Pardon the Intrusion #6: When SMS becomes buggy

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

We live in an era of constant communication. There are a plethora of chat apps to keep us connected to friends and family, so many that our conversations are now fragmented across siloed platforms.

Enter SMS, or short message services, and its fancier successor, RCS, or rich communication services.

RCS upgrades the carrier-based messaging standard with status information, typing indicators, location sharing, group messaging, file transfers, and better media support — features that’re now the default in most messaging apps today.

But RCS isn’t without its share of security issues. For one, the service isn’t end-to-end encrypted, meaning carriers can read your messages.

Google, which is trying its best to make RCS happen through its Google Messages app for Android, has said it’ll add encryption to the over-the-top messaging service at some point in the future.

As if these practical limitations weren’t enough, it turns out variants of RCS implemented by all major US telcos come with their own share of bugs — allowing a baddie to impersonate users and even hijack conversations.

I asked Security Research Labs researchers Luca Melette and Sina Yazdanmehr what they think: “These attacks make current RCS deployments as vulnerable to hacking as legacy mobile technologies, such as 2G and SS7. This is surprising for a technology built on internet technology and underactive design.”

Although the flaws can be mitigated by adopting proper countermeasures, the development is ample proof of what can happen in the absence of a true universal standard, as well as when carriers are left to develop their own custom RCS solutions.

Because let’s face it, bugs are part and parcel of software.

***

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

Healthcare and security firms continued to fall prey to ransomware attacks, T-Mobile, OnePlus, and Mixcloud suffered data breaches affecting millions of users, a TrueDialog database containing millions of SMS messages was found unsecured online, Docker hosts with exposed API endpoints were exploited by hackers to mine cryptocurrency, Microsoft’s Advanced Threat Protection team discovered a mutating cryptocurrency miner called Dexphot, Stantinko botnet was caught using YouTube to mine Monero, and hackers injected Monero’s official website with coin-stealing malware.

• Password data and other personal information belonging to as many as 2.2 million users of GateHub cryptocurrency wallet service and RuneScape have been posted online. [Ars Technica]
• This new kind of Android malware — called “FakeAdsBlock” — poses as an ad-blocker, only to annoy users with multiple ads. In another instance of mobile malware, “CallerSpy” has been stealing victim’s personal information, including files and location data, by masquerading as a chat app called Apex. [ZDNet | Trend Micro]
• The Chinese government targeted users of an app called Zapya to detain the Uighur Muslim population in Xinjiang. [International Consortium of Investigative Journalists]
• Britain’s National Crime Agency took down a remote-access hacking tool — called “Imrat” — that had been sold to 14,500 buyers in 124 countries. For just $25, the tool gave access to webcams, and personal data on infected devices. What a bargain! [BBC News]
• Google found evidence of Russian state-backed hackers — known as Sandworm — to infect Android phones with rogue apps. [WIRED]
• The California DMV was found to make $50M buy selling drivers’ personal information, including names, physical addresses, and car registration details. [Motherboard]
• Cellular carriers are big on hoarding customers’ location histories. AT&T retains it for 5 years, T-Mobile for 2, Sprint for 1.5, and Verizon for a full year. [USA Today]

• This nefarious Python-based trojan malware — dubbed “PyXie RAT” — gives attackers control of target Windows systems with the ability to monitor actions and steal sensitive data. [BlackBerry Cylance]
• Google said it warned 12,000 people between July and September who were possibly targeted by state-sponsored attacks. 90% of the potential victims were targeted by credential phishing emails. [Google]
• It’s been 5 years since the terrible Sony Pictures hack, and we’re still nowhere closer to figuring out who’s behind it. [The Hollywood Reporter]
• A jumbo data leak comprised of 1.2 billion records, complete with Facebook, Twitter, and LinkedIn profiles, was found exposed on a single server owned by an unidentified entity before the FBI jumped in to take it down. [WIRED]
• Several popular cybersecurity professionals on Twitter were approached by influencer marketer VizSense to promote Lenovo’s secure line of products and security services. [Axios]
• Security researchers uncovered a broad hacking campaign — Golden Falcon aka DustSquad or APT-C-34 — targeting Kazakhstan. The campaign attempted to spy on journalists, foreign diplomats, researchers, and military personnel. [Qihoo 360]

• Adobe-owned Magento e-commerce platform disclosed a new data breach that exposed account information of Magento marketplace users to unknown hackers. [The Hacker News]
• Microsoft outlined plans to leverage Mozilla’s Rust programming language through Project Verona, which aims to make Windows more secure by eliminating memory issues. [ZDNet]
• Google’s elite bug hunters Threat Analysis Group revealed a new in-the-wild Bad Binder zero-day exploit, a local privilege escalation vulnerability that gives the attacker full read and write access to vulnerable Android devices. The exploit, allegedly created by NSO Group, could be delivered via a browser bug, and was used to install the notorious Pegasus spyware. [Project Zero]
• Microsoft fixed a bug that could be potentially used to trick unsuspecting users into giving over complete access to their online accounts to attackers. [TechCrunch]
• Google announced a new bug bounty program, offering to pay as much as $1.5M to uncover bugs in its Titan M security chip used to store sensitive data on Pixel phones. [Android Vulnerability Rewards]
• Researchers found 36 malicious apps were exploiting an unpatched Android vulnerability — named “StrandHogg” — to pose as legitimate apps and record audio or video, take photos, read text messages, or phish login credentials. [Promon]

Data Point

HIPAA Journal’s Healthcare Data Breach Report revealed that October 2019 had the largest number of data breaches officially reported by US healthcare entities. This pushes the total number of breached healthcare records in 2019 past the 38 million mark, the highest since 2015, when health insurance provider Anthem suffered a data breach affecting 78.8 million people.

Takeaway: With ransomware and social engineering attacks becoming a source of headache for entities in the healthcare sector, it’s careless if companies don’t invest in better cybersecurity practices, such as isolating critical network infrastructure and taking periodic data backups. At this stage, you’re practically inviting a cyber attack if you don’t practice basic security hygiene.

Tweet of the week

That’s it. See you all in 2 weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)