If you are a long-time reader of this blog, you’ll know that while the majority of our focus is on business technology, I like to keep an eye on all technology, especially issues that can affect our quality of life and personal safety. Hondas are very popular (even here in Los Angeles where it seems like every 3rd car is a Tesla) and according to at least one statistics website, Honda accounts for between 8-9% of the U.S. car market in 2020 and 2021, and the Honda CR-V is near the top of the list of best-selling vehicles for the past several years. It’s safe to say that there are probably millions of Hondas on the road right now, and apparently any that are accessed using a key fob are vulnerable to a hack that allows attackers to unlock car doors and remotely start engines if the car has that capability.
What this means for you
If you own a Honda, you may want to give this article a read, which was based a relatively unknown vulnerability dubbed “Rolling-PWN” by the researchers/hackers that discovered it. The vulnerability is documented and published in the National Vulnerability Database run by the National Institute of Standards and Technology, which is about as official as you can get in terms of documenting vulnerabilities. Despite this, Honda has yet to confirm or even acknowledge the issue. Which also means that there is very little you can do about it other than the following:
- Reconsider what sort of valuables you keep in your car, even if you don’t drive a Honda. This particular hack may not be limited to just Honda according to the researchers. It just happens to be the manufacturer they’ve tested and confirmed vulnerable across multiple years and models.
- Even though they may be able to start the car, they can’t drive the car because they can’t exploit the proximity requirements of the key fob…yet. Regardless, if you park your car in a garage, make sure that it is well ventilated. Carbon monoxide kills, and some prankster might put you in real danger by leaving your car running for hours in garage with poor ventilation.
- Perhaps write a letter to your local congress-critter (Representative and Senator) asking them to look into Honda’s seeming disregard for a significant security issue. If you are friendly with a local Honda dealership (because you own a Honda and use them for service), you could also stop in and show them the article and a link to the exploit on the official government website of vulnerabilities as well. If enough of us raise our voices, perhaps some of these big companies will take notice!
Back when the internet was relatively new and essentially unspoiled, there was a great deal of hype around the “connected home” which was to include every major appliance, all of your entertainment electronics, home lighting, environmental controls, and security. Everything it would seem, including toilets, which some manufacturers are still trying to make happen in 2018. One thing that had zero trouble becoming extremely popular is the internet-connected security camera, which has exploded in growth (as predicted) and shows no signs of stopping as the devices become more affordable and easy to install. The downside, of course, is that the low-cost comes at a price, which is most often achieved through poor quality control. Back before the days of solid-state everything, this used to mean shoddy wiring and terrible video resolution, but now, unfortunately, it seems to be coming at the cost of proper security.
Peekaboo, I hack you!
Once again, an overseas firmware manufacturer in Taiwan has announced that a recent version of its firmware used in an undetermined number of camera models has two significant bugs that, when exploited, can lead to complete root-level control of the device, which, in laymen terms means, “all your cameras are belong to us!” Any device, inside your network, that can be compromised and controlled by an outside, unauthorized agent is the very definition of bad news. Early estimates put the number of affected cameras at 180,000 to 800,000, which is really shorthand for “we don’t really know how many devices are impacted,” and is based on the list of partners the company released that might be affected by this vulnerable firmware. While the firmware maker was quick to issue a fix, the patch itself would need to be applied manually, and it’s not clear how that fix would be distributed, nor how the camera owner would be notified.
At the moment, there is no list of affected camera models, so unless your specific IP camera actually tells you what firmware it is using in the built-in web interface (most of them don’t), you can’t even check for yourself. You will have to wait to see if your camera manufacturer issues an update for your device. And let’s be frank, most folks, even yours truly, aren’t watching for firmware updates for our IP cameras, and I would hazard a guess that most owners of the consumer-grade IP cameras likely affected by this vulnerability haven’t even registered their ownership with the camera manufacturer, so unless you (1) know the model of the installed camera and (2) go look up on the manufacturer’s website to see if an update even exists, it’s likely you will never know if your camera is vulnerable until after it’s been hacked. Unfortunately, we have enough trouble keeping our computers and mobile devices up to date without having to keep track of the growing Internet of Things, but sadly, it looks like this is exactly what our next challenge will be.
Researchers from security firm Check Point announced at this year’s DefCon security conference that up to 900 million smartphones may be vulnerable to a set of up to 4 vulnerabilities that appear in Qualcomm-powered devices. Discovered earlier this year and reported to the manufacturer, Qualcomm has since published fixes, but not all manufacturers have pushed these fixes to all the affected models, including Google’s own Nexus line which normally has a reputation for being kept more current than most Android devices.
What this means for you:
Based upon the affected Qualcomm chipset impacted by these four vulnerabilities, the following models are impacted:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
To find out if your phone is affected by the vulnerabilities, you can run this app on the Google Play Store: QuadRooter Scanner. Buyer beware: the app developer is very transparently marketing its mobile protection app through the publicity surrounding their discovery. I don’t begrudge them the opportunity – after all they did the hard work to discover these flaws, but I didn’t install their software as I am confident I can keep my device safe, and I’m sceptical of mobile security apps in general. If the app reports that you are vulnerable, it will state which CVE’s are still unpatched on your device. You have a few options at this point:
- Check to see if any outstanding OS updates are available to be installed on your device. Where this is shown will vary depending on your phone’s manufacturer, but typically it will be found in “Settings”
- Avoid “side-loading” apps from dodgy sources. Only install apps from the Google Play store and nowhere else. Even then, think twice and read the reviews on any new apps, especially ones that seem to be very new – hackers have been known to sneak malicious apps onto the Play Store for a short while before being detected and removed.
- As usual, avoid opening strange emails, URLs and attachments on your device.
- Send an email to your device manufacturer asking them when they plan to patch the vulnerabilities on your phone. The more people that write in, the more likely the manufacturer will move faster on deploying the fixes.
Just when you think Microsoft might have its act together security-wise, some clever/persistent security researcher will do their damndest to shatter your fledgling comfort with the latest exotic bug. In this case, the bug has been around since 1997 – it’s so old it’s officially Bug #4 in Internet Explorer. As in the fourth bug discovered in Internet Explorer, ever. And never fixed! Sadly, this negligence has arisen as a critical security flaw in both Windows 8 and 10, and could lead to your Microsoft Live account being exposed.
What this means for you:
This flaw does not affect the following:
- Windows 7,
- Windows 8 or 10 computers attached to a domain,
- Windows 8 or 10 computers accessed via local accounts,
- Windows 8/10 users who do not use Internet Explorer, Edge or any version of MS Outlook.
The people who fall into #2-4 are what I would call a “select” demographic, which is to say that it’s more likely you are using Windows 8 or 10 with a Live account. Via trivial exploit, a hacker could obtain your login and a hashed version of your password, and depending on how complex that password is, that hash could be cracked in less than a minute, meaning your Live account is now fully compromised. In case you weren’t sure what Live accounts can do, they give you a wide variety of access to Microsoft services including OneDrive, Skype, MS Office, and XBox Live to name a few, not to mention your actual computer, should the hacker somehow gain access to your local network or the device itself.
Before you start panicking, there is a (relatively) simple solution: change your password and switch your Live account to use 2-factor authentication. This won’t change how you log into your computer, but it will force anyone trying to use your credentials elsewhere online from using them without that second authorization that 2-factor provides, even if they manage to steal your password again. To really circumvent this bug from impacting you, switch to using a local account on your computer, or to stop using IE/Edge and Outlook until Microsoft fixes this ancient, but dangerous bug.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In case you are new here, let me catch you up on the primary purpose of this blog. My objective is to scare you into being more secure with technology. It doesn’t always work – one person’s phobia is another’s fetish, but this one ought to give you pause. A white hat security hacker has uncovered a bug in Symantec Antivirus that would allow for an almost trivial exploitation of its scanning engine to actually compromise the computer its supposed to be protecting. And this bug exists across all three major operating systems – Windows, OSX and Linux – something that is very rare in any type of software. Not worried yet? A victim doesn’t even need to open an infected file because Symantec will do it for them when it scans the file in your email, or scans a link in your web browser. Just touching a file designed to exploit this bug will cause a memory buffer overflow, which is tech-speak for “OK malware, I’m puckering up so you can plant a big haymaker right in my kisser.”
What this means for you:
If you don’t use Symantec or Norton products for malware protection, carry on and enjoy that feeling of schadenfreude most technology users rarely experience. If you do use either of those products, Symantec has already patched this bug, and if your software is set to update automatically, it should no longer be a problem. There in lies the rub: do you know if your antivirus is up to date? How many of you have been ignoring the little warning flags your AV has been waving at you from the corner of your screen, “Hey, I need to update but I can’t for some reason!” Do you know how to make sure your antivirus is updating regularly? By the way, “regularly” means daily, if not multiple times a day. Zero-day exploits are sometimes seen within hours of an vulnerability being published. Security companies like Symantec stake their reputation on reacting quickly, but they can only lead your computer to the update river. You need to make sure it’s drinking deep, daily. Not a software update wrangler by trade? Well it just so happens I know someone who is, pardner.
You wouldn’t let your business be run by amateurs, why would you leave your technology to anyone less that an experienced professional?
For those of us old enough to remember the cartoon, I’m willing to bet that at least a few of us are still holding out hope for a Jetson’s future, complete with personal jetpacks, flying cars and fully automated homes. We’re getting closer on the car and jetpack thing, but it seems we have some way to go on the home automation, despite it being around in some form for decades now. Samsung’s SmartThings platform has been around for a few years now and the continuing permeation of mobile devices across all aspects of our daily lives has led to some amazingly convenient but woefully insecure home automation systems. Researchers at University of Michigan have demonstrated several security vulnerabilities in internet-connected door locks, fire alarms and lighting systems to name a few. At the moment, using the Internet of Things to upgrade your home may actually downgrade your security.
What this means for you:
Despite the technology being available for several years, most Americans have only just begun to discover a small glimmer of a Jetson-esque future. This is due to a combination of factors that include price, complexity and a (justifiable) lack of trust in remote control devices to secure their most prized (and pricey) investments. Even Silicon Valley darling Nest (now owned by Alphabet née Google) suffered multiple PR setbacks via highly-publicized bugs, failed hardware and canceled products. As such, these products and others like Samsung’s SmartThings are only just starting to realize enough critical mass in the market to capture the attention of security researchers. For now, the University of Michigan researchers are cautioning against using the SmartThings platform wherever security is a paramount concern. I don’t know about you, but as far as this homeowner and business-owner is concerned, my house and office can stay dumb for the moment. I already have problems with phones that are too smart for their own good.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
During it’s heyday, Apple’s QuickTime software was arguably hailed as the king of digital video. Though there were many competitors (remember Real video?) Apple’s codec reigned supreme in both editing as well as playback for many years, making Apple’s Mac computers the defacto standard in high-end digital video editing. Not unwisely, Apple realized the untapped market potential on the Windows side of the fence, and released a version of QuickTime for Windows 3.1 in 1996, and has steadily iterated on the platform through last year, though its use has declined steadily since the rise of streaming web video. Apparently usage has fallen off so dramatically that Apple recently announced it was no longer supporting the Windows version of QuickTime, hot on the heels of the announcement by US-CERT that the latest version of QuickTime for Windows had two significant zero-day vulnerabilities.
What this means for you:
Because I know you, I won’t bore you with the how the zero-days work, just know they are serious enough for the Department of Homeland Security to issue an alert. It’s not likely you will have Apple’s QuickTime software installed on your late-model business computer, but if you own an older computer at home (5-6 years old), and you’ve installed iTunes on that computer you probably have QuickTime is installed as it was bundled into iTunes as recently as 2011. If you happen to be in the relatively narrow demographic of digital video editor using Windows and Adobe’s Creative Cloud suite, you might also have QuickTime installed as it’s a requirement for certain video editing formats.
Either way, if you have it installed, remove QuickTime immediately. Apple has no plans to patch the vulnerabilities, and even though there are no known exploits in the wild as I write this, you can bet the high profile exposure has already triggered a wave of malicious programming. The easiest way to determine if QuickTime is installed is to go to Control Panel -> Programs & Features -> Uninstall Programs and scan through the list for “QuickTime” (not Apple QuickTime, like you might think). On older OSes you might have to look in Control Panel -> Add/Remove Programs. While you are there, you can look for other old programs you don’t use anymore and remove them in the spirit of spring cleaning.
Due to a vulnerability in Android’s implementation of MMS, nearly one billion smartphones and tablets could be impacted by a security weakness known as Stagefright. In a nutshell, an attacker exploiting this vulnerability could send an MMS message with an infected attachment that could literally take over your device without you knowing it. Even though Google has released a fix for this vulnerability none of the major carriers and manufacturers have pushed the update to the affected devices, including Google’s own Nexus devices, which are due to be patched next week.
What this means for you:
This vulnerability can affect you even if you don’t open an infected MMS attachment, which could appear as a picture, movie or just about anything that can be attached to an SMS message. Stagefright’s actual purpose is to provide you with the thumbnail preview of the attachment in your SMS application, so having the attachment appear while scrolling through your messages would be enough to get infected. Regardless of what app you use to view MMS messages on your Android device, the only way to combat this attack is to prevent your device from automatically downloading MMS attachments. In Google’s default SMS application Hangouts, this is accomplished by doing the following:
- With Hangouts open, tap the Menu icon (3 horizontal lines in a stack) in the upper left corner.
- Tap the “Settings” icon (looks like a gear)
- Tap “SMS” (usually at the bottom of the list, below “Add Google Account”)
- Scroll down to “Auto retrieve MMS” and uncheck that box.
If you aren’t using Hangouts to view your SMS and MMS, make sure you check with the software developers to find out if disabling this option is possible in their app. I was previously using ChompSMS as my messaging app, and this option was NOT available, so I immediately switched back to Hangouts.
Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the Swiftkey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.
What this means for you:
This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.
Chinese computer manufacturer Lenovo (IBM’s former hardware division) is making headlines this month, but not the kind that most companies covet. Until as recently as January 2015, Lenovo has shipped a large number of computers with pre-installed software from adware company Superfish. In and of itself, this isn’t an uncommon practice – hardware manufacturers commonly reduce manufacturing costs for their consumer products by striking deals with various companies who pay to have their software installed on brand-new computers. As initially reported by security researcher Marc Rogers, the Superfish partnership was a bad one for Lenovo, not only because the software itself was already notorious for being adware, but also because it compromises the built-in security of your computer’s SSL protocols to do its dirty work. Lenovo initially tried to downplay the problem, but pressure from the security community and the resulting media attention has since caused Lenovo to reverse its position 180 degrees. The CTO apologized in an open letter, and the company has issued a fix that completely removes the vulnerable software.
What this means for you:
Unless you are really into the technical details, the “what” and “how” of the Superfish vulnerability is much less important than the “why” and the “who”. In this case, we know why Lenovo installed Superfish – presumably they benefitted financially in some fashion. The real problem behind this fiasco is that Lenovo (a “trusted” brand – I use a Yoga 3 while I’m out seeing clients) missed the security flaws in this arguably useless piece of software and endangered thousands of its customers for no other reason than to make a buck. Can any hardware manufacturer be trusted to have our security in mind when making and selling their products? If the most recent NSA hard drive firmware scandal is to be believed, I’d say the answer is a resounding “no”. As we’ve seen with numerous other industries, when a company is held more accountable to shareholder profit (or “patriotic” duty?) than to consumer wellbeing, the only person we can trust is ourselves.
Unfortunately, manufacturers like Lenovo, Dell and HP have made a bed that is now very uncomfortable in which to lie. Their practice of installing “bloatware” on their equipment have driven prices down to a level that may be very difficult to maintain if they can’t lean on the dollars gained by these pre-installed software deals. At minimum, they’ll have to be much more discerning on what they pre-install, which, in turn, will drive up costs and narrow their margins even further.