Flaws in 4G/5G Networks Could Let Hackers Track Your Location

According to researchers, flaws in both 4G and 5G cellular networks could let hackers pinpoint the location of any given smartphone.

An attack dubbed “Torpedo” exploits the way phones handle paging messages when they receive calls or texts. By placing and cancelling several calls to a target device within a short time, an attacker can make the device trigger paging messages without alerting its owner. The scheme can be used not only to track location but also to hijack a paging channel and inject or block paging messages, even denying someone messages altogether.

Torpedo can be the gateway to two other exploits, nicknamed “Piercer” and “IMSI-Cracking.” Both can be used to expose a device’s IMSI (international mobile subscriber identity), the former on 4G networks and the latter on both 4G and 5G.

As a result, even 5G phones could be intercepted by Stingray-style tracking devices used by law enforcement, spy agencies and criminal groups. The equipment needed is said to cost as little as $200.

All four major U.S. carriers are vulnerable to Torpedo, one of the researchers said. The cellular industry has reportedly been notified about the threat.

E-ticketing flaw exposes passenger information to hackers

The e-ticketing systems of eight airlines, including Southwest Airlines and Dutch carrier KLM, have a vulnerability that could expose personal information and result in tampering with seats and boarding passes.

The exposed data could include the following:

  • Email addresses
  • First and last names
  • Passport or ID information — including the document number, the issuing country and the expiration date
  • Booking references
  • Flight numbers and times
  • Seat assignments
  • Baggage selections
  • Full boarding passes
  • Partial credit card details
  • Details of booking travel companies

Researchers at mobile security firm Wandera published a report highlighting a vulnerability found in the check-in emails delivered to passengers.

The issue stems from the use of unencrypted check-in links sent to passengers via email. When a person clicks the link, they are directed to a site where they can check in for their flight, make changes or print their boarding pass. An attacker who intercepts the link can then view and, in some cases, even change the victim’s flight booking details, or print their boarding passes.

Air France, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa also have this problem, according to Wandera.

“Wandera investigated the e-ticketing systems in use by over 40 global airlines,” said Michael Covington, the company’s VP of product.

Wandera gives vendors up to four weeks to provide a patch or relevant fix before publicly disclosing a vulnerability.

The company has been communicating with “some of the affected airlines” but has not been able to verify that any fixes have been implemented, Covington said.
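The report above only says the check-in links are unencrypted; the following added example (not Wandera's or any airline's code) shows the general defensive pattern an airline could apply: an HTTPS link carrying an opaque, short-lived, HMAC-signed token instead of the booking reference and passenger name. The domain, signing key and booking identifier are constructed placeholders.

```python
"""Check-in links: passenger identifiers in a plaintext URL versus an opaque, expiring, signed token.

Added example, not any airline's code. The link format, key and booking id are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import urlencode

LINK_SIGNING_KEY = b"constructed-link-signing-key"  # placeholder; a real key lives in a secret store
TOKEN_TTL_S = 24 * 3600  # links stop working after one day


def weak_checkin_link(booking_ref: str, last_name: str) -> str:
    """Anti-pattern: plaintext scheme, and everything needed to act on the booking sits in the URL."""
    return "http://checkin.example-air.test/?" + urlencode({"pnr": booking_ref, "lastname": last_name})


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_checkin_token(booking_id: str, now: float, ttl_s: int = TOKEN_TTL_S) -> str:
    """Bind an internal booking id (not the PNR) to an expiry and sign both."""
    payload = json.dumps({"bid": booking_id, "exp": int(now + ttl_s)}, separators=(",", ":")).encode()
    sig = hmac.new(LINK_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def hardened_checkin_link(booking_id: str, now: float) -> str:
    """HTTPS only, and the URL reveals nothing about the passenger or booking."""
    return "https://checkin.example-air.test/?t=" + issue_checkin_token(booking_id, now)


def verify_checkin_token(token: str, now: float):
    """Return the booking id if the token is well-formed, authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(LINK_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("bid")


if __name__ == "__main__":
    link = hardened_checkin_link("bk-42", now=1_000)
    print(link)
    print(verify_checkin_token(link.split("t=", 1)[1], now=1_001))  # bk-42
```

Because the token carries no passenger data and expires, a leaked or logged link is worth far less to an attacker than a plaintext URL containing the booking reference and surname, and the server still has to look the booking up by its internal id before showing anything.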

Cisco fixes serious DoS flaws in email security appliance

Cisco patched two serious denial-of-service (DoS) vulnerabilities in its email security appliances that can be exploited remotely without authentication.

One of the flaws, tracked as CVE-2018-15453, can be exploited by sending a specially crafted S/MIME-signed email through a targeted device, causing the appliance to reload and enter a DoS condition.

“If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again,” the company explained.

“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.”

The second flaw, tracked as CVE-2018-15460, can be exploited by sending a malicious email message that contains a large number of whitelisted URLs. A successful exploit drives CPU usage to 100% and can cause a sustained DoS condition that forces the affected device to stop scanning and forwarding email messages.

Both vulnerabilities were discovered by Cisco itself and there is no evidence of malicious exploitation.

Cisco this week also released 16 other advisories describing “medium severity” flaws affecting ASR routers, Webex, IOS, TelePresence, Prime, IP Phone, Jabber, Identity Services Engine, Firepower, Unified Communications Manager, and Policy Suite products.

Android malware steals money from victims’ PayPal account

ESET researchers have found a new Android Trojan hidden inside a battery optimization app that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.

This happens because, during installation, the app requests access to the Android “Accessibility” permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens it and logs in, the malicious accessibility service steps in to perform the transaction.

“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location,” ESET researcher Stefanko explained.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

This particular Trojan, bundled with the bogus battery optimization app, is distributed via third-party app stores, but the researchers also spotted five malicious apps with similar capabilities on Google Play, masquerading as tools for tracking the location of other Android users.

That malware concentrates on phishing credentials for the online banking services of several Brazilian banks, as well as on thwarting uninstallation attempts by AV or app manager apps.

The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will be unable to do anything to stop the transaction from being executed, as it all happens in a matter of seconds.

The only thing that will prevent the theft is if the user has insufficient PayPal balance and no payment card connected to the account.

Users who have installed the PayPal-targeting Trojan would do well to check if their accounts have been drained (the malware can repeat the stealing manoeuvre) and to report the unauthorized transactions to PayPal. Changing their Gmail and online banking passwords is also a good idea.

Australia passes new encryption laws that could force tech companies to offer access to encrypted messages

Australia has passed the encryption legislation, which means companies including Apple, Facebook and Google could be forced to “build new capabilities” to give authorities access to encrypted messages.

As reported by CNET, the legislation calls on companies to provide three levels of assistance to law enforcement and select government agencies:

  • Technical Assistance Requests: Companies provide voluntary assistance to aid certain agencies as they perform duties relating to “Australia’s national interests, the safeguarding of national security and the enforcement of the law.”
  • Technical Assistance Notices: Requires companies to provide assistance that is “reasonable, proportionate, practicable and technically feasible.” Providers are able to use existing means like encryption keys to decrypt communications.
  • Technical Capability Notices: Requires companies to build a new capability that enables them to provide assistance to law enforcement agencies and government bodies. The notice cannot force a provider to build or implement a capability to remove electronic protection, such as encryption.

Technical Assistance and Technical Capability Notices both require an underlying warrant or authorization, the bill reads.

Australian government officials have been cautious of using the word “backdoor,” but tech companies worry that the law is essentially a pathway for such tools. Speaking about the piece of legislation, Apple stated that it is “wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

What Apple and other tech companies also worry about is the precedent this could set for other countries. Apple has long opposed the idea of creating a backdoor for government officials, but this new Australian legislation could hurt Apple’s efforts around the world.

Google is shutting down Google+ following massive user data exposure

Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers.

According to the Wall Street Journal’s sources as well as documents reviewed by the publication, a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. An internal memo noted that while there wasn’t any evidence of misuse by developers, there wasn’t a way to know for sure whether any misuse took place. Google said that it also found no evidence that any of the developers behind the 438 applications that used the API in question were aware of the bug.

Though Google allows developers to collect Google+ profile information when granted access by users, a bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. It included static data fields such as name, email, occupation, gender and age. It did not include information from Google+ posts. The bug was patched in March 2018, but Google didn’t inform users at that point. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks,” the company said in a blog post. “That means we cannot confirm which users were impacted by this bug.”

Facebook finds ‘no evidence’ hackers accessed third-party apps with its Facebook Login

Facebook has said it’s found “no evidence” that third-party apps were affected by the data breach it revealed last week.

Hackers stole account access tokens for at least 50 million users by exploiting a chain of three vulnerabilities inadvertently introduced by Facebook last year. Another 40 million also may have been affected by the attack. Facebook revoked those tokens — which keep users logged in after they enter their username and password — forcing users to log back into the site again.

But there was concern that third-party apps, sites and services that rely on Facebook to log in — like Spotify, Tinder and Instagram — also may have been affected, prompting companies that use Facebook Login to seek answers from the social networking giant.

Facebook security VP Guy Rosen revealed that investigators “found no evidence” of the intruders accessing third-party apps with its Facebook Login feature. Some sites using the single sign-on also confirmed that there was no indication of a data breach on their end, although they’re not necessarily taking chances.

“We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week,” said Guy Rosen, in a blog post. “That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens,” he said.

Rosen acknowledged that not all developers use Facebook’s developer tools, so the social network is “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”
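Rosen's point is that sites which regularly re-validate the access tokens they hold were protected automatically by the reset. The added example below (not Facebook's code) shows what that server-side check looks like: it applies the `is_valid`, `app_id` and `expires_at` fields of the documented `/debug_token` introspection response and returns the users whose sessions must be ended. The app id, session store and the canned introspection responses are constructed so the example runs offline; in production `introspect` would call the real endpoint.

```python
"""Re-validate third-party login tokens server-side and log out users whose tokens were reset.

Added example, not Facebook's code. Response fields follow the documented /debug_token shape;
APP_ID, SESSIONS and the canned responses are constructed stand-ins.
"""
import time
from typing import Callable, Dict, List

APP_ID = "123456789012345"  # constructed placeholder for our app's id


def token_is_valid(introspection: dict, expected_app_id: str, now: float) -> bool:
    """Accept a token only if it is live, was issued for OUR app, and has not expired."""
    data = introspection.get("data", {})
    if not data.get("is_valid"):
        return False  # revoked or reset tokens come back with is_valid=false
    if str(data.get("app_id")) != expected_app_id:
        return False  # a valid token for some other app must not open a session here
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # expires_at == 0 means a non-expiring token
        return False
    return True


def reconcile_sessions(sessions: Dict[str, str], introspect: Callable[[str], dict],
                       expected_app_id: str, now: float = None) -> List[str]:
    """Check every stored session's token; return the user ids that must be logged out."""
    now = time.time() if now is None else now
    return [user_id for user_id, token in sessions.items()
            if not token_is_valid(introspect(token), expected_app_id, now)]


# Constructed sample data: a session store and a canned introspection oracle standing in
# for the real debug_token call (input_token=<user token>, access_token=<app token>).
SESSIONS = {"u1": "tok-live", "u2": "tok-reset", "u3": "tok-other-app", "u4": "tok-expired"}
_CANNED = {
    "tok-live": {"data": {"app_id": APP_ID, "is_valid": True, "expires_at": 2_000_000_000, "user_id": "u1"}},
    "tok-reset": {"data": {"app_id": APP_ID, "is_valid": False,
                           "error": {"code": 190, "message": "Session has expired"}}},
    "tok-other-app": {"data": {"app_id": "999", "is_valid": True, "expires_at": 2_000_000_000}},
    "tok-expired": {"data": {"app_id": APP_ID, "is_valid": True, "expires_at": 1_500_000_000}},
}


def fake_introspect(token: str) -> dict:
    """Offline stand-in for the introspection endpoint; unknown tokens are treated as invalid."""
    return _CANNED.get(token, {"data": {"is_valid": False}})


def run_example() -> List[str]:
    return reconcile_sessions(SESSIONS, fake_introspect, APP_ID, now=1_700_000_000)


if __name__ == "__main__":
    print(run_example())  # ['u2', 'u3', 'u4']
```

The `app_id` comparison matters as much as `is_valid`: a token that is perfectly valid for another application should never be accepted as a login to yours, and running this reconciliation on a schedule is exactly what made a token reset take effect for the sites Rosen describes.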

Security vulnerability in Apple’s DEP could allow full access to corporate networks

A security vulnerability discovered in Apple’s Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.

The DEP is a free service offered by Apple to allow new devices to be automatically configured with everything from custom apps to VPN settings.

The vulnerability may allow attackers to enroll any device into an organization’s Mobile Device Management server and, consequently, to obtain privileged access to the private resources of an organization or even full VPN access to internal systems.

The vulnerability was discovered by Duo Security researchers while probing Apple DEP’s security.

“Our research focused on the details of how some of the undocumented DEP APIs work, specifically those that are used by Apple devices to communicate and enroll with the DEP service. Through this research, we found that because of the way DEP is implemented, it only uses a device’s serial number to authenticate to the service prior to enrolment,” James Barclay, Senior R&D Engineer at Duo Labs, explained.

“Also, while Apple’s MDM protocol supports user authentication prior to MDM enrollment, it does not require it – meaning many organizations are currently protecting device enrollment with the serial number alone.”

Unfortunately, serial numbers of Apple devices are predictable and also often found online, and this info can be exploited to query the DEP APIs.

Apple was notified of the finding earlier this year but has yet to act on it.

The researchers recommended that Apple add strong authentication of devices going through the DEP enrolment process, rate-limit requests to the DEP APIs and limit the information returned by the API endpoints. Not relying on serial numbers as the sole authentication factor has also been put forward as a solution.
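To make the recommendations concrete, the following added example (not Apple's or Duo's code) contrasts a serial-only enrollment check with one that applies all three mitigations the researchers list: a second, device-bound factor provisioned out of band, a sliding-window rate limit per client, and a response that reveals nothing about whether a serial is known. The enrollment service, the inventory, the HMAC-based enrollment token and the serial numbers are hypothetical.

```python
"""Device-enrollment authorization: serial-only versus hardened.

Added example, not Apple DEP code. Service, inventory, token scheme and serials are hypothetical.
"""
import hashlib
import hmac
from collections import defaultdict, deque

ORG_ENROLL_KEY = b"constructed-org-enrollment-secret"  # placeholder; one secret per organization


def enrollment_token(serial: str, key: bytes = ORG_ENROLL_KEY) -> str:
    """Hypothetical second factor: a per-device token handed to the device out of band."""
    return hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_s-second window."""

    def __init__(self, max_requests: int, window_s: float):
        self.max_requests = max_requests
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and hits[0] <= now - self.window_s:  # drop requests that fell out of the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class EnrollmentService:
    def __init__(self, inventory: dict, limiter: SlidingWindowLimiter):
        self.inventory = inventory  # serial -> {"org": ..., "enrolled": bool}
        self.limiter = limiter

    def weak_authorize(self, serial: str) -> bool:
        """The pattern the researchers criticised: a guessable serial is the whole secret."""
        return serial in self.inventory

    def hardened_authorize(self, serial: str, presented_token: str, client: str, now: float):
        if not self.limiter.allow(client, now):
            return "rate_limited", None
        device = self.inventory.get(serial)
        # Compute and compare even for unknown serials, so timing does not leak membership.
        token_ok = hmac.compare_digest(presented_token, enrollment_token(serial))
        if device is None or device["enrolled"] or not token_ok:
            return "denied", None  # one identical answer for unknown, used and mis-authenticated
        device["enrolled"] = True  # the token is one-shot
        return "ok", {"org": device["org"]}  # return only what the device needs to proceed


def demo():
    """Walk through both checks on a constructed inventory; returns the outcomes in order."""
    inventory = {"C02XX1234567": {"org": "example-org", "enrolled": False}}
    svc = EnrollmentService(inventory, SlidingWindowLimiter(max_requests=3, window_s=60))
    serial, good = "C02XX1234567", enrollment_token("C02XX1234567")
    return [
        svc.weak_authorize(serial),                                              # True: serial alone suffices
        svc.hardened_authorize(serial, "0" * 64, "attacker", now=0.0)[0],        # denied: wrong token
        svc.hardened_authorize("UNKNOWN000000", enrollment_token("UNKNOWN000000"), "attacker", now=1.0)[0],  # denied
        svc.hardened_authorize(serial, "1" * 64, "attacker", now=2.0)[0],        # denied: wrong token
        svc.hardened_authorize(serial, good, "attacker", now=3.0)[0],            # rate_limited: 4th try in 60 s
        svc.hardened_authorize(serial, good, "device", now=4.0)[0],              # ok: genuine device
        svc.hardened_authorize(serial, good, "device", now=5.0)[0],              # denied: token already used
    ]


if __name__ == "__main__":
    print(demo())
```

The three "denied" outcomes are deliberately indistinguishable: whether a serial is absent from the inventory, already enrolled, or presented with a bad token, the caller learns nothing, which is the "limit the information returned" recommendation applied to the enrollment endpoint itself.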

Twitter squashes security bug leaking direct messages since 2017

The team at Twitter has discovered and corrected a security bug within one of their developer APIs that has been leaking sensitive information sent via direct messages to business accounts.

According to Twitter, the company recently discovered a bug within its Account Activity API — a programming interface that allows business developers to source information regarding other accounts in real-time. The API feature is regarded as a source of premium information access that allows businesses to connect with customers and monitor social streams.

If you sent a direct message to a business account between May 2017 and September 10, 2018, it is possible that your information was unintentionally routed to a registered developer. Instead of your private information being shared only with the intended recipient, the developer of the platform used by the business may have also received its contents. Businesses that users may have interacted with include accounts for customer support, airlines, banks, and more.

The team at Twitter stresses that the data breach was fixed within hours of being discovered, but that still means that the bug ran for sixteen months without being detected. The company has also noted that the software glitch affected less than 1 percent of people on Twitter, but with Twitter having sixty-eight million active users as of early 2018, that could mean that up to approximately 680,000 people were affected.

Twitter has begun reaching out via in-app communication and website notices to any users who may have been compromised by the incident. The company’s policies require developer partners to dispose of any information that they may have unintentionally received. As expected, Twitter is hoping that developers will do the right thing and delete any intercepted messages.

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

Security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks and schools around the globe.

The vulnerability is a stack buffer overflow in the targeted software that opens the door to remote code execution. An attacker could use it to remotely access and take over accounts without authorization, and even take over networked cameras connected to the target device.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its GitHub page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue but the date was later pushed to September 18, when anyone with affected equipment can expect to see firmware version 3.9.0.1. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What makes matters worse with this vulnerability is that NUUO actually licenses its software to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world, and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.