Thursday, December 11, 2014

Smartwatch Hacked, how to access data exchanged with Smartphone

Security experts at BitDefender demonstrated how is possible to access data exchanged between a smartwatch and a smartphone via Bluetooth.

The paradigm of Internet of Things is influencing modern society and the way it approaches the technology in everyday life.
An impressive amount of Intelligent devices surround us, but often we ignore the repercussion in term of security and privacy. The IoT devices are designed to improve our experience with technology, but we must consider thta they enlarge our surface of attack.
Today we will discuss the risk related to the use of a Smartwatch that is able to dialog with an Android smartphone.
A group of security researchers at BitDefender have demonstrated that the data sent between the Smartwatch and the Android mobile phone could be intercepted by an attacker that could be able to decode users’ data, including text messages to Google Hangout chats and Facebook conversations.
The attack is possible because the security of a Bluetooth communication between most Smartwatches and Android devices relies on a PIN code composed by six digits. But a secret code composed of six-digit has a “key space” composed of one million of possible key combinations, the bad news is that is can be quite easy to brute-force the code to access data exchanged on the secure communication.
The flaw is serious if we consider the rapid diffusion of smartwatch, and more in general of smart devices that use similar communication channels and mechanism to protect them.
The experts at Bitdefender made a proof-of-concept hack against a Samsung Gear Live smartwatch and a paired Google Nexus 4 handset running the super secure Android L Preview. The researcher demonstrated how to hack the communication by using sniffing tools available, the team was able to discover the PIN used to protect the Bluetooth connection between the smartwatch and the smartphone device.
smartwatch samsung_gear_live_specs
Basically, the attacker tried all possible combinations of PIN value until finding the correct one that allowed them to monitor the data stream between the devices.
To mitigate the attack, the experts suggest adoption of NFC pairing procedure in pin code exchange or the use of passphrases. The first suggestion required the adoption of NFC devices that add a supplementary layer of encryption at the application level, but this has an impact battery life due to extra encryption computations.
“Part of the mitigation process involves using NFC pairing when sending the pin code or the use of pass-phrases. Of course, there’s always the option of adding a secondary layer of encryption at the application level, but this might shorten battery life due to extra encryption computations.” states the blog post published by BitDefender.
The experts also highlighted that Over-the-air Bluetooth encryption is handled by the baseband co-processor, that is present in the majority of Android devices, but this baseband co-processor can be tampered with via over-the-air updates.
Our research involved analyzing the raw traffic before being sent over the air via the baseband co-processor. This means that relying only on baseband co-processors to handle the encryption is not a fool-proof security mechanism. It also raises the question of how easy it is for someone to update the firmware on the baseband co-processor once a vulnerability is disclosed.”

Mac OS X is no longer immune, reveals Kaspersky’s 2014 Malware countdown

Apple’s Mac OS X is no longer immune to malware and bugs says Kaspersky Security Lab.A survey of 2014 reveals that more malware attacks targeted Mac.

For years, Mac OS X has been flaunted as the most immune OS to malwares and bugs. Well, the reign of Mac might end in 2014, with users’ on the receiving end of over 1,499 new malicious programs, which is just a fraction of the 3,693,936 malwares targeted on Mac users, according to a 2014 security bulletin by a Russian anti-virus and internet security firm Kaspersky Labs.
“Over the past few years, we’ve discovered more and more malicious samples targeting Mac devices. Yet, there still remains a common misconception that Mac OS X is safe from malware and viruses,” said David Emm, principal security researcher at Kaspersky Lab.
Adware top the list of 20 most malicious programs targeted on Mac OS users. Adware are spread through legitimate programs downloaded from App stores rather than buying from official websites of the developers. Once installed on the computer, the adware can add advertising extensions to browsers, change the default search engine among a host of other malicious activities says Kaspersky.
The 2014 malware countdown won’t be complete without WireLurker malware which freaked out millions of Mac users earlier this year. The malware which originated from Chinese App store, Trojanized over 467 App and infected over 300,000 Apple users.
“WireLurker malware not only threatened OS X itself, but also used Macs as a carrier to get to iOS devices connected to the infected Mac,” notes Kaspersky
Other notable malware threats to Mac users as reported by Kaspersky include;
  • OSX.Callme- a malicious program distributed through MS word, which gave online fraudsters remote back door access to a system while at the same time propagating itself to all listed contacts on the compromised machine.
  • OSX.Laoshu- malicious program which makes screenshots every minute. The malware is signed by the trusted certificate of the developer therefore eluding many anti-malware programs in the victim’s system.
  • Trojan spyware with a remote control function that enabled hackers to intercept key strokes
  • Trojan-Spy.OSX.CoinStealer – a one of its kind malicious programs designed to steal bitcoins for OS X. It imitates different bitcoin utilities built from open source code while it installs a malicious browser extension and/or a patched version of bitcoin-qt.
Geographically, Mac users in US suffered the most malware infections in 2014, leading the pack at 39.14%, followed by Germany 12.56%, Japan 5.51% UK 5.49% Russia 4.87% and France 3.69% of all reported infections.
mac os x virus trojan

Its terms of vulnerabilities, ShellShock is probably the bug of the year for Mac OS X users. The bug is coding mistake Bash, a software originally authored by Brian fox in the 70’s. Shellshock affected all Unix based operating systems including Apple Mac OS X, Linux and GNU. It allowed a malicious hacker to gain full control of a compromised system without a password or encryption key.
In such a precarious environment, Mac OS X users can no longer afford to be complacent in terms of keeping up with security updates and fortifying the defense mechanism.
“The myth of Mac OS X being invulnerable no longer stands true, and as cyber criminals continue to evolve their attack methods, users should also evolve by taking the necessary steps to bolster security on their Mac devices,” said Emm.
Kaspersky 2014 bulletin listed Oracle Java as the most vulnerable application used by fraudsters to spread malwares to users. Oracle Java accounted for 45% of malware sent to users, a significant drop from 90% last year. Other vectors include Browsers, Adobe Reader, Adobe flash player and Microsoft office.
Kaspersky is also cautioned users against a growing threat on mobile users. In 2014 alone, the antivirus firm blocked at least 1,363,549 unique attacks on mobile user compared to 335,000 attacks recorded last year. This trend is expected to continue in 2015 with more mobile banking Trojan expected in the coming year.
“In 2014 mobile malware focused on financial issues: the number of mobile banking Trojans was nine times greater than in the previous year and development in this area is continuing at an alarming rate,” said Roman Unuchek, senior mobile malware analyst at Kaspersky Lab.

Tuesday, December 9, 2014

Take care of Recovery Key for Apple Two-step verification system to avoid permanently lock Apple account




If you lose your recovery key with two-step verification Apple can’t help you.By forgetting Recovery Key could completely lock a person out of their account
More that one year ago Apple has introduced the two-step verification system to implement a two-factor authentication process and improve security for Apple IDs. Since March 2013 Apple has progressively extended the two-step verification system to other countries and has introduced the feature to protect other services offered by the company, including the Apple iCloud for which the feature was added in September after the Fappening case. In September, the CEO Tim Cook announced the imminent implementation of a two-factor authentication mechanism to protect the access to the iCloud service from a mobile device that was effective with the iOS 8.0.

The login to iCloud service from iPhones and iPads will be allowed to users is possession of the couple Apple ID and password, plus the an authentication code sent to the device through SMS or generated at the time of sign-up. Tim Cook highlighted the great importance reserved by Apple to the user’s privacy, confirming that the company will do even more to protect user’s data.

The two-step verification system requires a user to provide the number of a second “trusted” device that is used to verify the user’s identity in addition to an extra security code called the “Recovery Key”. The reporter at The Next Web’s Owen Williams explained that the Recovery Key mechanism could cause completely lock a person out of their Apple account if they’re being hacked.

Williams discovered that someone had tried to hack his Apple iCloud account despite the Apple’s two-step verification system. The mechanism correctly avoided the unauthorized access to the system and blocked the account, unfortunately, denying both the would-be hacker and Williams access it.
“Earlier this week, a strange message popped up on my Mac that I thought nothing of. “You can’t sign in because your account was disabled for security reasons.” I dismissed it in my tired haze, thinking it would solve itself and went to sleep.” states the post on TheNextWeb.

two-step verification system user lock-out

The reporter then tried to recover the password with the Apple iForgot procedure. To unlock the account, it is requested to provide Recovery Key or the number of a trusted device as he was led to believe by an Apple Support document, but he was wrong.

“The Apple support page relating to lockouts assured me it would be easy to recover my account with a combination of any two of either my password, a trusted device or the two-factor recovery key. When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place. I’ve moved since I set up two-factor on iCloud.” states the post.

two-step verification system user lock-out 2



Unfortunately, Williams was not able to retrieve a screenshot or a print copy of the Recovery Key he had taken for extra safekeeping, then he contacted the Apple customer support and was told that there was no way Apple could help him despite he offered a scan of his government ID, his trusted devices and other proof that it was him.

In a second call, he made to the support he received the following reply:

“We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”

After a couple more days of talking to Apple customer support, the reporter discovered that it was impossible to unlock the account without a Recovery Key even though Apple’s support document explains that it is possible with a trusted device.

Williams shared with the web his experience, warning the reader on possible consequences in managing Apple Recovery Key for the two-step verification system. Williams explained that losing the recovery key could permanently lock a user out of their Apple ID with Apple unable to do anything to help.

“I know it was stupid that I’d lost the recovery key but I’d set it up so long ago I couldn’t remember where it would conceivably be. There’s only so many things I can keep track of. Besides, I figured I’d be able to use trusted device to get out of a mess like this.” he said.

Manage your two-step verification system now, before an attack will force you to do it in difficult conditions.