The RISKS Digest
Volume 33 Issue 22

Thursday, 19th May 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF
The Hacker News
PDF election ballots
Andrew Appel
New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
The Hacker News
When Your Smart ID Card Reader Comes With Malware
KrebsOnSecurity
Sadly, this food delivery robot got caught on the tracks while trying to cross
Twitter
Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers
Buzzfeed News
Crypto meltdown highlights need for urgent regulatory intervention
Dave Farber
Eavesdroppers Can Hack 6G Frequency with DIY Metasurface
Jade Boyd
China's Internet Censors Try a New Trick: Revealing Users' Locations?
NYTimes
Exposure through identity verification?
Geoff Kuenning
463 people's COVID benefits accidentally sent to one of them
Mark Brader
Zero-trust security: Assume everyone on the Internet is out to get you—and already has
techxplore
DOJ says it will no longer prosecute good-faith hackers under CFAA
TechCrunch
Selfies Further Endanger Rare Phallic Plant, Conservationists Fear
Richard C. Paddock
Artificial Intelligence
Colbert/Gervais via Lauren Weinstein
Re: Companies envision taxis flying above jammed traffic
Martin Ward John Levine Barry Gold
Re: Finding it hard to get a new job? Robot recruiters might be to blame
Amos Shapir
Info on RISKS (comp.risks)

Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 17 May 2022 18:00:14 -1000

A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is “off.”

The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC <https://en.wikipedia.org/wiki/Near-field_communication>), and ultra-wideband (UWB <https://en.wikipedia.org/wiki/Ultra-wideband>) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).

While this is done so as to enable features like Find My <https://thehackernews.com/2022/02/experts-create-apple-airtag-clone-that.html> and facilitate Express Card transactions <https://support.apple.com/en-us/guide/security/sec90cd29d1f/web>, all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO <https://www.seemoo.tu-darmstadt.de/>) at the Technical University of Darmstadt said <https://arxiv.org/pdf/2205.06114.pdf> in a paper entitled “Evil Never Sleeps.”

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”

The findings are set to be presented <https://wisec2022.cs.utsa.edu/accepted-papers/> at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week. […]

https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html


PDF election ballots

Peter Neumann <neumann@csl.sri.com>
Thu, 19 May 2022 13:48:37 PDT

Andrew Appel:

A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified

https://freedom-to-tinker.com/2022/05/19/a-pdf-file-is-not-paper-so-pdf-ballots-cannot-be-verified/


New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 19 May 2022 10:08:46 -1000

A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas.

“An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack,” UK-based cybersecurity company NCC Group said. “This may enable unauthorized access to devices in BLE-based proximity authentication systems.”

Relay attacks <https://en.wikipedia.org/wiki/Relay_attack>, also called two-thief attacks, are a variation of person-in-the-middle attacks in which an adversary intercepts communication between two parties, one of whom is also an attacker, and then relays it to the target device without any manipulation.

While various mitigations have been implemented to prevent relay attacks, including imposing response time limits during data exchange between any two devices communicating over BLE and triangulation-based localization techniques, the new relay attack can bypass these measures. […]

https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html
https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/


When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity)

geoff goodfellow <geoff@iconia.com>
Tue, 17 May 2022 17:14:53 -1000

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example. […]

https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/


Sadly, this food delivery robot got caught on the tracks while trying to cross (Twitter)

geoff goodfellow <geoff@iconia.com>
Wed, 18 May 2022 11:16:05 -1000

https://twitter.com/tulipsmg/status/1525976684998144005


Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers (Buzzfeed News)

Monty Solomon <monty@roscom.com>
Wed, 18 May 2022 16:08:50 -0400

The global credit-card rivals maintain a strikingly permissive relationship with companies that have been accused of fraud. For one of Mastercard's top executives, that relationship went even further. A BuzzFeed News investigation.

https://www.buzzfeednews.com/article/rosalindadams/mastercard-visa-fraud


Crypto meltdown highlights need for urgent regulatory intervention

Dave Farber <farber@keio.jp>
Fri, 20 May 2022 06:32:12 +0900

From an op-ed in Nikkei Asia, 5/20, by David Farber and Dan Gillmor

You have to feel a twinge of sympathy for the people who “invested” their savings in cryptocurrencies during the past few months and who subsequently lost most or all of their money when the cryptocurrency marketplace collapsed during the past several weeks.

The word “invested” is in quotes for a reason. This bubble was a classic in the genre, and the people who are collectively losing the most money are low-information gamblers, not investors, just as they are when every economic bubble deflates.

And they were warned. Anyone paying the slightest attention had to have heard the ever-more-strident cautions, including ours, that cryptocurrencies were not what they seemed and that this “marketplace” was in large part a mirage. And, as we said in the article “Cryptocurrencies remain a gamble best avoided,” published online on Feb. 5, it was a rigged game.


Eavesdroppers Can Hack 6G Frequency with DIY Metasurface (Jade Boyd)

ACM TechNews <technews-editor@acm.org>
Wed, 18 May 2022 12:28:57 -0400 (EDT)

Jade Boyd, Rice University News, 16 May 2022, via ACM TechNews, 18 May 2022

Hackers can use common tools to construct a metasurface that allows them to listen in on 6G wireless transmissions. Researchers at Rice and Brown universities demonstrated that attackers could employ a sheet of office paper covered with two-dimensional foil symbols to reroute part of a 150-gigahertz “pencil beam” signal between two users, calling it a Metasurface-in-the-Middle exploit. In such a situation, the eavesdropper designs a metasurface to diffract part of a signal to their location; Rice's Zhambyl Shaikhanov said they then laser-print the metasurface by feeding metal foil through a laminator. Brown's Daniel Mittleman said the hot-stamping technique was developed to simplify metasurface manufacturing for quick, affordable testing. Warns Rice's Edward Knightly, “Next-generation wireless will use high frequencies and pencil beams to support wide-band applications like virtual reality and autonomous vehicles.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ea62x233db0x071353&


China's Internet Censors Try a New Trick: Revealing Users' Locations? (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Wed, 18 May 2022 07:12:17 -0400

For years China's censors have relied on a trusted tool kit to control the country's Internet. They have deleted posts, suspended accounts, blocked keywords, and arrested the most outspoken.

Now they are trying a new trick: displaying social media users' locations beneath posts.

Authorities say the location tags, which are displayed automatically, will help unearth overseas disinformation campaigns intended to destabilize China. In practice, they have offered new fuel for pitched online battles that increasingly link Chinese citizens' locations with their national loyalty. Chinese people posting from overseas, and even from provinces deemed insufficiently patriotic, are now easily targeted by nationalist influencers, whose fans harass them or report their accounts.

The tags, based on a user's Internet Protocol, or I.P., address that can reveal where a person is located, were first applied to posts that mentioned the Russian invasion of Ukraine, a topic authorities said was being manipulated with foreign propaganda. Now they are being expanded to most social media content, further chilling speech on a Chinese Internet dominated by censorship and isolated from the world.

The move marks a new step in a decade-long push by Chinese officials to end anonymity online and exert a more perfect control over China's digital town squares.

https://www.nytimes.com/2022/05/18/business/china-internet-censors-ip-address.html


Exposure through identity verification?

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 16 May 2022 19:55:30 -0700

I got a data-breach notice today from Assurance IQ, LLC and some of its affiliated companies. (I'm dang sure they wouldn't have told me if they weren't forced to by law.) Of course they said that “keeping personal data safe and secure is very important” to them.

I guess that's why they didn't notice for 16 months that someone was repeatedly using their site to extract personal data. Based on their description, it sounds like if you filled out a life insurance application with someone's “name, address, and other information”, they then “retrieved a driver's license number that was then displayed…in the online application.” Yup, either they helpfully auto-filled that number (if they knew it, why did they need it filled in?) or, more likely, displayed it as a method of identity verification. “Please click here if you are the person with DL number 1234567.”

Did nobody review this design?
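As an added illustration of the design flaw Geoff describes (constructed example code, not Assurance IQ's own; the record, the names and the licence number are made up), here is the flawed lookup beside a verification step that never reveals the number, limits attempts per record and logs each one:

```python
# Added example (constructed; not Assurance IQ's code). The flawed flow
# returns the licence number to anyone who knows name and address; the
# hardened flow makes the caller present it and answers only yes/no.
import hashlib
import hmac
import os

# Constructed record: name and address are easy to learn; the driver's
# licence number is the value the form was supposed to protect.
RECORDS = {("Pat Example", "1 Main St"): "D1234567"}

def lookup_flawed(name, address):
    """The design the post describes: name + address retrieves the DL number."""
    return RECORDS.get((name, address))

SALT = os.urandom(16)
ITERATIONS = 50_000

def _hash(dl):
    return hashlib.pbkdf2_hmac("sha256", dl.encode(), SALT, ITERATIONS)

# Hardened store keeps only a salted hash, so the number cannot be echoed.
HASHED = {k: _hash(v) for k, v in RECORDS.items()}
MAX_ATTEMPTS = 5
ATTEMPTS = {}

def verify_hardened(name, address, claimed_dl, audit):
    """Return True only if the caller presents the correct DL number.
    A per-record attempt limit and an audit trail make guessing visible."""
    key = (name, address)
    ATTEMPTS[key] = ATTEMPTS.get(key, 0) + 1
    if ATTEMPTS[key] > MAX_ATTEMPTS:
        audit.append(("lockout", key))
        return False
    stored = HASHED.get(key)
    # Hash against a dummy when the record is missing so response time
    # does not reveal whether name + address matched anything.
    target = stored if stored is not None else _hash("")
    ok = hmac.compare_digest(target, _hash(claimed_dl)) and stored is not None
    audit.append(("verify", key, ok))
    return ok
```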


463 people's COVID benefits accidentally sent to one of them

Mark Brader <msb@Vex.Net>
Tue, 17 May 2022 09:49:17 -0400 (EDT)

https://english.kyodonews.net/news/2022/05/814926b5d433-man-mistakenly-sent-463-mil-yen-in-covid-funds-gambles-it-all-away.html


Zero-trust security: Assume everyone on the Internet is out to get you—and already has (techxplore)

Richard Stein <rmstein@ieee.org>
Thu, 19 May 2022 09:47:40 +0800

https://techxplore.com/news/2021-05-zero-trust-assume-internet-youand.html

“Using the public health analogy, a zero-trust approach to cybersecurity assumes that an infection is only a cough—or, in this case, a click—away, and focuses on building an immune system capable of dealing with whatever novel virus may come along. Put another way, instead of defending a castle, this model assumes that the invaders are already inside the walls.”

“Zero Trust Architecture,” from https://csrc.nist.gov/publications/detail/sp/800-207/final (retrieved on 19MAY2022) documents a framework for infrastructure, processes, and policies to establish a Zero Trust ecosystem.

A significant shift from the static, network-based Internet perimeter we enjoy today, where trust—too much trust—enables convenient and anonymous access easing navigation through infrastructure, Zero Trust imposes constant credential authentication challenges for users, assets and resources based on a centralized policy enforcement mechanism.

Policy enforcement subjects a user's identity to verification checks for each new resource access request, and access is subject to mediation (via privilege and allocation masks), logging, and analysis.

The US government now requires disclosure of industry cyber incidents. For businesses deemed “critical infrastructure,” regulation will likely be necessary to compel Zero Trust adoption. The days of voluntary business cyber compliance are history.

Commercial enterprises will object to the transition cost. Ransomware and business e-mail compromise payoffs are illegal—but weakly enforced, and indictments of impacted business organizations have not materialized so far. See “Ransomware Payments and the Law,” from https://www.lawfareblog.com/ransomware-payments-and-law (retrieved on 19MAY2022) for background. Incidents are inconvenient and embarrassing, a mere business expense passed onto the customer as cyber-insurance premium prices inflate.

An overview of Zero Trust architecture and prototype of how it operates can be found in the video https://youtu.be/6I6bnNdZ5XU via “Zero-trust architecture may hold the answer to cybersecurity insider threats” https://techxplore.com/news/2022-05-zero-trust-architecture-cybersecurity-insider-threats.html.

[“Get got” is a prerequisite for becoming “got got.”]
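An added example of the per-request mediation the post describes (constructed code, not from the post or from NIST SP 800-207; the subjects, tokens, resources and policy are invented): each request is checked afresh for identity, credential age, device posture and a privilege mask, and every decision is logged, with the source network recorded but earning no trust.

```python
# Added example (constructed; not from the post or NIST SP 800-207).
from dataclasses import dataclass
from enum import IntFlag

class Priv(IntFlag):
    READ = 1
    WRITE = 2

@dataclass
class Request:
    subject: str
    token: str             # bearer credential presented on this request
    device_attested: bool  # posture claim from the endpoint agent
    resource: str
    action: Priv
    src_net: str           # logged only; being "inside" earns no trust

# Constructed policy store: (subject, resource) -> privilege mask,
# plus the currently valid token and its issue time per subject.
GRANTS = {("alice", "payroll-db"): Priv.READ | Priv.WRITE,
          ("bob", "payroll-db"): Priv.READ}
TOKENS = {"alice": ("tok-a1", 1000.0), "bob": ("tok-b1", 1000.0)}
MAX_TOKEN_AGE = 300.0  # seconds before re-authentication is forced

def decide(req, now, audit):
    """Evaluate one request from scratch, log the outcome, and return
    True only when every check passes."""
    token, issued = TOKENS.get(req.subject, (None, 0.0))
    mask = GRANTS.get((req.subject, req.resource), Priv(0))
    if token is None or token != req.token:
        reason = "deny: identity not verified"
    elif now - issued > MAX_TOKEN_AGE:
        reason = "deny: credential too old, re-authenticate"
    elif not req.device_attested:
        reason = "deny: device posture not attested"
    elif (mask & req.action) != req.action:
        reason = "deny: privilege mask does not cover action"
    else:
        reason = "allow"
    audit.append((now, req.subject, req.src_net, req.resource,
                  str(req.action), reason))
    return reason == "allow"

def demo():
    """Constructed scenario; returns (decisions, audit log)."""
    audit = []
    reqs = [
        Request("alice", "tok-a1", True, "payroll-db", Priv.WRITE, "lan"),
        Request("bob", "tok-b1", True, "payroll-db", Priv.WRITE, "lan"),
        Request("bob", "stale", True, "payroll-db", Priv.READ, "lan"),
        Request("alice", "tok-a1", False, "payroll-db", Priv.READ, "vpn"),
    ]
    results = [decide(r, 1100.0, audit) for r in reqs]
    # same subject and token as the first request, but 400 s after issue
    results.append(decide(reqs[0], 1400.0, audit))
    return results, audit
```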


DOJ says it will no longer prosecute good-faith hackers under CFAA (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Thu, 19 May 2022 09:37:55 -0700

https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/


Selfies Further Endanger Rare Phallic Plant, Conservationists Fear (NYT) (Richard C. Paddock)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 19 May 2022 08:36:31 -0600

18 May 2022

The three women shrieked and giggled as they plucked the tubular pitchers from rare carnivorous plants in the mountains of Cambodia. The phallic shape of the pitchers reminded them of something, they joked as a friend filmed the scene with a phone.

The women broke off some of the distinctive appendages, which the plants use to trap insects. Holding them suggestively for the camera, they compared the pitchers' sizes to the physique of different men from various parts of Cambodia. “I want all of them,” says the woman in blue, displaying four plucked pitchers for the camera.

The widely viewed video prompted Cambodia's ministry of environment to warn the public last week not to pick the pitchers of the plant, which is an endangered species and protected by law. Conservationists are concerned that the growing popularity of smartphones and selfies could increase pressure on the rare plants.

https://www.nytimes.com/2022/05/18/world/asia/cambodian-plant-video.html


Artificial Intelligence

Lauren Weinstein <lauren@vortex.com>
Thu, 19 May 2022 08:47:14 -0700

Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.21)

Martin Ward <martin@gkc.org.uk>
Tue, 17 May 2022 14:00:48 +0100

You are not thinking three-dimensionally.

Consider the famous “spaghetti junction” (https://en.wikipedia.org/wiki/Gravelly_Hill_Interchange) where 18 different roads intersect in a free-flowing junction over five different levels. Flying cars can operate on an arbitrarily large number of different levels, so you can indeed “just breeze through the sky”.


Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.20)

“John Levine” <johnl@iecc.com>
16 May 2022 21:15:36 -0400

>Hasn't anyone considered that once flying cars/taxis are practical and
>popularized, the traffic jams will simply migrate from the roads to the
>air?

Maybe, maybe not. Cars have to stay on the road, but in principle flying vehicles can go point to point so long as they are able to avoid running into each other (admittedly a significant “if”.) Also, flying vehicles can fly at different altitudes. Commercial planes fly at specified altitudes, 1000 vertical feet apart, with alternating levels for alternating directions.

I have my doubts whether flying cars will ever be a mass market item, as opposed to a toy for rich people and a niche item for people who have some business reason that the time savings are worth it. We've had small planes for over a century and the cost to own and run a plane is still a lot more than for a car.


Re: Companies envision taxis flying above jammed traffic

Barry Gold <BarryDGold@ca.rr.com>
Thu, 19 May 2022 10:15:54 -0700

Except that there's a lot more room in the air. Freeways are limited to whatever land we can afford to buy for the purpose. Airways can use a huge amount of space, and can use it on multiple levels. Even if you restricted air traffic to the space above existing roadways (on the basis that landowners also own the airspace above their land, at least up to wherever the commercial airlanes start), you could stack traffic 2, 3, 5, 10, 20 levels high, where existing roadways are limited to 1 or at most 2 levels.


Re: Finding it hard to get a new job? Robot recruiters might be to blame (RISKS-33.21)

Amos Shapir <amos083@gmail.com>
Tue, 17 May 2022 12:32:45 +0300

The problem seems to be that such tools are deployed before testing if they are actually adequate for the job. It seems as if the rules are defined by programmers, and if there are people who participate in the process on behalf of the hiring company, they are from HR and not from the hiring departments. The result may give rise to Artificial Stupidity.

Testing such a tool should involve running it in parallel with screening candidates by human managers, for a significant time period (I think at least a year); and then comparing the results to catch any misfeatures or biases in the design.
