Daily Archives: April 30, 2024

UK becomes first country to ban default bad passwords on IoT devices

Posted on by

[…] On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they’re connected to. In one often-cited case described by cybersecurity company Darktrace, hackers were allegedly able to steal data from a casino’s otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank.

Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.

Products that fail to comply with the rules could face being recalled, and the companies responsible could face a maximum fine of £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.

The law will be regulated by the Office for Product Safety and Standards (OPSS), which is part of the Department for Business and Trade rather than an independent body.

[…]

Similar laws are being advanced elsewhere, although none have entered into effect. The European Union’s Cyber Resilience Act is yet to be finally agreed, but its similar provisions aren’t expected to apply within the bloc until 2027.

There is no federal law about securing consumer IoT devices in the United States, although the IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology “to develop and publish standards and guidelines for the federal government” on how they use IoT devices.

Source: UK becomes first country to ban default bad passwords on IoT devices

Russia arrests in absentia former world chess champion Garry Kasparov on foreign agent and terrorist charges

Posted on by

Russia has arrested Garry Kasparov and charged him in connection with foreign agent and terrorist charges – much to the former chess champion’s amusement.

The city court in Syktyvkar, the largest city in Russia‘s northwestern Komi region, announced it had arrested the grandmaster in absentia alongside former Russian parliament member Gennady Gudkov, Ivan Tyutrin co-founder of the Free Russia Forum – which has been designated as an ‘undesirable organisation in the country – as well as former environmental activist Yevgenia Chirikova.

All were charged with setting up a terrorist society, according to the court’s press service. As all were charged in their absence, none were physically held in custody.

[…]

Kasparov responded to the court’s bizarre arrest statement in an April 24 post shared on X, formerly Twitter. “In absentia is definitely the best way I’ve ever been arrested,” he said. “Good company, as well. I’m sure we’re all equally honoured that Putin’s terror state is spending time on this that would otherwise go persecuting and murdering.”

Kasparov has found himself in Russian President Vladimir Putin’s firing line after he voiced his opposition to the country’s leader. He has also pursued pro-democracy initiatives in Russia. But he felt unable to continue living in Russia after he was jailed and allegedly beaten by police in 2012, according to the Guardian. He was granted Croatian citizenship in 2014 following repeated difficulties in Russia.

[…]

Source: Russia arrests former world chess champion Garry Kasparov on foreign agent and terrorist charges – World News – Mirror Online

Apple’s ‘incredibly private’ Safari not so private in Europe, allows

Posted on by

Apple’s grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.

Developers Talal Haj Bakry and Tommy Mysk looked into the way Apple implemented the installation process for third-party software marketplaces on iOS with Safari, and concluded Cupertino’s approach is particularly shoddy.

tl;dr: The way Apple has added support for third-party app stores lets any website, when visited by Safari on iOS at least, to ping a chosen approved software marketplace with a unique per-user identifier. That means as users move from website to website, or use a website, these sites can quietly disclose that activity to a non-Apple app store – revealing the sort of things individual netizens find interesting. That info can be used for targeted app promotions, ads, and so on. This appears to apply to iOS 17.4 users in the EU. Whether anyone will exploit this in the wild remains to be seen – but the potential is there.

“Our testing shows that Apple delivered this feature with catastrophic security and privacy flaws,” wrote Bakry and Mysk in an advisory published over the weekend.

Apple – which advertises Safari as “incredibly private” – evidently has undermined privacy among European Union Safari users through a marketplace-kit: URI scheme that potentially allows approved third-party app stores to follow those users around the web.

[…]

The trouble is, any site can trigger a marketplace-kit: request. On EU iOS 17.4 devices, that will cause a unique per-user identifier to be fired off by Safari to an approved marketplace’s servers, leaking the fact that the user was just visiting that site. This happens even if Safari is in private browsing mode. The marketplace’s servers can reject the request, which can also include a custom payload, passing more info about the user to the alternative store.

[…]

Apple doesn’t allow third-party app stores in most parts of the world, citing purported privacy and security concerns – and presumably interest in sustaining its ability to collect commissions for software sales.

But Apple has been designated as a “gatekeeper” under Europe’s Digital Markets Act (DMA) for iOS, the App Store, Safari, and just recently iPadOS.

That designation means the iBiz has been ordered to open its gated community so that European customers can choose third-party app stores and web-based app distribution – also known as side-loading.

But wait, there’s more

According to Bakry and Mysk, Apple’s URI scheme has three significant failings. First, they say, it fails to check the origin of the website, meaning the aforementioned cross-site tracking is possible.

Second, Apple’s MarketplaceKit – its API for third-party stores – doesn’t validate the JSON Web Tokens (JWT) passed as input parameters via incoming requests. “Worse, it blindly relayed the invalid JWT token when calling the /oauth/token endpoint,” observed Bakry and Mysk. “This opens the door to various injection attacks to target either the MarketplaceKit process or the marketplace back-end.”

And third, Apple isn’t using certificate pinning, which leaves the door open for meddling by an intermediary (MITM) during the MarketplaceKit communication exchange. Bakry and Mysk claim they were able to overwrite the servers involved in this process with their own endpoints.

The limiting factor of this attack is that a marketplace must first be approved by Apple before it can undertake this sort of tracking. At present, not many marketplaces have won approval. We’re aware of the B2B Mobivention App marketplace, AltStore, and Setapp. Epic Games has also planned an iOS store. A few other marketplaces will work after an iThing jailbreak, but they’re unlikely to attract many consumers.

Nope, the costs to set up your own store are prohibitive and you still have to funnel proceeds to Apple – see also Shameless Insult, Malicious Compliance, Junk Fees, Extortion Regime: Industry Reacts To Apple’s Proposed Changes Over Digital Markets Act

“The flaw of exposing users in the EU to tracking is the result of Apple insisting on inserting itself between marketplaces and their users,” asserted Bakry and Mysk. “This is why Apple needs to pass an identifier to the marketplaces so they can identify installs and perhaps better calculate the due Core Technology Fee (CTF).”

They urge iOS users in Europe to use Brave rather than Safari because Brave’s implementation checks the origin of the website against the URL to prevent cross-site tracking.

Back when Apple planned not to support Home Screen web apps in Europe – a gambit later abandoned after developer complaints and regulatory pressure – the iGiant justified its position by arguing the amount of work required “was not practical to undertake given the other demands of the DMA.” By not making the extra effort to implement third-party app stores securely, Apple has arguably turned its security and privacy concerns into a self-fulfilling prophecy.

In its remarks [PDF] on complying with the DMA, Apple declared, “In the EU, every user’s security, privacy, and safety will depend in part on two questions. First, are alternative marketplaces and payment processors capable of protecting users? And, second, are they interested in doing so?”

There’s also the question of whether Apple is capable of protecting users – and whether it’s interested in doing so.

[…]

Source: Apple’s ‘incredibly private’ Safari not so private in Europe • The Register