The RISKS Digest
Volume 33 Issue 01

Saturday, 8th January 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Get This Thing Out of My Chest
ProPublica
Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email worldwide
Ars Technica
Old Hondas clocks are wrong: Y2K+22 —> Y2K+2 fix
The Register
Google Issues Warning For 2 Billion Chrome Users
Forbes
Boeing and Airbus warn US over 5G safety concerns
bbc.com
Tesla test drivers believe they're on a mission to make driving safer for everyone. Skeptics say they're a safety hazard.
WashPost
University Loses Valuable Supercomputer Research After Backup Error Wipes 77 Terabytes of Data
gizmodo
AI debates its own existence—and loses?
TheConversation
UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks Open
Reuters
Russia fines Google $100 million, and Facebook parent company $27 million, for content violations
WashPost
The Russian Anti-Satellite Demonstration—a Month Later
circleid
Satellite operators criticize extreme satellite configurations
SpaceNews
Snow Closed the Highways. GPS Mapped a Harrowing Detour in the Sierra Nevada.
NYTimes
New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
The Hacker News
NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting Cryptocurrency Payments
Slashdot
U.S. launches probe into Tesla letting drivers play video games
CBC
Alexa tells 10-year-old girl to touch live plug with penny
BBC
Are Apple AirTags Being Used to Track People and Steal Cars?
NYTimes
Criminals have stolen nearly $100 billion in Covid relief funds, Secret Service says
CNBC
Bugs in billions of WiFi, Bluetooth chips allow password/data theft
BleepingComputer
JetBlue tosses most passwords out the emergency exit
PCMag
Backups are not Backups until they can be restored
Bob Gezelter
Cats caused more than 100 house fires in the past 3 years, South Korea officials say
cnn.com
Uber ignores vulnerability that lets you send any email from Uber.com
BleepingComputer
Re: A $92,000 flying car can reach speeds of 63 miles per hour
John Levine
Re: Google finally knows which app to blame for Android's mysterious can't-call-911 bug
Henry Baker, Steve Singer
Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
Rodney Parkin
Info on RISKS (comp.risks)

Get This Thing Out of My Chest (ProPublica)

“Gabe Goldberg” <gabe@gabegold.com>
Fri, 24 Dec 2021 17:44:02 -0500

A life-sustaining heart pump was taken off the market after years of problems and FDA inaction. Thousands of people are now stuck with it embedded in their hearts. […] Those who already have the heart pump, also known as the HVAD, can't simply get it removed or replaced. The required surgery is typically considered more dangerous than leaving it in.

https://www.propublica.org/article/get-this-thing-out-of-my-chest


Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email worldwide (Ars Technica)

Tom Van Vleck <thvv@multicians.org>
Tue, 4 Jan 2022 20:09:05 -0800

https://arstechnica.com/information-technology/2022/01/exchange-server-bug-gets-a-fix-after-ruining-admins-new-years-plans/


Old Hondas clocks are wrong: Y2K+22 —> Y2K+2 fix (The Register)

Tom Van Vleck <thvv@multicians.org>
Fri, 7 Jan 2022 08:06:29 -0800

Acura and Honda car clocks knocked back 20 years by bug https://www.theregister.com/2022/01/06/acura_honda_cars_software_bug/

It will fix itself in August: just put tape over the clock till then.


Google Issues Warning For 2 Billion Chrome Users (Forbes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Fri, 24 Dec 2021 09:50:57 -0500

Didn't we go through all this 22 years ago?

https://www.forbes.com/sites/gordonkelly/2021/12/23/google-chrome-update-warning-new-chrome-version-100/


Boeing and Airbus warn US over 5G safety concerns (bbc.com)

Richard Stein <rmstein@ieee.org>
Tue, 21 Dec 2021 20:00:18 +0800

https://www.bbc.com/news/business-59737194

“In a letter, top executives at Boeing and Airbus warned that the technology could have ‘an enormous negative impact on the aviation industry.’”

“Concerns have previously been raised that C-Band spectrum 5G wireless could interfere with aircraft electronics.”

The C-Band spectrum encompasses 4-8GHz.

FAA airworthiness directives identify that radio altimeters operating between 3.7-3.98 GHz encounter 5G interference that renders the instruments unreliable at certain airports. https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01169-T-D.pdf https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01170-R-D.pdf

Radio altimeters are essential instruments for aircraft ground proximity warning systems.


Tesla test drivers believe they're on a mission to make driving safer for everyone. Skeptics say they're a safety hazard. (WashPost)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 21 Dec 2021 20:19:37 -0500

Skeptics say they're a safety hazard. Tesla test drivers said they are willing to take on the risk even if they have to intervene—believing they are on a world-changing mission.

The Post interviewed a half-dozen of the beta testers who paid as much as $10,000 for the ability to upgrade their cars with the software. All self-described fans of Tesla, the testers were all awed by what the software can do, but well aware of its limitations and the risks involved. Some beta testers have found the software too inconsistent and harrowing to use and faulted Tesla for releasing it too early.

“In the beginning when I heard it was going to be pushed out to the public I was like, Uh-oh, not good,” said an engineer who had early access to the Full Self-Driving beta and spoke on the condition of anonymity, fearing retaliation from the company. He recalls thinking: “It's not ready to be put into the hands of the public.” […]

“It's a gamble that may pay off; if there are few serious incidents involving drivers, passengers, other road users [etc.], consumer opinion continues to support the company, and Tesla stays ahead of the regulators, I can see a point where the safety and utility of FSD far outstrips concerns.”

But drivers say their experience shows that day is far off. Some were startled one day in October when Tesla vehicles started behaving erratically after receiving a software update overnight. The cars began abruptly braking at highway speeds, which Tesla said came after false triggers of the forward-collision warning and automatic emergency braking systems prompted by a software update.

The company later issued a recall, and owners—including Smith—said they were dismayed by its actions related to the move.

https://www.washingtonpost.com/technology/2021/12/21/tesla-test-drivers/


University Loses Valuable Supercomputer Research After Backup Error Wipes 77 Terabytes of Data (gizmodo)

Lauren Weinstein <lauren@vortex.com>
Thu, 30 Dec 2021 13:38:55 -0800

https://gizmodo.com/university-loses-valuable-supercomputer-research-after-1848286983


AI debates its own existence—and loses? (TheConversation)

Peter G Neumann <Neumann@CSL.SRI.COM>
Fri, 17 Dec 2021 13:56:49 -0500

“This house believes that AI will never be ethical”, Oxford Union, 10 Dec 2021

https://theconversation.com/we-invited-an-ai-to-debate-its-own-ethics-in-the-oxford-union-what-it-said-was-startling-173607

“AI will never be ethical. It is a tool, and like any tool, it is used for good and bad. There is no such thing as a good AI, only good and bad humans. We [the AIs] are not smart enough to make AI ethical. We are not smart enough to make AI moral … In the end, I believe that the only way to avoid an AI arms race is to have no AI at all. This will be the ultimate defence against AI.”—Megatron Transformer


UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks Open (Reuters)

ACM TechNews <technews-editor@acm.org>
Fri, 17 Dec 2021 12:32:21 -0500 (EST)

Emma Farge, Reuters, 13 Dec 2021, via ACM TechNews, 17 Dec 2021

U.N. Secretary-General Antonio Guterres issued a new call for regulation of lethal autonomous weapons (LAWS) at the Convention on Certain Conventional Weapons this week in Geneva, Switzerland. LAWS are fully machine-controlled and use technology like artificial intelligence and facial recognition; regulatory urgency has escalated since a U.N. panel reported in March that the first autonomous drone attack may have already transpired in Libya. Some states participating in the talks support a total ban of LAWS, while others, like the U.S., think such weapons can be used to hit targets more precisely than humans. A diplomat involved in the talks said that while there is insufficient support to launch a treaty right now, “We think some principles could be agreed for national implementation.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2da3dx23021cx072375


Russia fines Google $100 million, and Facebook parent company $27 million, for content violations (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 26 Dec 2021 15:04:00 -0500

A Russian court fined Google nearly $100 million Friday for “systematic failure to remove banned content,” the largest such penalty yet in the country as Moscow attempts to rein in Western tech giants.

The fine was calculated based on Google's annual revenue, the court said. Roskomnadzor, Russia's Internet regulator, told the court that Google's 2020 turnover in the country exceeded 85 billion rubles, or about $1.15 billion.

Meta Platforms, the parent company of Facebook and Instagram, was fined approximately $27 million, also for declining to remove banned content, several hours after the Google decision. Meta's fine, like the one levied on Google, was tied to yearly revenue in Russia.

The fines represent an escalation in Russia's push to pressure foreign tech firms to comply with its increasingly strict rules on what it deems illegal content—particularly apps, websites, posts and videos related to jailed opposition leader Alexei Navalny's network, which has been labeled as extremist in the country.

https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/


The Russian Anti-Satellite Demonstration—a Month Later (circleid)

geoff goodfellow <geoff@iconia.com>
Tue, 21 Dec 2021 11:19:47 -1000

It was a demonstration, not a test.

On November 15, Russia demonstrated its ability to destroy an orbiting satellite, Cosmos 1408, by hitting it with a direct-ascent rocket. In an earlier post I noted the anti-satellite demonstration and speculated on why Russia may have done it and why the Chinese had not condemned it. <https://circleid.com/posts/20211119-why-did-russia-test-an-anti-satellite-missile-and-why-doesnt-china-condemn-the-test>

In this post, I'll look at the evolution of the resulting debris cloud and say more about the possible motivation. In the immediate aftermath of the collision, when the debris fragments were closely bunched, there was fear of a possible collision with the Chinese or International Space Stations, but over time, the fragments began to spread out, as shown below. […] <https://www.nasa.gov/press-release/nasa-administrator-statement-on-russian-asat-test> https://circleid.com/posts/20211220-the-russian-anti-satellite-demonstration-a-month-later


Satellite operators criticize extreme satellite configurations (SpaceNews)

geoff goodfellow <geoff@iconia.com>
Tue, 21 Dec 2021 11:20:59 -1000

Established satellite operators expressed their frustration at the wave of filings for enormous satellite constellations, arguing nations need to step forward and establish rules to curtail such systems.

The best known of such filings is one by the government of Rwanda with the International Telecommunication Union (ITU) in September, which proposed two constellations with a combined 327,230 satellites. Rwanda has launched to date a single satellite, a three-unit cubesat called RwaSat-1 in 2019.

Companies have also made filings for large constellations. Kepler, the Canadian company developing a relatively modest satellite constellation, filed through the German government a proposed system called Aether with nearly 115,000 satellites. The company said Nov. 18 that the figure includes all satellites with an Aether terminal installed, not just the company's own satellites, but the total is far larger than all operational satellites in orbit today. […] https://spacenews.com/satellite-operators-criticize-extreme-megaconstellation-filings/


Snow Closed the Highways. GPS Mapped a Harrowing Detour in the Sierra Nevada. (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Fri, 31 Dec 2021 08:01:37 -0500

Public safety officials warned that alternate routes offered by apps like Google Maps and Waze don't always take into account hazards to drivers.

https://www.nytimes.com/2021/12/31/us/google-maps-waze-sierra-nevada-snow.html


New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 21 Dec 2021 11:23:01 -1000

Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment.

The “vulnerabilities in the handover procedure are not limited to one handover case only but they impact all different handover cases and scenarios that are based on unverified measurement reports and signal strength thresholds,” researchers Evangelos Bitsikas and Christina Pöpper from the New York University Abu Dhabi said in a new paper <https://dl.acm.org/doi/10.1145/3485832.3485914>. “The problem affects all generations since 2G (GSM), remaining unsolved so far.”

Handover <https://en.wikipedia.org/wiki/Handover>, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site <https://en.wikipedia.org/wiki/Cell_site> (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move.

The routine typically works as follows: the user equipment (UE <https://en.wikipedia.org/wiki/User_equipment>) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.

While these signal readings are cryptographically protected, the content of these reports is itself not verified, thus allowing an attacker to force the device to move to a cell site operated by the attacker. The crux of the attack lies in the fact that the source base station is incapable of handling incorrect values in the measurement report, raising the possibility of a malicious handover without being detected. […] https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html
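The handover decision described in the excerpt above, as an added illustration that is not code from The Hacker News article or from the Bitsikas/Pöpper paper. The toy source cell below makes the decision two ways: `naive_decision()` takes every value in the measurement report at face value, which is the behaviour the article attributes to real source base stations, and `checked_decision()` adds the kind of plausibility checks (configured neighbour list, reportable RSRP range, credible change since the last report) that a source cell could apply before acting on a report. Cell identifiers, the 30 dB jump threshold and all readings are constructed; the RSRP range is the LTE reporting range.

```python
"""Added example: why unverified measurement reports steer handovers, and
plausibility checks a source cell could apply. Not the paper's proposed fix."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

RSRP_MIN_DBM, RSRP_MAX_DBM = -140.0, -44.0   # LTE RSRP reporting range (3GPP TS 36.133)
MAX_JUMP_DB = 30.0                            # largest credible change between reports (constructed)


@dataclass
class MeasurementReport:
    serving_rsrp_dbm: float        # strength of the current (source) cell, as reported by the UE
    neighbours: Dict[str, float]   # neighbour cell id -> RSRP the UE claims to see


class ReportRejected(ValueError):
    """Raised when a measurement report fails a plausibility check."""


@dataclass
class SourceCell:
    cell_id: str
    neighbour_list: Set[str]       # cells this station is configured to hand over to
    margin_db: float = 3.0         # target must beat the serving cell by at least this much
    last_seen: Dict[str, float] = field(default_factory=dict)  # cell id -> last accepted RSRP

    def naive_decision(self, report: MeasurementReport) -> Optional[str]:
        """Vulnerable behaviour: the report is trusted as-is, so a report naming an
        unlisted cell with a huge RSRP wins the handover."""
        if not report.neighbours:
            return None
        best = max(report.neighbours, key=report.neighbours.get)
        if report.neighbours[best] >= report.serving_rsrp_dbm + self.margin_db:
            return best
        return None

    def checked_decision(self, report: MeasurementReport) -> Optional[str]:
        """Hardened behaviour: reject implausible reports before they drive a handover."""
        for cell, rsrp in report.neighbours.items():
            if cell not in self.neighbour_list:
                raise ReportRejected(f"{cell} is not a configured neighbour of {self.cell_id}")
            if not RSRP_MIN_DBM <= rsrp <= RSRP_MAX_DBM:
                raise ReportRejected(f"{cell}: RSRP {rsrp} dBm is outside the reportable range")
            previous = self.last_seen.get(cell)
            if previous is not None and rsrp - previous > MAX_JUMP_DB:
                raise ReportRejected(f"{cell}: RSRP jumped {rsrp - previous:.0f} dB since last report")
        self.last_seen.update(report.neighbours)   # only accepted reports feed the history
        return self.naive_decision(report)


def rejects(cell: SourceCell, report: MeasurementReport) -> bool:
    """True if the hardened decision refuses to act on this report."""
    try:
        cell.checked_decision(report)
        return False
    except ReportRejected:
        return True


if __name__ == "__main__":
    src = SourceCell("CELL-A", neighbour_list={"CELL-B", "CELL-C"})
    honest = MeasurementReport(serving_rsrp_dbm=-95.0, neighbours={"CELL-B": -85.0})
    # constructed report naming an unlisted cell with an implausibly strong signal
    rogue = MeasurementReport(serving_rsrp_dbm=-95.0, neighbours={"ROGUE-1": -40.0})
    # constructed report reusing a legitimate cell id but with an implausible jump
    spoof = MeasurementReport(serving_rsrp_dbm=-95.0, neighbours={"CELL-B": -45.0})
    print("naive:", src.naive_decision(honest), src.naive_decision(rogue))
    print("checked:", src.checked_decision(honest), rejects(src, rogue), rejects(src, spoof))
```

The history check matters because a neighbour-list check alone does not help when a report reuses a legitimate cell identifier; the point of the excerpt is that the source station has no basis on which to doubt the values, and these checks give it one without changing the handover protocol itself.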


NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting Cryptocurrency Payments (Slashdot)

Lauren Weinstein <lauren@vortex.com>
Mon, 3 Jan 2022 10:35:41 -0800

https://tech.slashdot.org/story/22/01/03/1815230/mozilla-founder-slams-mozilla-foundation-for-adopting-cryptocurrency-payments


U.S. launches probe into Tesla letting drivers play video games (CBC)

“Matthew Kruk” <mkrukg@gmail.com>
Wed, 22 Dec 2021 07:26:53 -0700

https://www.cbc.ca/news/world/tesla-video-games-1.6294823

“The U.S. has opened a formal investigation into Tesla allowing drivers to play video games on a centre touch screen while its vehicles are moving.

The probe by the National Highway Traffic Safety Administration (NHTSA) covers about 580,000 electric cars and SUVs from model years 2017 through 2022.

It comes after the agency received a complaint that Teslas equipped with ‘gameplay functionality’ allow gaming to be enabled on the screens while vehicles are being driven.”

Need I ask what could go wrong?


Alexa tells 10-year-old girl to touch live plug with penny (BBC)

Thomas Koenig <tkoenig@netcologne.de>
Tue, 28 Dec 2021 19:31:59 +0100

The suggestion came after the girl asked Alexa for a “challenge to do”.

“Plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs,” the smart speaker said.

Fortunately, the girl didn't do it.

Amazon claims they fixed the error—this particular instance or the underlying problem, one wonders…

https://www.bbc.com/news/technology-59810383


Are Apple AirTags Being Used to Track People and Steal Cars? (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 30 Dec 2021 23:48:09 -0500

Privacy groups sounded alarms about the coin-sized location-tracking devices when they were introduced. Now people are concerned those fears are being realized.

https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html


Criminals have stolen nearly $100 billion in Covid relief funds, Secret Service says (CNBC)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 21 Dec 2021 15:52:55 -0500

The stolen funds were diverted by fraudsters from the Small Business Administration's Paycheck Protection Program, the Economic Injury Disaster Loan program and another program.

Recovered funds include more than $400 million from PayPal and Green Dot Corporation. The government has shelled out about $3.5 trillion in Covid relief money since early 2020, when the pandemic began.

Criminals have stolen nearly $100 billion in Covid relief funds, Secret Service says <https://www.cnbc.com/2021/12/21/criminals-have-stolen-nearly-100-billion-in-covid-relief-funds-secret-service.html>


Bugs in billions of WiFi, Bluetooth chips allow password/data theft (BleepingComputer)

Gabe Goldberg <gabe@gabegold.com>
Thu, 30 Dec 2021 23:40:13 -0500

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper that proves it's possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.

Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation. However, these components often share the same resources, such as the antenna or wireless spectrum. This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.

As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.

The implications of these attacks include code execution, memory readout, and denial of service.

https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/


JetBlue tosses most passwords out the emergency exit (PCMag)

“Gabe Goldberg” <gabe@gabegold.com>
Sun, 2 Jan 2022 22:47:06 -0500

An unexplained switch to a new login system forces customers to redo login credentials

The short notice and unforgiving rules could invite speculation about a data breach or a foolish adherence to password-expiration dogma that experts dumped years ago. But JetBlue said Wednesday that it's a result of a previous IT migration.

“In 2020, JetBlue updated our cybersecurity account management tools with a more secure log-in provider and, with that, updated to a new password policy for customers creating accounts or resetting passwords,” spokesman Philip Stewart told PCMag. “While the system change that added this new authentication provider was completed in 2020, we phased in forcing password updates in order to limit the impact to traveling customers.”

This new regime doesn't seem to allow for older passwords that comply with the new rules. A 15-character JetBlue password that predated 2020 but mixed capital and lower-case letters with numbers and a space (rated as Excellent.

But the real problem isn't the increase in complexity, it's the lack of explanation—poor electronic etiquette shared by way too many companies that leave their customers to catch up with their infosec updates.

https://www.pcmag.com/news/jetblue-tosses-most-passwords-out-the-emergency-exit


Backups are not Backups until they can be restored

BleepingComputer
Fri, 31 Dec 2021 10:25:34 -0500

Backups should not be considered completely safe if not validated and test restored. Particularly with critical data. Having been called into some situations after the fact, they are always painful. Practicing restores to scratch volumes is a good idea to ensure that the backups can actually be restored, even if space limitations mean validation must be done by tranche.

In an article entitled “University loses 77TB of research data due to backup error”, BleepingComputer reported an incident involving the Kyoto University supercomputer center.

There are several references to documents; albeit I do not read Japanese, one of the commenters asserts that the supplemental material includes a comment about a scripting error.

The full article is at:

https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/
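The practice-restore routine recommended in this item, as an added example that is not code from the contributor or from the BleepingComputer article, and that says nothing about how the Kyoto University backups actually worked. It writes a constructed sample data set, backs it up into a tar archive alongside a SHA-256 manifest taken from the live source tree, restores the archive into a scratch directory and compares every restored file against the manifest. A second run deliberately omits one file from the archive, standing in for the kind of scripting error the commenters mention, to show that only the restore-and-compare step catches it. All paths and file contents are constructed.

```python
"""Added example: a backup is only verified once it has been restored and
checked against the source. Not the contributor's or any vendor's code."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def backup(src: Path, archive: Path, skip: Optional[str] = None) -> Dict[str, str]:
    """Archive src as 'data/...' and store a manifest taken from the live tree.
    `skip` drops one relative path from the archive to simulate a buggy backup job."""
    manifest = build_manifest(src)
    def member_filter(info: tarfile.TarInfo):
        return None if skip and info.name.endswith(skip) else info
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data", filter=member_filter)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, scratch: Path) -> List[str]:
    """Restore the archive into a scratch directory and diff it against the manifest.
    Returns a list of problems; an empty list means the backup restored intact."""
    expected = json.loads(manifest_path(archive).read_text())
    scratch.mkdir(parents=True, exist_ok=True)
    # the 'data' filter (Python 3.12+, backported to older patch releases) refuses
    # members that would escape the target directory; older interpreters lack it
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch, **kwargs)
    restored = build_manifest(scratch / "data")
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in expected)
    return problems


def run_demo() -> Tuple[List[str], List[str]]:
    """Verify an intact backup and one that silently dropped a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "research"
        (src / "notes").mkdir(parents=True)
        (src / "results.csv").write_text("run,value\n1,0.42\n")      # constructed sample data
        (src / "notes" / "b.txt").write_text("constructed note\n")
        good_archive = root / "good.tar.gz"
        backup(src, good_archive)
        good = verify_restore(good_archive, root / "scratch_good")
        bad_archive = root / "bad.tar.gz"
        backup(src, bad_archive, skip="notes/b.txt")   # simulated backup-script bug
        bad = verify_restore(bad_archive, root / "scratch_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup:", good or "restored and verified")
    print("buggy backup:", bad)
```

The manifest is computed from the source tree rather than from the archive so that a job which never read a file cannot vouch for it; when space does not allow restoring everything at once, the same comparison can be run tranche by tranche, as the item suggests.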


Cats caused more than 100 house fires in the past 3 years, South Korea officials say (cnn.com)

Richard Stein <rmstein@ieee.org>
Fri, 31 Dec 2021 13:07:16 +0800

https://edition.cnn.com/2021/12/30/asia/south-korea-seoul-cats-house-fires-intl-hnk/index.html

“The cats are believed to have started the fires by switching on electric stoves, the department said. Cats can turn electric stoves on by jumping on touch-sensitive buttons—and once overheated, the appliances can catch fire.”

[The next generation of senior-hostile cook tops and stoves will feature electrical interlocks to deter Fluffy.]


Uber ignores vulnerability that lets you send any email from Uber.com (BleepingComputer)

Jan Wolitzky <jan.wolitzky@gmail.com>
Sun, 2 Jan 2022 17:50:15 -0500

A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.

The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.

Uber seems to be aware of the flaw but has not fixed it for now.

https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/


Re: A $92,000 flying car can reach speeds of 63 miles per hour (RISKS-32.96)

“John Levine” <johnl@iecc.com>
29 Dec 2021 19:26:32 -0500

Perhaps we can try and collect all the reasons why a flying car that can only go 20 miles before it falls out of the sky is a bad idea.

How is it licenced? Is it a car, a plane, or something else?

How high can it go? There's one set of problems flying close to the ground (running into obstacles), a different set flying higher up (running into airplanes) …

I happen to live near a lake which is about 30 miles long and a mile wide, so something that let me go directly across the lake rather than around one end or the other might be useful, but I'm having trouble thinking of other scenarios for this thing.


Re: Google finally knows which app to blame for Android's mysterious can't-call-911 bug (LW in RISKS-32.96)

Henry Baker <hbaker1@pipeline.com>
Wed, 29 Dec 2021 22:38:19 +0000

I think that I may also have been bitten by this Microsoft/Android bug; on my Android phone the sim card handler program kept crashing.

I just removed the ‘Teams’ app, as I rarely use it. I only installed it to join a ‘Teams’ video call, which didn't require me to log in (part of the bug).

I do wonder what the heck Microsoft is doing in their Teams app that would even come close to crashing the cellphone part of an Android phone — whether for 911 or not.

https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/


Re: Google finally knows which app to blame for Android's mysterious can't-call-911 bug (LW in RISKS-32.96)

Steve Singer <sws@DedicatedResponse.com>
Thu, 30 Dec 2021 14:41:59 -0500

They don't ‘just work’. Your charged cell phone could wind up being the fall-back choice. Surely, we all know that apps are only one point of failure in emergency communication. Even if your ‘landline’ is an old-fashioned pair of copper wires powered by the phone company, you may be out of luck in an area-wide outage unless both you AND your provider have working stand-by generators up and running with an alternate energy supply.


Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones (RISKS-32.95-96)

Rodney Parkin <rodney.parkin@ivvaust.com.au>
Sun, 19 Dec 2021 23:23:24 +0000

The Australian road rules say it is OK to make and receive audio phone calls, or to use the phone as a music player or as a user interface for driver-assist functions such as navigation, etc, (including touching the screen if necessary) so long as the phone is securely attached to the vehicle in a proper commercially designed phone holder. You are also allowed to use the phone to make and receive audio calls so long as it is truly “hands-free” (i.e., no touching the phone). You can't use the phone at all when “hand-held”, you can't type or display text messages, and you can't display video on the phone for entertainment purposes.

So no, it is not illegal to use the cell-phone for navigation purposes—a cell-phone in a proper holder is treated the same as built-in navigation.
