- Mobil -

Last update 09.10.2017 12:35:47

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6 

Hackers Hit Air Canada Mobile App
31.8.2018 securityweek  Mobil

Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords, as a precautionary measure.

The company says it detected unusual login behavior with its mobile application between Aug. 22 and 24, 2018, and that the password reset was the result of that incident.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the company said.

Out of the 1.7 million Air Canada mobile App user profiles, approximately 20,000 profiles might have been improperly accessed during the attack and the company says it is contacting potentially affected customers directly.

However, all of the company’s mobile users were asked to reset their passwords using improved password guidelines.

Air Canada says users’ credit card information is protected, but recommends keeping an eye on all transactions. The basic profile data stored on the mobile app account includes name, email address, and telephone number.

However, users may also add their Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance, and country of residence. The Aeroplan password is not stored in the app.

“Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” the company says.

As Mark Sangster, VP and industry security strategist at Canadian-based cyber security company eSentire, told SecurityWeek in an emailed statement, one major issue related to this incident is that many of Air Canada’s users are frequent travelers who spend in different countries and geographies, thus “making it harder for credit card providers to identify anomalous spending tied to their accounts.”

He also applauds Air Canada’s swift reaction to the incident, noting that “the window between the point of detection and point of response is critical.” The sooner users learn about a data breach, the quicker they can take action to secure sensitive information.

Matt Chiodi, VP of Cloud Security at RedLock, agrees. “It’s important to note that were it not for the swift actions of Air Canada’s security teams, it could have been exponentially worse since the 20,000 records that were accessed only represented 1% of their overall database,” Chiodi said in an emailed comment.

“As the frequency and voracity of cyberattacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth,” Sangster concluded.

A study of car sharing apps
2.8.2018 Kaspersky  Mobil

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?
The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security
So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.
Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges
Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength
Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also large amount, but the app doesn’t have a timeout for entering the next combination, so there are no obstacles to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).

MITM attack
It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying
Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users
Don’t make your phone number publicly available (the same goes for your email address)
Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
Do not use rooted devices.
Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.
Recommendations to car sharing services
Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
Use mechanisms to detect operations on rooted devices.
Allow the user to create their own credentials; ensure all passwords are strong.
Notify users about successful logons from other devices.
Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
Protect your application interface from being overlaid by another app.
Add a server certificate check.

Researchers show how to manipulate road navigation systems with low-cost devices
19.7.2018 securityaffairs Mobil

Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers and manipulate road navigation systems.
Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers. The kit could be used to deceive receivers used by navigation systems and suggest drivers the wrong direction.

“we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed.” reads the research paper published by the experts.

“Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions.”

The group of researchers is composed of three teams from Microsoft, Virginia Tech in the US, and the University of Electronic Science and Technology of China.

The boffins were able to spoof packets transmitted by satellites to mobile devices and navigation systems used in the automotive industry.

The tests conducted by experts allowed to remotely change the routes with up to 95 per cent accuracy. The researchers built a radio-transmitting device based on Raspberry Pi, they used just $223 of components.

The radio transmitting device broadcasts fake location data and makes it impossible for the receivers to have the real positioning data from the satellite.

In a Real attack scenario, the device could be used to deceive navigation systems in cars.

navigation systems

“We show that adversaries can build a portable spoofer with low costs (about $223), which can easily penetrate the car body to take control of the GPS navigation system.” continues the paper.

“Our measurement shows that effective spoofing range is 40–50 meters and the target device can consistently latch onto the false signals without losing connections,”

In order to make the attack stealth the researchers experimented with stashing the spoofing device in the trunk of a car or under the back seat.

They were able to add new route details via a cellular network connection without following the target.

In a test in field conducted in a Chinese parking lot, the researchers deceived a navigation system in 48 seconds by hiding the device in the truck, while if it was under the seat, it took just 38 seconds.

The expert used data from OpenStreetMap to construct routes the target.
“Compared to spoofing a drone or a ship, there are unique challenges to manipulate the road navigation systems. First, road navigation attack has strict geographical constraints. It is far more challenging to perform GPS spoofing attacks in real-time while coping with road maps and vehicle speed limits.” continues the paper.

“In addition, human drivers are in the loop of the attack, which makes a stealthy attack necessary.”

Experts highlighted that the spoofing attacks could be very effective, 40 volunteer drivers involved in a trial found that 95 per cent of the time the attackers were able to trick the targets into following the fake routes.

Such kind of attacks could be particularly dangerous especially when dealing with self-driving cars and trucks.

Researchers provided also countermeasures to prevent the attacks such as the use of encrypted data also for civilian GPS signals.

How crooks conduct Money Laundering operations through mobile games
19.7.2018 securityaffairs Mobil

Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards.
A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.

The money laundering operation was unveiled by the US Department of Justice, the investigation started in mid-June when the experts from Kromtech Security discovered a MongoDB database exposed online. The database was containing information related to carders’ activities, the database contained 150,833 unique cards records (card number, expiration date, and CCV)

“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.

“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”

The activity of the criminal gang behind the operation is simple as effective. Crooks used a special tool to create iOS accounts using valid emails accounts, then they associated with the accounts the stolen payment cards. Most of the created accounts are specific to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.

The group then made the jailbreaking of iOS devices to install various games, create in-game accounts, and use them to purchase game features or premiums.

The cash out was made later when crooks re-sold the game features or premiums online for real money.

Experts found credit cards belong to 19 different banks, they speculated they were probably bought on the specific carder markets where they were offered in groups of 10k, 20k, 30k.

The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.

The three apps have a gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. Associated third-party markets are very active, websites like g2g.com to allow gamers to buy and sell resources and games, a great opportunity for crooks involved in money laundering.

money laundering games

“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.

App Offered by Android Users Release Metacritic score In-app Products price per item Daily revenue $
Yearly revenue

Clash of Clans Supercell 100 000 000+ 2012 74/100 $0.99 – $99.99 per item 684 002 250M
Clash Royale Supercell 100 000 000+ 2016 86/100 $0.99 – $99.99 per item 153 150 56M
Marvel Contest of Champions Kabam 50 000 000+ 2014 76/100 $0.99 – $99.99 per item 64 296 23.5M
The experts also found that the Apple was employing lax credit card verification process when users add payment card data to iOS accounts, advantaging fraudulent activities. The experts noticed that cards with improper names and addresses were approved by Apple, for this reason, they notified their discovery to Apple.

The experts also highlighted that game makers do not implement necessary measures to prevent such kind of abuses. For example, the game makers do not control the interaction of tools like Racoonbot with Supercell games that are used to automate the premium feature buying operations.

“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in it’s forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.

“iGameSupply is an approved marketplace for selling Racoonbot generated gems https://www.raccoonbot.com/forum/forum/80-approved-marketplace/“

A Samsung Texting App bug is sending random photos to contacts
3.7.2018 securityaffairs Mobil

Some Samsung devices are randomly sending photos taken with the camera to contacts in the address book without permission.
Do you have a Samsung smartphone? There is something you need to know.

Some devices are randomly sending photos taken with the camera to contacts in the address book without permission.

The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected.

The news was first reported by Gizmodo, several users reported the anomalous behavior on Reddit and the company official forums.

“Sending pictures to others is one of the most basic functions of a smartphone, but when your phone’s texting app starts randomly pushing out photos without your knowledge, you got a problem..” reported Gizmodo

“And unfortunately, according to a smattering of complaints on Reddit and the official Samsung forums, it seems that’s exactly what happened to a handful of Samsung phone users, including owners of late model devices such as the Galaxy Note 8 and Galaxy S9.”

One user explained that his phone sent all his photos to his girlfriend over the night, but there was no record of it on his messages app. The expert discovered that there was a record of this activity on the mobile logs.

“Last night around 2:30 am, my phone sent her my entire photo gallery over text but there was no record of it on my messages app. However, there was record of it on tmobile logs. Why would this happen?” wrote the user on Reddit.

The unwanted messages were sent out via the Samsung Messages app, some users discovered the issue after they received a response from the recipients that received the photos.

A Samsung confirmed it is aware of the reports” and that its technical staff is investigating the problem.

samsung s9

Below the list of problems observed since the RCS Messaging was enabled and occurs with the SCHEDULED TEXT feature.

Scheduled Messages are sent prematurely
Scheduled text Messages end up in WRONG threads
Messaging incorrectly displays scheduled messages as “sent” when, in fact, the other party has not received them.
Clearly many users are speculating this glitch was introduced with the push of RCS messaging updates by telco carriers.

As a temporary measure, Samsung owners can revoke Samsung Message’s permissions to access storage (Settings -> Apps -> Samsung Messages -> Permissions -> Storage).

Concerned customers are encouraged to contact us directly at 1-800-SAMSUNG

One more reason to hate your cellphone battery when it sends private data to the bad actors

26.6.2018 securityaffairs Mobil

Security Researchers demonstrated how a “poisoned” cellphone battery in smartphones can be leveraged to “infer characters typed on a touchscreen
We’ve heard about stealing information through blinking hard drive lights and computer speakers but would you believe the battery in your cell phone can also leak potentially sensitive information?

Researchers at Technion Center for Security Science and Technology (CSST), Hebrew University and University of Texas at Austin have published a paper (Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices) explaining how “poisoned” batteries in smartphones can be leveraged to “infer characters typed on a touchscreen; to accurately recover browsing history in an open-world setup; and to reliably detect incoming calls, and the photo shots including their lighting conditions.” Going further, the researchers also describe how the Battery Status API can be used to remotely capture the sensitive information.

The “attack” starts by replacing the battery in the target smartphone with a compromised battery. Perhaps by poisoning the supply chain, gaining secretive access to the device, or selling the batteries through aftermarket resellers. The specific method is left as a thought exercise, but for the risk analysis, we assume that the battery has been replaced and is thus exploitable.

cellphone battery 1

Smartphone users will tell you that the battery is the most frustrating component of their devices. To improve this experience, smartphone batteries include technology to report on current charge rates, discharge rates, charging method, etc. With this information, the device can provide feedback to the user and change operating behavior to maximize battery life.

This requires a communications channel between the battery and the smartphone, and this is the channel the researchers leveraged to exfiltrate data. The information is not restricted to only the operating system but, also exposed to the Battery Status API as defined by the W3C organization meaning it can be captured by a malicious website if accessed through a vulnerable browser (Chrome.) So the attack starts with a compromised battery, leverages the Battery Status API to expose the captured data and sends it to a malicious website through a vulnerable browser. Lots of moving pieces to line up, but plausible. So what information can be exposed this way?

cellphone battery 2

The researchers showed an ability to identify the characters typed on the screen, identify incoming phone calls, determine when a picture is taken and identify metadata for that photo. The characters being typed aren’t read directly, but the poisoned battery infers what is typed by measuring the effect on battery parameters.

This has an effect on the accuracy of the information being captured. Determining when a picture is taken or when a call is received is accurate 100% of the time. But identifying what characters are typed is only accurate 36% of the time. If the eavesdropper is able to narrow the potential characters being typed, for example, if it is known the person is typing a website URL or booking tickets on a travel website, accuracy increases to 65%.

When considering all of the potential cyber threats that exist, this definitely counts as a low risk. Replacing a cell phone battery is difficult to do without the owner being aware, and even if you manage to change the battery, the information it gathers is prone to error and capturing the information remotely is a complex endeavor. But the risk is tangible, and if not mitigated, it could grow to become significant. Mozilla and Apple have already removed support for the Battery Status API from their browsers, and the W3C organization has updated the Battery Status API specification.

Currently, Chrome is the only “vulnerable” means of exfiltrating the data through this specific attack. However as we have seen repeatedly, once a novel approach is identified, others will expand and evolve the attack. This will be an interesting one to watch.

Thousands of Mobile Apps Leak Data from Firebase Databases
21.6.2018 securityweek  Mobil

Thousands of mobile applications running on iOS and Android have exposed over 113 gigabytes of data from 2,300 unsecured Firebase databases, enterprise mobile security firm Appthority says in a new report.

The new research follows last year’s report into the HospitalGown attack vector, which revealed that more than 1,000 mobile apps on enterprise devices were exposing potentially sensitive data via insecure connections with backend servers.

Similar to the HospitalGown vulnerability, which was found in mobile applications’ architecture and infrastructure, the new security flaw resides in mobile app developers failing to require authentication to a Google Firebase cloud database.

One of the most popular backend database technologies for mobile apps, Firebase does not secure user data by default. It does not warn developers when data is not secure and does not provide third-party encryption tools either.

To ensure data is secure, app builders need to specifically implement user authentication on all database tables and rows, but that rarely happens, Appthority explains in a report (PDF). Because of that, an attacker can easily find open Firebase app databases and access private records.

The security issue, which the security firm refers to as the Firebase vulnerability, has a huge impact, leaking 100 million records (113 gigabytes) of data from unsecured Firebase databases.

After digging through millions of applications, the security researchers discovered 28,502 mobile apps (27,227 Android and 1,275 iOS apps) connected to a Firebase database, 3,046 of which (10.69%) were found vulnerable (2,446 Android and 600 iOS apps).

The 3,000 vulnerable applications, the security firm notes, exposed over 100 million records of data from 2,300 vulnerable databases (1 in 10 Firebase databases, or 10.34%, were found vulnerable). On Android alone, the vulnerable applications had more than 620 million downloads.

Impacted applications belong to multiple categories, including tools, productivity, health and fitness, communication, finance and business apps, and impact over 62% of enterprises.

Affected organizations included banks, telecoms, postal services, ride sharing companies, hotels and educational institutions in the United States, Europe, Argentina, Brazil, Singapore, Taiwan, New Zealand, India, and China.

Analysis of the exposed data revealed 2.6 million plain text passwords and user IDs; more than 4 million Protected Health Information records (including chat messages and prescription details); 25 million GPS location records; 50 thousand financial records including banking, payment and Bitcoin transactions; and over 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens.

The report reveals that 975 (40%) of the vulnerable apps were business-related, installed in active customer environments, leaking corporate private keys and access credentials (potentially allowing attackers to exfiltrate sensitive intellectual property), private business conversations, and sales information.

The number of applications connecting to Firebase databases has increased significantly since 2015, and so did the number of vulnerable applications. Between 2015 and 2016, apps using Firebase grew 2,112%, while the vulnerable apps grew 1,225%. Between 2016 and 2017, the growth rates were of 271% and 74%, respectively.

“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data. The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security,” Seth Hardy, Appthority Director of Security Research, commented.

TrueMove H, the biggest 4G mobile operator in Thailand suffered a data leak
16.4.2018 securityaffairs Mobil

TrueMove H, the biggest 4G mobile operator in Thailand suffered a data leak, 46000 people’s data store on an AWS bucked were left on accessible online, including driving licenses and passports.
Let’s speak about a new data breach, this time the victim is TrueMove H, the biggest 4G mobile operator in Thailand.

The operator exposed online customers personal data that were stored in an Amazon AWS S3 bucket.

The leaked data also includes scans of identity documents, the data were left accessible until April 12, when the company restricted the access.

The huge trove of data was discovered by security researcher Niall Merrigan that attempted to notify the issue to TrueMove H, but the operator did not respond.

Merrigan told El Reg that the AWS bucked contained 46,000 records for a total of 32GB.
The experts published a blog post on the case, he explained that tools like bucket stream and bucket-finder allow scanning the internet for open S3 AWS buckers.

Merrigan used the bucket-finder tool to find open S3 Buckets when noticed the one belonging to the TrueMove H.
“The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. Bucket finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose.” wrote the expert.

“One such owner was True Move H, the second largest mobile operator in Thailand,”

TrueMove H

“Representatives of the telco initially told him to ring its head office when he asked for the contact details of a security response staffer before telling him his concerns had been passed on some two weeks later, after El Reg began asking questions on the back of Merrigan’s findings.” reported El Reg.

TrueMove H has issued a statement to clarify that the data leak affected their subsidiary I True Mart.

Blocking of Broadcom-Qualcomm Tie-up Highlights 5G Security Fears
13.3.2018 securityweek  Mobil

The unusual move by President Donald Trump blocking a proposed takeover of Qualcomm by Singapore-based chip rival Broadcom highlights growing concerns about the rise of Chinese competitors in the telecom sector and related national security issues.

Trump issued an order Monday barring the proposed $117 billion acquisition, citing credible evidence such a deal "threatens to impair the national security of the United States."

Trump's order made no mention of China, but an earlier letter from the US Treasury warned that a takeover might hurt US leadership in 5G, or fifth-generation wireless networks now being deployed, and consequently pose a threat to US security.

"It's a real threat," said James Lewis, a former US national security official who is now vice president at the Center for Strategic and International Studies in Washington.

"Every administration since 2002 has figured out we are vulnerable to Chinese espionage if they control the infrastructure. Qualcomm and to some degree Cisco are the last two that keep the US in the game when it comes to telecom, and we don't want to lose them."

The takeover, which would have been the largest in the tech sector, was under investigation by the normally secretive Committee on Foreign Investment in the United States (CFIUS).

Last week's Treasury letter said a takeover of Qualcomm could lead to a loss of US influence in 5G standards, opening the door for Chinese firms like Huawei to dominate.

"Huawei is maybe the only company that offers a full range of 5G products," Lewis said. "It is positioning itself to be the number one provider of 5G equipment."

Broadcom said it "strongly disagrees" a tie-up could raise national security concerns, and had pledged to invest to ensure US leadership in 5G, the superfast networks crucial to robotics, connected cars and other smart devices.

Lewis said it was possible US intelligence found something to warrant concern over the deal even as Broadcom was taking steps to redomicile in the United States by April 3, which would negate a CFIUS investigation.

"Maybe it's money, maybe it's control, maybe it's something we don't know that would justify this kind of extreme action," Lewis said.

- Fear of Huawei -

Paul Rosenzweig, a former Department of Homeland Security official who now has a consulting firm, had also voiced caution.

"Nobody knows for sure, but there is a suspicion going around that Broadcom's ultimate goal is to help Huawei and that this play is an attempt to squelch American 5G development," Rosenzweig wrote recently on the Lawfare national security blog.

Rosenzweig added Broadcom could fire Qualcomm management, cut research spending on 5G or stop Qualcomm from participating in the 5G standards-setting process.

"Perhaps more to the point, Qualcomm is an essential contracting partner of the US government, holding a top secret facility security clearance. If purchased by a foreign company that status might be in jeopardy," Rosenzweig added.

The Trump move underscores growing concerns over Huawei, the third-largest smartphone maker but also a leading telecom infrastructure producer.

Huawei earlier this year lost a bid for broader entry into the US smartphone market, when AT&T and Verizon canceled deals after US lawmakers expressed concern over the company's Chinese government ties.

- 'The 5G problem' -

Lewis said a controversial proposal floated earlier this year that would have nationalized the United States' 5G network shows how worried the administration is about espionage using telecom networks.

"This administration has woken up to the 5G problem," Lewis said.

Technalysis Research president Bob O'Donnell said Broadcom has gained a reputation as a cost-cutter while Qualcomm has been focused on innovating.

"Without the kinds of advancements the culture of Qualcomm has created, the telecom industry would not be as advanced as it is today," O'Donnell wrote in a blog post.

"Were Broadcom to purchase Qualcomm and apply the same principles it has to other acquisitions, the likely effect would be to dramatically slow those advances down, both through the company's tactics as well as the likely departures of key employees who would be averse to working for Broadcom."

Patrick Moorhead, an analyst with Moor Insights & Strategy, said an independent Qualcomm will keep innovating in 5G and that "the industry is breathing a collective sigh of relief" with the deal blocked.

"Qualcomm funds a lot of the 5G interoperability testing and troubleshooting between device makers like Samsung, carrier equipment manufacturers like Ericsson and networks like AT&T, and I believe this will continue with an independent Qualcomm," Moorhead said.