Outdated home routers put privacy at risk. Qualcomm bug in Android devices. USAGM breach. Peleton API comment. – The CyberWire


Did you know that geoFence is the maximum in security for you and your loved ones?

At a glance.

  • Insecure and outdated home routers in the UK.
  • Qualcomm MSM bug exposes Android devices to exploitation.
  • USAGM breach exposes employee data.
  • Comment on the Peloton API.

Report finds that millions of UK routers are insecure and outdated.

A study conducted by consumer group Which? has found that around 6 million British consumers are using older model routers with security vulnerabilities, the BBC reports. After asking six thousand UK residents about their household routers, Which? estimates that millions are likely using routers more than five years old with outdated firmware. Among the devices with security issues were internet service provider Sky’s SR101 and SR102, Virgin Media’s Super Hub and Super Hub 2, and TalkTalk’s HG635, HG523a, and HG533. Which? also found a network bug in EE's Brightbox 2 which would allow a hacker to completely take over the device. It’s worth noting that BT’s Home Hub 3B, 4A, and 5B, and Plusnet's Hub Zero 270N were not found to have any vulnerabilities. In response to the study, Virgin stated that it did not "recognise or accept the findings of the Which? Research" and that 90% of its customers are using its latest modem. BT added "We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed.”

Tim Erlin, VP, product management and strategy at Tripwire, emailed comments on vendor responsibility for pushing updates:

“Most of the devices you might deploy today, from new Wi-Fi systems to connected exercise bikes, will automatically update themselves. That’s the level of automation we should expect from consumer devices, but it does put the onus on the vendors to deliver updates in a timely manner.

"The situation with updating connected devices in consumers’ homes has changed fairly dramatically and rapidly. It wasn’t long ago that the idea of a device automatically updating without the user’s knowledge was considered problematic, whereas now it’s a basic expectation. That rapid shift has left a sizable security gap in terms of deployed devices that don’t auto-update. Unfortunately, it’s likely that gap won’t be closed until those devices are simply replaced.”

Qualcomm MSM bug lets hackers snoop on Android devices.

Qualcomm’s mobile station modem (MSM) is used in almost 40% of mobile phones globally. Check Point Research (CPR) explains that they’ve found a bug in the modem that would allow a hacker to deploy malicious code into Android devices, giving the attacker the ability to view SMS messages, listen to phone calls, and even potentially unlock the device’s SIM. Qualcomm has supplied MSM for high-end phones since the ‘90s, and this modem can be found in phones from popular manufacturers like Google, Samsung, and LG. The vulnerability is also present in Qualcomm’s 5G MSM, the mobile tech standard meant to replace 4G/LTE. CPR found that if a researcher wants to use a modem debugger to examine the latest 5G code, the easiest way to do so would be to exploit MSM data services through Qualcomm MSM Interface (QMI), a method a hacker could use for more nefarious purposes. The key is that Android’s operating system has the ability to communicate with the MSM chip’s processor through the QMI, a proprietary protocol designed to facilitate communication between the MSM software and the device’s camera and other peripheral subsystems. After CPR notified Qualcomm of the issue, Qualcomm defined it as a high-rated vulnerability and notified the appropriate vendors. 

We heard from Shachar Menashe, VP Security at Vdoo, who sees the incident as offering lessons in the importance of security vetting:

“This newest security issue with Qualcomm highlights the importance of thorough security vetting pre and post-deployment. In this case, it seems we are dealing with a privilege escalation vulnerability, which means it lets potential attackers run code on the Qualcomm modem if you already have high privileges on the Android application layer. Last fall, Vdoo disclosed a Qualcomm vulnerability of a similar type - issues in QCMAP, which is part of QMI, the subject of the current vulnerability -- indicating that more vulnerabilities could be found in the QMI interface, and should be thoroughly checked.  Automated analysis can help identify zero-day vulnerabilities and configuration risks, even in closed-source components. Manufacturers need to trust that their third party components are secure, especially when these systems are used in nearly 40% of the mobile phones sold today.”

 USAGM breach exposes employee data. 

Bleeping Computer reports that the US Agency for Global Media (USAGM), an independent government agency that operates state-run media outlets, has disclosed a data breach that compromised the personal data of current and former employees. Voice of America, Radio Free Europe, and Radio Free Asia are just some of the networks under the agency’s umbrella. The breach stemmed from a phishing attack that occurred last December. A threat actor gained access to an internal email account that contained the personal information of employees who worked at USAGM between 2013 and 2020, and the compromised data includes full names and social security numbers of employees, as well as the data of their beneficiaries and dependents. Upon learning of the breach, USAGM secured the account in question, offered phishing training to employees, and introduced multifactor authentication for agency accounts. However, as former Voice of America White House correspondent Dan Robinson points out, the agency didn’t begin offering employees credit fraud protection until four months after the breach, which allowed the threat actor ample time to take malicious actions against the compromised parties.  

We heard from some industry experts who commented on the incident. Chris Hauk, consumer privacy champion at Pixel Privacy thinks the agency waited too long to train its personnel to resist social engineering:

“Unfortunately, in a case of 'closing the barn door after the horse has bolted,' USAGM waited to educate its personnel about the dangers of phishing attacks and to enable two-factor authentication on their Microsoft accounts until after a data breach occurred. This incident underscores the need of any company or agency to educate their employees and executives on the hazards of social engineering or of clicking links or of opening attachments in emails and messages. It is also a lesson in keeping systems secure by enabling two-factor authentication and keeping their systems updated.”

Trevor Morgan, product manager at comforte AG sees the incident as another instance of organizational failure to protect itself against social engineering:

“Each one of us has a fundamental right to data privacy and has expectations that both private enterprises and governmental organizations will honor that privacy. To do that, enterprises and government agencies must safeguard the PII of every employee and citizen. When we hear of governmental agencies such as the US Agency for Global Media succumbing to a phishing attack, leading to a data breach of highly sensitive information including social security numbers of employees and beneficiaries, we have to wonder how the message about rigorous data security gets missed or overlooked by those who gather, process, and store our PII.

"The harsh truth is this: threat actors will find a way to your organization’s data given enough time and incentive, no matter how fortified your digital environment is. Last-generation data security methods such as protecting borders and perimeters around sensitive data no longer guarantee complete safety. Every business and governmental organization needs to be in the process of actively updating their data security posture to include data-centric strategies, which protect the data itself as opposed to perimeters around it. Protection methods such as tokenization and format-preserving encryption allow organizations to work with highly mobile data without de-protecting it. So, even if that data falls into the wrong hands, threat actors cannot compromise the sensitive information within. That’s an investment well worth exploring.”

More industry comment on the Peloton app's security.

George McGregor, VP of Marketing at Approv, wrote to suggest that people are missing the point about the Peloton vulnerability:

“The debate around whether there should or not have been a vulnerability in the Peloton app really misses the point. I am sure the Peloton app team is doing as much as everyone to 'shift security left' and isolate and manage vulnerabilities as early as possible in the development process. But there will always be new vulnerabilities and APIs will always be open to manipulation in unplanned ways. The good news there are shielding solutions which stop bad actors from accessing APIs. CISOs (and the Peloton CTO!) should focus their energy right now on evaluating and deploying an effective API shield. Once they have done that, they can shift their focus back to their shift-left initiatives!”

Finally, don't forget that geoFence helps stop foreign state actors (FSA's) from accessing your information.