January 16 · Issue #39

Hello and welcome to #MobSec5. This week's all-you-can-eat buffet of mobile security news includes:
- Mobile data extractor Cellebrite compromised
- FDA confirms vulnerabilities in connected medical devices
- Nope, that’s not a backdoor in WhatsApp
Thanks for reading. Have a great weekend, be good, and stay safe.
There's No Security Backdoor in WhatsApp, Despite Reports | Gizmodo
“The supposed ‘backdoor’ the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone’s encrypted messages, something the company is extremely unlikely to do.” A story from the Guardian this morning originally described a University of California-Berkeley encryption researcher’s discovery as a backdoor in the WhatsApp messaging app. Since then, a number of people have questioned the use of the “backdoor” terminology, and the Guardian removed the term from the headline. The Verge reported, “The bug described in the article had long been known by security professionals, and there’s no evidence WhatsApp ever tried to conceal it.” A security researcher who spoke to Gizmodo called the issue “ignorable.” Another researcher told TechCrunch that the Guardian story was “supremely inaccurate.”
Hacker Steals 900 GB of Cellebrite Data | Motherboard
“A hacker provided Motherboard with a large cache of customer information, databases, and more.” The data Motherboard received may include customer usernames and passwords for Cellebrite accounts (potentially identifying Cellebrite’s customers) in addition to files containing evidence seized from mobile devices – which, if true, could present chain-of-custody problems. Cellebrite markets a product that can extract data from mobile devices including call logs, SMS, MMS, media, e-mail, location information, and more. It’s rumored that the FBI hired Cellebrite to unlock the iPhone of San Bernardino suspect Syed Farook, though neither organization has confirmed it. Are you running into obstacles trying to gather the data you need to diagnose and investigate mobile security incidents? Save a seat for NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” in the Mobile & IoT Security track at RSA Conference 2017 in February (and visit us at booth N3334).
Buggy Domain Validation Forces GoDaddy to Revoke Certs | Threatpost
“A bug in GoDaddy’s domain validation process forced the registrar to revoke SSL certificates and reissue more than 6,000 certs.” By exploiting this now-resolved flaw, an attacker could obtain a forged certificate for a domain they don’t own. GoDaddy has stated that approximately 7,500 affected certificates have been re-validated. The flaw could have allowed an attacker to execute a man-in-the-middle (MITM) attack on a mobile app by acquiring a forged certificate for the domain of a back-end server used by the app. Read more on the NowSecure blog about how flaws like the GoDaddy bug affect mobile app security.
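As an added illustration (not code from this newsletter or from NowSecure), the app-side mitigation the GoDaddy item points at: public-key pinning, so that a certificate which is CA-valid but was mis-issued for the back-end's domain is still rejected by the app. The DER walker and the two sample certificates below are constructed for this example; the pin string follows the HPKP/OkHttp `sha256/` + base64 convention.

```python
import base64
import hashlib
def _der(tag, payload):  # DER TLV encoder, used only to build the constructed sample certs
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _tlv(buf, pos):
    """Read the DER TLV at pos; return (tag, value_start, end_of_this_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_public_key_info(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 cert (Certificate ::= SEQ { tbs, alg, sig })."""
    tag, tbs_pos, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    tag, pos, _ = _tlv(cert_der, tbs_pos)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, after = _tlv(cert_der, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version
        pos = after
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, spki_end = _tlv(cert_der, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return cert_der[pos:spki_end]

def spki_pin(cert_der):  # HPKP/OkHttp-style pin: 'sha256/' + base64(SHA-256(SPKI DER))
    return "sha256/" + base64.b64encode(hashlib.sha256(subject_public_key_info(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):  # the app's check: the leaf's SPKI hash must be in the pin set
    return spki_pin(cert_der) in pinned

def _sample_cert(pubkey_bytes):
    """Constructed, minimal, unsigned DER cert wrapping the given EC public key (not a real cert)."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

PINNED_CERT = _sample_cert(b"\x04" + b"\x11" * 64)  # the back-end's real key (constructed)
FORGED_CERT = _sample_cert(b"\x04" + b"\x22" * 64)  # same name, a different key (constructed)
APP_PINS = {spki_pin(PINNED_CERT)}                  # what the app ships with
```

With pinning in place, a mis-issued certificate for the back-end's hostname fails `pin_matches` even though a CA signed it, which is why pin sets should include a backup key so a legitimate rotation does not lock users out.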
FDA warns that certain pacemakers are vulnerable to hacking | Engadget
“According to a cybersecurity notice from the Food and Drug Administration, certain pacemakers and cardiac devices are currently vulnerable to hacking.” The FDA’s report explains vulnerabilities in St. Jude Medical’s Merlin@home™ transmitter that wirelessly monitors implantable pacemakers and defibrillators, and comes on the tail of cybersecurity guidance for medical devices published by the agency in December 2016. On Monday, St. Jude announced the release of security updates for the Merlin@home transmitter. Cybersecurity company MedSec discovered security flaws in St. Jude’s technology and partnered with investment firm Muddy Waters to announce the vulnerabilities this past summer. Both companies hoped to profit from a short sale of St. Jude shares thinking prices would drop with news of the security issues going public. On their website, Muddy Waters wrote that St. Jude’s announcement was vindication but said the security update failed to fix all of the reported vulnerabilities. Of the update, MedSec CEO Justine Bone wrote, “severe vulnerabilities remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device.”
Cyber war has a new weapon: Your smartphone | TheHill
“If an enemy or criminal gains access to someone’s cellphone, they gain access to all aspects of that person’s life — both work and personal.”
Israel says Hamas hacked Facebook accounts, cellphones of army recruits | The Washington Post
“The Israeli army said it uncovered a covert operation by Hamas to spy on the military via social media and cellphones.”
DARPA developing secure data sharing wireless technology | Network World
“The program will ‘secure tactical mobile handheld devices to support distributed multilevel information sharing without the need for reaching back to large-scale fixed infrastructure, create new networks based on resilient and secure architectures that work in challenging environments, and develop software that rapidly configures security across the network,’ DARPA says.”
Google Introduces New Cloud Encryption Key Management Service | eWeek
“Google cloud KMS is designed to help organizations create, use, rotate and destroy AES-256 standard symmetric encryption keys for protecting data in cloud environments.”
Security hardened, pah! Expert doubts Kaymera's mighty Google's Pixel | The Register
“Independent mobile security experts have questioned whether the technology offers much by way of benefits over that offered by native Pixel smartphones.”
Qualcomm releases whitepaper detailing pointer authentication on ARMv8.3 | Qualcomm
“Now it’s much harder for an attacker to modify protected pointers in memory without being detected.”