Credit to Author: Lily Hay Newman, Andy Greenberg | Date: Sat, 14 Dec 2019 14:00:00 +0000
Telegram hacks in Russia, Senate encryption hearings, and more in the week’s top security news.
After months of scandals around the security camera Ring and its controversial partnerships with law enforcement, perhaps it was inevitable that the Amazon-owned company would face a far more common sort of scandal for sellers of internet-connected consumer surveillance devices: They can be hacked. After an extremely creepy incident in which hackers cracked a Ring camera inside a child's bedroom and used it to talk to three young girls, it's clear that Ring doesn't just raise questions over how consumers should share their devices' surveillance data with the police. It's also a quintessential example of the broader problem of people putting insecure internet-of-things devices into their most private spaces.
And Ring wasn't the only one caught up in a child surveillance scandal lately. So was Toys "R" Us, which is back after its bankruptcy and stood accused of surveilling children after reports about its use of high-tech sensors to track shoppers around stores. The company behind those sensors, however, claims that the cameras are designed not to register people shorter than 4 feet tall.
Meanwhile, another long-running surveillance story—the FBI inspector general's investigation into the origins of its own Trump-Russia probe and the FISA-enabled monitoring of Trump staffer Carter Page, who was suspected of ties to Russia—concluded in a 500-page report that exculpated the FBI of any partisan political motivations in the probe while also pointing out serious flaws in its adherence to legal protocols. Another equally complex surveillance scare is coming to a head, as rural US wireless providers are resisting an FCC proposal to remove all gear from American telecom networks sold by the Chinese firm Huawei, citing spying fears.
Elsewhere in the security world, researchers across half a dozen universities warned that Intel chips are vulnerable to a technique that fiddles with their voltage to make them spill their most well-protected secrets. And a bitcoin scheme allegedly lured in consumers with promises of a stake in a cryptocurrency mining operation to assemble a $722 million pyramid scheme.
And there's still more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
With tensions still high in Iran after weeks of public protests, hackers published 15 million bank debit card numbers from customers of Iran's three largest banks on social media this week. The breach impacts almost a fifth of Iran's total population. Iranian information and telecommunications minister Mohammad Javad Azari Jahromi said that the breach was the work of a rogue contractor who abused his financial system access to steal the data and then posted it as part of an extortion scheme. If that explanation holds, the banks' systems weren't hacked from outside but were compromised by someone with legitimate access, though the breach is still a major one. Outside analysts suggest, however, that a breach of this scale may actually have been the result of nation-state hacking targeting Iran during a period of intense instability.
US authorities are investigating former White House and intelligence staffers who conducted espionage and hacking operations for the United Arab Emirates after leaving their US government positions. Reuters has reported previously on the group, known as Project Raven to its American participants and DREAD, or Development Research Exploitation and Analysis Department, in the UAE. The group formed a contract espionage firm in 2008 to help the UAE spy on targets including journalists, dissidents, terrorists, and human rights activists. In some cases, targets Project Raven members spied on were arrested or deported from the UAE and allegedly tortured in their home countries, such as Saudi Arabia. American participants in Project Raven became increasingly concerned that the work they were being asked to do by the Emiratis was targeting groups or people with US ties, potentially crossing a hard line.
In Russia, a rash of Telegram account breaches has led some researchers to believe that hackers are gaining access through telephony network hacking. The compromised accounts were protected by two-factor authentication, so attackers would have needed the username and password, plus a special one-time code sent in an SMS message. The fact that multiple accounts have been breached may indicate that attackers have access to the SMS messages at a network level, perhaps through known flaws in a ubiquitous telephony protocol known as SS7.
The drone platform Dronesense left a database of user information exposed and accessible—a problematic mistake, but especially significant because Dronesense has government and law enforcement customers. For certain clients, the data revealed flight paths some drones took. Motherboard, which obtained samples of the data, was able to plot out drone courses, including a "Mapping Mission" seemingly to take photographs over a residential Washington, DC, neighborhood, a flight over an apartment building and parking lot in Atlanta, Georgia, and a "disaster assessment" over an unknown playground. The database seems to include data from organizations like the US Army Corps of Engineers, Atlanta Police Department, and City of Coral Springs.
In a Senate Judiciary Committee hearing on Tuesday, lawmakers pressed Facebook and Apple representatives on the limits of law enforcement visibility into data on end-to-end encrypted services. They especially emphasized the need to access data related to child exploitation cases following a Department of Justice conference on the topic in October. Facebook has been under pressure from US law enforcement for months, since announcing earlier this year that it will add end-to-end encryption to its messaging services. Facebook-owned WhatsApp already offers the data protection.
Similarly, Apple has come under repeated scrutiny, because its operating systems and devices are designed so that if a device is locked with a passcode or biometric there is no way to unlock it without that authentication. For years, law enforcement has pushed Apple to create an access tool for searches with a warrant, including a memorable showdown in 2015. At the Senate hearing, the Facebook and Apple representatives and independent researchers all testified that adding backdoors to the encryption schemes in their services would undermine the utility and efficacy of the protections and expose all of their users to threats from nation-state hackers, criminals, or other rogue actors.