No-bunny compares to our #MobSec5 readers. Bad puns aside – we appreciate each and every one of you.
Now let’s get this egg rolling [groan] with your weekly basket [can’t help ourselves] of mobile security news that matters.
In this edition you’ll find:
- Part two of pwning mobile devices over Wi-Fi
- Funny videos lead to unfunny theft of mobile banking credentials
- FDA threatens manufacturer of connected medical devices with seizure, injunction, and fines due to security vulnerabilities
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)
(Google Project Zero)
“In this blog post we’ll continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit giving us control over Broadcom’s Wi-Fi SoC, we are now left with the task of exploiting this vantage point in order to further elevate our privileges into the kernel.”
Along with part one of his blog series, researcher Gal Beniamini explains how an attacker can take complete control of a mobile device (both Android and iOS) via Wi-Fi without any user interaction whatsoever. This second post details the elevation of privileges from a compromised Broadcom Wi-Fi chip to the OS kernel. According to Beniamini, the vulnerabilities discussed in part one have been patched. However, an architectural security issue remains: the Wi-Fi chip and the application processor are not sufficiently isolated from each other, so a compromised chip can still attack the host. Beniamini concludes the post stating, “While flaws exist in the communication protocols between the host and the chip, these can eventually be solved over time. However, the current lack of protection against a rogue Wi-Fi chip leaves much to be desired.”
“The BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks a BankBot variant is currently imitating can be found on the blog post published by the researcher.”
FORTIFY in Android
(Android Developers Blog)
“After migrating from GCC to clang as the default C/C++ compiler early last year, we invested a lot of time and effort to ensure that FORTIFY on clang is of comparable quality. To accomplish this, we redesigned how some key FORTIFY features worked, which we’ll discuss below.”
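To make concrete what FORTIFY actually checks, here is an added example (not code from the Android Developers Blog post, bionic, or glibc) of a miniature FORTIFY-style strcpy. Both GCC and clang expose __builtin_object_size, which FORTIFY implementations use to let the compiler supply the destination's size; the wrapper below (checked_strcpy_impl and CHECKED_STRCPY are hypothetical names chosen for this demo) compares that size with what the copy would write. Real FORTIFY aborts the process on overflow; this demo returns a status instead so the outcome can be inspected.

```c
/* Added example: a miniature FORTIFY-style strcpy check.  Like
 * _FORTIFY_SOURCE in bionic/glibc, the compiler supplies the destination
 * size via __builtin_object_size() and a run-time check verifies the copy.
 * Real FORTIFY aborts on overflow; this demo returns a status instead. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum copy_status { COPY_OK = 0, COPY_OVERFLOW = -1, COPY_UNCHECKED = 1 };

/* Run-time half of the check: the compiler-provided dst_size is compared
 * with what strcpy would write (strlen(src) + 1 for the terminator). */
static enum copy_status checked_strcpy_impl(char *dst, size_t dst_size,
                                            const char *src)
{
    if (dst_size == (size_t)-1) {
        /* Size unknown at compile time: real FORTIFY falls back to the
         * plain, unchecked call.  This demo refuses instead so that it
         * can never overflow. */
        return COPY_UNCHECKED;
    }
    if (strlen(src) + 1 > dst_size)
        return COPY_OVERFLOW;   /* FORTIFY would call __chk_fail()/abort() */
    strcpy(dst, src);           /* safe: the bound has been verified */
    return COPY_OK;
}

/* Compile-time half: mode 1 asks for the size of the closest enclosing
 * subobject, the mode FORTIFY's string functions use. */
#define CHECKED_STRCPY(dst, src) \
    checked_strcpy_impl((dst), __builtin_object_size((dst), 1), (src))

/* A copy that fits: 5 bytes plus NUL into a 16-byte buffer. */
enum copy_status demo_fits(void)
{
    char buf[16];
    return CHECKED_STRCPY(buf, "hello");
}

/* A copy that would overrun: the constructed 20-character string needs
 * 21 bytes, so the check rejects it before anything is written. */
enum copy_status demo_overflow(void)
{
    char buf[16];
    return CHECKED_STRCPY(buf, "this string is long!");
}

/* Without a compile-time size (a pointer parameter, a heap block the
 * compiler cannot see) the wrapper has nothing to check against. */
enum copy_status demo_unknown(char *dst, const char *src)
{
    return CHECKED_STRCPY(dst, src);
}

int main(void)
{
    printf("fits: %d, overflow: %d\n", demo_fits(), demo_overflow());
    return 0;
}
```

The unknown-size case is the important caveat: when the compiler cannot prove a destination's size, FORTIFY silently degrades to the unchecked call, so its coverage is only as good as the compiler's ability to track object sizes, which is why the quality of the clang implementation matters.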
Phone Hack Uses Sensors To Steal PINs
Using an artificial neural network, the authors of the study identified patterns in data leaked by mobile phone sensors and were able to determine four-digit PIN codes entered by a mobile device’s user with a 74 percent success rate. A survey conducted as part of the study found that “users generally have expressed more concern about sensors such as camera and microphone than accelerometer, gyroscope, orientation, and motion. This does not match the actual risk levels since the latter sensors allow PIN recovery with higher accuracy as we have shown.”
How the Denver Police Crack and Search Cell Phones
“New training documents show how the Colorado agency instructs officers to use Cellebrite devices to get into suspects’ phones.”
Groups Say NIST Must Better Address Healthcare’s Cyber Needs
“The National Institute for Standards and Technology’s proposed update to its cybersecurity framework needs to better address specific concerns of the healthcare sector, ranging from medical device risks to strained resources at smaller care providers.”
Health-care providers have to adhere to multiple cybersecurity frameworks, which results in high costs and inconsistent security practices, according to joint comments submitted to NIST by two industry associations. Among other grievances, the associations state that “with the growing reliance on a cloud environment, there is much that is outside the control of health-care providers,” which places an unfair burden on HIPAA-covered entities compared to their business associates (i.e., vendors). We recently provided some clarity about preventing man-in-the-middle attacks on mobile health apps on the NowSecure blog.
“But public comments filed by business groups voice concern about what metrics should be used for measurement and how public that demonstration ought to be.”
“The FDA sent a letter threatening regulatory action if Abbott Labs does not address security issues in cardiac devices.”
Say what you will about an investment firm’s controversial method of disclosure for a vulnerability in St. Jude Medical pacemakers – a warning letter from the Food and Drug Administration suggests that the agency agrees with the firm’s contention that “St. Jude Medical has been grossly negligent in its product design.” Among other violations, the FDA writes that Abbott Labs, which purchased St. Jude Medical, failed to ensure “design verification” that “the Remote Monitoring device shall only open network ports to authorized devices.” The letter goes on to say that Abbott Labs has 15 days to “…take prompt action to correct the violations addressed in this letter,” and that failure to do so could result in “seizure, injunction, and civil money penalties.” The federal government is taking IoT security vulnerabilities seriously and is prepared to impose enforcement actions on negligent manufacturers. Building security into the design of IT hardware and software isn’t just best practice, it’s a necessity in today’s regulatory climate. Learn how to establish secure mobile app development policies at your organization and verify compliance with those policies next week during our webinar “Next-level mobile app security: A programmatic approach.”
Stories From Two Years in an IoT Honeypot
“Curious just how susceptible some of the more vulnerable IoT devices are, a researcher set up a series of honeypots at his friends’ houses to record traffic, exploit attempts and other statistics.”
Cyber Losses Testing Insurance Policy Boundaries
“Now that cyber attacks and data breaches have become common, insurers and risk managers are struggling to assign the resulting costs and losses among different types of insurance.”
“News of Qualcomm’s string of lawsuits continues, this time through an arbitration result in a disagreement between the chipset maker and BlackBerry.”
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.