the attack by North Korean hackers on the Bank of Chile’s ATM network in January, the result of which was a theft of £7.5 million.

Also, in 2018 it was alleged that North Korean hackers accessed the systems of India’s Cosmos Bank and took nearly $13.5 million in simultaneous withdrawals across 28 countries.

As far back as 2016, North Korean hackers took $81 million after breaching Bangladesh Bank’s systems and using the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).  The perpetrators sent fraudulent money transfer orders to the New York branch of the U.S. central bank where the Dhaka bank has an account.

What Does This Mean For Your Business?

An escalation in state-sponsored attacks on bank systems in recent years is the real reason why, in addition to fending off cybercriminals from multiple individual sources, banks have noted an evolution of the threat which has forced them to focus on sector and system-wide risks.

As customers of banks, businesses are likely to be pleased that banks, which traditionally have older systems, are making a real effort to ensure that they are protected from cyber-attacks, particularly the more sophisticated and dangerous state-sponsored cyber-attacks.

Microsoft’s Move Away From Passwords Towards Biometrics

In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled the corporation’s move away from passwords on their own as a means of authentication, towards biometrics and a “passwordless future”.

Passwords – Not Enough On Their Own

Many of us are now used to two-factor authentication e.g. receiving a code via text or using apps such as Google Authenticator as a more secure way of using passwords.  Mr Arsenault also notes that hacking methods such as “password spraying”, where attackers attempt to access large numbers of accounts at once using some of the most commonly used passwords, are still effective and highlight the weakness of relying on passwords being used on their own.  Mr Arsenault highlights how damaging this can be for businesses where a hacker can get hold of an employee’s password/identity and use this to gain access to a whole network. This is one of the reasons why many businesses, including Microsoft, are moving away from the whole idea of passwords.
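A defender's view of the password-spraying pattern described above, as an added example that is not from Microsoft or the original article: it scans failed-login records for a single source that touches many different accounts only a few times each. The log format, function names, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<source IP>
# 203.0.113.7   -> one guess against each of six accounts (spraying)
# 198.51.100.23 -> eight guesses against one account (single-account brute force)
# 192.0.2.10    -> an ordinary user mistyping once, then logging in
SAMPLE_LOG = """\
2019-05-20T09:00:01 FAIL user=alice src=203.0.113.7
2019-05-20T09:00:07 FAIL user=bob src=203.0.113.7
2019-05-20T09:00:09 FAIL user=grace src=192.0.2.10
2019-05-20T09:00:13 FAIL user=carol src=203.0.113.7
2019-05-20T09:00:15 OK user=grace src=192.0.2.10
2019-05-20T09:00:19 FAIL user=dave src=203.0.113.7
2019-05-20T09:00:25 FAIL user=erin src=203.0.113.7
2019-05-20T09:00:31 FAIL user=frank src=203.0.113.7
2019-05-20T09:01:00 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:01 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:02 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:03 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:04 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:05 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:06 FAIL user=alice src=198.51.100.23
2019-05-20T09:01:07 FAIL user=alice src=198.51.100.23
"""


def parse_line(line):
    """Split one record of the assumed format into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_users=5, max_per_user=2):
    """Return {source: sorted list of targeted accounts} for suspected sprays.

    A source is flagged when, inside a sliding time window, its failed logins
    cover at least `min_users` distinct accounts while no single account has
    more than `max_per_user` failures. The second condition is what separates
    spraying (few guesses, many accounts) from hammering one account.
    Records are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result != "FAIL":
            continue
        failures = recent[src]
        failures.append((ts, user))
        # Drop failures that have aged out of the window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        per_user = Counter(u for _, u in failures)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged.setdefault(src, set()).update(per_user)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

Per-source counting misses a spray spread across many addresses, so the same windowed count is worth running with the key changed to whatever else the log records about the client.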

Setting Example – Biometrics

Microsoft is one of the most-attacked companies in the world, and this, combined with reports of the billions of password hack incidents worldwide, has driven the company to move beyond passwords.

For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without passwords using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.

Also Uses Federated Cybersecurity

In addition to rejecting passwords for biometrics, Microsoft also uses a federated cybersecurity model.  This means that each Microsoft product has its own head of cybersecurity and that ethical hackers are actively encouraged to attack the company’s networks and products to test for flaws.

Scrapping Password Expiration Policies

Microsoft has announced that it is scrapping its password expiration policies in Windows 10, arguing that password expiration is an out-of-date method of data protection.  Users will effectively no longer be forced to update their passwords every few months once the Windows 10 May 2019 Update has been rolled out.

Other Tech Companies Moving Away From Passwords

Other tech companies that are known to be moving away from passwords towards biometrics and other methods include Google, which has been testing USB key fobs which plug into customers’ computers and provide a second factor of authentication, and Cisco, which acquired dual-factor authentication start-up Duo in 2018.

What Does This Mean For Your Business?

As Microsoft points out, multi-factor authentication is more secure than relying on just a password for authentication, as password spraying and credential stuffing are widely in use and are still yielding good results for hackers.  As a recent National Cyber Security Centre (NCSC) survey has shown, many people still rely upon weak passwords, with ‘123456’ featuring 23 million times, making it the most widely-used password on breached accounts. There is a strong argument, therefore, for many businesses to look, as Microsoft is looking, towards more secure biometric methods of authentication, and towards a “passwordless future”.

Even though biometrics has been shown to make things incredibly difficult for cybercriminals, it has not proven to be 100% successful to date.  For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then use that fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Chrome For Android ‘Fake Address’ Phishing Risk Discovered

Developer James Fisher has reported that small changes could be made to Chrome for Android that could enable fake URLs to be displayed and users to be ‘jailed’ in a fake browser, thereby leaving them vulnerable to being duped into visiting fake, malicious pages.

Fake URL Display

Mr Fisher explains the possible new phishing method on his website here: https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/ .

According to Mr Fisher, if you visit his page URL (as shown above) on Chrome for mobile (Android) and scroll a little way, the page displays itself as hsbc.com.  He reports that this is because, as a result of the few small changes he has made, the page is able to ‘jail’ the user into a ‘fake’ browser. Mr Fisher’s website includes a video of how scrolling leads to the fake URL being displayed.

How?

Mr Fisher explains on his website that, using his method in Chrome for mobile, if a user arrives at a web page that they believe to be trustworthy and scrolls down so that the URL is no longer visible, they can then be switched into a fake browser.  The user is then ‘jailed’ into the fake browser which can either use an insertion of a screenshot of Chrome’s URL bar on another website (in the case of his demonstration HSBC) in the webpage, or could be made to detect which browser it’s in, and forge an inception bar for that browser.  Either way, the user can be tricked into seeing the URL for a page they’re not actually on.

Also, Mr Fisher explains that in his research, as part of trapping the user in a “scroll jail”, he was able to include a very tall padding element at the top so that if a user tries to scroll into the padding, they are simply scrolled back down to the start of the content so that it looks like a page refresh.  This whole process could, in the wrong hands, be able to dupe a user and trap them on a malicious page.

Phishing Risk

The obvious risk is that this could be used as a phishing method i.e. directing users to a fake page to enable sensitive data to be stolen or to direct users to a page loaded with malware.

What Does This Mean For Your Business?

At least now that the potential security risk has been discovered, explained and demonstrated, this should give Google the opportunity to close this loophole, thereby reducing the risk to users of Chrome for mobile. Although (at the time of writing) there is no fix as yet from Google, Mr Fisher has suggested that one fix could be for Google to retain a small amount of screen space above what he describes as the “line of death”, rather than giving up all screen space to the web page. This could make space for Chrome to signal that ‘the URL bar is currently collapsed’.

Back in December, research by Internet Privacy Company DuckDuckGo was reported to have produced evidence that could show that even in Incognito mode, users of Google Chrome could still be tracked, and searches were still personalised accordingly. Also, in February this year, there were more PR woes for Google when the discovery of a microphone in Google’s Nest Guard product that was not listed in tech spec, but which was put down to an erroneous omission by Google, caused a backlash that escalated to the US Congress.

123456 Still A Popular Password

A study by the UK’s National Cyber Security Centre (NCSC) into breached passwords has revealed that 123456 featured 23 million times, making it the most widely-used password on breached accounts.

Top Five Easy-To-Guess Passwords

The study, which analysed public databases of breached accounts to discover which words, phrases and strings were most popularly used, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

Names & Football Teams

The study revealed that people routinely use Christian names and the names of their favourite football teams as passwords, thereby making them relatively easy to crack.  For example, the most popular breached-password names were Ashley, Michael, Daniel, Jessica and Charlie. The most popular football team passwords noted by the study were ‘Liverpool are champions’, followed by Chelsea.

Not Confident

The NCSC study also found that 42% of those surveyed expected to lose money to online fraud, and that only 15% said that they were confident that they knew enough to be able to protect themselves online.

Big Risk – Password Sharing

The study also found that fewer than half of those surveyed used a separate, strong password for their main email account.  The risk of using the same password for multiple accounts and platforms is that if one of those accounts is compromised, cyber-criminals will sell your login details on and/or use ‘credential stuffing’ tools to try stolen passwords on multiple websites.

Stolen credentials are also routinely used in phishing attacks e.g. to send malicious emails to a victim’s list of contacts, and in targeted digital identity attacks, where the breached credentials are used to steal a victim’s entire digital identity, steal their money, or even to compromise their social media network data.

Passwords on Hacking Forums

As revealed back in January by security researcher Troy Hunt of ‘Have I Been Pwned’ service, 772,904,991 unique email addresses, and 21,222,975 unique passwords are already being shared on hacking forums as part of a collection of credentials stolen from multiple sites, dubbed Collection #1.

This highlights the importance of not sharing passwords between websites, and of changing passwords regularly.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One easy-to-use tool that can help is a password manager.  Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

The new version of the Chrome browser (69) also has an improved password manager, which could help those who still appear to rely upon using very weak passwords e.g. 123456, password, 12345678 and qwerty.  The Chrome 69 password manager suggests passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it can add these. Users can also manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 can store the password on a laptop or phone so that users don’t have to write it down or try and remember it (if they are using the same device).

If you’re worried that people in your business may currently be using passwords that have already been stolen, you can find a list of the stolen passwords (from Troy Hunt of ‘Have I Been Pwned’) here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and Mr Hunt provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/.
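One way to run the check suggested above entirely offline, as an added example that is not Mr Hunt's or the article's code: it binary-searches a downloaded breached-password hash list so that a multi-gigabyte file never has to be loaded into memory. It assumes a hash-ordered file of `HASH:COUNT` lines using SHA-1 hashes; the function names, the sample list and its counts are constructed for illustration.

```python
import hashlib
import io

# Constructed sample entries; the counts are made up for the example.
SAMPLE_ENTRIES = {"123456": 2300, "password": 370, "qwerty": 380,
                  "liverpool": 28, "ashley": 43}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as bytes (assumed list format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")


def build_sample_list(entries):
    """Build a small hash-ordered HASH:COUNT list in memory for the demo."""
    lines = sorted(sha1_hex(p) + b":" + str(c).encode("ascii")
                   for p, c in entries.items())
    return b"\r\n".join(lines) + b"\r\n"


SAMPLE_LIST = build_sample_list(SAMPLE_ENTRIES)


def open_sample():
    """Return (file object, size) for the constructed list.

    For a real download use open(path, "rb") and os.path.getsize(path) instead.
    """
    return io.BytesIO(SAMPLE_LIST), len(SAMPLE_LIST)


def _line_after(f, offset):
    """Return the first complete line that starts after `offset`.

    Offset 0 is a line start; any other offset may fall mid-line, so the
    remainder of that line is discarded before reading.
    """
    f.seek(offset)
    if offset > 0:
        f.readline()
    return f.readline()


def lookup_count(f, size, password):
    """Return how often `password` appears in the list, or 0 if absent.

    Binary search over byte offsets: find the smallest offset whose following
    line has a hash >= the target (or is past end of file), then compare.
    """
    target = sha1_hex(password)
    lo, hi = 0, size
    while lo < hi:
        mid = (lo + hi) // 2
        line = _line_after(f, mid)
        if not line or line[:40] >= target:
            hi = mid
        else:
            lo = mid + 1
    digest, _, count = _line_after(f, lo).strip().partition(b":")
    return int(count) if digest == target else 0


def audit(candidates, f, size):
    """Return {password: breach count} for candidates found in the list."""
    hits = {}
    for pw in candidates:
        n = lookup_count(f, size, pw)
        if n:
            hits[pw] = n
    return hits


if __name__ == "__main__":
    f, size = open_sample()
    for pw, n in audit(["qwerty", "Tr4mline-Osprey-41", "123456"], f, size).items():
        print(f"{pw!r} appears {n} times in the breached list")
```

Nothing leaves the machine in this form, which matters when the candidates are passwords your staff actually use.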

AI Used To Tackle Money Laundering

Banks and financial institutions are experimenting with AI technology to tackle the multi-trillion-pound problem of money laundering, thereby hitting the traditional funding sources of major criminal gangs.

Money Laundering

Money laundering is the process of concealing the origins of illegally obtained money by passing it through legitimate business or a sequence of banking transfers.

According to figures from the UN’s Office on Drugs and Crime, money laundering accounts for up to 5% of global GDP – the equivalent of £1.5 trillion per year.  In the UK, National Crime Agency figures show that financial crime suspicious activity reports increased by 10% in 2018.

Also, in the UK for example, Companies House and estate agents (setting up new companies and investing in property) have been criticised by the government’s Treasury Committee as being key ways in which money laundering can take place in the UK.

The law in the UK (from 2017) relating to tackling money laundering requires businesses or sole traders who operate as “high-value dealers”, i.e. those that accept or make high-value cash payments of €10,000 or more (or equivalent in any currency) in exchange for goods, to register with HMRC.

Money Laundering In The News

Some recent high-profile cases of alleged money laundering involving banks include:

  • Swiss bank UBS being fined a staggering £3.2 billion for helping wealthy clients based in France to hide money from tax and launder the proceeds (the bank has lodged an appeal).
  • In September 2018, Dutch bank ING Groep NV being fined €775 million after failing to spot that criminals had been money laundering through its accounts.
  • In December 2018, 10 former employees of the local branch of Danske Bank in Estonia being arrested as part of an international investigation into (alleged) money laundering.

How AI Can Help

AI technology is being tested in the fight against money laundering because AI can crunch vast amounts of data (i.e. the data from millions of bank transactions) very quickly and accurately, thereby making it very good at detecting patterns and deviations from patterns.  AI can, therefore, quickly detect patterns of unusual activity e.g. behaviour consistent with money laundering (AI also learns with experience), as well as being able to spot smurfing attempts (breaking down a transaction into smaller transactions to avoid being spotted), accounts that are set up remotely by bots rather than humans, and suspicious behaviour by corrupt insiders (known to be an important element in many successful money laundering operations).

What Does This Mean For Your Business?

Money laundering is often used to help organised criminals / criminal gangs continue to finance many kinds of other serious crimes which have a negative impact on society and the economy. It is, therefore, good news for businesses (particularly in the financial and property sectors) that an accurate and reliable technology-based early detection system that works independently of human influence and error is being set to work to crack an old problem using the very latest means.

Critics have said, however, that even though AI may be excellent at spotting unusual transaction patterns it will only be as effective as the data it is fed, and banks, financial institutions, governments and law enforcement agencies, therefore, need to share more information to get the best results from AI tools.

Some have also been sceptical of how effective an ‘off-the-shelf’ AI-based money laundering detection tool (of which there are several on the market) could be.

Microsoft Tests ‘Sandbox’ Safe Browsing Extension For Chrome & Firefox

Microsoft is testing an in-browser ‘sandbox’ security extension for Chrome and Firefox that lets users access untrusted pages, safely.

Windows Defender Application Guard

The new browser extension, Windows Defender Application Guard, is already part of Microsoft’s Edge browser and will be rolled out as part of the next Windows 10 update ‘April 2019’ or 19H1 in the Spring.  It is currently being tested among Windows Insiders and will be available to Windows 10 Pro or Enterprise users when it goes live.

How Do You Use It?

When installed, users see a Windows Defender Application Guard landing page when they open their Chrome or Firefox browser. When the Firefox or Chrome user tries to access an untrusted web page / non-whitelisted URL, the new extension will work by loading a special isolated Edge tab (Windows Defender Application Guard page), not a tab in Firefox or Chrome. The sandbox page can also be initiated by the user at any time by toggling a switch in the menu settings.

Enterprise-Wide

Once the extension has been established by an enterprise network administrator it can be applied on devices across an entire company and configured by network isolation or application.  The enterprise administrator defines which web sites, cloud resources, and internal networks can be trusted, and everything that is not on this list is, therefore, considered untrusted.  In this way, it can isolate enterprise-defined untrusted sites eliminating any risk of opening potentially malicious apps on a work machine and protecting the company while employees browse the Internet.  With Windows Defender Application Guard there is less need to operate a fully-fledged virtual machine.

Why?

The new extension is part of a broader move by Microsoft to provide more convenient and secure features for its Enterprise and Pro users.

Types of Devices

The Windows Defender Application Guard was designed by Microsoft to work on enterprise desktops domain-joined and managed by the organisation, enterprise mobile laptops and BYOD mobile laptops, as well as personal devices that are not domain-joined or managed by an organisation.

What Does This Mean For Your Business?

This new extension of an existing Microsoft Edge security feature to Chrome and Firefox browser users gives enterprise admins greater and wider control to protect the organisation from threats to its network and systems that may be invited by employees who happen to browse untrusted websites. The extension is also a value-adding addition to a growing suite of features that are designed to help keep and attract valued enterprise customers.

DNS Infrastructure Under Attack

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued a warning that the DNS infrastructure is facing an “ongoing and significant risk” and has urged domain owners to deploy DNSSEC technology.

ICANN

ICANN is one of the many organisations involved in the decentralised management of the Internet but is specifically responsible for coordinating the top-most level of the DNS in order to ensure that it can operate in a secure and stable way and maintain universal resolvability.

Attacks

According to ICANN’s statement, public reports indicate that the DNS infrastructure is facing “multifaceted attacks utilizing different methodologies”.  Examples of such attacks include replacing the addresses of intended servers with addresses of machines controlled by attackers.  The prevalence of so-called “man in the middle” attacks, where a user is unknowingly re-directed to a potentially malicious site is of particular concern.

Cisco’s Talos Intelligence blog has highlighted how this type of attack has been carried out on a grand scale by some international players.  For example, the blog reports how Lebanon and the United Arab Emirates (UAE) have been targeting .gov domains, as well as a private Lebanese airline company.  The attackers used two fake, malicious websites containing job postings via malicious Microsoft Office documents which had embedded macros. The malware, dubbed “DNSpionage”, supported HTTP and DNS communication with the attackers.

The Cybersecurity and Infrastructure Security Agency in the US has also been forced to order federal agencies to act against DNS tampering.

DNSSEC

One of the main ways that ICANN and Internet companies like Cloudflare and Google are suggesting that DNS-focused attacks can be countered is through the deployment of DNSSEC technology by domain owners.   Domain Name System Security Extensions (DNSSEC) has been described as a suite of Internet Engineering Task Force (IETF) specifications.  DNSSEC was designed to protect Internet resolvers/clients from forged DNS data, and it complements other technologies e.g. Transport Layer Security (usually used in HTTPS) that protect the end user/domain communication.  In essence, it cryptographically signs data to make it much more difficult to forge.

Low Adoption Rate

One of the reasons why DNS-focused attacks are so prevalent may be that the adoption rate of DNSSEC is so low – around 20%.  In fact, according to Cloudflare, only 3% of the Fortune 1,000 are using DNSSEC.

What Does This Mean For Your Business?

It is good that ICANN has identified this threat as this will now facilitate greater discussion and action and may motivate more domain owners to look into and adopt DNSSEC, hopefully across all unsecured domain names.  Although full deployment of DNSSEC is not the ultimate answer, it may go a long way towards drastically reducing the current threat.

ICANN has produced a helpful checklist of recommended security precautions that members of the domain name industry e.g. registries, registrars, resellers, and others, can proactively take to protect their systems, their customers’ systems and any that could be reached via DNS.  You can find the checklist here: https://www.icann.org/news/announcement-2019-02-15-en

Crypto-Mining Apps Discovered in Microsoft Store

Security researchers at Symantec claim to have discovered eight apps in the Microsoft Store which, if downloaded, can use the victim’s computer to mine crypto-currency.

Only There For A Short Time Last Year

The suspect apps are reported to have only been on the Microsoft Store for a short time between April and December 2018, but it is thought that they still managed to achieve significant download numbers, as indicated by nearly 1,900 ratings posted for the apps.

Which Apps?

The suspect apps, in this case, are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search apps.  These apps have now been removed from the Microsoft Store.

What Is Crypto-currency Mining?

‘Crypto-currency mining’ involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the web page visitor or often the website owner. Multiple computers then join their networks so that the combined computing power can enable mathematical problems to be solved. Whichever scammer is first to solve these problems is then able to claim/generate cash in the form of crypto-currency, hence mining for crypto-currency.

Crypto-currency mining software tends to be written in JavaScript and sends any coins mined by the browser to the owner of the web site. If you visit a website where it is being used (embedded in the web page), you may notice that power consumption and CPU usage on your browser will increase, and your computer will start to lag and become unresponsive. These slowing, lagging symptoms will end when you leave the web page.

Mining For Monero

In the case of the eight suspect apps, they had been loaded with a script that had been designed to mine the ‘Monero’ crypto-currency.  Monero, which was created in April 2014 is a decentralised cryptocurrency that uses an obfuscated public ledger.  This means that anybody can broadcast or send transactions, but no one outside can tell the source.

How?

The secret mining element of the eight suspect apps worked by triggering Google Tag Manager (GTM) in their domain servers as soon as they were downloaded.  The GTM, which was shared across all eight apps, enabled them to fetch a coin-mining JavaScript library, and the mining script was then able to use most of the computer’s CPU cycles to mine Monero.

GTM – Legitimate

GTM is usually a legitimate tool that is designed to enable developers to inject JavaScript dynamically into their applications.  In this case, however, it had been used as a cloak to conceal the malicious purpose of the apps.

Not The First Time

This is not the first time that suspect apps have been discovered lurking in popular, legitimate app stores. Back in January, for example, security researchers discovered 36 fake and malicious apps for Android that can harvest a user’s data and track their location, masquerading as security tools in the trusted Google Play Store. The apps, which had re-assuring names such as Security Defender and Security Keeper, were found to be hiding malware, adware and even tracking software.

Also, back in November 2017, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

This is not the first time that apps which perform legitimate functions on the surface, and are available from trusted sources such as the Microsoft Store, have been found to have hidden malicious elements, in this case, mining scripts.  The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. The increasingly sophisticated activities of crypto-jackers and other cyber-criminals, combined with a global shortage of skilled cyber-security professionals to handle detection and response, have left businesses vulnerable to this kind of hidden app-based threat.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Microsoft and Google don’t always seem to be able to detect the hidden aspects of some apps.

The fact that many of us now store most of our personal and business lives on our smartphones makes reports such as these more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Microsoft Store.

Some of the ways that we can try to protect ourselves and our businesses from this kind of threat include checking the publisher of an app, checking which permissions the app requests when you install it, deleting apps from your phone that you no longer use, and contacting your phone’s service provider or visiting the High Street store if you think you’ve downloaded a malicious/suspect app.

Also, if you are using an ad blocker on your computer, you can set it to block specific JavaScript URLs related to crypto-mining, and some popular browsers also have extensions that can help e.g. a browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).  Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current crypto-currency mining threats and scams and what to do to prevent them, are just some of the other ways that you can maintain a basic level of protection for your business.

Scooter Hack Threat

An investigation by researchers at Zimperium® found a security flaw in the Xiaomi M365 electric scooter (the same model that is used by ridesharing companies) which could allow hackers to take control of the scooter’s acceleration and braking.

Xiaomi M365

The Xiaomi M365 is a folding, lightweight, stand-on ‘smart’ scooter with an electric motor that retails online for around £300 to £400. It is battery-powered, with a maximum speed of 15 mph, and features a “Smart App” that can track a user’s cycling habits, and riding speed, as well as the battery life, and more.

What Security Flaw?

The security flaw identified by the Zimperium® researchers lies in the Bluetooth connection that lets users interact with the scooter’s features via an app, e.g. to use its Anti-Theft System or to update the scooter’s firmware. Each scooter is protected by a password, but the researchers discovered that the password is only needed for validation and authentication by the app: commands sent to the actual scooter are still executed without the password.

The researchers found that they could use the Bluetooth connection as a way in.  Using this kind of hack, it is estimated that an attacker only needs to be within 100 meters of the scooter to be able to launch a denial-of-service attack via Bluetooth which could enable them to install malicious firmware.  This firmware could be used by the attacker to take control of the scooter’s acceleration and braking capacities. This could mean that the rider could be in danger if an attacker chose to suddenly and remotely cause the scooter to brake or accelerate without warning.  Also, the researchers found that they could use this kind of attack to lock a scooter by using its anti-theft feature without authentication or the user’s consent.
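The flaw described above, reduced to its pattern, as an added example that is not taken from the article or from Xiaomi's firmware: a device-side command handler that relies on the app to have checked the password, beside one that checks it on the device before every privileged command. The command names, result codes and sample password are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical command set, not the scooter's real protocol. */
enum cmd { CMD_AUTH = 1, CMD_LOCK = 2, CMD_FW_UPDATE = 3 };
enum result { R_OK, R_DENIED, R_BAD };
struct session { bool authed; };          /* one per Bluetooth connection */
static const char DEVICE_PW[] = "482915"; /* constructed sample value */

/* Fixed-length compare: no early exit, so timing does not reveal
   how many leading bytes of a guess were correct. */
static bool pw_equal(const uint8_t *p, size_t n) {
    size_t want = sizeof DEVICE_PW - 1;
    uint8_t diff = (uint8_t)(n != want);
    for (size_t i = 0; i < want; i++)
        diff |= (uint8_t)((i < n ? p[i] : 0) ^ (uint8_t)DEVICE_PW[i]);
    return diff == 0;
}

/* Flawed pattern: the device acts on any known command because the
   password is only ever checked inside the app. */
enum result handle_app_side_only(struct session *s, uint8_t cmd,
                                 const uint8_t *arg, size_t n) {
    (void)s; (void)arg; (void)n;
    return (cmd >= CMD_AUTH && cmd <= CMD_FW_UPDATE) ? R_OK : R_BAD;
}

/* Hardened: the device gates every privileged command on session state. */
enum result handle_device_enforced(struct session *s, uint8_t cmd,
                                   const uint8_t *arg, size_t n) {
    switch (cmd) {
    case CMD_AUTH:
        s->authed = pw_equal(arg, n);
        return s->authed ? R_OK : R_DENIED;
    case CMD_LOCK:
    case CMD_FW_UPDATE:
        return s->authed ? R_OK : R_DENIED;
    default:
        return R_BAD;
    }
}

int main(void) {
    struct session s = { false };
    printf("app-side only:   %d\n", (int)handle_app_side_only(&s, CMD_LOCK, NULL, 0));
    printf("device enforced: %d\n", (int)handle_device_enforced(&s, CMD_LOCK, NULL, 0));
    return 0;
}
```

Device-side password checking only closes the gap the article describes; a production design would also verify a signature on any firmware image before flashing it.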

Told The Company

The researchers made a video of their findings as proof, contacted Xiaomi and informed the company about the nature of the security flaw. It has been reported that Xiaomi confirmed that it is a known issue internally, but that no announcement has been made yet about a fix.  The researchers at Zimperium® have stated online that the scooter’s security can’t be fixed by the user and still needs to be updated by Xiaomi or any 3rd parties they work with.

Suggestion From The Researchers

The researchers have suggested that, in the absence of a fix to date, users can stop attackers from connecting to the scooter remotely by using Xiaomi’s app from their mobile before riding and connecting to the scooter.  Once the user’s mobile is connected and kept connected to the scooter an attacker can’t remotely flash malicious firmware or lock the scooter.

What Does This Mean For Your Business?

This is another example of how smart products/IoT products of all kinds can be vulnerable to attack via their Bluetooth or Internet connections, particularly where there are password issues.  Usually, the risk comes from smart products from the same manufacturer all being given the same default password which the user doesn’t change.  In this case, the password works with the app, but it appears that the password isn’t being used properly to protect the product itself.

There have been many examples to date of smart products being vulnerable to attack.  For example, back in November 2017, German Telecoms regulator the Federal Network Agency banned the sale of smartwatches to children and asked parents to destroy any that they already have over fears that they could be hacked, and children could be spied upon.  Also, back in 2016, cyber-criminals were able to take over many thousands of household IoT devices (white goods, CCTV cameras and printers), and use them together as a botnet to launch an online DDoS attack (Mirai) on the DNS service ‘Dyn’ with global consequences i.e. putting Twitter, Spotify, and Reddit temporarily out of action.

Manufacturers of smart products clearly need to take great care in the R&D process to make sure that the online security aspects have been thoroughly examined. Any company deploying IoT devices in any environment should also require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to specific and measurable criteria.  In the mobile ecosystem and in adjacent industries, for example, the GSMA provides guidelines to help with IoT security.

As buyers of smart products, making sure that we change default passwords, and making sure that we stay up to date with any patches and fixes for smart products can be ways to reduce some of the risks.   Businesses may also want to conduct an audit and risk assessment for known IoT devices that are used in the business.