Photo Credit: Rick Meyers

Top Security and Privacy News: Scrambled Bits Vol. 35

Enigma ICO Hijacked, Building America’s Distrust, Warrant Wars, and More.

Madison, published in The Salty Hash, Sep 1, 2017 (8 min read)

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Stories

Building America’s Distrust

The Building America’s Trust Act is a massive surveillance expansion masked as increased border security. A leaked copy of the bill is a culmination of invasive security practices that will affect both immigrants and US citizens. The following are some of the standouts among the measures outlined in this bill:

  • mandatory DNA collection
  • record iris prints and voice scans of all immigrants
  • hire no fewer than 26,370 full-time border control agents
  • add 12 new federal judges in the southwestern US
  • increase the fleet size and usage of drones (not less than 24 hours per day, five days per week)
  • increase recording and storage of biometric data

“[Building America’s Trust Act] proposes this surge in surveillance with virtually no regard to privacy or the legitimate Fourth Amendment interests at stake,”

— Neema Singh Guliani, an attorney with the American Civil Liberties Union

Another Hacked ICO

A startup called Enigma, which aims to be something like Google Finance for cryptocurrencies and tokens, was hacked ahead of its planned Initial Coin Offering (ICO). The hackers took over Enigma’s website, mailing list, and Slack channel and tricked would-be investors into sending their Ethereum and Bitcoin to the hackers’ address. Around US$500,000 was stolen. The company failed to take basic precautions like using two-factor authentication, and now some of their customers are paying a steep price.

ICOs are the hot new way for companies to raise money. Some companies have raised tens of millions of dollars in minutes. We break down what it all means in a separate post: Initial Coin Offerings: A More Complete Definition.

Sonos Broadcasts Music and Your Privacy

Sonos is collecting more data on their users. Coincidentally, they are also removing the option to opt out of their privacy policy without forgoing the product functionality altogether. The privacy policy requires the collection of “functional data,” which includes email information, IP addresses, account information, and device data including info on your Wi-Fi, room names, and error data.

Sonos doesn’t need this data to operate, though they claim otherwise. We’ll just note that they operate in a competitive space and customers can vote with their wallets. We will.

Government

Cyber Promotion

In the midst of increased cyber threats, the administration is elevating Cyber Command from its current status as a subdivision of the NSA to a unified military command, a peer of the other unified commands.

The move to make the Cyber Command unit independent provides new flexibility for the US military to implement digital offense and defense. The effort, which unifies the oversight of the military’s cyber security resources, received bipartisan support.

Proposed Law Might Improve IoT Security

The government is addressing the ever mounting security risks posed by IoT devices. Senators from across party lines came together to introduce the IoT Cybersecurity Improvement Act of 2017 to set baseline security standards for IoT devices.

While their efforts are a step in the right direction, the legislation only enforces security standards for IoT devices sold to the federal government. Hopefully, if the bill passes, it will drive better security into IoT devices intended for consumers as well.

In addition to requiring better security in IoT devices sold to the government, the bill also makes “good-faith research” into the security of IoT devices legal via a permanent exemption to the DMCA and the Computer Fraud and Abuse Act.

Warrant Wars

Court Invalidates Warrant for ‘All Electronic Devices’

Police had reason to believe a gang member was the getaway driver in a homicide investigation. They obtained a warrant to search the home of the suspect for “all electronic devices to include but not limited to cellular telephone(s).” The affidavit for the warrant asserts that gang members often communicate with each other “and share intelligence about their activities through cell phones and other electronic communication devices and the Internet.” So the warrant was intended to uncover evidence of incriminating communications. Incidental to the warrant, the suspect was found throwing a firearm out of his window and was arrested for illegal possession of a firearm by a felon.

An appeals court in the DC Circuit found a number of flaws with the original warrant including:

  • “The supporting affidavit… offered almost no reason to suspect that Griffith in fact owned a cell phone, or that any phone or other device containing incriminating information would be found in his apartment.”
  • “The warrant authorized the wholesale seizure of all electronic devices discovered in the apartment, including items owned by third parties... we conclude that the warrant was… unduly broad in its reach.”
  • “The lion’s share of the affidavit… might have established probable cause to arrest Griffith for his participation in the crime. The warrant application, though, was for a search warrant, not an arrest warrant.”
  • “We do not doubt that most people today own a cell phone… But the affidavit in this case conveyed no reason to think that Griffith, in particular, owned a cell phone. There was no observation of Griffith’s using a cell phone, no information about anyone having received a cell phone call or text message from him, no record of officers recovering any cell phone in his possession at the time of his previous arrest (and confinement) on unrelated charges, and no indication otherwise of his ownership of a cell phone at any time.”
  • “An arrest warrant for Griffith… presumably would have occasioned a search of him incident to his arrest, and an ensuing seizure of any cell phone he owned in the most likely place to find it (on his person).”

In short, the fact that most people carry a cell phone is not sufficient grounds to justify an intrusive search of a home. Score one for the 4th Amendment’s “probable cause” clause.

Tomato Growers Beware

Law-abiding tea drinkers and gardeners beware: One visit to a garden store and some loose tea leaves in your trash may subject you to an early-morning, SWAT-style raid, complete with battering ram, bulletproof vests, and assault rifles. Perhaps the officers will intentionally conduct the terrifying raid while your children are home, and keep the entire family under armed guard for two and a half hours while concerned residents of your quiet, family-oriented neighborhood wonder what nefarious crime you have committed. This is neither hyperbole nor metaphor — it is precisely what happened to the Harte family in the case before us on appeal.

The defendants in this case caused an unjustified governmental intrusion into the Hartes’ home based on nothing more than junk science, an incompetent investigation, and a publicity stunt. The Fourth Amendment does not condone this conduct, and neither can I.

— Judge Lucero of the Tenth Circuit writing for the majority

New Attack Vectors

Encrypt All the Things — Even Your DNA

A person’s genetic code can reveal intimate physical details about that person, such as their chances of getting Alzheimer’s or other diseases. Researchers are clamoring for access to this wealth of information. Thanks to encryption, we don’t have to choose between medical advancements and keeping our most prized information private; we can have both.

Cryptographers created a technique they call “genome cloaking” which allows scientists to conduct medical research while keeping 97 percent of each participant’s genetic information hidden.

Encryption again solves the hard problems of the digital age.

Self-driving cars see this graffitied stop sign as a 45 mph speed limit sign. Image is from the paper “Robust Physical-World Attacks on Machine Learning Models” by Evtimov, Eykholt, et al.

Autonomous Vehicles Tricked by Stickers

Self-driving cars use cameras to observe the world around them and classifiers to make what they see meaningful. For example, the classifier identifies a stop sign, so the car knows to stop.

Using nothing more than a couple of stickers made on a home printer, security researchers at the University of Washington were able to trick the vision systems into misidentifying road signs. One notable exploit caused a car’s electric eyes to mistake a stop sign for a 45 MPH sign.

Segway Steering Snag

A researcher discovered a new attack targeted at Segways. A remote attacker can make a Segway stop short or steer it into traffic, all while there is a passenger on board.

The Segway MiniPro app uses Bluetooth to connect to the vehicle. The app allows users to steer, stop, and track their scooters remotely. But the communication channel can be hijacked, allowing a malicious hacker to damage the vehicle or injure its rider. This allows hackers to bypass safety protocols and cause severe physical damage to the machine and anyone riding it.

A Fishy Foothold

Hackers took advantage of an internet-connected fish tank located at a casino to compromise the tank’s control system. Once the tank’s security was breached, the hackers used it to scan the casino’s network for vulnerabilities and to move through the network to exploit those weaknesses.

This incident marks a larger trend — as more and more gadgets are connected to the internet, the number of threat vectors increases, exposing more and more of the vulnerabilities in our networks and technology. A device like a fish tank controller has no business reaching the rest of a casino’s network; segmenting such devices onto their own network limits what an attacker gains from compromising one of them.

Notable Vulnerabilities and Breaches

  • Apple’s “Secure” Enclave Processor — Apple’s new Secure Enclave Processor is responsible for processing fingerprint data from the Touch ID sensor, enabling access or purchases. The bad news: the key used for this outer level of encryption was discovered and posted. Not good.
  • Weather App Spies on Users — The AccuWeather iOS app asks users for access to location data under the guise of providing localized weather information. What AccuWeather doesn’t tell you is that the app is also sending GPS coordinates, the name of the Wi-Fi router, and information specifying whether or not Bluetooth is on every few hours to Reveal Mobile.
  • Apps Made by a Chinese Ad Company are Spying on You — A popular advertising software kit used by over 500 Google Play apps is spying on users, collecting location information, call logs, and device descriptions. Research showed that the malicious apps have been downloaded over 100 million times.

Bottom of the News

  • New “Cop Button” in iOS 11 Beta — A new feature in iOS lets users quickly call for help in an emergency by pressing the power button five times. Doing so locks their phone and disables Touch ID so an assailant can’t get access to their device. But the feature could also be used to quickly lock a phone to prevent law enforcement access, which has led to its nickname of the “cop button.”
  • Better Sit Down for This One — Barclays installed devices that track the amount of time bankers sit at their desks. The bank said that the intent is not to monitor people or their productivity but rather to analyze space usage with the aim to reduce cost. Whatever their intent, Barclays employees have a new big brother.
  • $100K for Spearphishing Detection — A group of researchers earned $100,000 from Facebook last week by creating a real-time detector of spear phishing attacks in enterprise settings.
  • Apple Easter Egg Job — Apple created a secret page with a job listing on it to find tech-savvy engineers. Zack Whittaker, a security editor for ZDNet, was able to find the listing after watching traffic to Apple servers with a sniffer.

If you liked this, please click the 💚 below. If you’re reading this in an email, please go to the article on the web first. Liking the article will help other people see it on Medium. You might also be interested in last week’s summary compliments of IronCore Labs.

Subscribe to our email digest to avoid missing another update.
