Mobile Security

Lenovo’s file-sharing app uses hardwired password ‘12345678’ … or no password at all

Quote

Lenov-LOL!

Lenovo ShareIT users, get patching: the PC maker’s file-sharing app is pretty much unsecured.

The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.

In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there’s no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.

Core Security, which found the design flaw, also notes that file transfers in Windows and Android aren’t encrypted. If an attacker was logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.

The vulnerable versions are ShareIT for Windows version 2.5.1.1 and ShareIT for Android 3.0.18_ww. The bugs are designated CVE-2016-1489, CVE-2016-1490, CVE-2016-1491, and CVE-2016-1492.

Lenovo’s latest versions are available here. Get ’em.

That’s not the only issue. Their machines have come through with so much crapware lately that out of the box they are slower than the old XP machines we are replacing.

Surprise! Magic Kinder app could let hackers send vids to your kids

Quote

Security watchers have warned of massive privacy problems with the Magic Kinder App for children.

A lack of encryption within the Magic Kinder smartphone app and other security shortcomings open the doors for all sorts of exploits, they claim.

Hacktive Security alleges that a malicious user could “read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender,” as explained in detail in a blog post here.

The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.

The mobile software aims to offer “strategic, educational games and quizzes to improve children’s skills and development”.

Ferrero has yet to respond to a request for comment.

Joe Bursell, marketing manager at independent security consultancy Pen Test Partners, said that the app Magic Kinder App is riddled with basic security problems.

“These are not subtle, hard-to-find issues,” Bursell told El Reg. “You’d see those IDs in the proxy within minutes of testing and the first thing you would do is manually increment/decrement them.”

“There are no authorisation checks on any of the requests. This means that anyone can: send a message to your kids, read your family diary, and change other data about people, e.g. gender.”

“Also, it doesn’t use encryption,” Bursell added.

Probably laden with spyware to hoover up all sorts family data.
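As an added illustration of the missing authorization checks Bursell describes (this is not code from the Magic Kinder app or from Hacktive Security’s write-up; the families, session tokens and child IDs are constructed), the first pair of handlers trusts whatever child ID the request carries, while the hardened pair resolves the caller’s family from the session and refuses any child outside it:

```python
from dataclasses import dataclass, field

@dataclass
class Child:
    child_id: int
    family_id: int
    gender: str
    chat: list = field(default_factory=list)

# Constructed sample data: two families, sequential child IDs (as in the write-up).
CHILDREN = {
    1: Child(1, family_id=100, gender="F"),
    2: Child(2, family_id=200, gender="M"),
}
# Constructed session tokens -> family_id; what a successful login would establish.
SESSIONS = {"tok-family-100": 100, "tok-family-200": 200}

class Forbidden(Exception):
    pass

# Vulnerable handlers: the child_id in the request is trusted and never tied to
# the caller, so any session (or none) can read or edit any child's record.
def get_chat_vulnerable(token, child_id):
    return list(CHILDREN[child_id].chat)

def set_profile_vulnerable(token, child_id, **fields):
    child = CHILDREN[child_id]
    for key, value in fields.items():
        setattr(child, key, value)
    return child

# Hardened handlers: resolve the caller's family from the session, then check
# that the requested child belongs to it before doing anything with it.
def _authorize(token, child_id):
    family_id = SESSIONS.get(token)
    if family_id is None:
        raise Forbidden("no valid session")
    child = CHILDREN.get(child_id)
    # Same error for "no such child" and "not your child", so a changed ID
    # reveals nothing about whether another family's record exists.
    if child is None or child.family_id != family_id:
        raise Forbidden("not found")
    return child

def can_access(token, child_id):
    try:
        _authorize(token, child_id)
        return True
    except Forbidden:
        return False

def get_chat(token, child_id):
    return list(_authorize(token, child_id).chat)

def set_profile(token, child_id, **fields):
    child = _authorize(token, child_id)
    for key, value in fields.items():
        setattr(child, key, value)
    return child
```

The vulnerable handlers succeed for any child ID a caller supplies; the hardened ones only for children of the family the session belongs to.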

Tracking Iowa caucus-goers via their phones

Quote

On Thursday morning, I listened to an interview with the CEO of “a big data intelligence company” called Dstillery; it “demystifies consumers’ online footprints” to target them with ads. The CEO told public radio program Marketplace something astounding: his company had sucked up the mobile device ID’s from the phones of Iowa caucus-goers to match them with their online profiles.

Via Marketplace:

“We watched each of the caucus locations for each party and we collected mobile device ID’s,” Dstillery CEO Tom Phillips said. “It’s a combination of data from the phone and data from other digital devices.”

Dstillery found some interesting things about voters. For one, people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa, according to Phillips.

…

What really happened is that Dstillery gets information from people’s phones via ad networks. When you open an app or look at a browser page, there’s a very fast auction that happens where different advertisers bid to get to show you an ad. Their bid is based on how valuable they think you are, and to decide that, your phone sends them information about you, including, in many cases, an identifying code (that they’ve built a profile around) and your location information, down to your latitude and longitude.

Yes, for the vast majority of people, ad networks are doing far more information collection about them than the NSA–but they don’t explicitly link it to their names.

So on the night of the Iowa caucus, Dstillery flagged all the auctions that took place on phones in latitudes and longitudes near caucus locations. It wound up spotting 16,000 devices on caucus night, as those people had granted location privileges to the apps or devices that served them ads. It captured those mobile ID’s and then looked up the characteristics associated with those IDs in order to make observations about the kind of people that went to Republican caucus locations (young parents) versus Democrat caucus locations. It drilled down farther (e.g., ‘people who like NASCAR voted for Trump and Clinton’) by looking at which candidate won at a particular caucus location….

For most ads you see on web browsers and mobile devices, there is an auction among various programmatic advertising firms for the chance to show you an ad. We are one of those buyers, and we are sent a variety of anonymous data, including what kind of phone you have, what app you are using, what operating system version you’re running, and sometimes – crucially for this study – your latitude and longitude (lat/long).

We identified the caucusing locations prior [to] the Iowa caucus and told our system to be on the lookout for devices that report a lat/long at those locations during the caucus.

So when we received an ad bid request that our system recognized as being at one of the caucus sites, our system flagged that request and captured that device ID so we could use it for this.

This is roughly equivalent to exit polling for the smart phone age.

Turn off GPS unless you are using it, turn on ad blockers, and use a VPN.

Amazon Quietly Removes Encryption Support from its Gadgets

Quote

While Apple is fighting the FBI in court over encryption, Amazon quietly disabled the option to use encryption to protect data on its Android-powered devices.

The tech giant has recently deprecated support for device encryption on the latest version of Fire OS, Amazon’s custom Android operating system, which powers its tablets and phones. In the past, privacy-minded users could protect data stored inside their devices, such as their emails, by scrambling it with a password, which made it unreadable in case the device got lost or stolen. With this change, users who had encryption on in their Fire devices are left with two bad choices: either decline to install the update, leaving their devices with outdated software, or give up and keep their data unencrypted. …“This is a terrible move as it compromises the safety of Kindle Fire owners by making their data vulnerable to all manner of bad actors, including crackers and repressive governments,” Aral Balkan, a coder, human rights activist, and owner of a Kindle Fire, told Motherboard. “It’s clear with this move that Amazon does not respect the safety of its customers.”

Balkan also highlighted the hypocrisy of Amazon using encryption to protect its copyright with digital rights management or DRM technology.

Some Amazon Fire customers complained about the change in support forums.

“How can we keep using these devices if we can’t actually secure the large amount of personal data that ends up on them?” asked a user rhetorically.

The former head of the NSA has a surprising stance on Apple’s battle with the FBI

Quote

Apple has found an unlikely ally in its fight against iPhone backdoors: the former head of the office responsible for spying.

Michael Hayden, who at different times was the head of the NSA and CIA, told USA Today’s Susan Page that he’s against legislation that would require tech companies to create so-called “backdoors” that would make it easier for law enforcement to access devices like smartphones and computers.

Rooting your Android phone? Google’s rumbled you again

Quote

Google’s crackdown on rooted Android devices continues. Citing security reasons, Google doesn’t want rooted ‘Droid phones to use mobile payments via the Android Pay infrastructure.

This is a standard not required by Pay’s predecessor, the now-deprecated Google Wallet.

In turn, this has led to a cat-and-mouse game with Android’s substantial global enthusiast community. Now a door that modders opened slightly a few months ago has been slammed shut.

A developer last year found a way of rooting Android without disturbing the /system partition (aka “systemless root”).

A Google engineer acknowledged last year that if it had to scan and verify every file on the partition, the phone would be “bogged down for tens of minutes”.

Respite was temporary. Systemless rooting will now fail to fulfil an Android Pay transaction. Pay now introduces an additional check, performed by Android’s SafetyNet framework.

This post at XDA Developers explains that several further tweaks are required to work around the latest security check.

Ah, if it was only that simple. Google fears malware, but the real reason is that it loses the ability to hoover up all your private information. One of the comments in the article was spot on:

The trouble with that is if Google Pay refuses to work, then Google Play (with an L) refuses to work *even for free apps*.

And you can’t uninstall Google Play Services without it taking all your downloaded apps with it. It uninstalls them when you turn it off in the settings.

This is the linkage game no different than when Microsoft did it.

Google Play Services is one of the most virulent spyware apps ever. Tracking, surveillance, access to cameras, microphones the lot. It has no purpose doing that, yet it does it for Google’s benefit.

You probably don’t know it’s tracking your location, and monitoring your app usage and all the other things “Carrier IQ” was doing. Sadly it is.

We need a true open source phone (which is what Android was supposed to be) away from the spying eyes of Google, the carriers and their ilk. Google is a monopolist. Why root? To get rid of the crapware and spyware installed on the phones, and to get security fixes faster and for longer. But if your entire life is on the phone (and then hoovered up and sold on), rooting is not for you. Just bend over for the likes of Google.

Popular 3G/4G data dongles vulnerable, say hackers

Quote

Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products….Because so many of the vulnerabilities – whether it’s via firmware or XSS/CSRF forgery attacks – allow remote code execution, the paper states, it’s easy to track devices. An attacker can read out the Cell ID or the connected WiFi base station.

The vulnerabilities also enabled a range of traffic interception attacks:

Devices could have their DNS redirected to an attacker-controlled domain.
Attackers can plant their own certificates into the devices’ trusted root list.
Some devices allow command-line access (via AT commands) to SMSs.

Other possibilities the research explored included using devices as PC attack vectors, attacks on SIM cards via binary SMS messages, and even upstream attacks directed at carrier networks.

The researchers conclude that the Huawei kit they tested was the least-worst.

Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC

Quote

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

Unplug your PC mic when it is not in use, get smart about Android and iPhone (iOS) permissions, and limit access to the sound recorder/mic to only the dialer and trusted apps. Of course it should not be this way. It should all be off by default. And as I said before: you pay for this data rape.

User data plundering by Android and iOS apps is as rampant as you suspected

Quote

Apps in both Google Play and the Apple App Store frequently send users’ highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.

The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as “herpes” and “interferon” to no fewer than five domains with no notification that it was happening.

“The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs,” the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data.”

The personal information most commonly transmitted by Android apps was a user’s e-mail address, with 73 percent of the apps studied sending that data. In total, 49 percent of Android apps sent users’ names, 33 percent transmitted users’ current GPS coordinates, 25 percent sent addresses, and 24 percent sent a phone’s IMEI or other details. An app from Drugs.com, meanwhile, sent the medical search terms “herpes” and “interferon” to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn’t receive other personal information.

Also concerning were Android apps that sent third parties potentially sensitive combinations of data. Facebook, for example, received users’ names and locations from seven of the apps analyzed in the study—American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. The domain Appboy.com received the data from an app called Glide.

And you pay for this wholesale rape of your privacy!

Google Malvertising App

Quote

Android apps that should be innocuous are pimping smut by way of slack supervision of their advertising networks, with two app authors complaining to The Register that the root of the problem lies with The Chocolate Factory.

The authors of two popular Sydney public transport apps told us Google’s app monetisation service AdMob is failing to catch disallowed advertisements that should be easy to spot for the world-dominating ad-and-click network.

Malvertising is a rising problem because users are turning to ad blockers as a security precaution, both to protect against malware and to keep material they deem inappropriate out of their eyeballs. The latter outcome is made necessary by ads like those below, which The Register has observed in the Arrivo and TripView public transport timetable apps, both of which are likely to pop up on minors’ phones.

If, as it seems to this untutored eye, the ad got past filters by presenting its text as an image with extra space to defeat character recognition, Google deserves its backside kicked through all the letters of its Alphabet. Twice per letter, once per language.