Logitech have released a critical security update for their Logitech Options app (used to configure some of their devices). Unfortunately the fix was two days too late, coming two days after Project Zero released details of the bug (time was up) — nakedsecurity.sophos.com/…
Notable News
Security researchers succeeded in using a 3D printed fake head to fool many Android phones into unlocking, but could not fool the FaceID on iPhones (Editorial by Bart: no need to panic though, while the attacks worked in a lab setting, they are a very very long way from being in any way practical, at least for now) — nakedsecurity.sophos.com/…
Reporting from the NYT claims that FaceBook gave some tech companies (e.g. Apple, Microsoft & Netflix) greater access to user data that the normal APIs/rules allowed. The report claims that this extra data included private messages, but FaceBook denies this — nakedsecurity.sophos.com/…, www.imore.com/…
Amnesty International have released a report describing targeted spear-phishing attacks that tricked users into bypassing 2FA that are similar to those the security research firm Certfa recently described the Iranian government carrying out against US officials. The Amnesty report contains a new twist though – the attackers used their initial access to create app-specific passwords to retain their access permanently — nakedsecurity.sophos.com/…
The same hackers who recently hacked internet connected printers to get them to print out messages asking people to subscribe to PewDiePie on YouTube have struck again, this time taking over TVs with a video with the same message. Details are extremely sparse ATM, so I’m not quite sure what’s going on, but the affected users seem to be running Google ChromeCasts, and Google are advising users to disable UPnP on their routers — www.theverge.com/…
Some more details have emerged on the ChromeCast hackery after we recorded this segment, so things are a little clearer now. For starters, we now have a cute name for it — CastHack! I want to give a special mention to TechCrunch, their writeup really helped me figure out what’s going on. I’ve asked Allison to add that link into the show notes techcrunch.com/….
My theory was that this was a problem with UPnP bugs allowing the attackers to get internet access to ChromeCasts which would normally only be accessible locally. I’d assumed the attack then relied on the owners of the ChromeCasts having configured them so they’d accept a signal from any source (no authentication is obviously the easiest kind from a usability point of view!)
It turns out I was not wrong, but I was also missing a vital piece of information — this is a two-part hack, abusing UPnP to expose the ChromeCast to the internet is only the first of two phases of the attack. The second phase involves exploiting a bug in the ChromeCast itself that allows attackers to bypass authentication by forcing the ChromeCast into its factory default settings, which then allow the attacker to configure the device as they please.
It turns out that this ChromeCast authentication bypass was first discovered as far back as 2014, and Google were notified about it back then. Because the ChromeCast devices are designed to be local devices, neither the security researchers who reported the bug nor Google took it very seriously, and four years later, it remains un-patched! Google have now promised they’ll get a fix out soon.
So, for now, the correct advice is still to disable UPnP on your router if you don’t need it — it’s a troubling protocol that is exposing you to a substantial risk. Why take that risk of you don’t need to? If you’re one of the small number of people who really do need UPnP, make sure your router is still supported by its vendor and still receiving software updates, and, that you have the very latest updates installed. If Your router is out of support, bin it and get a new one — you can’t be safe if you connect to the internet through an un-securable router!
Suggested Reading
PSAs, Tips & Advice
⭐️ WIRED are warning of a new wave of quite convincing Apple-themed phishing attacks — www.wired.com/…
⭐️ 🇺🇸 The U.S. Department of Defense Inspector General (DOD IG) released a report on the security of the US’s nuclear weapons systems, and it can best be described as ‘scathing’. ZDNet summarised the findings well: “no data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities” — www.macobserver.com/…, www.zdnet.com/… & nakedsecurity.sophos.com/…
⭐️ Brian Krebs explored the corporate leadership pages of the global top 100 companies, checking to see how many or how few of them included any security officers at the highest levels, only about a third did: A Chief Security Concern for Executive Teams — krebsonsecurity.com/…
