Two of the articles this week deviate from cyber security, however, they are topical and relevant to painting a larger ‘buyer beware’ theme. Malicious actors sell counterfeit eclipse viewing glasses, Roomba's map your house (potentially for the highest bidder), embedded ultrasonic signals played through a TV can allow malicious actors to track your movement, DJI plans to remove a Trojan from its ‘Go’ app, and shared smartphone application libraries libraries expose content to hackers.
1. Counterfeit Eclipse glasses
Libraries, science museums, hardware stores and Amazon have all had a run on eclipse glasses, cardboard glasses, with film so dark that it’s impossible to see through without looking at the sun.
Unfortunately, there have been some malicious individuals that have turned to selling fake eclipse glasses to make a quick dollar. NASA and the American Astronomical Society published a list of reputable manufacturers
To thwart copycats, the manufacturers have printed ISO numbers on the glasses. However, this was soon copied by the counterfeiters.
Using eclipse glasses that don’t meet NASA standards will result in retina damage. Our retina’s don’t have pain receptors in them, so we can burn our fovea’s without even realizing it.
List of reputable manufacturers:
What happens to your eye without protection:
2. Vacuum Mapping – iRobot autonomous vacuums poised to collect and sell mapping data on your home
In an interview with Reuters, iRobot (maker of Roomba cleaners) CEO, Colin Angle, recently shared some insights regarding how mapping data of a user’s homes, which has been collected for years, could be leveraged to deliver a better smart home experience when combined with other IoT devices. Angle says his company could reach a deal to share its map data for free (with customer consent) to one or more of the Big Three (Amazon/Apple/Google) in the next couple of years. Angle believes the mapping technology used in top-end iRobot models could improve other Smart home devices. He is basing the company’s strategy on it. In March, iRobot became compatible with Amazon’s Alexa voice assistant.
"There's an entire ecosystem of things and services that the smart home can deliver once you have a rich map of the home that the user has allowed to be shared," said Angle.
After the article was released iRobot released a clarifying statement:
iRobot does not sell customer data. Our customers always come first. We will never violate our customer’s trust by selling or misusing customer-related data, including data collected by our connected products. Right now, the data Roomba collects enables it to effectively clean the home and provides customers with information about cleaning performance. iRobot believes that, in the future, this information could provide even more value for our customers by enabling the smart home and the devices within it to work better, but always with their explicit consent.
3. The Day the Music Spied - Researchers demonstrate a method for turning smart devices into sonar tracking devices.
A team of University of Washington researchers demonstrated a way to inject undetectable high frequency audio signals into common IoT devices, such as TV’s, to track movement within a house. The team used a 42-inch Sharp TV and embedded an inaudible signal into songs played on the TV. The system then uses the device’s microphone to listen to how the signal bounces and can track the movements of anyone near the TV.
The technology known as CovertBand was tested in five different homes and was able to track the movements of multiple people, gestures and motions within 7 inches of accuracy. CovertBand can also track and distinguish people through walls, though less accurately.
Attackers could slip this into ads, music, or videos and gain insights into when you are home and what you are doing.
More info and video of CovertBand
4. DJI Drone software removed from Apple Store for Trojan Horse patching framework JSPatch
A hot-patching feature baked into DJI’s GO app violates an Apple’s App Store terms and conditions.
Hot patching apps allow significant changes to be slipped into the application without triggering a review by Apple. Updates that skirt a review raise a red flag as developers could use existing permission in ways not disclosed to users.
DJI sources have said that the functionality will be removed from both Apple and Android Apps.
Additional details on TheRegister:
5. Security researchers at Oxford and Cambridge show how shared application libraries could be used to expose smartphone data
The researchers studied data from a pool of 30,000 smart phones. They found, on average a smartphone has 25 installed applications. Many third-party application libraries have the ability to collect sensitive data from devices by using “intra-library collusion.”
“We demonstrate that several popular libraries already collect enough data to facilitate this attack. Using historical data, we show that risks from intra-library collusion have increased significantly over the last two-and-a-half years.”
15,000 apps with over a million downloads were decompiled to identify the libraries they were linked to and analyzed for intra-library collusion potential.
The top 3 most popular libraries
com/facebook – 11.9% of apps use
com/google/android/gms/analytics – 9.8% of apps use
com/flurry – 6.3 % of apps use
Jailbreaking or rooting phones increases the phone’s exposure to malicious libraries as the checks and balances in the publishing process are removed.
Link to researher's whitepaper