The RISKS Digest
Volume 33 Issue 22

Thursday, 19th May 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF
The Hacker News
PDF election ballots
Andrew Appel
New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
The Hacker News
When Your Smart ID Card Reader Comes With Malware
KrebsOnSecurity
Sadly, this food delivery robot got caught on the tracks while trying to cross
Twitter
Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers
Buzzfeed News
Crypto meltdown highlights need for urgent regulatory intervention
Dave Farber
Eavesdroppers Can Hack 6G Frequency with DIY Metasurface
Jake Boyd
China's Internet Censors Try a New Trick: Revealing Users' Locations?
NYTimes
Exposure through identity verification?
Geoff Keunning
463 people's COVID benefits accidentally sent to one of them
Mark Brader
Zero-trust security: Assume everyone on the Internet is out to get you—and already has
techxplore
DOJ says it will no longer prosecute good-faith hackers under CFAA
????
TechCrunch
Selfies Further Endanger Rare Phallic Plant, Conservationists Fear
Richard C. Paddock
Artificial Intelligence
Colbert/Gervais via Lauren Weinstein
Re: Companies envision taxis flying above jammed traffic
Martin Ward John Levine Barry Gold
Re: Finding it hard to get a new job? Robot recruiters might be to blame
Amos Shapir
Info on RISKS (comp.risks)

Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Tue, 17 May 2022 18:00:14 -1000
A first-of-its-kind security analysis of iOS Find My function has identified
a novel attack surface that makes it possible to tamper with the firmware
and load malware onto a Bluetooth chip that's executed while an iPhone is
"off."

The mechanism takes advantage of the fact that wireless chips related to
Bluetooth, Near-field communication (NFC
<https://en.wikipedia.org/wiki/Near-field_communication>), and
ultra-wideband (UWB <https://en.wikipedia.org/wiki/Ultra-wideband>) continue
to operate while iOS is shut down when entering a "power reserve" Low Power
Mode (LPM).

While this is done so as to enable features like Find My
<https://thehackernews.com/2022/02/experts-create-apple-airtag-clone-that.html>
and facilitate Express Card transactions
<https://support.apple.com/en-us/guide/security/sec90cd29d1f/web>, all the
three wireless chips have direct access to the secure element, academics
from the Secure Mobile Networking Lab (SEEMOO
<https://www.seemoo.tu-darmstadt.de/>) at the Technical University of
Darmstadt said <https://arxiv.org/pdf/2205.06114.pdf> in a paper entitled
"Evil Never Sleeps."

"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in
the NFC chip, storing secrets that should be available in LPM," the
researchers said.

"Since LPM support is implemented in hardware, it cannot be removed by
changing software components. As a result, on modern iPhones, wireless
chips can no longer be trusted to be turned off after shutdown. This poses
a new threat model."

The findings are set to be *presented*
<https://wisec2022.cs.utsa.edu/accepted-papers/> at the ACM Conference on
Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this
week.  [...]

https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html


PDF election ballots

Peter Neumann <neumann@csl.sri.com>
Thu, 19 May 2022 13:48:37 PDT
Andrew Appel:

A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified

https://freedom-to-tinker.com/2022/05/19/a-pdf-file-is-not-paper-so-pdf-ballots-cannot-be-verified/

  [PDF is an executable language.  Ballots can also be altered—or indeed
  executed, as seems to happens to certain disfavored candidates in certain
  countries.  PGN]


New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 19 May 2022 10:08:46 -1000
A novel Bluetooth relay attack can let cybercriminals more easily than ever
remotely unlock and operate cars, break open residential smart locks, and
breach secure areas.

"An attacker can falsely indicate the proximity of Bluetooth LE (BLE)
devices to one another through the use of a relay attack," UK-based
cybersecurity company NCC Group said.  "This may enable unauthorized access
to devices in BLE-based proximity authentication systems."

Relay attacks <https://en.wikipedia.org/wiki/Relay_attack>, also called
two-thief attacks, are a variation of person-in-the-middle attacks in which
an adversary intercepts communication between two parties, one of whom is
also an attacker, and then relays it to the target device without any
manipulation.

While various mitigations have been implemented to prevent relay attacks,
including imposing response time limits during data exchange between any
two devices communicating over BLE and triangulation-based localization
techniques, the new relay attack can bypass these measures.  [...]

https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html
https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/

   [Tom Van Vleck noted:
   New Bluetooth hack can unlock your Tesla— and all kinds of other devices
   The comments are really funny.
https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/
   PGN]


When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity)

geoff goodfellow <geoff@iconia.com>
Tue, 17 May 2022 17:14:53 -1000
Millions of U.S. government employees and contractors have been issued a
secure smart ID card that enables physical access to buildings and
controlled spaces, and provides access to government computer networks and
systems at the cardholder's appropriate security level. But many government
employees aren't issued an approved card reader device that lets them use
these cards at home or remotely, and so turn to low-cost readers they find
online. What could go wrong? Here's one example. [...]

https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/


Sadly, this food delivery robot got caught on the tracks while trying to cross (Twitter)

geoff goodfellow <geoff@iconia.com>
Wed, 18 May 2022 11:16:05 -1000
https://twitter.com/tulipsmg/status/1525976684998144005

  [Gee whiz.  Two different food-delivery robots in successive issues.  This
  one should be in a Train "sears robot catalog", because it caught fire.
  (Funny only if you are my age, perhaps.)  PGN]


Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers (Buzzfeed News)

Monty Solomon <monty@roscom.com>
Wed, 18 May 2022 16:08:50 -0400
The global credit-card rivals maintain a strikingly permissive relationship
with companies that have been accused of fraud. For one of Mastercard' top
executives, that relationship went even further. A BuzzFeed News
investigation.

https://www.buzzfeednews.com/article/rosalindadams/mastercard-visa-fraud


Crypto meltdown highlights need for urgent regulatory intervention

Dave Farber <farber@keio.jp>
Fri, 20 May 2022 06:32:12 +0900
>From an OPED in Nikkei Asia 5/20 by David Farber and Dan Gilmor

You have to feel a twinge of sympathy for the people who "invested" their
savings in cryptocurrencies during the past few months and who subsequently
lost most or all of their money when the cryptocurrency marketplace
collapsed during the past several weeks.

The words "invested" is in quotes for a reason. This bubble was a classic in
the genre, and the people who are collectively losing the most money are
low-information gamblers, not investors, just as they are when every
economic bubble deflates.

And they were warned. Anyone paying the slightest attention had to have
heard the ever-more-strident cautions, including ours, that cryptocurrencies
were not what they seemed and that this "marketplace" was in large part a
mirage. And, as we said in the article, “Cryptocurrencies remain a gamble
best avoided,'' published online on Feb. 5, a rigged game.


Eavesdroppers Can Hack 6G Frequency with DIY Metasurface (Jake Boyd)

ACM TechNews <technews-editor@acm.org>
Wed, 18 May 2022 12:28:57 -0400 (EDT)
Jade Boyd, Rice University News, 16 May 2022, via ACM TechNews, 18 May 2022

Hackers can use common tools to construct a metasurface that allows them to
listen in on 6G wireless transmissions. Researchers at Rice and Brown
universities demonstrated that attackers could employ a sheet of office
paper covered with two-dimensional foil symbols to reroute part of a
150-gigahertz "pencil beam" signal between two users, calling it a
Metasurface-in-the-Middle exploit. In such a situation, the eavesdropper
designs a metasurface to diffract part of a signal to their location; Rice's
Zhambyl Shaikhanov said they then laser-print the metasurface by feeding
metal foil through a laminator. Brown's Daniel Mittleman said the
hot-stamping technique was developed to simplify metasurface manufacturing
for quick, affordable testing. Warns Rice's Edward Knightly,
"Next-generation wireless will use high frequencies and pencil beams to
support wide-band applications like virtual reality and autonomous
vehicles."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ea62x233db0x071353&


China's Internet Censors Try a New Trick: Revealing Users' Locations? (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Wed, 18 May 2022 07:12:17 -0400
For years China's censors have relied on a trusted tool kit to control the
country's Internet. They have deleted posts, suspended accounts, blocked
keywords, and arrested the most outspoken.

Now they are trying a new trick: displaying social media users' locations
beneath posts.

Authorities say the location tags, which are displayed automatically, will
help unearth overseas disinformation campaigns intended to destabilize
China. In practice, they have offered new fuel for pitched online battles
that increasingly link Chinese citizens' locations with their national
loyalty. Chinese people posting from overseas, and even from provinces
deemed insufficiently patriotic, are now easily targeted by nationalist
influencers, whose fans harass them or report their accounts.

The tags, based on a user's Internet Protocol, or I.P., address that can
reveal where a person is located, were first applied to posts that mentioned
the Russian invasion of Ukraine, a topic authorities said was being
manipulated with foreign propaganda. Now they are being expanded to most
social media content, further chilling speech on a Chinese Internet
dominated by censorship and isolated from the world.

The move marks a new step in a decade-long push by Chinese officials to end
anonymity online and exert a more perfect control over China's digital town
squares.

https://www.nytimes.com/2022/05/18/business/china-internet-censors-ip-address.html


Exposure through identity verification?

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 16 May 2022 19:55:30 -0700
I got data-breach notice today from Assurance IQ, LLC and some of its
affiliated companies.  (I'm dang sure they wouldn't have told me if they
weren't forced to by law.)  Of course they said that "keeping personal data
safe and secure is very important" to them.

I guess that's why they didn't notice for 16 months that someone was
repeatedly using their site to extract personal data.  Based on their
description, it sounds like if you filled out a life insurance application
with someone's "name, address, and other information", they then "retrieved
a driver's license number that was then displayed...in the online
application."  Yup, either they helpfully auto-filled that number (if they
knew it, why did they need it filled in?) or, more likely, displayed it as a
method of identity verification.  "Please click here if you are the person
with DL number 1234567."

Did nobody review this design?

  [I suspect nobody who knew anything did.  PGN]


463 people's COVID benefits accidentally sent to one of them

Mark Brader <msb@Vex.Net>
Tue, 17 May 2022 09:49:17 -0400 (EDT)
https://english.kyodonews.net/news/2022/05/814926b5d433-man-mistakenly-sent-463-mil-yen-in-covid-funds-gambles-it-all-away.html


Zero-trust security: Assume everyone on the Internet is out to get you—and already has (techxplore)

Richard Stein <rmstein@ieee.org>
Thu, 19 May 2022 09:47:40 +0800
https://techxplore.com/news/2021-05-zero-trust-assume-internet-youand.html

"Using the public health analogy, a zero-trust approach to cybersecurity
assumes that an infection is only a cough—or, in this case, a click --
away, and focuses on building an immune system capable of dealing with
whatever novel virus may come along. Put another way, instead of defending a
castle, this model assumes that the invaders are already inside the walls."

"Zero Trust Architecture," from
https://csrc.nist.gov/publications/detail/sp/800-207/final(retrieved on
19MAY2022) documents a framework for infrastructure, processes, and policies
to establish a Zero Trust ecosystem.

A significant shift from the static, network-based Internet perimeter we
enjoy today, where trust—too much trust—enables convenient and
anonymous access easing navigation through infrastructure, Zero Trust
imposes constant credential authentication challenges for users, assets and
resources based on a centralized policy enforcement mechanism.

Policy enforcement subjects a user's identity to verification checks for
each new resource access request, and access is subject to mediation (via
privilege and allocation masks), logging, and analysis.

The US government now requires disclosure of industry cyber incidents.  For
businesses deemed "critical infrastructure," regulation will likely be
necessary to compel Zero Trust adoption. The days of voluntary business
cyber compliance are history.

Commercial enterprises will object to the transition cost. Ransomware and
business e-mail compromise payoffs are illegal—but weakly enforced, and
indictments of impacted business organizations have not materialized so
far. See "Ransomware Payments and the Law," from
https://www.lawfareblog.com/ransomware-payments-and-law (retrieved on
19MAY2022) for background. Incidents are inconvenient and embarrassing, a
mere business expense passed onto the customer as cyber-insurance premium
prices inflate.

An overview of Zero Trust architecture and prototype of how it operates can
be found in the video https://youtu.be/6I6bnNdZ5XU via "Zero-trust
architecture may hold the answer to cybersecurity insider threats"
https://techxplore.com/news/2022-05-zero-trust-architecture-cybersecurity-insider-threats.html.

["Get got" is a prerequisite for becoming "got got."]

  [As I must have noted here already, ZERO-TRUST is a horrible term.  There
  is always something that has to be trusted, whether you like it or not.
  "Minimal-trust" might make some sense, except today everything is a
  potential weak link, and NOTHING is trustworthy.  Applying it to bacterial
  and viral infections is similarly stupid.  PGN]


DOJ says it will no longer prosecute good-faith hackers under CFAA (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Thu, 19 May 2022 09:37:55 -0700
https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/


Selfies Further Endanger Rare Phallic Plant, Conservationists Fear (NYT) (Richard C. Paddock)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 19 May 2022 08:36:31 -0600
18 May 2022

  The three women shrieked and giggled as they plucked the tubular pitchers
  from rare carnivorous plants in the mountains of Cambodia. The phallic
  shape of the pitchers reminded them of something, they joked as a friend
  filmed the scene with a phone.

  The women broke off some of the distinctive appendages, which the plants
  use to trap insects. Holding them suggestively for the camera, they
  compared the pitchers' sizes to the physique of different men from various
  parts of Cambodia. "I want all of them," says the woman in blue,
  displaying four plucked pitchers for the camera.

  The widely viewed video prompted Cambodia's ministry of environment to
  warn the public last week not to pick the pitchers of the plant, which is
  an endangered species and protected by law. Conservationists are concerned
  that the growing popularity of smartphones and selfies could increase
  pressure on the rare plants.

https://www.nytimes.com/2022/05/18/world/asia/cambodian-plant-video.html


Artificial Intelligence

Lauren Weinstein <lauren@vortex.com>
Thu, 19 May 2022 08:47:14 -0700
* Stephen Colbert: "Are you afraid of artificial intelligence taking over?"

* Ricky Gervais: "I'd love for any intelligence to take over."


Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.21)

Martin Ward <martin@gkc.org.uk>
Tue, 17 May 2022 14:00:48 +0100
You are not thinking three-dimensionally.

Consider the famous "spaghetti junction"
(https://en.wikipedia.org/wiki/Gravelly_Hill_Interchange) where 18 different
roads intersect in a free-flowing junction over five different levels.
Flying cars can operate on an arbitrarily large number of different levels,
so you can indeed "just breeze through the sky".


Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.20)

"John Levine" <johnl@iecc.com>
16 May 2022 21:15:36 -0400
>Hasn't anyone considered that once flying cars/taxis are practical and
>popularized, the traffic jams will simply migrate from the roads to the
>air?

Maybe, maybe not.  Cars have to stay on the road, but in principle flying
vehicles can go point to point so long as they are able to avoid running
into each other (admittedly a significant "if".)  Also, flying vehicles can
fly at different altitudes.  Commercial planes fly at specified altitudes,
1000 vertical feet apart, with alternating levels for alternating
directions.

I have my doubts whether flying cars will ever be a mass market item, as
opposed to a toy for rich people and a niche item for people who have some
business reason that the time savings are worth it.  We've had small planes
for over a century and the cost to own and run a plane is still a lot more
than for a car.


Re: Companies envision taxis flying above jammed traffic

Barry Gold <BarryDGold@ca.rr.com>
Thu, 19 May 2022 10:15:54 -0700
Except that there's a lot more room in the air. Freeways are limited to
whatever land we can afford to buy for the purpose. Airways can use a huge
amount of space, and can use it on multiple levels. Even if you restricted
air traffic to the space above existing roadways (on the basis that
landowners also own the airspace above their land, at least up to wherever
the commercial airlanes start), you could stack traffic 2, 3, 5, 10, 20
levels high, where existing roadways are limited to 1 or at most 2 levels.

  [You seem to be completely ignoring the TCAS issues relating to changing
  altitudes.  PGN]


Re: Finding it hard to get a new job? Robot recruiters might be to blame (RISKS-33.21)

Amos Shapir <amos083@gmail.com>
Tue, 17 May 2022 12:32:45 +0300
The problem seems to be that such tools are deployed before testing if they
are actually adequate for the job.  It seems as if the rules are defined by
programmers, and if there are people who participate in the process on
behalf of the hiring company, they are of HR and not of the hiring
departments.  The result may give rise to Artificial Stupidity.

Testing such a tool should involve running it in parallel with screening
candidates by human managers, for a significant time period (I think at
least a year); and then comparing the results to catch any misfeatures or
biases in the design.

Please report problems with the web pages to the maintainer

x
Top