Monthly Archives: March 2017

RESEARCHERS PROVE ABILITY TO HACK DEVICES USING SOUND WAVES

Yesterday, computer security researchers from the University of Michigan and the University of South Carolina proved they have discovered a way to hack into a device using sound ways. This newly found weakness allows them to control or influence devices through tiny accelerometers. Accelerometers are instruments that measure acceleration and are manufactured as dynamic silicon chip-based devices used to sense movement or vibrations known as microelectromechanical systems, or MEMS. They are used for navigating, determining the orientation of a tablet and calculating distance in fitness monitors. Accelerometers are standard in consumer products such as smartphones, Fitbits and automobiles.

In the paper highlighting the research, they demonstrate how they were able to add additional steps to a Fitbit monitor, as well as, play a “malicious” music file from a smartphone, demonstrating they can control the phone’s accelerometer. Kevin Fu, one author of the paper, stated, “It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words.” He went on to say, “You can think of it as a musical virus.”

In addition, research from the paper shows that with the toy car, they did not infiltrate the car’s microprocessor, but rather controlled the car by forcing the accelerometer to generate fake readings. Computer security researchers remarked that this is new insight into cybersecurity challenges in complex systems, which show how analog and digital components can interact in unpredictable ways.

Vinny Troia, CEO of NightLion Security commented, “as we see a heightened push to develop self-driving vehicles from numerous companies, undetected vulnerabilities, such as this one, that could allow an attacker to remotely control a self-driving vehicle is disturbing, but a reality that should be seriously considered.”

The computer security researchers will be presenting their findings at the IEEE European Symposium on Security and Privacy in Paris next month.

Tech Companies Comment on WikiLeaks’ Vault 7 Impact

Tuesday, WikiLeaks published “Vault 7”, a collection of about 10,000 CIA documents created between 2014 and 2016. These documents contain the CIA’s collection on specific software vulnerabilities.

Tech companies such as, Apple, Microsoft and Samsung were specifically mentioned in the documents, in regard to, security holes the CIA uses to hack into their specific smart devices. For example, The CIA can use Samsung’s Smart TV to listen to people even when the TV appears to be off. All three of these companies have addressed the security flaws mentioned and state that they are “looking into” them.

Apple commented late Tuesday, “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.” They went on to say, “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

The Vault 7 leak has brought to light new criticism of the CIA and other intelligence agencies’ practice of discovering security flaws in popular hardware and software, and failing to disclose the flaws to the manufacturers. Cybersecurity expert, Vinny Troia commented, “The CIA hiding the security holes in these devices from the manufacturers is frowned upon, however, what I really find to be irresponsible is what Wikileaks did. In one breath, they are saying ‘look at all of this technology that the CIA has to spy and harm everyone’, and on the other hand they are saying ‘here it is. Enjoy!’ Just proves the importance of detecting security weaknesses within your own network before they can be used by cyber criminals.”

Both the CIA and Trump administration have denied any comment on the authenticity of these files.

CloudPets’ Poor Security Leads to Millions of Childrens’ Voice Recordings Leaked

CloudPets’ Internet of Things (IoT) teddy bear leaked more than 2 million voice recordings of parents and children because of their poor database security. This is only the latest compromise to occur with children’s toys. In January, Germany issued a ban on its internet-connected doll, Cayla, and demanded parents destroy them. With the CloudPets leak, everyone’s fear of what the privacy risk to children is with these smart toys has been brought to life.

The breach was first reported on Tuesday in a blog post by Troy Hunt, a Microsoft guru who specializes in cloud and online security. Hunt informs that CloudPets’ data was saved to a MongoDB database on an Amazon-hosted service that was publicly available and required no authentication, not even a password. Hunt goes on to say that the database was filed by Shodan, a search engine known for finding connected things, and evidence shows that since December 25, 2016 the stored data had been accessed multiple times by multiple people. CloudPets’ parent company, Spiral Toys, was notified at least four times about the breach, however, Hunt explains that some attempts to contact the company failed due to dead email addresses. In any event, there is no way Spiral Toys was not aware of the leak due to evidence left from criminal ransom demands.

Although this is a wake-up call to parents, businesses can take a lot away from the CloudPets breach, explains cybersecurity expert, Vinny Troia, CEO of NightLion Security. “Many businesses have not taken cybersecurity as seriously as they should be, until it’s too late,” Troia continues, “they take shortcuts that do not properly protect them against cyber criminals, and then are floored when their system becomes compromised.” Troia goes onto to explain that today cybersecurity needs to be at the forefront of businesses’ minds or they are going to be the next Spiral Toys.

The CloudPets incident is only the most recent compromise involving IoT toys, but they are certainly not the last. Both businesses and parents need to take the proper steps to protect the user data and their children from the darker side of the cyber world.