A selection of this week’s more interesting vulnerability disclosures and cyber security news. Some horrendous lapses of security this week, all of which I’m going to ignore as they are too obvious. The ones I want to highlight (oh dear, a pun to come, sorry) are in my usual sphere of interest: hardware hacks and IoT.
The first one, and the subject of the pun, is IoT light bulbs. It’s not a completely new vector, but what it does show is the subtlety of exfiltration beyond human perception that it’s happening. Not so sure about identifying what music or sound the bulb is throbbing along to, though! Perhaps knowing what embarrassing music someone listens to in private might be good blackmail?
- Researchers Shine Light on Smart-Bulb Data Theft: The attack allows snooping of data from environments that are highly secure or air-gapped using infrared signals from smart bulbs.
This one is absolutely fascinating. I’ve read previous research about using various ‘noise’ to ascertain what is going on, but this is another step beyond that:
- Side-Channel Attack Allows Remote Listener to ‘Hear’ On-Screen Images: The contents of the user’s screen can be gleaned through video or VoIP calls, or voice-operated virtual assistants, like Amazon Alexa.
Again, not completely new, just an evolution of the idea, and with easy online markets for buying cheap chargers, how many out there could have an alternative objective?
The really sad stuff:
- 1,464 Western Australian government officials used ‘Password123’ as their password. But don’t smirk. Taylor Telford reports
- Adobe Pushes Out Unscheduled Creative Cloud Application Fix: Adobe issues a second unscheduled update this month to address a bug with publicly available proof-of-concept code in the wild.
- AI-Based POC, DeepLocker, Could Conceal Targeted Attacks: IBM research scientist discusses DeepLocker, a stealthy artificial intelligence-enhanced proof-of-concept that won’t release any payload until the attacker reaches its ultimate target.
- Proof-of-Concept Released for Apache Struts Vulnerability: It took less than five days for proof of concept code exploiting the latest Apache Struts vulnerability to hit GitHub.
- AT Command Hitch Leaves Android Phones Open to Attack: Researchers used AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, and unlock screens.
- Spyware Company Leaves ‘Terabytes’ of Selfies, Text Messages, and Location Data Exposed Online Lorenzo Franceschi-Bicchierai reports
- Facebook Flaw Allowed Remote Commands: Facebook failed to fully sanitize error data returned by a public facing web app.
- Fortnite Android App Falls Victim to Man-in-the-Disk Flaw: After Google publicized the flaw seven days after a patch was issued, the Epic Games CEO called out the company for irresponsible disclosure.