Sony Released Its Playstation Classic Console In A Way That Makes It Eminently Hackable

from the wait-sony? dept

Gamers of a certain age will be very familiar with the insanity from roughly 2010 that was Sony's reaction to having its Playstation 3 console hacked to return functionality that Sony initially advertised and then rescinded via a firmware update. While PS3 owners cheered on the hack, as many of them loved the function that Sony took away, Sony instead began a full on legal war with the Geohot, the hobbyist who gave users what they wanted. The whole thing was a complete mess that made Sony look awful and ultimately resulted in the Playstation 4 of course not having the function that users wanted, and the console being much, much more locked down at release.

I'm going to take a moment again to remind you that this all occurred only roughly 8 years ago. Why? Well, because Sony recently released its Playstation Classic retro console... and apparently made it very, very easy to hack.

The PlayStation Classic was a great idea that was disappointingly executed. Not surprisingly, hackers have been hard at work trying to crack the novelty console as they’ve done already with Nintendo’s NES Classicand SNES Classic.

The job’s been made easier, the hackers claim, thanks to Sony reportedly housing the key to decoding the PlayStation Classic’s firmware on the device itself, rather than utilizing a private key held by Sony. The underlying code that runs on game console is encrypted to prevent people from tampering with it, but in this case the tools to unlock and start changing how the console operates were available to anyone who dug through the code by copying it onto a PC. As first reported by Ars Technica, console hacker yifanlu pointed it out on Twitter late last week in-between streaming his attempts to break open the console’s digital architecture on Twitch. So far they’ve been able to play unincluded PS1 games like Spyro using a thumb drive and are currently working on getting other emulators working on it as well.

Here again we see hackers enabling what gamers wanted out of their Playstation Classic devices, but which Sony failed to provide. The biggest disappointment in the Playstation Classic has been the short game library. By screwing around with the console, tinkerers can enable playing many, many more games. And, given that this is Sony we're talking about that just went through all of this with the PS3, you have to wonder just how much of this was done on purpose, and how much is Sony not having things buttoned up on their end.

“There really isn’t any security on the device at all,” yifanlu told Kotaku in an email. “Sony managed to accidentally include their firmware update private keys on every console.”

If that's true, you have to wonder if another round of stupid of the kind we saw with the PS3 is about to happen. Sony is notoriously protective of its hardware, often leading it down a litigious path. But if the company were to once again attack tinkerers and deprive users of useful features for its product, and did so after so willfully ignoring securing its consoles from this type of thing, that would nearly smack of a honeypot rather than Sony having any true gripe.

Filed Under: consoles, games, hacking, playstation classic, sony playstation
Companies: sony

Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack

from the internet-of-broken-things dept

We've long noted how the painful lack of security and privacy standards in the internet of (quite broken) things is also a problem in the world of connected toys. Like IOT vendors, toy makers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

When this problem is studied, time and time again we're shown how most modern, internet-connected toys can be fairly easily hacked and weaponized. Granted since we haven't even gotten more pressing security and privacy problems tackled (like the vulnerability of our critical infrastructure), problems like Barbie's need for a better firewall tend to fall by the wayside.

Another recent case in point: A location-tracking smartwatch worn by thousands of children has proven... you guessed it... rather trivial to hack. The MiSafes Kid's Watcher Plus is a "smart watch for kids" that embeds a 2G cellular radio and GPS technology, purportedly to let concerned helicopter parents track their kids' location at all times. But security researchers at UK's Pen Test Partners have issued a report calling the devices comically unsecure. As with many IOT devices, the researchers found that the devices and systems they rely on did not encrypt any of the data being transmitted:

"I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext."

The researchers were quick to note that the only check the system's API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, allows an attacker to return the watch location and device_id associated with that family. Since the watch updates the GPS coordinates to the API every five minutes, it provides a hacker near real-time insight into your kid's location. Worse, spoofing a caller ID would let said theoretical attacker covertly listen in on your kids, or contact them... while pretending to be you:

"The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.

Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this?

Yeah, that's not creepy at all.

Of course like so many IOT devices, MiSafes' child-tracking smartwatches, which have been on the market in since 2015, are made by a Chinese company that had no interest responding to inquiries by security researchers. And being sold at around £9 ($11.50) per pop, there's certainly no incentive for its makers to suddenly start dramatically improving their security and privacy standards. It's another reason why efforts to standardize the inclusion of security and privacy problems in product reviews is something we all need to get behind, since it's abundantly clear legislation and regulation alone can't really address the problem.

Filed Under: hacking, internet of things, iot, security, smart watch

Georgia's Brian Kemp And The No Good, Very Bad Claim That Democrats Were Hacking Voter Registration System

from the can-we-not? dept

Okay, let's start with this. Can we all agree -- no matter what your party, ideological, or candidate preference -- that in any election where you are up for one of the offices, that you shouldn't be the one in charge of safeguarding the integrity of the election? This seems like a fairly basic point concerning democracy, that if you're a candidate for office, you should recuse yourself from anything involving election integrity. However, that's not the way things work around here, apparently. In at least three key elections this year, current secretaries of state, who are in charge of election integrity, are running for higher office while being in charge of counting their own votes. It just so happens that this year all three of those cases involve Republicans (and all three of those Republicans have a long and fairly detailed history of voter suppression tactics), but the issue applies equally to Democrats who might be in the same position. No one who is in charge of election integrity should ever be in the position of running for office at the same time.

But let's focus in on just one of the three individuals in that situation this year: Republican Brian Kemp, Georgia's Secretary of State, who is in a very heated campaign to be Governor of Georgia, campaigning against Democrat Stacey Abrams. As you may know, our stated policy on Techdirt is that we tend not to name the party affiliation of any politician, unless it truly matters to the story. That's because in this age of red team/blue team insanity, many people determine what they agree or disagree with depending on the color of the uniform. However, in this story, the party affiliations matter, not for which one is which (we could have posted an identical story with the party's changed), but because the dispute here clearly involves partisan politics.

As you may have heard, on Sunday, just two days before the election, Kemp (who's been getting hit with a bunch of bad headlines around his failed attempts at voter suppression in that state) announced that he had opened an investigation into an alleged "failed attempt to hack the state's voter registration system" by the Democratic Party of Georgia. Most of the headlines about this correctly noted that Kemp's office provided basically zero details to support this claim. Indeed, the entire announcement was two very short paragraphs long:

After a failed attempt to hack the state's voter registration system, the Secretary of State's office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.

"While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes," said Candice Broce, Press Secretary. "We can also confirm that no personal data was breached and our system remains secure."

Before we dig into what appears to have happened, it's time to take a little jump back in time. You see, back in 2016, Georgia Secretary of State Kemp also raised the alarm about what he claimed was an attempt by the US Department of Homeland Security to "breach" his office's firewall. Kemp sent an angry letter to then DHS boss Jeh Johnson, insisting that this was a sneaky attempt by DHS to do penetration testing and test the security of Georgia's election systems without permission.

Except... none of that was accurate. Six months later, the investigation revealed that Kemp misinterpreted someone from DHS checking an openly accessible database on the Secretary of State's site to check firearms licenses.

An earlier, internal DHS investigation into the reported incident showed that the "attempt to penetrate the Georgia Secretary of State's firewall" was actually residual traffic from a Federal Law Enforcement Training Center employee checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility.

That traffic, the first report determined, was caused by the employee cutting and pasting data from the database to Microsoft Excel, which sent light traffic to the Georgia server while parsing the data. That traffic would have been in no way abnormal.

The DHS inspector general, which operates independently from the DHS chain of command, conducted a second investigation. It validated the first report's results

That report further noted that "the DHS internet addresses that contacted the Georgia systems could not be used to attack those systems in the way Kemp described."

And, as you'll see, this article is already so long that we won't bother with more other than a link to another story about how Kemp has been credibly accused of destroying evidence in a still ongoing lawsuit about whether or not Georgia's voting system was hacked.

So, Kemp already has some credibility problems with "crying wolf" about supposed hacks of his computer systems before. And those should only increase given what appears to have lead to yesterday's claim of an "investigation." The small, but respected investigative journalism site WhoWhatWhy has a fairly detailed look at what happened and it looks really, really bad for Kemp. You see, on Saturday, the Democratic Party of Georgia had discovered massive vulnerabilities in the voter registration system overseen by Kemp, and had passed those details on to security experts... and then someone passed them along to WhoWhatWhy.

Just before noon on Saturday, a third party provided WhoWhatWhy with an email and document, sent from the Democratic Party of Georgia to election security experts, that highlights “massive” vulnerabilities within the state’s My Voter Page and its online voter registration system.

According to the document, it would not be difficult for almost anyone with minimal computer expertise to access millions of people’s private information and potentially make changes to their voter registration — including canceling it.

The publication spoke to a bunch of security experts, who all noted (correctly) that actually testing the vulnerabilities would be illegal, but...

...several logged onto the My Voter Page to look at the code used to build the site — something any Georgian voter could do with a little instruction — and confirmed the voter registration system’s vulnerabilities.

They all agreed with the assessment that the data of voters could easily be accessed and changed.

“For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,” Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. “They should not be trusted with personally identifiable information again. They have showed incompetence in proper privacy-protecting data custodian capabilities.”

From the reporting, it appears that the vulnerability is the kind of mistake that was common on the web two decades ago, that once you've logged in you can access anyone else's content just by changing the URL. Basically anyone with any degree of knowledge of online security learned to block such a vulnerability at least a decade or more ago. It is astounding that such a vulnerability might still exist online, let alone on something as vital and key to democracy as a state election system.

It appears that this is the basis of Kemp's new investigation. The Democratic Party had discovered just how poorly Kemp's own team had built its online voter registration system, and his response is to blame the messenger. Of course, we see this kind of thing all the time in writing about vulnerabilities reporting, and we've always pointed out how ridiculous it is. But here, it's been taken to a new level, because beyond the usual dynamic, here we have the Republican running for Governor overseeing the insecure voting registration system, and it's the opposing candidate's party who discovered the vulnerability. This is beyond "blame the messenger." It's "blame the messenger who not only showed my own incompetence, but is also running against me for my shot at the big time."

A later story on WhoWhatWhy details that it wasn't the Democratic Party who had discovered the vulnerability in the first place, but rather someone else, who then contacted a lawyer for someone already suing Kemp over weaknesses in Georgia's election system:

A man who claims to be a Georgia resident said he stumbled upon files in his My Voter Page on the secretary of state’s website. He realized the files were accessible. That man then reached out to one of Cross’s clients, who then put the source and Cross in touch on Friday.

The next morning, Cross called John Salter, a lawyer who represents Kemp and the secretary of state’s office. Cross also notified the FBI.

As noted above, WhoWhatWhy reached out to multiple security experts who all confirmed the vulnerability -- and apparently all five of them noted that actually testing the vulnerability would be illegal. But all five of them were able to just look at the code on the site and confirm the vulnerability was real and could be used to alter voter information in the rolls, which is an especially big deal considering that one of Kemp's voter suppression methods was to insist that if any tiny bit of your information did not match what was in the rollbook, you couldn't vote.

The report further notes that the security researchers approached by WhoWhatWhy reached out to both US intelligence officials and the Coalition for Good Government, who also reached out to Kemp's own lawyers to alert him to the problems in the system:

Bruce Brown, a lawyer for the group, then reached out to Kemp’s attorneys to alert them of the problem. At 7:03 PM Saturday night, he emailed John Salter and Roy Barnes, former governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registration files that had been discovered without any hacking at all, and that national intelligence officials had already been notified.

[....]

“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”

You really should read the entire WhoWhatWhy article (or, actually, both of the ones I've linked to here) because it goes into much more detail than I've described here, and all of it is mind-bogglingly stupid. Just to give you a taste, the report details not just one, but multiple vulnerabilities, including this:

In the code of the website — which anybody can access using their internet browser — there is a series of numbers that represent voters in a county. By changing a number in the web browser’s interface and then changing the county, it appears that anybody could download every single Georgia voter’s personally identifiable information and possibly modify voter data en masse.

In addition, voter history, absentee voting, and early voting data are all public record on the secretary of state’s website. If a bad actor wanted to target a certain voting group, all of the information needed is available for download.

“It’s so juvenile from an information security perspective that it’s crazy this is part of a live system,” Constable said.

Oh, and then there's this: while Kemp's office insist what they are misleadingly calling a hack from the Democratic Party "failed," according to the various security experts WhoWhatWhy spoke to, there didn't appear to be any logging, meaning there wouldn't necessarily be a way to see if anyone had actually changed the information. It goes on and on like this.

And, rather than admitting a fuck up of colossal proportions for a voting system, Kemp is claiming the Democratic Party of Georgia hacked the election system. Again, no matter who you support as a candidate, can we at least all agree that something is rotten in the state of Georgia when it comes to how they manage their election systems?

Filed Under: brian kemp, democratic party, election systems, georgia, hacking, politics, stacey abrams, voter suppression, vulnerabilities

Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes

from the voting-village-strikes-again dept

Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:

Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.

Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:

Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.

Leading voting machine Vendor, ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:

Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on:

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Lots of other hackers were successful as well:

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.

And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:

Nico Sell, the co-founder of the the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.

Filed Under: defcon, e-voting, hacking, voting, voting integrity
Companies: es&s

Global Russian-Linked Router Malware Even Worse Than Originally Stated

from the Putin-gonna-Putin dept

Late last month, the FBI announced that hackers working for the Russian government had managed to infect roughly 500,000 routers in 54 countries with a particularly-nasty piece of malware known as VPN Filter. The malware, which infected routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP, gave attackers the ability to track a victim's internet usage, launch attacks on other networks, and permanently destroy the devices upon command.

A subsequent Cisco advisory about the malware noted that the infection rate steadily increased since it was first observed sometime in 2016:

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries...The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

A subsequent report by The Daily Beast noted that the FBI had managed to seize a key domain being used to manage the massive botnet of infected devices. The report also managed to obtain an FBI affidavit highlighting that the hacking group behind the malware was none other than Sofacy, aka Fancy Bear, Sednit, and Pawn Storm -- the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

As is usually the case with these kinds of security issues, new data from Cisco indicates that the malware has since evolved into something even more nasty than the original variant:

"Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device."

The new, updated Cisco analysis is well worth a read for those that are interested, and notes that in addition to being more powerful than originally stated, the malware is also targeting a far larger volume of hardware vendors than originally believed, including gear from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The vulnerabilities being exploited that allow VPN Filter to be installed vary from device to device, as do the steps needed to identify whether a router is infected and how to purge it of the malware.

Originally, the FBI issued a statement indicating that owners of potentially-impacted devices simply needed to reboot their routers to thwart the infection, thanks to the FBI's seizure of the controlling ToKnowAll.com domain.

But it's now clear that rebooting alone only temporarily disrupted the botnet, and doesn't purge the infection. The interesting bit: it's incredibly difficult for ordinary end users to even know if their router is infected, meaning that to be safe, users may need to wipe their routers completely and restore them to factory defaults. After that, the standard caveats usually apply: make sure to update your router to the latest firmware, disable remote administration functionality, and make sure you change any default username and password combinations the device may have shipped with.

Filed Under: fbi, hacking, malware, routers

Latest Privacy Fracas Drops Facebook In The Middle Of Anti-Huawei Hysteria

from the evidence-optional dept

Facebook is under fire yet again for potentially being far too casual in its treatment of private consumer data.

Earlier this week, the New York Times issued a report noting that Facebook had struck deals with more than 60 different hardware vendors since at least 2010, providing them with "vast amounts" of private user data. According to the report, these partnerships allowed some devices to retrieve personal information even from users’ friends who believed they had barred any sharing with third party vendors, potentially violating a 2011 FTC consent decree that banned such sharing without obtaining express customer permission.

To be clear, the partnerships are notably different from the deals struck with companies like Cambridge Analytica, which we now know routinely let app makers hoover up private data under false pretenses, then use that data for other purposes (like oh, riling up partisans ahead of an election). And Facebook was quick to issue a blog post trying to downplay the scope of the revelations:

"This is very different from the public APIs used by third-party developers, like Aleksandr Kogan. These third-party developers were not allowed to offer versions of Facebook to people and, instead, used the Facebook information people shared with them to build completely new experiences."

And while that's all well and good, the problem for Facebook is that nobody trusts that they routinely policed whether this data was being abused. And while the data was all stored locally on user devices, privacy experts were quick to point out that this could still wind up being a problem:

"You might think that Facebook or the device manufacturer is trustworthy,” said Serge Egelman, a privacy researcher at the University of California, Berkeley, who studies the security of mobile apps. “But the problem is that as more and more data is collected on the device — and if it can be accessed by apps on the device — it creates serious privacy and security risks."

These are all legitimate questions that Facebook will need to answer in the wake of the Cambridge scandal.

That said, this story was initially reported on Sunday without too much attention. But things took a turn with additional reports by both the Washington Post and New York Times indicating that some of these partner companies included Chinese gear makers like Huawei.

"The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL. The four partnerships remain in effect, but Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week."

Given that the Trump administration is currently trying to blacklist companies like Huawei amidst allegations of being proxies for the Chinese government, the story's overall tone quickly shifted to one of mass hyperventilation:

The problem: as we've noted a few times now, the allegations that employee-owned Huawei routinely spies on American consumers for the Chinese government isn't backed up by any publicly-available evidence, something both the Post and Times oddly don't mention.

An 18 month investigation by the White House found no evidence of such spying, and companies like Cisco have been caught routinely fanning such fears among gullible lawmakers in the hopes of thwarting overseas competitors. That hysteria has been notably escalated in recent years thanks to U.S. networking vendors being afraid to compete with cheaper Chinese gear as they jockey for 5G deployment contracts with wireless carriers worldwide.

While it's certainly possible Huawei spies on the U.S., there's just not much evidence for it. And you'd also have to ignore the U.S.' epic hypocrisy on that particular subject. You know, like the time Snowden docs revealed that the NSA was caught hacking into Huawei, stealing the company's source code, and attempting to install backdoors in Huawei gear so they could spy on countries that were avoiding the use of U.S. networking gear. You know, the exact thing we're accusing Huawei of. Except with supporting evidence.

Again, it's certainly plausible that Huawei might spy on U.S. citizens. But you'd think somebody could reveal some public evidence of this nefarious behavior before the Trump FCC pondered blacklisting them, a move that's opposed by NSA bosom buddies AT&T and Verizon. The reality is that the entire Huawei fracas is driven more by protectionism than national security, largely because, as one DC insider told the Washington Post back in 2012, it's extremely easy for U.S. networking makers like Cisco to get gullible lawmakers all hot and bothered on the subject:

"“What happens is you get competitors who are able to gin up lawmakers who are already wound up about China,” said one Hill staffer who was not authorized to speak publicly about the matter. “What they do is pull the string and see where the top spins.”

But some experts say these concerns are exaggerated. These experts note that much of Cisco’s own technology is manufactured in China."

That's not to say Facebook still doesn't need to answer some questions about whether all of these partnerships have been unwound, and how it ensured that the data stored on these vendors' devices wasn't abused in any fashion. That said, the focus should remain on the 60 companies in total that Facebook struck these deals with, without getting too hung up on the CHINA CHINA CHINA aspect of the story. Lax treatment of private data is the norm, not the exception (especially in the telecom sector), and getting too hung up on Huawei alone tends to miss the forrest for the trees.

Filed Under: data sharing, evidence, hacking, privacy
Companies: facebook, huawei

Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk

from the we'll-get-around-to-it dept

Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."

Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

Again the flaw isn't new; a group of German hackers revealed the vulnerability in 2008 and again in 2014. It's believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. But the flaw has gained renewed attention in recent weeks after Senator Ron Wyden sent a letter to the FCC (pdf) complaining that the agency isn't doing enough (read: anything) to address it:

"One year ago I urged you to address serious cybersecurity vulnerabilities in U.S. telephone networks. To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk."

Apparently, shoring up national security wasn't as big of a priority as gutting net neutrality or eliminating consumer privacy protections at Comcast and AT&T's behest. Wireless carriers have been downplaying the flaw, in part because of the cost of fixing it. But they also worry it will be used to justify more meaningful privacy protections here in the States. When the DHS published a 125 page report (pdf) detailing the scope of the problem, lobbyists for the industry called the problem "theoretical," and the report "unhelpful," calling the report's advocacy for regulatory and legislative solutions "alarming."

And while carriers have implemented some security standards to address the SS7 probem, at its core SS7 lacks a mechanism to ensure that carriers sending data requests are who they claim to be. And while some of the firewall solutions carriers have adopted can protect some of their own consumers, these fixes don't extend to users who may be roaming on their networks. By and large, a large chunk of the problem is that these companies don't want to spend the necessary time and money to engineer a real solution, especially if their intelligence partners are benefiting from it.

In a follow up report over at the Washington Post, the paper notes how the flaw at this point is far from theoretical, and is routinely exploited en masse by numerous intelligence agencies (including the United States):

"Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security. American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector vendors have put systems within the reach of dozens of other governments worldwide. Sophisticated criminals and private providers of business intelligence also use the surveillance technology.

Other experts said SS7 surveillance techniques are widely used worldwide, especially in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception. But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United States and other nations where Americans use their cellphones.

And again, that's a particular problem for a country whose President thinks basic phone security is too much of a hassle. For a country that's currently spending an ocean of calories trying to blacklist Chinese network vendors under breathless claims of national security, you'd think a massive problem with global privacy and security implications would get a little more attention.

Filed Under: hacking, mobile carriers, privacy, ss7

Democratic National Committee's Lawsuit Against Russians, Wikileaks And Various Trump Associates Full Of Legally Nutty Arguments

from the slow-down-there-dnc dept

This morning I saw a lot of excitement and happiness from folks who greatly dislike President Trump over the fact that the Democratic National Committee had filed a giant lawsuit against Russia, the GRU, Guccifier 2, Wikileaks, Julian Assange, the Trump campaign, Donald Trump Jr., Jared Kushner, Paul Manafort, Roger Stone and a few other names you might recognize if you've followed the whole Trump / Russia soap opera over the past year and a half. My first reaction was that this was unlikely to be the kind of thing we'd cover on Techdirt, because it seemed like a typical political thing. But, then I looked at the actual complaint and it's basically a laundry list of the laws that we regularly talk about (especially about how they're abused in litigation). Seriously, look at the complaint. There's a CFAA claim, an SCA claim, a DMCA claim, a "Trade Secrets Act" claim... and everyone's favorite: a RICO claim.

Most of the time when we see these laws used, they're indications of pretty weak lawsuits, and going through this one, that definitely seems to be the case here. Indeed, some of the claims made by the DNC here are so outrageous that they would effectively make some fairly basic reporting illegal. One would have hoped that the DNC wouldn't seek to set a precedent that reporting on leaked documents is against the law -- especially given how reliant the DNC now is on leaks being reported on in their effort to bring down the existing president. I'm not going to go through the whole lawsuit, but let's touch on a few of the more nutty claims here.

The crux of the complaint is that these groups / individuals worked together in a conspiracy to leak DNC emails and documents. And, there's little doubt at this point that the Russians were behind the hack and leak of the documents, and that Wikileaks published them. Similarly there's little doubt that the Trump campaign was happy about these things, and that a few Trump-connected people had some contacts with some Russians. Does that add up to a conspiracy? My gut reaction is to always rely on Ken "Popehat" White's IT'S NOT RICO, DAMMIT line, but I'll leave that analysis to folks who are more familiar with RICO.

But let's look at parts we are familiar with, starting with the DMCA claim, since that's the one that caught my eye first. A DMCA claim? What the hell does copyright have to do with any of this? Well...

Plaintiff's computer networks and files contained information subject to protection under the copyright laws of the United States, including campaign strategy documents and opposition research that were illegally accessed without authorization by Russia and the GRU.

Access to copyrighted material contained on Plaintiff's computer networks and email was controlled by technological measures, including measures restricting remote access, firewalls, and measures restricting acess to users with valid credentials and passwords.

In violation of 17 U.S.C. § 1201(a), Russia, the GRU, and GRU Operative #1 circumvented these technological protection measures by stealing credentials from authorized users, condcting a "password dump" to unlawfully obtain passwords to the system controlling access to the DNC's domain, and installing malware on Plaintiff's computer systems.

Holy shit. This is the DNC trying to use DMCA 1201 as a mini-CFAA. They're not supposed to do that. 1201 is the anti-circumvention part of the DMCA and is supposed to be about stopping people from hacking around DRM to free copyright-covered material. Of course, 1201 has been used in all sorts of other ways -- like trying to stop the sale of printer cartridges and garage door openers -- but this seems like a real stretch. Russia hacking into the DNC had literally nothing to do with copyright or DRM. Squeezing a copyright claim in here is just silly and could set an awful precedent about using 1201 as an alternate CFAA (we'll get to the CFAA claims in a moment). If this holds, nearly any computer break-in to copy content would also lead to DMCA claims. That's just silly.

Onto the CFAA part. As we've noted over the years, the Computer Fraud and Abuse Act is quite frequently abused. Written in response to the movie War Games to target "hacking," the law has been used for basically any "this person did something we dislike on a computer" type issues. It's been dubbed "the law that sticks" because in absence of any other claims that one always sticks because of how broad it is.

At least this case does involve actual hacking. I mean, someone hacked into the DNC's network, so it actually feels (amazingly) that this may be one case where the CFAA claims are legit. Those claims are just targeting the Russians, who were the only ones who actually hacked the DNC. So, I'm actually fine with those claims. Other than the fact that they're useless. It's not like the Russian Federation or the GRU is going to show up in court to defend this. And they're certainly not going to agree to discovery. I doubt they'll acknowledge the lawsuit at all, frankly. So... reasonable claims, impossible target.

Then there's the Stored Communications Act (SCA), which is a part of ECPA, the Electronic Communications Privacy Act, which we've written about a ton and it does have lots of its own problems. These claims are also just against Russia, the GRU and Guccifer 2.0, and like the DMCA claims appear to be highly repetitive with the CFAA claims. Instead of just unauthorized access, it's now unauthorized access... to communications.

It's then when we get into the trade secrets part where things get... much more problematic. These claims are brought against not just the Russians, but also Wikileaks and Julian Assange. Even if you absolutely hate and / or distrust Assange, these claims are incredibly problematic against Wikileaks.

Defendants Russia, the GRU, GRU Operative #1, WikiLeaks, and Assange disclosed Plaintiff's trade secrets without consent, on multiple dates, discussed herein, knowing or having reason to know that trade secrets were acquired by improper means.

If that violates the law, then the law is unconstitutional. The press regularly publishes trade secrets that may have been acquired by improper means by others and handed to the press (as is the case with this content being handed to Wikileaks). Saying that merely disclosing the information is a violation of the law raises serious First Amendment issues for the press.

I mean, what's to stop President Trump from using the very same argument against the press for revealing, say, his tax returns? Or reports about business deals gone bad, or the details of secretive contracts? These could all be considered "trade secrets" and if the press can't publish them that would be a huge, huge problem.

In a later claim (under DC's specific trade secrets laws), the claims are extended to all defendants, which again raises serious First Amendment issues. Donald Trump Jr. may be a jerk, but it's not a violation of trade secrets if someone handed him secret DNC docs and he tweeted them or emailed them around.

There are also claims under Virginia's version of the CFAA. The claims against the Russians may make sense, but the complaint also makes claims against everyone else by claiming they "knowingly aided, abetted, encouraged, induced, instigated, contributed to and assisted Russia." Those seem like fairly extreme claims for many of the defendants, and again feel like the DNC very, very broadly interpreting a law to go way beyond what it should cover.

As noted above, there are some potentially legit claims in here around Russia hacking into the DNC's network (though, again, it's a useless defendant). But some of these other claims seem like incredible stretches, twisting laws like the DMCA for ridiculous purposes. And the trade secret claims against the non-Russians is highly suspect and almost certainly not a reasonable interpretation of the law under the First Amendment.

Filed Under: cfaa, conspiracy, dmca, dnc, donald trump junior, ecpa, gru, hack, hacking, jared kushner, julian assange, paul manafot, rico, roger stone, russia, sca, trade secrets
Companies: dnc, wikileaks

There Is No Going Dark: Another Vendor Selling Tool That Cracks All iPhones

from the FBI's-dystopian-fiction-develops-another-plot-hole dept

The FBI continues to push its "going dark" theory. It's not interested in the truth. It would rather have a legislative mandate or a string of favorable court decisions than utilize options vendors have made available. These are the candles the FBI will forgo to publicly curse the darkness. A recent Inspector General's report made it crystal clear: those charged with finding a way to crack open the San Bernardino shooter's cell phone slow-walked their search in hopes of ending up with a judicial mandate forcing Apple to crack its own encryption.

The complaints about the darkness continue, even as vendors like Cellebrite have shown they can crack any iPhone given enough money and time. There are solutions out there, but the FBI doesn't want them. Cellebrite isn't the only company with an iPhone crack for sale. As Joseph Cox reports for Motherboard, another device has surfaced that can brute force its way past iPhone lock screens. The FBI may continue its disingenuous push for weakened encryption, but law enforcement agencies around the nation are more than willing to pay for a solution that doesn't involve Congressional reps or federal judges.

Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.

"I attended your demo presentation recently held at the Montgomery County Police Headquarters and was pleased by your product's potential," an Assistant Commander from the Technical Investigations Section at the Maryland State Police wrote in an email to Grayshift in March.

The GrayKey itself is a small, 4x4 inches box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen byForbes says GrayKey can unlock devices running iterations of Apple's latest mobile operating system iOS 11, including on the iPhone X, Apple's most recent phone.

According to documents obtained by Motherboard, multiple state and local law enforcement agencies have purchased Grayshift's device. The documents also show many agencies expressing an interest in picking up a GrayKey, including some at the federal level, like the DEA and, oddly enough, the FBI. The FBI doesn't appear to have acquired one yet, but if that's the case, it's lagging behind local PDs with less funding and tech expertise. It's also trailing the State Department, which has already acquired at least one of the devices.

The device comes in two flavors: an online version with a fixed number of unlocks or an offline version that retails for twice as much ($30,000) but can be used as often as the purchaser wants (or until Apple fixes the vulnerability, whichever comes first). The brute force method deployed takes anywhere from 2 hours to several days, depending on passcode complexity.

"Going dark" is a convenient lie. The FBI has been deliberately misconstruing reality for a couple of years now, beginning with then-director James Comey's coining of the phrase. Even while Comey was peddling his "going dark" theory to security researchers, Congressional reps, and federal judges, the FBI was rarely having trouble accessing device contents. In 2016, the FBI admitted it could access the contents of passcode-protected devices 87% of the time. Somehow, despite only incremental changes in encryption offerings, the small number of locked devices has grown from ~880 to over 7,000 in two years. This suggests FBI officials are more interested in generating a "going dark" narrative than actually deploying available tech to access contents of seized devices.

The existence of another device capable of cracking iPhone encryption should be good news for the FBI. Other law enforcement agencies apparently view this as a plus. The downside for those not employed by the government is that there's a vulnerability in iPhones Apple hasn't fixed yet. And, given the intense secrecy surrounding vendors of exploits, we have no idea how many governments have purchased iPhone-cracking devices. It's unlikely Hacking Team is the only exploit vendor selling to authoritarian governments and UN-blacklisted countries. It's just the only one to have been caught doing it. An exploit is an exploit and it will be used by the good and the bad.

Not that relegating it to "good" law enforcement agencies is necessarily a huge improvement. Authoritarian regimes may use tools like this to go after critics and stifle dissent, but let's not forget the FBI has a long history of doing exactly the same thing under the guise of protecting public safety. And, at this point, the FBI isn't being honest about its weapons stockpiles during this Crypto Cold War. Sure, it needs to retain some sort of tactical advantage -- whether it's pursuing bad guys or legislation -- but it should never be granted full credibility when it talks about thousands of unlocked phones, the coming darkness, and how much security we should be forced to give up in the name of public safety.

Filed Under: doj, encryption, fbi, going dark, hacking, iphones, smartphones
Companies: apple, cellebrite, grayshift