Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

from the ill-communication dept

Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer, then fooling a wireless carrier to port the victim's cell phone number right out from underneath them, letting the attacker then pose as the customer to potentially devastating effect. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him, ported out his phone number, then managed to use his identity to steal thousands of dollars worth of cryptocoins.

T-Mobile customers aren't the only users who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer (pdf) for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency. And while AT&T tried hard to have the case dismissed, a Los Angeles federal judge last week issued a mixed ruling that nixed AT&T's request to dismiss the case, but demanded that Terpin do a better job highlighting how AT&T is directly responsible:

"Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin's claimed $24 million loss. However, Wright dismissed the claims with "leave to amend," meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible."

AT&T, as you might expect, has argued in court and in public that it's not liable for, well, anything. Ever.

Carriers frequently aren't keen on talking about the problem, in part because their employees keep getting busted for helping the scammers. And keep in mind AT&T keeps having these kinds of problems. Repeatedly. In just the last few years AT&T has been: fined $18.6 million for helping rip off programs for the hearing impaired; fined $10.4 million for ripping off a program for low-income families; and fined $105 million for helping "crammers" by intentionally making such bogus charges more difficult to see on customer bills.

In short this isn't a company with a great track record when it comes to ethical behavior or protecting its subscribers from scams. Terpin, for his part, has been given an additional three weeks to beef up his case before it proceeds:

"I am grateful that Judge Wright is allowing my case to proceed," Terpin said. "We must hold AT&T accountable. If AT&T demonstrated the same zeal to totally revamp its porous security system as it does to suppress the damning evidence of its callous indifference to its customers, we would not be in court."

Filed Under: cryptocurrency, liability, michael terpin, security, sim hijacking
Companies: at&t

William Barr Turns Up The Heat On The DOJ's Anti-Encryption Rhetoric

from the 4000-words,-zero-concessions dept

The DOJ has now spent more than a year dodging an obligation it created itself. For years, FBI directors and DOJ officials have told anyone who'd listen -- conference attendees, Congressional reps, law enforcement officials -- the world was going dark. Device encryption was making it far more difficult for the FBI to collect evidence from seized devices and the problem was escalating exponentially.

It wasn't. Every new "going dark" speech contained a larger number of impenetrable devices the FBI was sure contained all sorts of juicy evidence. When the FBI was asked about these devices by members of Congress, it finally decided to take a look at its numbers. The numbers were wrong. The FBI said there were around 8,000 locked devices in its possession. In reality, the number is probably less than 2,500.

The problem is we don't actually know what the correct number is. The DOJ has been promising an update since May 2018, but it has yet to release this number. Instead, it has released the mouth of its top man -- William Barr, a longtime fan of domestic surveillance.

Barr's keynote address to the International Conference on Cyber Security didn't deal much with cybersecurity. Instead, it was 4,000-word anti-encryption rant. William Barr wants encryption backdoors. There's no use in the DOJ denying after his verbal assault on device encryption and device manufacturers. There is no subtlety and no hedging. The only concession Barr makes is that encryption shouldn't vanish entirely. But any form of encryption that remains should leave a key under the doormat for the G-men.

While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society’s ability to defend itself against other types of criminal threats. In other words, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. But, unfortunately, this is what we are seeing today.

Service providers, device manufacturers and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances. As a result, law enforcement agencies are increasingly prevented from accessing communications in transit or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because, in the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy.

According to Barr, the government has a right to the contents of encrypted devices. He attempts to draw this conclusion by referring repeatedly to the Fourth Amendment. This safeguards citizens against unreasonable searches. Unreasonable searches can be performed as long as the government has a warrant. That's as far as Barr takes this line of thought. As he sees it, encryption shouldn't be able to nullify a search warrant. He believes encryption does this.

The Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation. It does so, on the one hand, by securing for each individual a private enclave around his “person, house, papers, and effects” — a "zone" bounded by the individual's own reasonable expectations of privacy. So long as the individual acts within this "zone of privacy,” his activities are shielded from unreasonable Government investigation. On the other hand, the Fourth Amendment establishes that, under certain circumstances, the public has a legitimate need to gain access to an individual’s zone of privacy in pursuit of public safety, and it defines the terms under which the Government may obtain that access. When the Government has probable cause to believe that evidence of a crime is within an individual’s zone of privacy, the Government is entitled to search for or seize the evidence, and the search usually must be preceded by a judicial determination that "probable cause" exists and be authorized by a warrant.

Nothing is preventing the government from seizing devices. The warrant can still accomplish that. What Barr is arguing is that the Fourth Amendment guarantees government access to evidence, which it doesn't. It only gives it the right to search for it. A search warrant may result in a searched house or vehicle, but there's no guarantee any useful evidence will be recovered. The evidence it's looking for may not be on the premises. Or it may reside in a safe law enforcement isn't able to crack. Or it simply may not exist at all.

The "locked safe" is the closest equivalent to an encrypted device. The government is free to continue trying to open the safe, but the warrant only allows it to seize evidence or items likely to contain evidence. It doesn't obligate the safe manufacturer to build master keys for all safes and distribute them to law enforcement. Encryption backdoors make that demand. And they make that demand of any device manufacturer or software developer that secures customers' communications and data with encryption.

So, how does Barr think this will be accomplished? It appears he thinks everyone else should spend time figuring that out and let the DOJ get back to the difficult work of not answering questions about the FBI's encrypted device stash.

He thinks the courts should fix it, pointing to the Supreme Court's 1925(!!) decision creating the automobile exception to search warrant requirements. He feels this concession to law enforcement (one that's abused frequently by cops searching for seizable cash) should be followed by more concessions. Courts may not be able to order across-the-board backdoors, but they can create useful precedents for compelled access -- either for device owners or device manufacturers.

He thinks society in general should fix this, even if it can't contribute directly. What society can do is stop arguing about the deliberate weakening of encryption and just accept the fact that governments (and whoever else can find the backdoor) should have access to their communications and data. It's a sacrifice we, the people, should be willing to make for our government, which pretty much has only its own interests in mind.

And Barr thinks the tech community should fix it. He lists a bunch of bad proposals, one of which was proposed by none other than the UK's version of the NSA. He talks up Ray Ozzie's take on key escrow and (former GCHQ security specialist) Matt Tait's "layered envelopes" pitch he made for a blog that's headed by noted surveillance state apologist, Ben Wittes. Those are the "experts:" the GCHQ, a former GCHQ employee, and a software pioneer.

Barr says the real risk posed by compromised encryption is worth it. He doesn't explain how it's worth to the millions of people he'll put at risk in exchange for law enforcement access, but he seems to assume we'll all feel much better about it when criminals start disappearing from the streets.

[T]he argument is that a business is thwarted in its purpose of offering the best protection against bad actors unless it can also override society’s interest in retaining lawful access. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability — a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

In the end, Barr hopes we'll be hit with a tragedy so awful, Congress will decide to end the debate by outlawing un-backdoored encryption.

Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

This is much worse than the handful of spoken asides uttered by FBI directors and a handful of DOJ officials. This was the only focus of Barr's 4,000-word keynote address. He spent a few words at the opening to at least indicate to the crowd he knew where he was (a cybersecurity conference) before spending the rest of it arguing against effective encryption. This is Barr's DOJ and, by extension, his FBI. This is the issue the DOJ's going to run with as long as he's in charge.

Filed Under: backdoors, doj, encryption, security, william barr

Researchers Build App That Kills To Highlight Insulin Pump Exploit

from the remote-fatality dept

By now the half-baked security in most internet of things (IOT) devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

Case in point: just about two years ago, security researchers discovered some major vulnerabilities Medtronic's popular MiniMed and MiniMed Paradigm insulin pumps. At a talk last year, they highlighted how a hacker could trigger the pumps to either withhold insulin doses, or deliver a lethal dose of insulin remotely. But while Medtronic and the FDA warned customers about the vulnerability and issued a recall over time, security researchers Billy Rios and Jonathan Butts found that initially, nobody was doing much to actually fix or replace the existing devices.

So Rios and Butts got creative in attempting to convey the scope and simplicity of the threat: they built an app that could use the pumps to kill a theoretical patient:

"We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says. "I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago."

To target a specific insulin pump, a hacker would need to know the proper serial number of the device they're targeting. But the app simplifies this process by quickly running through all potential serial numbers until it hits the correct one. The gambit seems to have worked: a week after the team demonstrated its proof of concept app to FDA officials in mid-June of this year, Medtronic announced a voluntary recall program. Years after Medtronic first learned about the flaws in these devices, there's now a structure in place that allows patients to use the devices if they want, and replace them for free if they don't.

That said, the researchers are still quick to point out that this kind of dysfunction (offering potentially fatally compromised products but having no avenue to correct them) is fairly common in the medical sector:

"...the climate for medical device vulnerability disclosures is still clearly fraught if researchers feel that they need to take extreme, and even potentially dangerous, steps like developing a killer app to spur action.

"If you think about it, we shouldn't be telling patients, 'hey, you know what, if you want to you could turn on this feature and get killed by a random person.' That makes no sense," QED Security Solutions' Rios says. "There should be some risk acceptance; this is a medical device. But an insecure feature like that just needs to be gone, and they had no mechanism to remove it."

And of course that's not just a problem in the medical sector, but most internet-connected tech sectors. As security researcher Bruce Schneier often points out, it's part of a cycle of dysfunction where the consumer and the manufacturer of a flawed product have already moved on to the next big purchase, often leaving compromised products, and users, in a lurch. And more often than not, when researchers are forced to get creative to highlight the importance of a particular flaw, the companies in question enjoy shooting the messenger.

Filed Under: insulin pump, iot, minimed, minimed paradigm, security
Companies: medtronic

UK ISPs Vilify Mozilla For Trying To Secure The Internet

from the ill-communication dept

Over the years, UK ISPs have been forced by the government to censor an increasing array of "controversial" content, including copyrighted material and "terrorist content." In fits and spurts, the UK has also increasingly tried to censor pornography, despite that being a decidedly impossible affair. Like most global censorship efforts, these information blockades often rely on Domain Name Server (DNS) level blacklists by UK ISPs.

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla recently announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it difficult to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in the government, ISP, or other organizational efforts to use DNS records to block and filter content or track user activity.

Apparently thinking they were helping(?), the UK Internet Services Providers’ Association (ISPA), the policy and trade group for UK ISPs, last week thought they'd try and shame Mozilla for... trying to secure the internet. The organization "nominated" Mozilla for the organization's meaningless "internet villain" awards for, at least according to ISPA, "undermining internet safety standards in the UK":

Of course Mozilla is doing nothing of the sort. DNS over HTTPS (which again Mozilla hasn't even enabled yet) not only creates a more secure internet that's harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn't coalesce with the UK's routinely idiotic and clumsy efforts to censor the internet, that doesn't somehow magically make it a bad idea.

Of course, many were quick to note that ISPA's silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn't heard of it previously:

The silly PR stunt also reminded everybody how the bigger players in telecom sector (be it in the US, UK, or elsewhere) are usually all too happy to buckle to requests to censor the internet or spy on internet users. That said, one smaller UK ISP, Andrews and Arnold, decided to donate some money to Mozilla:

UK spy agency GCHQ and the Internet Watch Foundation (which manages the UK's internet watchlist) have also complained that the DNS security upgrade makes it harder to censor content and spy on users. But again, Mozilla says the effort is simply under discussion, won't be enabled by default, wouldn't break things like parental controls, and there's not even a hard date for deployment yet. For those interested, Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 1.1.1.1.

Update: It looks like ISPA is now in full retreat and have pulled the Mozilla nomination entirely, but not before issuing a "sorry not sorry" press release:

Filed Under: censorship, dns, dns over https, privacy, security, streisand effect, uk
Companies: andrews and arnold, cloudflare, ispa, mozilla, uk ispa

D-Link Settles With FTC, Agrees To Fix Its Shoddy Router Security

from the slowly-getting-the-message dept

While the shoddy Internet of Things sector gets ample heat for being a security and privacy dumpster fire, the traditional network gear sector has frequently been just as bad. A few years ago, for example, hardware vendor Asus was dinged by the FTC for offering paper-mache grade security on the company's residential network routers. The devices were frequently being shipped with easily guessable default usernames and passwords, and contained numerous, often obvious, security vulnerabilities.

In 2017, the FTC also filed suit against D-Link, alleging many of the same things. According to the FTC, the company's routers and video cameras, which the company claimed were "easy to secure" and delivered "advanced network security," were about as secure as a kitten-guarded pillow fort. Just like the Asus complaint, the FTC stated that D-Link hardware was routinely shipped with easily-guessable default usernames and passwords, making it fairly trivial to compromise the devices and incorporate them into DDoS botnets (or worse).

Like any good company, D-Link at the time professed its innocence, insisting there was nothing wrong with its products and that the FTC claims were "vague and unsubstantiated." Fast forward to this week, when the company struck a settlement with the FTC, and, according to an FTC press release, has agreed to fix security flaws it previously had claimed didn't exist:

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

It has taken a while, but router manufacturers have started to finally get the message that their routers' installation process should prompt users to pick a unique username and password before finalizing device setup. As part of D-Link's agreement, it not only has to implement new and comprehensive security testing protocols, it's required every two years to obtain independent third-party assessments of its software security programs.

Granted, whether we're talking about routers or the latest IoT doodad, there are far too many security vulnerabilities out there for the FTC to police them all right now. Which is why efforts by Consumer Reports and others to begin standardizing the inclusion of security and privacy weaknesses in product reviews are going to be so important in educating consumers.

Filed Under: ftc, privacy, routers, security
Companies: d-link

We're Apparently Scanning Our TVs For Viruses Now

from the internet-of-broken-things dept

We've noted for many years that (like so many "internet of things" devices) modern smart televisions have the security protection equivalent of damp cardboard. Not only are they often easily hacked (something intelligence agencies are super excited about since it gives them audio access to targets), but the companies that make them have been busted repeatedly for hoovering up user usage data (and even audio from your living room), and then failing to adequately secure it.

This week, Samsung took a bit of heat for urging the company's TV customers to, for the first time, occasionally run an antivirus scan on their television sets. The Tweet was online online briefly before Samsung deleted it, apparently realizing it only advertised the fact that you shouldn't be getting viruses on your TV set in the first place:

That's amusing for several reasons. One, because customers wouldn't be getting viruses on their television sets if these products had even the most basic security protections, something TV vendors have failed at for years. Two, because it highlights how many modern televisions have become insanely complicated. Not because consumers necessarily want them to be insanely complicated, but because most TV vendors want you using their embedded streaming platforms and as opposed to a third-party streaming device (like Roku, Chromecast, or a game console).

And of course they want you using their streaming platforms because they want to monetize your viewing and other profitable data. As a Vizio executive recently acknowledged, this can help subsidize the cost of cheaper TV sets. That creates a dilemma whereby the consumer is forced to pay a premium if they want a TV set that simply displays a god-damned image and doesn't hoover up their personal data:

The problem is if you've shopped for a TV lately, it's effectively impossible to find a "dumb" television that simply passes on signal from other devices. As in: they're simply not available at any meaningful scale, even if you were willing to pay a significant premium for them. Many people certainly are; most embedded TV OS platforms are kind of terrible, and users would rather buy a new streaming box (Roku, Chromecast, Apple TV) every few years than be forced to buy an entirely new TV set because the embedded streaming hardware becomes outdated (something TV vendors clearly would benefit from).

While some set vendors might argue that dumb televisions don't exist because there's no market demand for them, the fact is they haven't even bothered to try. And they haven't bothered to try because they're fixated on accelerating the TV upgrade cycle and collecting and selling your personal usage data to a universe of partners. Which again, might not be quite as bad if these companies had done a good job actually securing and encrypting this data, or designing television OS' that didn't feel like they were barfed up from the bowels of 1992 GUI design hell.

It's all kind of a silly circle dysfunction but pretty standard operating procedure in the internet of broken things era, where an endless list of companies now sell over-hyped internet-connected appliances, gleefully collect and monetize your data, but can't be bothered to adequately secure that data or provide consumers with clear options to avoid data collection entirely.

Filed Under: computer security, iot, security, smart tvs, viruses
Companies: samsung

The Flipside To Figuring Out What Content Do You Block: Cloudflare's Project Galileo Focuses On Who It Should Protect

from the case-studies dept

There has been so much discussion lately about the impossibility of doing content moderation well, but it's notable that the vast majority of that discussion focuses on what content to ban or to block entirely. I do wish there was more talk about alternatives, some of which already exist (from things like demonetization to refusing to algorithmically promote -- though, for the most part, these solutions just seem to annoy people even more). But there is something of a flipside to this debate which applies in perhaps somewhat more rare circumstances: what content or speakers to specifically protect.

I'm thinking of this, in particular, as Cloudflare has announced the 5th anniversary of its (until now, mostly secretive) Project Galileo offering, in which the company provides free security to around 600 organizations which are likely targets of attacks from well resourced attackers:

Through the Project, Cloudflare protects—at no cost—nearly 600 organizations around the world engaged in some of the most politically and artistically important work online. Because of their work, these organizations are attacked frequently, often with some of the fiercest cyber attacks we’ve seen.

Since it launched in 2014, we haven't talked about Galileo much externally because we worry that drawing more attention to these organizations may put them at increased risk. Internally, however, it's a source of pride for our whole team and is something we dedicate significant resources to. And, for me personally, many of the moments that mark my most meaningful accomplishments were born from our work protecting Project Galileo recipients.

The promise of Project Galileo is simple: Cloudflare will provide our full set of security services to any politically or artistically important organizations at no cost so long as they are either non-profits or small commercial entities. I'm still on the distribution list that receives an email whenever someone applies to be a Project Galileo participant, and those emails remain the first I open every morning.

At a first glance, this might not seem like much of a story at all: internet company does something good to protect those at risk doesn't necessarily seem that interesting at first, especially during a moment in time when everyone is so focused on attacking every internet company for bringing about all the evils of the world. However, I do think there are some very important lessons to be learned here, and some of them very much apply to the debates about content moderation. In some sense, Project Galileo is like the usual content moderation debates, but in reverse.

I was particularly interested in how Cloudflare chose which organizations to protect, and spoke with the company's CEO, Matthew Prince last week to get a more in-depth explanation. As he explained, they partnered up with a wide variety of trustworthy organizations (including EFF, Open Technology Institute, the ACLU, Access Now, CDT, Mozilla, Committee to Protect Journalists and the Freedom of the Press Foundation, among others), and would let those organizations nominate organizations which might be at risk or if organizations approached Cloudflare about being included in Project Galileo, Cloudflare could run their application by those trusted partners. What started with 15 partner organizations has now nearly doubled to 28.

Of course, such a system likely wouldn't work well in the other direction (figuring out what accounts to ban or otherwise punish) as people would undoubtedly flip out and attack them -- as many did a few years ago when Twitter announced its Trust and Safety Council of partner organizations that it relied on for advice on how it handled its trust and safety questions. Many critics of Twitter and its policies have continued to falsely insist that the organizations in this list are some sort of Star Chamber making decisions on who is allowed to use Twitter and who is not -- so any move to actually have such a system in place would likely be met with resistance.

However, there is something interesting about having a more thorough process involving outside experts, than just trusting a company to make these decisions entirely internally. It's obviously somewhat different with Cloudflare, in part because it's providing underlying security services that are not as upfront as the various social media sites, and also because it's about picking out who to "protect" rather than who to block. But it is worth looking at and thinking about all of the different challenges there are when it comes to content moderation that go beyond what most people normally talk about.

For what it's worth, this is also quite important as more and more politicians around the globe are gearing up to "regulate" content moderation in one way or another. It's one thing to say that social media sites should be required by law to block certain accounts (or to not block certain accounts), but think about how any of those laws might also apply to services like Project Galileo, and you can see why there should be caution in rushing in with regulatory solutions. The approach taken with something like Project Galileo ought to be entirely different than the process of determining whether or not a platform has decided to remove Nazi propagandists. But it's doubtful that those proposing new regulations are thinking that far ahead, and I worry that some new proposals may sweep up Project Galileo in a manner where it may become more difficult for Cloudflare to continue to run such a program.

Still, in this era when everyone is so focused on the bad stuff online and how to stop it, it's at least worth acknowledging a cool project from Cloudflare to note the good stuff online and how to protect it.

Filed Under: computer security, content moderation, project galileo, protection, security
Companies: cloudflare

Google Joins The Evidence-Optional Assault On Huawei

from the intercontinental-blackballing dept

So we've noted several times now how the US efforts to blacklist Huawei from global telecom markets haven't much in the way of, oh, supporting evidence. The Trump administration and FCC have taken all manner of actions to try and blackball the company, from pressuring U.S. carriers to drop plans to sell Huawei phones to the FCC's decision to ban companies from using Huawei gear if they want to receive federal subsidies.

The underlying justification for these moves has centered on the idea that Huawei operates as a surveillance extension of the Chinese government, something that still hasn't been proven despite a decade's worth of claims to this effect, and an eighteen month investigation by the White House.

That's not to say the Chinese government is an innocent little daisy. Nor is it meant to suggest that it's impossible that Huawei spies on Americans. But the lack of any actual public evidence of spying remains troubling all the same, given that if the shoe were on the other foot, there'd be no shortage of face-fanning consternation on the part of American politicians and industry.

Enter Google, which this week decided that it'd be joining the evidence-optional festivities by announcing it would be severing Huawei's Android license. The move forces Huawei to rely on the Android Open Source Project (AOSP), cutting it off from critical Google apps and services. The move, as Reuters notes, could prove devastating for one of the nation's biggest smartphone manufacturers:

"The suspension could hobble Huawei’s smartphone business outside China as the tech giant will immediately lose access to updates to Google’s Android operating system. Future versions of Huawei smartphones that run on Android will also lose access to popular services, including the Google Play Store and Gmail and YouTube apps."

As some were quick to note, the move may actually prove to be counterproductive, given the negative impact it could have on deploying timely security updates:

For its part, Google stated it was simply complying with the US Commerce Department’s decision to place Huawei on the “Entity List," a move that was justified as essential to ensuring network security. But the company largely ignored any criticism that such a move might actually undermine end-user security. And in the press, it's almost bizarre how few reporters have noticed that public evidence of spying allegations is nonexistent:

It's perfectly fine if your gut tells you Huawei is a surveillance proxy for the Chinese government, but that's not the same as evidence. Also lost in this conversation is the fact that companies like Cisco have a long history of trying to gin up lawmaker hysteria on this subject for competitive advantage, or that this blackballing effort just mysteriously materialized at the same time US gear makers were worried about competing with cheaper Chinese gear as they rush to secure international fifth-generation (5G) network contracts.

Again, perhaps Huawei really is a spy and the last decade of similar hand-wringing is perfectly justified. But if that's the case, it shouldn't be hard to provide some public evidence supporting that allegation. And while some of the concern about Huawei may very well be driven by legitimate national security concerns, another significant chunk of these efforts is pretty clearly driven by good old vanilla protectionism. To ensure US policy is being driven more by the former than the latter, it might be a good idea if the press stopped playing parrot and demanded a little more in the way of actual proof.

Filed Under: android, china, donald trump, entity list, protectionism, security, us, white house
Companies: google, huawei

Forget Huawei, The Internet Of Things Is The Real Security Threat

from the somebody's-watching-you dept

We've noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn't supported by much in the way of hard data. And while it's certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don't really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

Week after week we've documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

The latest case in point: a popular Chinese GPS tracker, used to track everything from vehicles to kids and the elderly, has been found to contain a significant flaw that can trick the device into handing over GPS data using little more than a text message. The devices, which are made in China and rebranded and sold by more than a dozen companies, can also be used as remote surveillance devices, notes cybersecurity researchers:

"Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless."

While the device can be protected with a PIN, that setting isn't enabled by default, and the researchers found the devices can be remotely reset, bypassing the pin anyway. This is, if you hadn't been paying attention, kind of the norm when it comes to IOT devices. By the time flaws like this are exposed the company involved has usually moved on to marketing new devices with an entirely new array of vulnerabilities. And since most such devices don't offer much in the way of transparency, consumers usually are largely clueless to the fact that their devices are putting their private data at risk.

Security researchers keep warning us that the check is going to come due on the internet of things front, and we're not taking the warnings seriously:

"This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

As security researchers have been saying for several years, it's likely going to take a major attack on significant infrastructure and some significant fatalities before we wake up out of our collective stupor. In the interim DC is obsessed with whether companies like Huawei are covert Chinese spies, but largely apathetic to the fact that the internet of broken things already provides all the spying opportunities a nosy government or rogue actor would ever need.

Filed Under: computer security, internet of things, iot, security
Companies: huawei

Student Files $1 Billion Lawsuit Against Apple Over Supposedly Faulty Facial Recognition Tech That Falsely Accused Him Of Theft

from the probably-something-low-tech-going-on-here dept

An 18-year-old resident of New York City is suing Apple for $1 billion. His lawsuit alleges Apple uses facial recognition technology as part of its stores' security systems and that this led directly to him being accused of multiple thefts across a handful of states… despite him bearing zero resemblance to the thief caught on tape.

Ousmane Bah's lawsuit [PDF] alleges Apple failed in its duty of care by attributing all these thefts to him, despite him not being the thief, resulting in numerous harms and injuries.

As a result of this action, Defendant’s facial recognition technology associated the face of the perpetrator of multiple crimes with Mr. Bah’s name and address. This led to Mr. Bah being charged with multiple crimes of larceny across a number of states.

Mr. Bah has been undoubtedly harmed by Defendant’s wrongful actions. He has been forced to travel to multiple states, including Massachusetts, New Jersey, and Delaware. He has also been subject to a shocking and traumatic arrest made by the NYPD at his home at four o’clock in the morning.

Mr. Bah’s education has also been negatively affected due to Defendant’s actions. He has been forced to miss multiple days of school in order to travel in response to charges wrongfully made against him. Additionally, on the day that he was arrested in New York, he was supposed to take a midterm exam. His grade was negatively affected.

But while the lawsuit leans into the facial recognition theory, Apple has stated it does not use this tech in its store security systems -- ones run by Security Industry Specialists, Inc., which is the other defendant named in Bah's lawsuit.

While facial recognition tech is definitely in Apple's wheelhouse, to date it's only used as a biometric security feature. Phone owners can unlock their phones using their faces -- something that's definitely handy, if not of much help when Constitutional rights are at stake.

Bah's lawsuit leans into this theory, peppering it with links to Face ID articles and footnotes expressing concern about facial recognition tech's notorious unreliability. But Bah's lawsuit narrative seems to undercut his claims about facial recognition tech and the damage done.

There's a far more reasonable explanation for what happened here, and it's all in the narrative and allegations. This seems to be an old school case of mistaken identity, rather than unproven tech fingering the wrong suspect.

Bah had recently applied for a New York driver's license. He had a photoless paper permit to tide him over until his actual ID was mailed to him. He lost this permit, which then apparently made its way into the thief's hands and, ultimately, into the hands of Apple's security people.

This information was delivered to him by an NYPD detective's educated guesses about the source of theft claims against Bah.

Detective Reinhold of the NYPD soon realized that Mr. Bah was wrongfully arrested and that he was not the suspect of the crimes perpetrated against Defendant. Detective Reinhold stated that he had viewed the surveillance video from the Manhattan store and concluded that the suspect “looked nothing like” Mr. Bah.

At that point, Detective Reinhold also explained that Defendant’s security technology identifies suspects of theft using facial recognition technology. Further, he suspected that the person who had committed the crimes must have presented Mr. Bah’s interim permit as identification during one of his multiple offenses against Defendant which took place over many months and in multiple states.

Detective Reinhold's speculation about facial recognition tech may be faulty, but the fact that the suspect presented a photoless ID identifying himself as Ousmane Bah likely explains why Apple reported the faux Bah to the police. When the suspect stole things from other stores, security personnel saw it was the same person they only knew as Bah from the ID the suspect had presented to them.

Since Apple didn't have a photo to cross-reference with its camera footage, the Bah seen in the recordings was the only Bah it knew, even if it wasn't actually Ousmane Bah, upstanding citizen and recent high school graduate. Fortunately for the real Bah, charges have been dropped in all but one case. New Jersey is the sole holdout but those charges will likely follow the rest into the prosecutor's trash can.

Unfortunately for Bah, bogus charges result in real hardships, real reputational damage, and one very real 4 a.m. arrest. But is that $1 billion-worth of damages? It's highly unlikely Bah will walk away with anything approaching this amount. In fact, Apple's good faith efforts to catch a thief known only as "Ousmane Bah" don't really show the company acting negligently. It was working with the information it had. The information may have been bad, but Apple didn't have any way of knowing that when it turned over information to law enforcement.

Simply saying something does not make it so -- which is definitely going to get pointed out by a judge when they reach this part of Bah's arguments:

The identification of Mr. Bah and subsequent charges filed against him, as well as the traumatic arrest which took place at his home, were completely preventable by Defendant. All of these events were caused by Defendant’s negligent acceptance of an interim permit, which did not contain a photo, did not properly describe the suspect presenting it, and clearly stated that it could not be used for identification purposes, as a valid form of identification.

Additionally, had Defendant taken action to correct their error after it had become aware that its facial recognition technology had continuously wrongfully implicated Mr. Bah, further injury could easily have been avoided.

It's tough to "easily avoid" something Apple wasn't aware of until after Bah's arrest by the NYPD. Only after this arrest occurred did information begin to circulate that Bah wasn't the thief in the security videos -- information that first made its way to the Boston PD, not to Apple's security team.

Bah claims Apple kept "prosecuting" these charges even after it might have been aware it had misidentified the suspect. But Apple doesn't prosecute charges. Prosecutors do. There's nothing on the record at this point indicating Apple security was approached by law enforcement with information showing the wrong person had been named as a suspect but chose to continue pressing charges against Bah.

In the end, this appears to be a very unfortunate situation in which everyone did what they could but still ended up harming a teen with a clean criminal record. Apple worked with the information it had, aided in part by Bah never reporting his interim ID card going missing. The officers who did handle Bah's cases discovered he was the wrong person, passed that information on to others, and had prosecutors drop the charges. Facial recognition tech was dragged into this lawsuit via speculation from an NYPD detective, but Bah's narrative is just as speculative, accusing Apple of using faulty tech when it most likely used tech -- CCTV -- everyone's been using for years.

Filed Under: apple stores, face recognition, facial recognition, ousmane bah, security
Companies: apple