Phone Metadata Suddenly Not So ‘Harmless’ When It’s The FBI’s Data Being Harvested

[…] While trying to fend off attacks on Section 215 collections (most of which are governed [in the loosest sense of the word] by the Third Party Doctrine), the NSA and its domestic-facing remora, the FBI, insisted collecting and storing massive amounts of phone metadata was no more a constitutional violation than it was a privacy violation.

Suddenly — thanks to the ongoing, massive compromising of major US telecom firms by Chinese state-sanctioned hackers — the FBI is getting hot and bothered about the bulk collection of its own phone metadata by (gasp!) a government agency. (h/t Kevin Collier on Bluesky)

FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.

[…]

The data was believed to include agents’ mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren’t on the AT&T network, such as through encrypted messaging apps, weren’t part of the stolen data.

The agency (quite correctly!) believes the metadata could be used to identify agents, as well as their contacts and confidential sources. Of course it can.

[…]

The issue, of course, is that the Intelligence Community consistently downplayed this exact aspect of the bulk collection, claiming it was no more intrusive than scanning every piece of domestic mail (!) or harvesting millions of credit card records just because the Fourth Amendment (as interpreted by the Supreme Court) doesn’t say the government can’t.

There are real risks to real people who are affected by hacks like these. The same thing applies when the US government does it. It’s not just a bunch of data that’s mostly useless. Harvesting metadata in bulk allows the US government to do the same thing Chinese hackers are doing with it: identifying individuals, sussing out their personal networks, and building from that to turn numbers into adversarial actions — whether it’s the arrest of suspected terrorists or the further compromising of US government agents by hostile foreign forces.

The takeaway isn’t the inherent irony. It’s that the FBI and NSA spent years pretending the fears expressed by activists and legislators were overblown. Officials repeatedly claimed the information was of almost zero utility, despite mounting several efforts to protect this collection from being shut down by the federal government. In the end, the phone metadata program (at least as it applies to landlines) was terminated. But there’s more than a hint of egregious hypocrisy in the FBI’s sudden concern about how much can be revealed by “just” metadata.

Source: Phone Metadata Suddenly Not So ‘Harmless’ When It’s The FBI’s Data Being Harvested | Techdirt

Trump Disbands Cybersecurity Board Investigating Worst Hack in US History: Massive Chinese Phone System Invasion

[…] We’re still nowhere near understanding just how bad the Chinese hack of our phone system was. The incident that was only discovered last fall involved the Chinese hacking group Salt Typhoon, which used the US’s CALEA phone wiretapping system as a backdoor to gain incredible, unprecedented access to much of the US’s phone system “for months or longer.”

As details come out, the extent of the hackers’ access has become increasingly alarming. It is reasonable to call it the worst hack in US history.

Soon after it was discovered, Homeland Security tasked the Cyber Safety Review Board (CSRB) to lead an investigation into the hack to uncover what allowed it to happen and assess how bad it really was. The CSRB was established by Joe Biden to improve the government’s cybersecurity in the face of global cybersecurity attacks on our infrastructure and was made up of a mix of government and private sector cybersecurity experts.

And one of the first things Donald Trump did upon retaking the presidency was to dismantle the board, along with all other DHS Advisory Committees.

It’s one thing to say the new president should get to pick new members for these advisory boards, but it’s another thing altogether to just summarily dismiss the very board that is in the middle of investigating this hugely impactful hack of our telephone systems in a way that isn’t yet fully understood.

Just before the presidential switch, the Biden administration had announced sanctions against a Chinese front corporation that was connected to the hack. And while the details are still sparse, all indications are that this was a massive and damaging attack on critical US infrastructure.

And one of Trump’s moves is to disband the group of experts who was trying to get to the bottom of what happened.

This seems… bad?

Cybersecurity researcher Kevin Beaumont said on the social media platform Bluesky that the move would give Microsoft a “free pass,” referring to the CSRB’s critical report of the tech giant — and Beaumont’s former employer — over its handling of a prior Chinese hacker breach.

Jake Williams, faculty at IANS Research, went even further on the same website: “We should have been putting more resources into the CSRB, not dismantling it,” he wrote. “There’s zero doubt that killing the CSRB [would] hurt national security.”

While some have speculated that this move is an attempt to cover up the extent of the breach or even deliberately assist the Chinese, a more likely explanation is simple incompetence[…]

Source: Trump Disbands Cybersecurity Board Investigating Massive Chinese Phone System Hack | Techdirt

Circle to Search now offers one-tap actions for phone numbers, emails and URLs

[…] As a reminder, Circle to Search is an AI-powered feature Google released at the start of last year. You can access it by long-pressing your phone’s home button and then circling something with your finger. At its most basic, the feature is a way to use Google Search from anywhere on your phone, with no need to switch between apps. It’s particularly useful if you want to conduct an image search since you don’t need to take a screenshot or describe what you’re looking at to Google.

As for those enhancements I mentioned, Google is adding one-tap actions for phone numbers, email addresses and URLs, meaning if Circle to Search detects those, it will allow you to call, email or visit a website with a single tap. Again, there’s no need to switch between apps to interact with those elements.[…]

Source: Circle to Search now offers one-tap actions for phone numbers, emails and URLs

Subaru Security Flaws Exposed Its System for Tracking, Remote Controlling Millions of Cars

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza’s internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru’s location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

[Figure: map of location points plotted over a neighborhood. Caption: A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities. Screenshot courtesy of Sam Curry.]

“You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company’s vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company’s staff allowed them to hijack an employee’s account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies’ web tools that have yet to be discovered.

[…]

Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

[…]

In December, information a whistleblower provided to the German hacker collective the Chaos Computer Club and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla’s report reads.

[…]

Source: Subaru Security Flaws Exposed Its System for Tracking Millions of Cars | WIRED

Magic Packet Backdoor Found on Juniper VPN Routers

Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.

The devices were infected with what appears to be a variant of cd00r, a publicly available “invisible backdoor” designed to operate stealthily on a victim’s machine by monitoring network traffic for specific conditions before activating.

It’s not yet publicly known how the snoops gained sufficient access to certain organizations’ Junos OS equipment to plant the backdoor, which gives them remote control over the networking gear. What we do know is that about half of the devices have been configured as VPN gateways.

Once injected, the backdoor, dubbed J-magic by Black Lotus Labs this week, resides in memory only and passively waits for one of five possible network packets to arrive. When one of those magic packet sequences is received by the machine, a connection is established with the sender, and a follow-up challenge is initiated by the backdoor. If the sender passes the test, they get command-line access to the box to commandeer it.

As Black Lotus Labs explained in this research note on Thursday: “Once that challenge is complete, J-Magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.”

While it’s not the first-ever discovered magic packet [PDF] malware, the team wrote, “the combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory-only agent, makes this an interesting confluence of tradecraft worthy of further observation.”

[…]

The malware creates an eBPF filter to monitor traffic to a specified network interface and port, and waits until it receives any of five specifically crafted packets from the outside world. If one of these magic packets – described in the lab’s report – shows up, the backdoor connects to whoever sent the magic packet using SSL; sends a random, five-character-long alphanumeric string encrypted using a hardcoded public RSA key to the sender; and if the sender can decrypt the string using the private half of the key pair and send it back to the backdoor to verify, the malware will start accepting commands via the connection to run on the box.
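The two passages above describe the same observable sequence: the implant sits silently until a trigger packet arrives, then the router itself opens an outbound TLS session back to the sender. Because the agent lives only in memory on the device, the device's own logs are the wrong place to look; network flow records taken upstream of the gateway are not. The following is an added example, not code from The Register's article or from Black Lotus Labs, that turns that sequence into a flow-level detection: a VPN gateway normally terminates sessions rather than originating them, so "router initiates a brand-new TCP session to an external host that sent it an unsolicited packet moments earlier" is a narrow signal. The record format, the addresses, the ports and the time window are constructed assumptions, not values from the report.

```python
"""
Heuristic detection of a magic-packet callback in flow records.

Added example (not the article's or Black Lotus Labs' code). Record format,
addresses, ports and window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed record format: "<iso-timestamp> <proto> <src>:<sport> > <dst>:<dport> <bytes>"
def parse_flow(line: str) -> Flow:
    ts, proto, src, _, dst, nbytes = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), proto.lower(),
                src_ip, int(sport), dst_ip, int(dport), int(nbytes))


def is_reply(inbound: Flow, outbound: Flow) -> bool:
    """True when `outbound` is just the reverse half of the session `inbound`
    opened (4-tuple mirrored). A callback uses a fresh source port on the
    router, so its tuple is not a mirror of the trigger's."""
    return (outbound.sport, outbound.dport) == (inbound.dport, inbound.sport)


def find_callbacks(flows, router_ips, window=timedelta(seconds=60)):
    """Return (trigger, callback) pairs: an inbound flow to a router followed,
    within `window`, by a NEW TCP session from that router back to the sender.
    Flow records are sorted by time so only earlier records are consulted."""
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, out in enumerate(ordered):
        # Only sessions the router itself originates towards an external host.
        if out.proto != "tcp" or out.src not in router_ips or out.dst in router_ips:
            continue
        for prior in ordered[:i]:
            if out.ts - prior.ts > window:
                continue
            if prior.dst == out.src and prior.src == out.dst and not is_reply(prior, out):
                hits.append((prior, out))
                break
    return hits


# Constructed sample: the gateway's public address (assumption).
ROUTER_IPS = {"203.0.113.10"}

# Constructed flow records. Lines 1-4 are ordinary VPN/HTTPS traffic with their
# reply halves; line 5 is the router's own NTP query (outbound but unsolicited
# by any peer); lines 6-7 are a single small inbound packet followed by the
# router opening a new TCP session back to that sender on an unrelated port.
SAMPLE_FLOWS = """\
2025-01-20T08:00:01 udp 198.51.100.20:4500 > 203.0.113.10:4500 1400
2025-01-20T08:00:01 udp 203.0.113.10:4500 > 198.51.100.20:4500 980
2025-01-20T08:00:05 tcp 198.51.100.31:52210 > 203.0.113.10:443 620
2025-01-20T08:00:05 tcp 203.0.113.10:443 > 198.51.100.31:52210 4100
2025-01-20T08:00:30 udp 203.0.113.10:123 > 192.0.2.5:123 76
2025-01-20T08:01:10 tcp 198.51.100.77:41000 > 203.0.113.10:443 60
2025-01-20T08:01:12 tcp 203.0.113.10:49152 > 198.51.100.77:8443 5120
""".splitlines()


def scan(lines, router_ips=ROUTER_IPS):
    """Parse raw records and return the suspicious (trigger, callback) pairs."""
    return find_callbacks([parse_flow(l) for l in lines if l.strip()], router_ips)


if __name__ == "__main__":
    for trigger, cb in scan(SAMPLE_FLOWS):
        gap = (cb.ts - trigger.ts).total_seconds()
        print(f"ALERT {cb.src} opened a new {cb.proto} session to {cb.dst}:{cb.dport} "
              f"{gap:.0f}s after an unsolicited {trigger.nbytes}-byte packet from it "
              f"(to port {trigger.dport})")
```

Feed it NetFlow/IPFIX or firewall session logs exported by a device upstream of the gateway, with the gateway's public addresses in `router_ips`. The `is_reply` check matters: without it every return half of a legitimate VPN or HTTPS session looks like the router "connecting back" to a client. The rule is deliberately narrow and matches only what the report describes (a callback to the trigger's sender over TCP); an implant that called a third-party host or used UDP would need a different rule, such as baselining which destinations the gateway ever originates sessions to.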

[…]

These victims span the globe, with the researchers documenting companies in the US, UK, Norway, the Netherlands, Russia, Armenia, Brazil, and Colombia. They included a fiber optics firm, a solar panel maker, manufacturing companies including two that build or lease heavy machinery, and one that makes boats and ferries, plus energy, technology, and semiconductor firms.

While most of the targeted devices were Juniper routers acting as VPN gateways, a more limited set of targeted IP addresses had an exposed NETCONF port, which is commonly used to help automate router configuration information and management.

This suggests the routers are part of a larger, managed fleet such as those in a network service provider, the researchers note.

[…]

Source: Mysterious backdoor found on select Juniper routers • The Register