Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Android Vulnerable to Spyware Apps, Say Researchers

In a forthcoming paper, to be presented at the Privacy Enhancing Technologies Symposium in Zurich this (northern hemisphere) summer, researchers from UCSD, Cornell and New York Universities will recommend that the Android mobile OS enforce stricter requirements on which apps can hide icons.

At present, it is possible for spyware apps to not appear in the launch bar when they initially open, and to masquerade under innocuous names like "Wi-Fi" or "Internet Service", making it difficult for victims to identify spyware planted on their devices by a disgruntled spouse, partner or other stalker. The apps also resist attempts to install them, and some will also automatically restart themselves after being stopped by the Android system or after reboots. “We recommend adding a dashboard for monitoring apps that will automatically start themselves", say the researchers.

A secondary concern is that spyware apps often do little to protect sensitive information they collect; for example, many do not encrypt data as they upload it to their command and control servers - and this includes the login credentials of the spyware purchaser themselves. On other cases, the uploaded data is stored using public URL's - some of them easily predictable - that makes the data easily accessible. One leading spyware service had an authentication vulnerability that would allow all the data, for every account, to be accessed by third parties.

There are several lessons here. Obviously, some spyware products rely on simple tricks to evade detection on the victim's phone, and Android could easily be enhanced to eliminate these. But also, people who buy and use spyware are placing themselves at risk.

Patringenaru, Ioana, This is What Happens When Your Phone is Spying on You, UC San Diego Today, 13 March 2023. Available online at https://today.ucsd.edu/story/spywarestudy2023.

Samsung Exynos Modem Chips Vulnerable, Says Google

Sticking with Android for a few moments longer: TechCrunch reports that Google's Project Zero security team has found 18 different zero-day vulnerabilities in the Samsung Exynos modem chips used in many different Android phones, wearables and even vehicles. These include four severe vulnerabilities which could be used to compromise a victim's phone "at the baseband level with no user interaction, and require only that the attacker know the victim's phone number", according to Project Zero head Tim Willis.

Among the affected devices - although there are more - are:

• Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  
• Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series;
  
• Google Pixel 6 and Pixel 7 series (patched in the March security update);
  
• Connected vehicles that use the Exynos Auto T5123 chipset.

While they wait for patches, suggested user mitigations include turning off wi-fi calling and Voice-over-LTE in the device settings. The remaining 14 vulnerabilities are less severe since they require either access to the device or internal access to the cellular network systems.

Whittaker, Zack, Google warns users to take action to protect against remotely exploitable flaws in popular Android phones, TechCrunch, 17 March 2023. Available online at https://techcrunch.com/2023/03/16/google-warning-samsung-chips-flaws-android/.

Australian Taxation Office, Centrelink, Accounts Vulnerable to Voice Deepfake Attack

Both the Australian Taxation Office and the Commowealth social services agency Centrelink give their clients the option of verifying their identity over the phone using a "voiceprint" along with some other information. Now a Guardian journalist has discovered that using just four minutes of training audio they were able to use a machine learning-based voice cloning app to generate a synthetic voiceprint and then use this, along with their customer reference number, to gain access to their own account.

This would allow an attacker to access sensitive information held by either government agency, and illustrates the danger of relying such an easily-fakable characteristic as a form of biometric authentication. The same technique has been adopted by a number of banks and other agencies world-wide, who should perhaps be putting their efforts behind cryptographic techniques instead.

Evershed, Nick and Josh Taylor, AI can fool voice recognition used to verify identity by Centrelink and Australian tax office, The Guardian, 17 March 2023. Available online at https://www.theguardian.com/technology/2023/mar/16/voice-system-used-to-verify-identity-by-centrelink-can-be-fooled-by-ai.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.