European Commission airs out new IoT device security draft law – interested parties have a week to weigh in

Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention.

Draft regulations applying to “internet-connected radio equipment and wearable radio equipment” are open for public comment until 27 August – and the resulting laws will apply across the bloc from the end of this year, according to the EU Commission.

Billed as assisting Internet of Things device security, the new regs will apply to other internet-connected gadgets in current use today, explicitly including “certain laptops” as well as “baby monitors, smart appliances, smart cameras and a number of other radio equipment”, “dongles, alarm systems, home automation systems” and more.

[…]

The Netherlands’ FME association has already raised public concerns about the scope of the EU’s plans, specifically raising the “feasibility of post market responsibility for cybersecurity”.

The trade association said: “If there is a low risk exploitable vulnerability; at what level can the manufacturer not release or delay a patch, and what documentation is required to demonstrate that this risk assessment was conducted with this outcome of a very low risk vulnerability?”

While there are certainly holes that can be picked in the draft regs, cheap and cheerful internet-connected devices pose a real risk to the wider internet because of the ease with which they can be hijacked by criminals.

[…]

Certain router makers have learned the hard way that end-of-life equipment that contains insecurities can have a reputational as well as security impact. That said, it’s perhaps unreasonable to expect kit makers to keep providing software patches for years after they’ve stopped shipping a device. Consumers cannot rely on news outlets shaming makers of internet-connected goods into providing better security; new laws are the inevitable next stage, and there’s a growing push for them on both sides of the Atlantic.

Device makers being banned from selling in the EU over security and data protection issues is not new. In 2017, the German telecoms regulator banned the sale of children’s smartwatches that allowed users to secretly listen in on nearby conversations, and later that year, the French data protection agency issued a formal notice to a biz peddling allegedly insecure Bluetooth-enabled toys – Genesis Toys’ My Friend Cayla doll and the i-Que robot, because the doll could be misused to eavesdrop on kids. The manufacturers are also obliged to comply with the GDPR. However, the new draft law is evidence that certain loopholes might soon begin to close.

Source: European Commission airs out new IoT device security draft law – interested parties have a week to weigh in • The Register

A Misused Microsoft Tool Leaked Data from 47 Organizations

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records.

Microsoft’s Power Apps, a popular development platform, allows organizations to quickly create web apps, replete with public facing websites and related backend data management. A lot of governments have used Power Apps to swiftly stand up covid-19 contact tracing interfaces, for instance.

However, incorrect configurations of the product can leave large troves of data publicly exposed to the web—which is exactly what has been happening.

Researchers with cybersecurity firm UpGuard recently discovered that as many as 47 different entities—including governments, large companies, and Microsoft itself—had misconfigured their Power Apps to leave data exposed.

The list includes some very large institutions, including the state governments of Maryland and Indiana and public agencies for New York City, such as the MTA. Large private companies, including American Airlines and transportation and logistics firm J.B. Hunt, have also suffered leaks.

UpGuard researchers write that the troves of leaked data have included a lot of sensitive stuff, including “personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.”

[…]

Following UpGuard’s disclosures, Microsoft has since shifted permissions and default settings related to Power Apps to make the product more secure.

Source: A Misused Microsoft Tool Leaked Data from 47 Organizations

OnlyFans CEO on why site is banning porn: ‘The short answer is banks’

After facing criticism over the app’s recent decision to prohibit sexually explicit content starting in October, OnlyFans CEO Tim Stokely pointed the finger at banks for the policy change.

In an interview with the Financial Times published Tuesday, Stokely singled out a handful of banks for “unfair” treatment, saying they made it “difficult to pay our creators.”

Source: OnlyFans CEO on why site is banning porn: ‘The short answer is banks’ – CNET

Belarus Hackers Seek to Overthrow Government, release huge trove of sensitive data

[…]

The Belarusian Cyber Partisans, as the hackers call themselves, have in recent weeks released portions of a huge data trove they say includes some of the country’s most secret police and government databases. The information contains lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system, according to interviews with the hackers and documents reviewed by Bloomberg News.

A screenshot of footage the hackers obtained from inside Belarusian detention centers where protesters were held and allegedly beaten.
Source: Belarusian Cyber Partisans

Among the pilfered documents are personal details about Lukashenko’s inner circle and intelligence officers. In addition, there are mortality statistics indicating that thousands more people in Belarus died from Covid-19 than the government has publicly acknowledged, the documents suggest.

In an interview and on social media, the hackers said they also sabotaged more than 240 surveillance cameras in Belarus and are preparing to shut down government computers with malicious software named X-App.

[…]

the data exposed by the Cyber Partisans showed “that officials knew they were targeting innocent people and used extra force with no reason.” As a result, he said, “more people are starting to not believe in propaganda” from state media outlets, which suppressed images of police violence during anti-government demonstrations last year.

[…]

The hackers have teamed up with a group named BYPOL, created by former Belarusian police officers, who defected following the disputed election of Lukashenko last year. Mass demonstrations followed the election, and some police officers were accused of torturing and beating hundreds of citizens in a brutal crackdown.

[…]

The wiretapped phone recordings obtained by the hackers revealed that Belarus’s interior ministry was spying on a wide range of people, including police officers—both senior and rank-and-file—as well as officials working with the prosecutor general, according to Azarau. The recordings also offer audio evidence of police commanders ordering violence against protesters, he said.

[…]

Earlier this year, an affiliate of the group obtained physical access to a Belarus government facility and broke into the computer network while inside, the spokesman said. That laid the groundwork for the group to later gain further access, compromising some of the ministry’s most sensitive databases, he said. The stolen material includes the archive of secretly recorded phone conversations, which amounts to between 1 million and 2 million minutes of audio, according to the spokesman.

[…]

The hackers joined together in September 2020, after the disputed election. Their initial actions were small and symbolic, according to screenshots viewed by Bloomberg News. They hacked state news websites and inserted videos showing scenes of police brutality. They compromised a police “most wanted” list, adding the names of Lukashenko and his former interior minister, Yury Karayeu, to the list. And they defaced government websites with the red and white national flags favored by protesters over the official Belarusian red and green flag.

Those initial breaches attracted other hackers to the Cyber Partisans’ cause, and as it has grown, the group has become bolder with the scope of its intrusions. The spokesman said its aims are to protect the sovereignty and independence of Belarus and ultimately to remove Lukashenko from power.

[…]

Names and addresses of government officials and alleged informants obtained by the hackers have been shared with Belarusian websites, including Blackmap.org, that seek to “name and shame” people cooperating with the regime and its efforts to suppress peaceful protests, according to Viačorka and the websites themselves.

[…]

Source: Belarus Hackers Seek to Overthrow Local Government – Bloomberg

Samsung Galaxy Z Fold 3’s camera breaks after unlocking the bootloader

[…]

Samsung already makes it extremely difficult to have root access without tripping the security flags, and now the Korean OEM has introduced yet another roadblock for aftermarket development. In its latest move, Samsung disables the cameras on the Galaxy Z Fold 3 after you unlock the bootloader.

Knox is the security suite on Samsung devices, and any modifications to the device will trip it, void your warranty, and disable Samsung Pay permanently. Now, losing all the Knox-related security features is one thing, but having to deal with a broken camera is a trade-off that many will be unwilling to make. But that’s exactly what you’ll have to deal with if you wish to unlock the bootloader on the Galaxy Z Fold 3.

According to XDA Senior Members 白い熊 and ianmacd, the final confirmation screen during the bootloader unlock process on the Galaxy Z Fold 3 mentions that the operation will cause the camera to be disabled. Upon booting up with an unlocked bootloader, the stock camera app indeed fails to operate, and all camera-related functions cease to function, meaning that you can’t use facial recognition either. Anything that uses any of the cameras will time out after a while and give errors or just remain dark, including third-party camera apps.

It is not clear why Samsung chose to follow the path Sony took in the past, but the actual problem lies in the fact that many will probably overlook the warning and unlock the bootloader without knowing about this new restriction. Re-locking the bootloader does make the camera work again, which indicates that it’s more of a software-level obstacle. With root access, it could be possible to detect and modify the responsible parameters sent by the bootloader to the OS to bypass this restriction. However, according to ianmacd, Magisk in its default state isn’t enough to circumvent the barrier.

[…]

Source: Samsung Galaxy Z Fold 3’s camera breaks after unlocking the bootloader

Dust-sized supercapacitor packs the same voltage as a AAA battery

By combining miniaturized electronics with some origami-inspired fabrication, scientists in Germany have developed what they say is the smallest microsupercapacitor in existence. Smaller than a speck of dust but with a similar voltage to a AAA battery, the groundbreaking energy storage device is not only safe for use in the human body, but actually makes use of key ingredients in the blood to supercharge its performance.

[…]

These devices are known as biosupercapacitors and the smallest ones developed to date are larger than 3 mm³, but the scientists have made a huge leap forward in terms of how tiny biosupercapacitors can be. The construction starts with a stack of polymeric layers that are sandwiched together with a light-sensitive photo-resist material that acts as the current collector, a separator membrane, and electrodes made from an electrically conductive biocompatible polymer called PEDOT:PSS.

This stack is placed on a wafer-thin surface that is subjected to high mechanical tension, which causes the various layers to detach in a highly controlled fashion and fold up origami-style into a nano-biosupercapacitor with a volume of 0.001 mm³, occupying less space than a grain of dust. These tubular biosupercapacitors are therefore 3,000 times smaller than those developed previously, but with a voltage roughly the same as an AAA battery (albeit with far lower actual current flow).

These tiny devices were then placed in saline, blood plasma and blood, where they demonstrated an ability to successfully store energy. The biosupercapacitor proved particularly effective in blood, where it retained up to 70 percent of its capacity after 16 hours of operation. Another reason blood may be a suitable home for the team’s biosupercapacitor is that the device works with inherent redox enzymatic reactions and living cells in the solution to supercharge its own charge storage reactions, boosting its performance by 40 percent.

Prof. Dr. Oliver G. Schmidt has led the development of a novel, tiny supercapacitor that is biocompatible
Jacob Müller

The team also subjected the devices to the forces they might experience in blood vessels where flow and pressure fluctuate, by placing them in microfluidic channels, kind of like wind-tunnel testing for aerodynamics, where they stood up well. They also used three of the devices chained together to successfully power a tiny pH sensor, which could be placed in the blood vessels to measure pH and detect abnormalities that could be indicative of disease, such as tumor growth.

[…]

Source: Dust-sized supercapacitor packs the same voltage as a AAA battery