May 2017 news roundup

Target is still paying for their 2013 data breach

Remember Target’s data breach from a few years ago? They are still paying for that. Target recently agreed to an $18.5 million settlement with 47 states and the District of Columbia. That NYT article mentions a $202 million total for “legal fees and other costs since the breach” (I tried reading the linked SEC statement about those payments and lost interest immediately). I don’t know if that $202 million includes this $18.5 million amount, but that’s an expensive mistake any way you look at it.

Breaking news: IoT still terrible

New research shows that Internet of Things (IoT) devices can divulge a lot of information about their owners. The researchers found that a passive network tap on a home network allowed them to monitor traffic rates for several IoT devices. Even if they couldn’t read the traffic itself, the researchers were able to infer a lot just by watching DNS queries and changes in the traffic rates of devices like sleep monitors, motion-activated security cameras, and an Amazon Echo. (This technique of traffic analysis has a long history.)

So imagine that your story’s character needs to spy on someone. If she can identify an exploit for the wireless router the target uses for his home network, she could potentially eavesdrop on the traffic going in and out of his home. If the sleep sensor tells her that he’s sleeping, or if a camera shows movement in one part of the house, that might tell her something useful.

BTW, the Amazon Echo inspired what has become my favorite XKCD entry.

Defeating security cameras

This one is a little older, so vendors have at least partially addressed these specific vulnerabilities, but it’s pretty interesting. Someone published exploits against several consumer-grade security cameras. These cameras have a similar setup process:

  • Mount the camera somewhere
  • Download a vendor-supplied app to your phone
  • Use the app to configure the camera via bluetooth (your phone talks directly to the camera)
  • Configure the camera to connect to your home’s wireless network
  • The camera sends image data to the cloud: the camera has no local storage

The researcher found ways to interrupt the operation of several camera models. Sending certain specially-crafted bluetooth messages to the camera would cause it to reboot, taking it briefly offline. Sending another kind of bluetooth message would tell the camera to connect to a different wireless network. If the attacker brings along a wireless access point (WAP) transmitting the same SSID specified in the bluetooth message, the camera will connect to that WAP, rendering the camera ineffective.

This latter exploit provides a more plausible version of the overused trope of splicing into a camera’s feed, recording a few minutes of boring footage, and replaying it endlessly for the security guard. If the camera only sends data to the cloud when it detects motion, then the absence of data implies the absence of motion. The attacker just needs some off-the-shelf hardware, some publicly-available exploit code, and physical proximity (bluetooth range) to the camera.

Advertisements

Author: carl

A web programmer and Linux system administrator who would like to be a writer.