Showing posts with label #IoT. Show all posts

Tuesday, September 10, 2019

GPS Tracker Bugs Kids... about 600,000 of them.

Serious security flaws in GPS trackers manufactured by a Chinese company have been found to expose location data of nearly 600,000 children and elderly, according to researchers from cybersecurity firm Avast.

T8 Mini GPS Tracker Locator
The researchers spotted the vulnerabilities in the T8 Mini GPS tracker and nearly 30 other models by the same manufacturer, Shenzhen i365 Tech.

...these devices expose all data sent to the Cloud, including exact real-time GPS coordinates, showed the findings revealed last week.

Further, design flaws can enable unwanted third-parties to spoof the location or access the microphone for eavesdropping.

The researchers estimate that there are about 600,000 of these unprotected trackers in use globally that are using the very generic default password of "123456". more

FutureWatch - Non-Public 5G Networks - Network Security via Isolation

The concept of non-public networks is nothing new -- yet the rise of the internet of things (IoT) and connected assets is driving more and more companies to investigate the opportunities that non-public 5G networks could offer them...  

Non-public 5G networks offer protection against industrial espionage. Data in non-public 5G networks is segregated and processed separately from public 5G networks. This ensures complete privacy protection of process- and production-related data. more

Wednesday, August 7, 2019

Security Director Alert: Check for Unsecured Wi-Fi Printers

A group of hackers linked to Russian spy agencies are using "internet of things" devices like printers and internet-connected phones to break into corporate networks, Microsoft announced on Monday. more

We see this vulnerability at approximately a third of the corporations where we conduct inspections. It is a very common issue. Very dangerous. 

Q. "So, why does this happen so often?"

A. When initially outfitting the office the IT Department usually does a good job of turning on encryption for Wi-Fi Access Points, and the things connecting to them. 

Later, someone decides they need their own printer. It arrives. It is plugged in. Nobody thinks about turning on the encryption.

Often, the Wi-Fi feature of the printer is not even used, but it's on by default. The company network is now subject to compromise.

The only way to know if you have this issue is to look for it. Have your IT Department check periodically, or have us do it, but do it. ~Kevin


Friday, May 10, 2019

From Those Wonderful Emperors of Espionage...

A popular GPS tracker used as a panic alarm for elderly people and to monitor children's whereabouts can be hacked to spy on users, researchers have warned.

The white-label location tracker, manufactured in China, is rebranded and sold by multiple UK companies - including Pebbell 2 by HoIP Telecom, OwnFone Footprint, and SureSafeGo.

"There were no signs from the device when this was activated or when you called in, turning this device issued to vulnerable people into a remote listening bug," said Fidus.

"This issue teamed with the location tracking abilities of the device allows you to conceive some pretty scary potential use cases."

The researchers also found it was possible to remotely reset the GPS tracker without needing a PIN, and kill signal to the device altogether, rendering it effectively useless.

Fidus estimates that there are at least 10,000 of these devices in use in the UK, and thousands more around the world.

The team has informed several of the device makers about the flaws, but there is no way to fix the vulnerabilities without recalling every device. more

Wednesday, May 1, 2019

This Week's Spy Headlines

  • Your smart TV is spying on you. Here's how to stop it. more
  • Your Smart Home Devices Are Spying on You – Now, You Can Spy on Them more
  • Your cellphone is spying on you but you can make it stop. more
  • Ex-CIA officer Jerry Lee expected to plead guilty to spying for China. more
  • Libyan strongman Khalifa Haftar's forces have detained two Turkish citizens on charges of spying. more
  • Amnesty urges Yemen’s Houthis to free 10 journalists held for spying. more
  • Whale found off Norway's coast believed to be spying for Russia. more
  • Police Search For Man Caught Spying In Bathroom Stall more
  • Family of Palestinian ‘Emirati spy’ disputes Turkish suicide claims. more 
  • Despite U.S. spying warnings, Huawei 5G reportedly gets U.K. approval. more
  • British Embassy refuses to comment on U.K. spying on Trump campaign. more
  • Julian Assange has filed a criminal complaint accusing Ecuadorian embassy of spying on him. more

Wednesday, April 17, 2019

Just Like Your Phone - Your Car is Spying on You

If you’re driving a late model car or truck, chances are that the vehicle is mostly computers on wheels, collecting and wirelessly transmitting vast quantities of data to the car manufacturer not just on vehicle performance but personal information, too, such as your weight, the restaurants you visit, your music tastes and places you go.

A car can generate about 25 gigabytes of data every hour and as much as 4,000 gigabytes a day, according to some estimates. The data trove in the hands of car makers could be worth as much as $750 billion by 2030, the consulting firm McKinsey has estimated. But consumer groups, aftermarket repair shops and privacy advocates say the data belongs to the car’s owners and the information should be subject to data privacy laws.

Yet Congress has yet to pass comprehensive federal data privacy legislation. more

Wednesday, March 20, 2019

Security Director Alert: Mirai Botnet Targets Corporate Presentation Systems

A new variant of the crushing Mirai botnet, which specifically places enterprises in its crosshairs, has been discovered by security researchers...

Mirai is still a botnet designed to exploit IoT devices, but in its latest iteration it seeks out vulnerable business devices - specifically, wireless presentation systems and the TVs used to present to rooms full of clients, partners and colleagues. 

"This new Mirai is a perfect example of why every organisation needs to map their own networks from an external point of view and close off everything that is open and does not need to be," said Jarno Niemela, principal researcher at F-Secure. "The types of new devices that Mirai attacks have no business of being visible to the Internet."

The WePresent WiPG-1000 wireless presentation system and the LG Supersign TV were the two devices singled-out by researchers as most vulnerable to the attack. more

In addition to checking for electronic eavesdropping devices and general information security loopholes, make sure your TSCM technicians examine IoT device settings.

Monday, February 25, 2019

FutureWatch: Invisible-Light-Powered Eavesdropping Devices

Wi-Charge uses safe infrared light to deliver power from a distance. Our products provide enough power to charge a phone across a room, to power smart devices and enable new experiences. With Wi-Charge, mobile and IoT devices appear to charge autonomously. New applications open for homes, offices, factories and public spaces.

Battery-powered devices are portable, but battery capacity limits functionality and the need to replace batteries degrades the user experience. Moving wired devices, routing or hiding the power cords is a pain. Wi-Charge delivers 100x the power budget of battery solutions. With Wi-Charge, you can have the convenience of wire-free portability with a power budget approaching to a wired solution. more

Lots of good uses, and possibly some evil ones. 
Thanks to another Canadian Blue Blaze Irregular for spotting this one!

Thursday, February 7, 2019

Smart Light Bulbs May Not Be a Bright Idea

Your discarded smart lightbulbs reveal your wifi passwords, because they are stored in the clear.

Not to mention, someone replacing your bulb and getting the password that way.

Yes, I know, the spy might not program the replacement bulb to operate like the old one. Dead giveaway, right? My bet is that you'll think the bulb just forgot its settings, or not notice at all.

This hack was publicized here, and originally researched here, if you want to know more.

Thanks to our Blue Blaze Irregular from the Jersey shore for this one.

Wednesday, February 6, 2019

Facilities Manager Alert: Your Smart Building May Start Doing Dumb Things

Researchers at enterprise security vendor ForeScout have warned that malware specifically targeting smart buildings is an inevitable next step given the rapidly expanding attack surface that building automation systems expose.

The operational technology researchers at ForeScout should know: they created proof-of-concept malware that revealed smart building vulnerabilities every business should be concerned about.


...just yesterday, Tenable Research revealed it had discovered several zero-day vulnerabilities in a premises access control system used by Fortune 500 companies. Among the many attack scenarios these vulnerabilities could facilitate was 'unfettered access to the badge system database' which in turn meant an ability to create fraudulent access badges and disable building locks. more

Sunday, December 23, 2018

"Alexa, what’s my neighbor doing?"

Alexa, what’s my neighbor doing? ‘Human error’ allows user to eavesdrop on stranger’s life.

A German Amazon customer was able to access hours of audio files from a stranger’s Alexa device that included recordings of him in the shower thanks to a “mistake” by one of Amazon’s human employees.

Amazon sent the customer a link that included 1,700 recordings of another man and his female companion when he asked to play back the recordings from his own Alexa voice assistant.


He reported the anomaly to Amazon, but the company did not immediately reply, except to delete the files. By then, he had already downloaded them. After weeks of no response from Amazon, the customer notified German trade c’t, worried the company would just cover up the incident otherwise.

Using the information contained in the recordings, which included their first and last name, the name of their partner, where they lived – even audio of the person in the shower – c’t was able to locate and the victim, who was... more

Yup, like I said two years ago. ~Kevin

Friday, December 21, 2018

This Month in... Bots Gone Wild

Sneaky parrot uses Amazon Alexa to shop while owner is away. more

GPS signals across far northern Norway and Finland failed. Civilian airplanes were forced to navigate manually, and ordinary citizens could no longer trust their smartphones. more

Virgin Australia is under investigation after two engines on one of its aircraft "flamed out" during descent and had to be manually re-ignited before the aircraft hit the tarmac. more

Drone shatters passenger jet’s nosecone and radar during landing. more

Uber manager in March: “We shouldn’t be hitting things every 15,000 miles.” "They told me incidents like that happen all of the time," whistleblower wrote. more

New Zealand courts banned naming Grace Millane’s accused killer. Google just emailed it out. more

She'd just had a stillborn child. Tech companies wouldn't let her forget it. A woman pleads with tech companies like Facebook and Twitter to stop serving her ads to intensify her grief. more

Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite. more

Delivery robot bursts into flames at UC Berkeley. more

Rudy Giuliani Says Twitter Sabotaged His Tweet (not true) more

Mystery Drone Still on the Loose at Gatwick Airport, But Flights Resume Anyway more

Thousands of people trusted Blind, an app-based "anonymous social network," as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies. But Blind left one of its database servers exposed without a password, making it possible for anyone who knew where to look to access each user's account information and identify would-be whistleblowers. more

...and a cautionary tale.


Tuesday, December 18, 2018

Man's IoT Security Camera Starts Giving Him Advice

An Arizona real estate agent was shocked when a voice started broadcasting from his Nest security camera recently, addressing him directly.

Andy Gregg was in his backyard when he heard the voice, belonging to someone who claimed to be a “white hat hacker” from Canada, Gregg told the Arizona Republic. A white hat hacker is a hacker who exposes security vulnerabilities for the greater good, rather than their own benefit.

Gregg recorded the conversation that followed. In the video, a voice can be heard over the speaker telling Gregg that he was contacting him in the creepiest way possible to warn him about the security risks of his internet-connected camera. more

Monday, November 26, 2018

IT Director Alert - Patch Those Printers... now

Despite copious warnings and efforts by the security community to harden the defenses of printers, they continue to represent a ripe target for attackers.
Just this past summer researchers at Check Point found a vulnerability that allowed an attacker to compromise a multi-function printer with fax capabilities simply by sending a fax.

In July, Positive Technology shared a proof-of-concept attack that shows how attackers can compromise a corporate network via installing a customized Xerox printer firmware on a targeted printer. 

In August, HP Inc. patched hundreds of inkjet models vulnerable to two vulnerable remote code execution flaws (CVE-2018-5924, CVE-2018-5925).

Printers, security researchers say, are the Achilles Heel for network management. They sit on the network like a PC and need regular updating like any other network endpoint – but often don't. more

Monday, July 30, 2018

More Security Cameras Vulnerable to Spying

A popular wireless security camera designed to safeguard businesses and homes was vulnerable to a spying hack.

The flaw meant it was possible to hijack video and audio streamed from other people's properties by making a minor tweak to Swann Security's app.

Researchers found the problem after the BBC reported a case where one customer had received another's recordings.

Australia-based Swann and OzVision - the Israeli provider of its cloud tech - said the issue had now been fixed.

Swann said that the vulnerability had been limited to one model - the SWWHD-Intcam, also known as the Swann Smart Security Camera - which first went on sale in October 2017. Retailers including Maplin, Currys, Debenhams, Walmart and Amazon have sold them.

However, there are concerns that other companies' cameras supported by OzVision could have problems. more

It is argued that the company offers cloud service to around three million smart cameras and users rely upon its app to connect to their IoT devices, and if anyone can gain access to live stream then all the smart cameras stand at risk. These include the Flir FX smart camera and other brands apart from Swann. The problem lies in the tunnel protocol that is responsible for verifying if a particular viewer is authorized to access the live stream or not. more

Friday, June 29, 2018

Facebook's Patent Called Creepy

If you’re a Facebook user, you’ve likely heard stories of people becoming convinced that the company uses the microphones that are everywhere these days (such as ones on a smartphone or laptop) to spy on its users. While those fears might just be the result of an overactive imagination, a new patent filing is fueling concerns that Facebook might actually be equipped to do just that someday soon...

The patent filing itself is densely packed with information, but the technology at the center of it would use high-pitched audio signals that are inaudible to humans and hidden within advertisements or other “broadcast content.” That audio signal could be used to activate a “client device” to record the ambient audio in the room and log an impression – which makes this sound like a system for tracking how many individual impressions an advertising campaign receives.

The abstract of the patent explains the system relies on client devices that are associated with each individual in a household, which has led many to believe that the patent is talking about activating the mic on your smartphone. The patent filing also features a number of images that depict the “client devices” as smartphones, which leaves little to the imagination. All of that, as you can imagine, has resulted in quite a few negative headlines accusing Facebook of once again overreaching when it comes to user privacy. more


Wednesday, March 14, 2018

Off-the-shelf Smart Devices Easy to Hack


Off-the-shelf devices that include baby monitors, home security cameras, doorbells, and thermostats were easily co-opted by cyber researchers at Ben-Gurion University of the Negev (BGU). As part of their ongoing research into detecting vulnerabilities of devices and networks expanding in the smart home and Internet of Things (IoT), the researchers disassembled and reverse engineered many common devices and quickly uncovered serious security issues.

"It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices," says Dr. Yossi Oren, a senior lecturer in BGU's Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. "Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products."

"It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand," says Omer Shwartz, a Ph.D. student and member of Dr. Oren's lab. "Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely." more

Wednesday, February 7, 2018

Your Cell Phone Sings "Every Step You Take..."


by Guevara Noubir, Professor of Computer and Information Science, Northeastern University

"My group’s recent research has shown how mobile phones can also track their users through stores and cities and around the world – even when users turn off their phones’ location-tracking services.
The vulnerability comes from the wide range of sensors phones are equipped with – not just GPS and communications interfaces, but gyroscopes and accelerometers that can tell whether a phone is being held upright or on its side and can measure other movements too. Apps on the phone can use those sensors to perform tasks users aren’t expecting – like following a user’s movements turn by turn along city streets.

Most people expect that turning their phone’s location services off disables this sort of mobile surveillance. But the research I conduct with my colleagues Sashank Narain, Triet Vo-Huu, Ken Block and Amirali Sanatinia at Northeastern University, in a field called “side-channel attacks,” uncovers ways that apps can avoid or escape those restrictions. We have revealed how a phone can listen in on a user’s finger-typing to discover a secret password – and how simply carrying a phone in your pocket can tell data companies where you are and where you’re going..." more

Saturday, November 18, 2017

Germany to Parents - Destroy Your Child's Smartwatch

Germany's regulatory arm for electricity, gas, telecommunications, post, and railway markets, has issued a ban on smartwatches designed for children over concerns that they can be used by parents to spy on their kids and teachers.

Furthermore, the regulatory office is urging parents to go a step further and physically destroy these smartwatches, should their children own one. The agency has also taken action against several firms that offer smartwatches designed for children.

"Via an app, parents can use such children's watches to listen unnoticed to the child's environment and they are to be regarded as an authorized transmitting system," said Jochen Homann, president of the Federal Network Agency. "According to our research, parents' watches are also used to listen to teachers in the classroom." more

Wednesday, August 30, 2017

Spy Tech Talk - How to Stop ISPs From Spying on Your IoTs

Botnets are not the only threat to your Internet of Things (IoT) devices: Your internet service provider (ISP) can also detect and track your in-home activities by analyzing internet traffic from smart devices, even when those devices use encryption, according to a paper from Princeton University researchers.

However, the researchers found a simple way to block ISPs from spying on your smart devices: Traffic shaping. more