August 12, 2019

Hacking 4G hotspots – when did you last update?

By Paul Ducklin

Well-known device hacking researchers at cybersecurity company Pen Test Partners have just published an article summarizing the 4G hotspot hacking research they presented at last week’s DEF CON event.

Simply put, a 4G hotspot is a miniaturized, battery-powered, SIM-card-equipped equivalent to your home router.

Home routers typically plug into a mains adapter for power, plug into your phone line or a cable connection for internet connectivity, and accept Wi-Fi or wired network links from your laptops, desktops, smart TVs and so on.

In contrast, 4G hotspots are typically pocket-sized devices, often shaped like a small soap bar, that don’t plug into anything except to charge up their internal battery, usually via a 5V USB port.

Most mobile phones, in fact, include a hotspot feature so that you can share the phone’s 4G connection via the Wi-Fi card in the phone, but self-contained hotspots are still popular, not least because they make it easy to keep your voice and data charges separate.

Indeed, many mobile phone providers offer special deals with a hotspot device and a pre-paid data SIM for home users who can’t or don’t want to get a phone line or cable hookup at home.

Read more at https://nakedsecurity.sophos.com/2019/08/12/hacking-4g-hotspots-when-did-you-last-update/

Apple will hand out unlocked iPhones to vetted researchers

By Lisa Vaas

It’s been called an iPhone jailbreaker’s golden egg: a so-called “dev-fused” iPhone created for internal use at Apple in order to extract and study the Secure Enclave Processor (SEP).

That golden yolk of a processor handles data encryption on the device that oh so many law enforcement and hacker types spend so much time, respectively, complaining about or cracking for fun, fame and profit.

Those rare, developer-only, “pre-jailbroken” iPhones have many security features disabled – a convenient feature for researchers looking to see how they tick and to discover iPhone zero days, which can be worth millions of dollars.

Well, here’s some good news for a select group of researchers: at the Black Hat 2019 security conference on Thursday, Apple’s head of security, Ivan Krstic, unveiled a new program through which the company is offering some form of pre-dev iPhones, specifically for security researchers.

CNet quoted Krstic:

This is an unprecedented, fully Apple-supported iOS security research platform.

As CNet reports, Apple is calling it the iOS Security Research Device Program. The program will launch next year.

Apple is only handing out a limited number of the iPhones, and only to qualified researchers.

These are not exactly like the phones that Apple gives its own security researchers. They’re going to come with what Krstic said are advanced debugging capabilities, but they won’t be as wide open as the jailbroken phones Apple insiders use or which sometimes wind up on the black market, in the form of iPhones that either haven’t completed the production process or which have been reverted to a development state.

Krstic said that the iPhones, while not being that open, will still provide ample details that can be used to hunt for vulnerabilities.

Read more at https://nakedsecurity.sophos.com/2019/08/12/apple-will-hand-out-unlocked-iphones-to-vetted-researchers/

Facebook facial recognition: class action suit gets court’s go ahead

By Lisa Vaas

Yes, yet another US court has reaffirmed, Facebook users can indeed sue the company over its use of facial recognition technology.

The US Court of Appeals for the Ninth Circuit on Thursday affirmed the district court’s certification of a class action suit – Patel v. Facebook – that a steady progression of courts has allowed to proceed since it was first filed in 2015.

Though a stream of courts has refused to let Facebook wiggle out of this lawsuit – and boy oh boy, has it tried – this is the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology that is increasingly being foisted on the public without our knowledge or consent.

The lawsuit was initially filed by some Illinois residents under Illinois law, but the parties agreed to transfer the case to the California court.

What the suit claims: Facebook violated Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, Nimesh Patel, Adam Pezen and Carlo Licata, collecting it and squirreling it away in what Facebook claims is the largest privately held database of facial recognition data in the world.

Read more at https://nakedsecurity.sophos.com/2019/08/12/facebook-facial-recognition-class-action-suit-gets-courts-go-ahead/

GDPR privacy can be defeated using right of access requests

By John E Dunn

A British researcher has uncovered an ironic security hole in the EU’s General Data Protection Regulation (GDPR) – right of access requests.

Right of access, also called subject access, is the part of the GDPR regulation that allows individuals to ask organisations for a copy of any data held on them.

This makes sense because, as with any user privacy system, there must be a legally enforceable mechanism which allows people to check the accuracy and quantity of personal data.

Unfortunately, in what can charitably be described as a massive GDPR teething problem, Oxford University PhD student James Pavur has discovered that too many companies are handing out personal data when asked, without checking who’s asking for it.

In his session entitled GDPArrrrr: Using Privacy Laws to Steal Identities at this week’s Black Hat show, Pavur documents how he decided to see how easy it would be to use right of access requests to ‘steal’ the personal data of his fiancée (with her permission).

After contacting 150 UK and US organisations posing as her, the answer was: not hard at all.

According to the accounts by journalists who attended the session, for the first 75 contacted by letter, he impersonated her by providing only information he was able to find online – full name, email address, phone numbers – which some companies responded to by supplying her home address.

Read more at https://nakedsecurity.sophos.com/2019/08/12/gdpr-privacy-can-be-defeated-using-right-of-access-requests/

Blackmailed for Bitcoin – exchange rebuffs $3.5m ransom demand

By Paul Ducklin

Cryptocurrencies are a big deal once again, now that Bitcoin is back over $10,000.

You might think that’s good news for cryptocurrency exchanges, which are businesses that let you trade regular money, such as Euros, Dollars and Pounds, into and out of so-called virtual currencies like Bitcoin, Monero and Dogecoin.

But it’s not all plain sailing – cryptocurrency companies are of particular interest to cybercrooks, and not only for the cryptocoins they hold.

Here’s a story of super-sized digital blackmail aimed at one of the biggest exchanges out there.

KYC

As you probably know, businesses are supposed to make an effort to know their customers (and their suppliers) these days, as a way of making money laundering more difficult.

And know-your-customer (KYC) rules are particularly important for banks and other businesses, including cryptocoin exchanges, that let people put in money at one end, shuffle it around a bit, or even a lot, and later extract it at the other.

The problem with KYC rules is that they force companies to collect and keep personal data that both you and they would much rather not send across the internet – for example, bills that prove your address, bank statements that vouch for the source of your money, scans of your passport to confirm your identity, and more.

Read more at https://nakedsecurity.sophos.com/2019/08/09/blackmailed-for-bitcoin-exchange-rebuffs-3-5m-ransom-demand/

Instagram boots ad partner for location tracking and scraping stories

By Lisa Vaas

A “preferred Facebook Marketing Partner” has secretly tracked millions of Instagram users’ locations and stories, Business Insider reported on Wednesday.

Facebook has confirmed that San Francisco-based marketing firm HYP3R scraped huge quantities of data from Instagram in order to build detailed user profiles – profiles that included users’ physical whereabouts, their bios, their interests, and the photos that were supposed to vanish after 24 hours.

It was all done in “clear violation of Instagram’s rules,” BI reports, and Facebook has subsequently kicked HYP3R to the curb. BI reports that Instagram issued HYP3R a cease and desist letter on Wednesday after the publication presented its findings, booted it off the platform, and tweaked its platform to protect user data.

Here’s the statement that Facebook is sending to media outlets:

HYP3R’s actions were not sanctioned and violate our policies. As a result, we’ve removed them from our platform. We’ve also made a product change that should help prevent other companies from scraping public location pages in this way.

Instagram’s failure to protect location data is a “mystery”

We don’t know exactly how much data HYP3R got at. But as BI notes, the company has publicly bragged about having “a unique dataset of hundreds of millions of the highest value consumers in the world that gives an edge to the leaders in travel and retail.”

According to the publication’s sources, HYP3R sucks in more than 1 million Instagram posts per month, and more than 90% of the data it brags about comes from the platform.

Data scraping is a pervasive problem online, as BI points out. We’ve seen multiple lawsuits, naming big players, brought over the practice. In 2017, for example, a lawsuit was brought against Uber over one of its units – Marketplace Analytics – that allegedly spied on competitors worldwide for years, scraping millions of their records using automated collection systems.

Read more at https://nakedsecurity.sophos.com/2019/08/09/instagram-boots-ad-partner-for-location-tracking-and-scraping-stories/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation