Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a libertarian point of view.

Tech Friday with Dave Hatter - August 27th 2021 - SPONSORED BY INTRUST IT

IoT strikes again! An estimated 83 million IoT devices have a severe vulnerability:

  • IoT strikes again, demonstrating that so-called "smart" devices are often rather dumb
  • "The Internet of things (IoT) describes the network of physical objects - "things' - that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet" - Wikipedia
  • Experts estimate there will be 75 billion IoT devices by 2025
  • As many traditional devices become "smart" and support Internet connectivity, you should ask yourself if you really need your refrigerator online
  • Many IoT devices are rushed to market with little to no security
  • Hackers love these "smart" devices because they are easy to hack, always on, and often have high-bandwidth connections, making them perfect for botnet attacks
  • They are often hard to update and users are unaware that they need to be patched and secured
  • Casey Ellis, CEO of Bugcrowd, said "IoT security has been horribly flawed ever since it first became a thing, largely because of the pace that new products have to go to market, and the fact that designing security is seen by vendors as 'slowing things down'"
  • Palo Alto Networks’ Unit 42 researchers warned that over 50% of IoT devices are vulnerable to attack which is a "ticking time bomb"
  • Before you start adding "smart" devices to your network, you should think about the implications
  • IoT devices are being attacked in many ways:
    • Hackers may compromise IoT devices to use them to attack other devices and networks (botnets)
    • Hackers attempt to compromise IoT devices to get into your network and attack other devices
    • Hackers may try to steal data from a device
    • Hackers may use an IoT device to spy if it has a microphone or camera
  • These attacks have caused new concerns about the vulnerability of millions of "smart" devices that are increasingly appearing in homes and businesses
  • Many devices (dolls, cars, drones, TVs, games, washers, coffee makers etc.) are increasingly connected to the Internet
  • Many "smart" toys include microphones, cameras and/or video camera
  • A vulnerability in the ThroughTek "Kalay" network used by an estimated 83 million IoT devices could allow hackers total control over connected devices including monitoring audio and video feeds and exposing passwords
  • The vulnerability was found by Mandiant’s Red Team in late 2020
  • Mandiant said "Due to how the Kalay protocol is integrated by original equipment manufacturers ("OEMs") and resellers before devices reach consumers, Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability"
  • One of ThroughTek's largest customers is Chinese tech company Xiaomi. If you use a "smart" baby monitor, web camera, or DVR you should check it
  • The US Cybersecurity and Infrastructure Security Agency (CISA) assigned it a severity score of 9.6 on the CVSS v3 scale, which tops out at 10
  • It's a major problem due to the sheer number of devices impacted as well as the complete compromise of affected devices
  • Currently, the attack is hypothetical, but now that it has been disclosed, device manufacturers will have to make changes to secure Kalay connections
  • Unfortunately, it may not be possible to secure all impacted devices
  • For Kalay version 3.1.10 or above, ThroughTek said to enable AuthKey and DTLS. For older versions, upgrade to library 3.3.1.0 or 3.4.2.0 and enable AuthKey and DTLS
  • ThroughTek may sound familiar: three months ago Nozomi Networks disclosed a different vulnerability limited to CCTV camera products
  • Sadly, this is all too common in the IoT space. For example, in February of this year roughly 110,000 camera systems using the Real-Time Streaming Protocol (RTSP) were found to be exposed, with their video streams accessible

Pegasus spyware zero-click attack evades Apple’s iPhone security:

  • Paris-based Forbidden Stories obtained a list that contained 50,000 phone numbers of potential surveillance targets including activists, journalists and executives
  • This disclosure brought NSO's Pegasus software back into public view
  • Pegasus is very powerful surveillance software from Israeli company NSO, possibly the most powerful spyware yet developed
  • NSO builds surveillance software for government agencies
  • NSO has been implicated in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018, and the earliest known version of Pegasus was captured by researchers in 2016
  • NSO's website says "NSO Group licenses its products only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime"
  • Pegasus can surreptitiously capture text messages, photos, emails, videos, contact lists, browser history, basically anything from a phone
  • According to the Washington Post, it can also record phone calls and enable a microphone and/or camera to record. It makes your phone a 24x7 surveillance device
  • Amnesty International (AI) researchers discovered NSO can deliver Pegasus by sending a link that infects the phone when opened, or silently and without any interaction via a "zero-click" exploit that leverages vulnerabilities in the iOS software
  • Apple has said it is continually updating its software to stop these types of attacks
  • If spear-phishing or zero-click attacks fail, Pegasus can also be installed over a wireless transceiver in close proximity or manually if physical access to the device is possible
  • The Citizen Lab at the University of Toronto reviewed and validated AI's work. Bill Marczak from Citizen Lab tweeted that NSO’s zero-clicks worked on iOS 14.6
  • AI's researchers published detailed technical notes, read them here: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
  • WhatsApp revealed in 2019 that NSO’s software had been used to send malware to nearly 1,500 phones by exploiting a zero-day vulnerability. A WhatsApp call to a target device could install Pegasus even if the target didn't answer the phone
  • Edward Snowden called for a ban on spyware sales in an interview with the Guardian warning that these tools will be used to spy on millions of people.
  • "When we're talking about something like an iPhone, they're all running the same software around the world. So if they find a way to hack one iPhone, they've found a way to hack all of them" Snowden said
  • Pegasus is in the news again because a Bahraini human rights activist’s iPhone was hacked with it
  • Pegasus appears to have defeated new security protections that Apple designed to defeat this type of attack
  • The activist’s iPhone 12 Pro was hacked in February 2021 using a so-called "zero-click" attack that leveraged a previously unknown vulnerability in Apple’s iMessage
  • The hack is significant because it seems to have defeated a new security feature in iOS 14, dubbed BlastDoor. As a result, the exploit was named ForcedEntry
  • Apple has said they are continuing to strengthen defenses in iOS 15 which is due soon
  • AI published a toolkit called the MVT (Mobile Verification Toolkit) that can help determine if a phone (iOS or Android) has been compromised. It can also scan for other potentially malicious applications. Get it here: https://github.com/mvt-project/mvt

A recent study finds users are clueless about cyber risks:

  • It appears employees are headed back into the office with personal devices, lax security and no clue about some of the most catastrophic attacks in history
  • Armis surveyed 2,000 end users in the US and found few seem to be aware of recent high profile, high impact cyber attacks
  • Over 20% hadn't heard of the Colonial Pipeline attack
  • 45% didn't know about attempts to poison Florida’s water supply
  • A Forrester report found 63% of healthcare delivery businesses were breached due to an unmanaged Internet of Things (IoT) device in the last two years
  • More than 60% of healthcare employees didn't think their devices posed a risk
  • Over 25% of organizations have no policies in place regarding personal devices
  • The Internet Crime Complaint Center (IC3) was created by the FBI to report cybercrime
  • It also has excellent resources to help you identify and avoid cybercrime and it issues alerts to the public
  • It took over seven years for the IC3 to log the first million complaints
  • In March of 2020 the IC3 broke 5 million complaints
  • Between 2019 and 2020, the number of complaints the IC3 received increased by nearly 70%
  • They received nearly 800,000 complaints for nearly $4.2 billion in losses
  • Phishing, non-payment/non-delivery scams, and extortion were the top reported cybercrimes in 2020
  • Business email compromise (BEC) scams, romance and confidence schemes, and investment fraud led to the greatest losses
  • The COVID-19 pandemic resulted in an overall increase in complaints related to cybercrimes and the IC3 believes that 2021 may unfortunately be a record year
  • "On one hand, the number holds some positive news. People know how to find us and how to report an incident. But on the other hand, these numbers indicate more people are being affected by online crimes and scams” - IC3 Chief Donna Gregory
  • It's never been more important to be cautious and skeptical! Remember:
    • Stop
    • Think
    • Protect - Be a human firewall
  • Visit the IC3 site here: https://www.ic3.gov
  • View the 2020 IC3 Annual Report here: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf