Pretty much every aspect of the effort to create easy-to-understand labels for Internet-of-Things (IoT) products is up in the air, according to participants in the process.

The effort to create informative labels to give buyers insight into the cybersecurity of connected devices continues to advance, but very slowly, according to technology firms and the US government.

Last week, Google published a blog post outlining the company's stance on what should be included in product labels for Internet of Things (IoT) devices. It described five principles that should guide the industry, including a minimum security baseline, adherence to international standards, and allowing the label to change as knowledge of the security landscape changes. The need for a statement focusing on basics highlights the slow paces at which the standards are being developed.

One reason that IoT cybersecurity labelling standards are in their "early stages" is because the Internet of Things includes a massive number of products and categories, says Dave Kleidermacher, vice president of engineering for Android Security & Privacy at Google.

"Simplification of IoT security remains a challenge that the industry continues to work on," he says. "This is largely due to the fact that IoT has a broad spectrum of product categories like light bulbs and smart displays, which have very different levels of required security."

Google's published statement comes two weeks after the White House called together technologists from government and private industry for a summit on the progress in IoT labeling, and more than a year after the US National Institute of Standards and Technology (NIST) held its "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software," an effort to create IoT product labels that communicate the security state of applications and connected devices.

Both meetings were striving to deliver on the Biden administration's May 2021 "Executive Order on Improving the Nation's Cybersecurity," which mandates developing standards. The goal of the latest meeting was to continue progress toward a nutrition label or an Energy Star-like system that speaks to the security of any connected device, the Biden administration said in a statement.

"\[The\] dialogue focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label," the White House said in an Oct. 20 statement. "Government and industry leaders discussed the importance of a trusted program to increase security across consumer devices that connect to the Internet by equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices."

**No to Printed Labels, Yes to International Standards**

Progress is slow, Google stated in its blog post. Almost all of the details of IoT product labeling are up in the air, including "the definition of labeling, what labeling needs to convey in terms of security and privacy, where the label should reside, and how to achieve consumer acceptance."

Printed labels should be avoided, because security is ever-changing, and any label would only document a point in the past, Kleidermacher says.

"Labels need to be digital," he says. "Because the security posture of a device can change in a matter of days, providing a printed label could inadvertently hurt the user by providing potentially stale information or lead a consumer to buy a device which is no longer safe."

Google pointed to security label specifications being created by the IoT-focused Connectivity Standards Alliance (CSA) and the GSM Association, a mobile device industry group, as potential starting places.

"Being able to offer helpful, useful information to allow consumers to enable better purchase decisions is the core of the consensus building around IoT security labeling," Kleidermacher says. "The rest is still very much up for debate, including how the label should look — that is, binary or multi-level — where it should reside, and what the label should include."

**Binary Labels Get NIST's Nod**

One area of disagreement is whether labels should be binary — yes, a product meets standards, or no, it does not — or allow for a spectrum of cybersecurity ratings. In its final draft of its "Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products," NIST recommended in September a binary label for the baseline standard. In a statement published in October, the Biden administration committed to quickly develop the standards for labeling of "the most common, and often most at-risk, technologies — routers and home cameras."

Google's Kleidermacher noted that the binary approach deviates from multitiered labeling schemes adopted in other countries, such as Singapore. The company hopes that the United States and other countries can work through industry alliances to create a standard global approach for attesting to cybersecurity.

"Because these organizations bridge industry and policy makers, we hope that this could help drive speedy adoption through collaboration, coordination, and the sharing of ideas," he says. "Many countries have already started mandating minimum security baselines through regulation efforts, so it is imperative that the United States participate in international discussions to create coherent, interoperable standards."

Cybersecurity 'Nutrition' Labels Still a Work in Progress

Multifactor authentication has gained adoption among organizations as a way of improving security over passwords alone, but increasing theft of browser cookies undermines that security.

When the malware group Lapsus$ needed to gain access to systems compromised in recent breaches, it not only searched for passwords but also for the session tokens — that is, cookies — used to authenticate a device or browser as legitimate.

Their tactics for initial access highlights a trend among attackers, who will buy passwords and cookies on the criminals underground use them to access cloud services and on-premises applications. In addition, when they do get access to a system, attackers prioritize stealing cookies for later use or for sale. Session cookies have become the way for attackers to bypass multifactor authentication (MFA) mechanism that otherwise protect systems and cloud services from attackers, says Andy Thompson, global research evangelist at CyberArk Labs.

In a presentation at Black Hat Middle East and Africa next week, CyberArk researchers will demonstrate how attackers can steal session cookies and then use them to gain access to business and cloud services.

"The crazy part is that this applies to all types of multifactor, because stealing these cookies bypasses both authentication and authorization," Thompson says. "Once you have authenticated using multifactor, that cookie is established on the endpoint, and the attacker can then use it for later access."

Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer malware-as-a-service, and the RedLine Stealer keylogger all have functionality for stealing sessions tokens from the browsers installed on a victim's system

In August, security software firm Sophos noted that the popular red-teaming and attack tools Mimikatz, Metasploit Meterpreter, and Cobalt Strike all could be used to harvest cookies from the browsers' caches as well, which the firm called "the new perimeter bypass."

"Cookies associated with authentication to Web services can be used by attackers in 'pass the cookie' attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to Web services without a login challenge," Sean Gallagher, a threat researcher with Sophos, stated in the August blog post. "This is similar to 'pass the hash' attacks, which use locally stored authentication hashes to gain access to network resources without having to crack the passwords."

**An Easy Attack for Sustaining Access**

Stealing cookies is a pretty basic attack, but one that has grown in importance as more companies adopt adaptive authentication strategies, which use a cookie to allow a users on a specific browser and device to access a protected service, without having to reenter a multifactor authentication code.

For attackers, there is very little needed to make the attack successful. As long as they have some sort of access to a machine, they can grab the cookies, says CyberArk's Thompson.

"Most attacks require some sort of elevation of privilege to install software," he says. "With this, we have everything we need, regardless of the level of privilege. Even as a non-admin, we are still vulnerable to cookie harvesting."

**Attackers Take on MFA by Necessity**

While stealing session cookies are a common way that attackers bypass multifactor authentication, there are a host of others as well. Keylogging can circumvent MFA by grabbing the one-time password used by many companies, while an adversary-in-the-middle attack can capture security information being sent both to and from a targeted service.

Attackers can also attempt to access an account repeatedly, with the backend system sending an authentication request to the actual user. Known as MFA bombing, the technique's goal is to overwhelm the user with requests and, from fatigue or from too little skepticism, have them click to allow the access. Attackers used stolen cookies and MFA bombing to compromise ride-share giant Uber and entertainment firm Take-Two Interactive.

Overall, the way to prevent attackers from bypassing MFA is to have additional security software on systems to detect the theft of cookies, says CyberArk's Thompson. So rather than just push users to adopt password managers and MFA and call that sufficient, companies need to adopt some sort of endpoint control as well, he says.

"We also need some ability to have a sort of least privilege or application control, antivirus, or EDR/XDR — any of those are really critical in solving the gap," Thompson says. "We want to prevent malicious tools and actors from harvesting passwords or harvesting cookie information from memory."

Cookies for MFA Bypass Gain Traction Among Cyberattackers

The bug affects several Aiphone GT models using NFC technology and allows malicious actors to potentially gain access to sensitive facilities.

A vulnerability in a series of popular digital door-entry systems offered by Aiphone can enable hackers to breach the entry systems — simply by utilizing a mobile device and a near-field communication, or NFC, tag.

The devices in question (GT-DMB-N, GT-DMB-LVN, and GT-DB-VN) are used by high-profile customers, including the White House and the United Kingdom's Houses of Parliament.

The vulnerability was discovered by a researcher with the Norwegian security firm Promon, who also found there is no limit to the number of times an incorrect password can be entered on some Aiphone door-lock systems.

After finding the admin passcode, the malicious actor could then inject the serial number of a new NFC tag containing the admin passcode back into the system's log of approved tags.

"This would give the attacker both the code in plaintext that can then be punched into the keypad, but also an NFC tag that can be used to gain access to the building without the need to touch any buttons at all," a blog post reporting the vulnerability explained.

Because the Aiphone system does not keep logs of the attempts, there is no digital trace of the hack.

Promon first alerted Aiphone to the issue in June 2021. The company said systems built before Dec. 7 of that year are unable to be fixed, but any systems built after that date include a feature limiting the number of passcode attempts that can be made.

The Promon report noted Aiphone alerted its customers to the existence of the vulnerability, which is tracked as CVE-2022-40903.

Despite the alarming top-line findings, Promon security researcher Cameron Lowell Palmer, who discovered the vulnerability, calls this kind of IoT security oversight "fairly typical." From an administrative standpoint, adding NFC was a win, but it exposed the system to this new attack vector, he explains.

"The system started off with some reasonable design choices, and with the addition of the NFC interface, the design became dangerous," he explains. "This product seems, to me, predicated upon the notion of physical security, and when NFC was added, they added a touchless high-speed data port on the exterior of the building, which violated the premise."

**Nobody Thought of Brute Force NFC Access**

Mike Parkin, senior technical engineer at Vulcan Cyber, says the lack of throttling or lockout features indicates that no one thought of an attacker trying to brute-force NFC access when the product was designed.

"Or, if they did, they believed the risk of an attacker doing it in the field was low enough to omit those security features," he adds.

He says the real questions are how many of these inherently vulnerable systems are deployed, and, just as important, what other products, from this or other vendors, use digital access without throttling or lockout timers to blunt a brute-force attack.

Palmer adds that NFC and IoT are challenging technologies to secure, which makes him think that vendors that are not collaborating with others for security are walking down a dangerous path.

"Developers and companies try to make the very best product they can, which is already hard," he says. "It is especially easy to make security gaffes, because security is usually not their area of expertise, and in many cases it does not directly improve the user experience."

Roger Grimes, data-driven defense evangelist at KnowBe4, is harsher, and says the vulnerability suggests that Aiphone did not even do basic threat modeling.

"It makes me suspicious of their entire design, security-wise," he says. "This is not just a problem with this vendor. You can name nearly any vendor or product you like, and they are also not doing the appropriate threat modeling."

**No Security by Design for IoT**

Jason Hicks, field CISO and executive adviser at Coalfire, explains that in recent years there has been a push to integrate things like remote access, voice over IP (VoIP), and newer wireless technologies like NFC to physical security systems.

"This introduces new attack vectors that physical access designers are not used to having to consider how to secure," he says. "The same basic security best practices we apply to IT equipment needs to be extended to these systems in a consistent manner."

For instance, "storing passwords in a plaintext file is something that should be avoided for obvious reasons," he says.

Hicks adds that there are many IoT devices whose compromise would not create much of a security issue — but access control systems are not one of them. A hack here could result in loss or physical harm.

Therefore, vendors need to train all developers on how to develop secure software and secure products.

"It's always seemed ironic to me that security vendors supplying me a \[physical\] security product don't train — or require — their developers in how to securely develop software and products," Grimes says. "How can you expect a developer with no training in secure development to naturally just figure it out?"

Palmer advises IoT companies to take even simple steps: Hire outside experts and have them test out the security of the devices regularly, for example.

**For Organizations, It's Tough Avoid IoT Dangers**

Bud Broomhead, CEO at Viakoo, says IoT represents the fastest-growing attack surface, adding that there are many reasons for that, starting with the fact that users often overlook security implications.

"IoT devices are typically managed by the line of business and not IT, so there is both a lack of skills and knowledge about maintaining cyber hygiene," he says.

He adds that many IoT systems are budgeted as a capital expenditure but do not always have the operating budget assigned to them to maintain their security.

"They are very hard to patch manually, and often have out-of-date firmware when they are brand new, and they exist in the supply chain for long periods of time," he says.

They also use a lot of open source software containing vulnerabilities and lack software bills of material (SBOMs) to quickly determine if the device contains those vulnerabilities. Broomhead adds there are often multiple makes/models that perform similar functions, so when a vulnerability is present, it takes multiple manufacturers to provide patches.

"There needs to be auditable compliance requirements, and coordination between the silos within an organization so that IoT security is shared across multiple disciplines including IT, CISO office, and the lines of business," he says.

For organizations struggling to protect a rapidly expanding volume of IoT devices, he adds, IoT fingerprinting could help with security and management.

Knock, Knock: Aiphone Bug Allows Cyberattackers to Literally Open (Physical) Doors

Chinese government employs spyware to detect so-called "pre-crimes" including using a VPN, religious apps, or WhatsApp, new analysis reveals.

As part of its widely documented, brutal suppression of Muslim Uyghur populations, the Chinese government has been deploying spyware to hunt down what it deems to be "religious extremists" and detain them.

Researchers at Lookout Threat Labs reported People's Republic of China-backed threat groups have widely distributed spyware called BadBazaar and Moonshine across Uyghur-language sites and social media. The spyware is trying to catch what Lookout's report ominously called "pre-crimes," like using a VPN, Muslim religious apps, or even WhatsApp.

Notably, these malicious apps attract Uyghur-speaking people across the globe, not just inside China.

One campaign Lookout documented distributed a link from the Twitter handle @MalwareHunterTeam that appeared to be a legitimate English-Uyghur dictionary application, but was instead loaded with malware. The Lookout team was able to trace the malicious app back to the Chinese-backed group APT15.

In all, the researchers found more than 100 BadBazaar samples scattered across Uyghur-language communications channels.

**Phony Apps, Long-Term Consequences**

The new report is yet another reminder that it's critical for users to be careful about what they download and to be aware that they may be targeted by sophisticated phishing lures, Darren Guccione, CEO of Keeper Security, explains to Dark Reading.

"Malware disguised as legitimate applications can have devastating and long-term adverse consequences, particularly when used for espionage to propagate human rights abuses," Guccione says. "These phony apps can unknowingly collect a host of information from location data to text messages, photos, and phone calls."

Kristina Balaam, staff security intelligence engineer at Lookout, adds that users should stick with reputable sources for their applications.

"If you're unable to download an app you want on Google Play, for example, there's probably a good reason for that," Balaam tells Dark Reading. "The official app stores go through vigorous vetting processes to ensure consumers are downloading apps that are safe and free from malware and other threats that can cause damage. Once consumers start looking for workarounds, they could be unintentionally exposing themselves to malicious threats."

For Uyghurs, downloading the wrong applications can mean arrest or worse. On Oct. 31, 50 countries issued a joint statement denouncing the Chinese government's ongoing human rights abuses against Uyghur populations.

Uyghurs Targeted With Spyware, Courtesy of PRC

With only about 15% of vulnerabilities actually exploitable, patching every vulnerability is not an effective use of time.

As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.

While IT and security teams dislike CVEs because of the threat they pose and the mountain of remediation work they create for them, what troubles me is the way our modern security procedures relate to CVEs. Our mitigation strategies have become too focused on "vulnerability management" and are too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.

Vulnerability management as a primary strategy doesn't really work. According to the National Institute for Standards and Technology, 20,158 new vulnerabilities were discovered in 2021 alone. This represented the fifth consecutive year of record numbers for vulnerability discovery, and it looks like 2022 may very well continue the trend. Security teams cannot reasonably patch 20,000 new vulnerabilities a year, and even if they could, they shouldn't.

This might sound counterintuitive, but there are a few reasons why it's not. The first is that recent research reveals that only about 15% of vulnerabilities are actually exploitable, and so patching every vulnerability is not an effective use of time for security teams that have no shortage of tasks. The second and equally important reason is that even if you did continuously patch 100% of the CVEs in your network, this likely still wouldn't be effective at stopping hackers.

**Hacker Strategies Are Vast and Varied**

Phishing, spear-phishing, varying levels of social engineering, leaked credentials, default credentials, unauthenticated access using standard interfaces (FTP, SMB, HTTP, etc.), accessible hotspots with no passwords, network poisoning, password cracking — the list of strategies that hackers are employing is vast and varied, and many don't even require a high-level CVE, or any CVE at all, to be dangerous to an organization. The recent Uber breach is an excellent example of how hackers exploited an organization without utilizing the latest CVEs or overly complicated attack methods to target organizations.

Depending on whether you believe what the hacker claimed on Uber's Slack channel, or Uber's recent comments, the hacker was either an 18-year-old who exfiltrated data from an Uber staffer via a clever social-engineering/spear-phishing attack, or the work of South American hacking group Lapsus$, which executed a spear-phishing attack, utilizing the leaked credentials of a third-party contractor obtained from the Dark Web. In either scenario, there was no complicated coding or vulnerability exploitation that went on here. Instead, it was a variation on an old-school tactic that is tried and true.

**It's Not The Vulnerability but the Vector That Matters**

I don't want anyone to get the wrong idea. Patching is very important; it's a critical part of a strong security posture, and a crucial component of every security strategy. The issue is that many tools today prioritize remediation recommendations based solely on Common Vulnerability Scoring System (CVSS) scores, and what gets lost is the organizational context; the understanding of how to separate the meaningful 15% of vulnerabilities from the other 85%.

As an experienced penetration tester in the Israeli Defense Forces and vice president of research, leading a team of ex-pen testers and red teamers at Pentera, what I've learned is that it's not the vulnerability but the vector that matters. Just because your attack doesn't begin with a major vulnerability doesn't mean it won't end with one. The most dangerous vulnerability to your organization might be a 5.7/10 CVSS score hidden at the bottom of a list of high-scoring false positives.

**Leaked Credentials Are a Bigger Threat**

Leaked credentials likely pose a far greater threat to the average organization than the next dozen CVEs to be announced combined, yet many organizations have no protocol in place to discover if any of their credentials are floating around in the darker parts of the Web. We act as if hackers will spend countless hours developing new CVEs, while they are really just looking for the most efficient way to access our networks. Many of today's hackers, and hacking groups, are financially motivated, and like any organization they want the best ROI for their time. Why spend time executing a complicated attack when you can just buy or scrape the credentials?

Right now, our defenses aren't working, and we, as security professionals, need to reexamine where the weak points are. While vulnerability management is definitely a core part of any meaningful security strategy, we need to move away from it as a primary methodology. Instead, we need to take a good look at the strategies hackers are utilizing and base our security strategies on how to stop them. If we want our security to actually be effective toward reducing our exposure, our strategies must focus on understanding the real-world techniques and methodologies that hackers are using to exploit us.

Why CVE Management as a Primary Strategy Doesn't Work

Okta Worforce Identity Cloud has all three identity functions – identity access management, identity governance, and privilege access management – under the hood.

Identity is at the cornerstone of everything people do online – and is one of the biggest security challenges. In a bid to help organizations streamline how they manage logins and identity, Okta introduced the Okta Workforce Identity Cloud at its annual Oktane22 conference this week.

Organizations have to ensure that the right levels of access is given only to those authorized to have them. The fact that people are now more mobile than ever – they can be on any number of devices, in various geographic locations, and connecting to different networks – complicates the task even further. Organizations are also juggling identity and access requirements from customers, employees, contractors, and partners.

Workforce Identity Cloud unifies identity governance and administration, identity access management, and privilege access management. For many organizations, these three functions are often handled by three distinct tools, forcing security teams to cobble together integrations and handoffs that check users are who they say they are and to give them the right level of access for the task they are trying to accomplish.

The resulting effort tends to be cumbersome, brittle, and difficult to scale. It's also harder to identify the security gaps. Identity and access management providers are increasingly addressing the fact that IAM has to go hand-in-hand with identity governance and privileged access.

Workforce Identity Cloud brings together Okta's core identity and access management tools; Okta Identity Governance, which simplifies the process of requesting and granting access to resources; and Okta Privileged Access, which secures highly-privileged credentials for administrator and root accounts, as well as to monitor and record privileged access. There is also an orchestration layer for automation.

The platform provides identity validation services for consumers as well as for enterprise customers, according to Okta. Phishing-resistant measures include a WebAuthn allow list to restrict WebAuthn enrollment to specific hardware keys. IT can also manage passkeys and apply enhanced security checks for unmanaged devices. Most capabilities are available today, and more features (such as support for "highly regulated identity" management) will be added by the end of next year's second quarter, according to Okta.

"Workforce Identity Cloud unifies the identity market’s previously siloed legacy solutions into a cohesive and holistic offering that makes identity a growth driver for enterprises," Sagnik Nandy, President and Chief Development Officer, Workforce Identity at Okta, said in a statement.

Okta Launches New Workforce Identity Cloud

The line between criminal and political aims has become blurred, but motivations matter less than the effects of a breach.

Cybersecurity professionals have long discussed the notion that future conflicts will no longer be fought just on a physical battlefield, but in the digital space as well. Although recent conflicts show that the physical battlefield isn't going anywhere soon, we are also seeing more state-backed cyberattacks than ever before. It is therefore vital that businesses, individuals, and governments ensure they are prepared for an attack. In the digital battleground it isn't just soldiers being targeted — everyone is in the line of fire.

Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyberwarfare are far more complex. In the murky world of state-backed cybercrime, it isn't always government intelligence agencies directly carrying out attacks. Instead, it's far more common to see attacks from organized cybercriminal organizations that have ties to a nation-state. These organizations are known as advanced persistent threat (APT) groups. The infamous APT-28, also known as Fancy Bear, that hacked the Democratic National Committee in 2016 is a great example of this type of espionage.

The loose ties between APT groups and state intelligence agencies mean the lines between international espionage and more traditional cybercrime are blurred. This makes defining whether a particular attack is an "act of cyberwarfare" difficult. As such, security analysts are often only able to hypothesize whether an attack was state backed by percentages and degrees of certainty. This, in a way, is the perfect cover for malicious state agencies that wish to target and disrupt critical infrastructure while lowering the potential for generating a geopolitical crisis or armed conflict.

**If the Enemy Is in Range, So Are You**

Regardless of whether a cyberattack is directly linked to a foreign state agency, attacks on critical infrastructure can have devastating consequences. Critical infrastructure does not just refer to state-owned and operated infrastructure such as power grids and government organizations; banks, large corporations, and ISPs all fall under the umbrella of critical infrastructure targets.

For example, a targeted "hack, pump, and dump" scheme, where multiple personal online trading portfolios are compromised in order to manipulate share prices, could be undertaken by a state-backed group to damage savings and retirement funds in another nation, with potentially catastrophic consequences for the economy.

As governments and private organizations continue to adopt smart and connected IT networks, the risks and potential consequences will continue to grow. Recent research by the University of Michigan found significant security flaws in local traffic light systems. From a single access point, the research team was able to take control of over 100 traffic signals. Although the flaw in this system has subsequently been patched, this highlights the importance of robust, up-to-date inbuilt security systems to protect infrastructure from cyberattacks.

**Defend Now or Be Conquered Later**

With larger and more complex networks, the chance that vulnerabilities can be exploited increases exponentially. If organizations are to stand any chance against a sophisticated state-backed attack, every single endpoint on the network must be continually monitored and secured.

Some have already learned this lesson the hard way. In 2017, US food giant Mondelez was denied a $100 million insurance pay-out after suffering a Russian ATP cyberattack because the attack was deemed to be "an act of war" and not covered under the firm's cybersecurity insurance policy. (The conglomerate and Zurich Insurance recently settled their dispute on undisclosed terms.)

Endpoint security has never been more critical than today. The use of personal mobile devices as a work tool has become pervasive across almost every single industry. Scarily, this rise in bring-your-own-devices policy has in part been driven by the false assumption that mobile devices are inherently more secure than desktops.

However, several governments and ATP groups with well-established cyber capabilities have adapted to and exploited the mobile threat landscape for over 10 years with dangerously low detection rates. Attacks on government and civilian mobile networks have the potential to take down large portions of a workforce, grinding productivity to a halt and disrupting everything from government decision-making to the economy.

In today's threat landscape, cyberattacks aren't just a potential risk but are to be expected. Thankfully, the solution to minimize the damage is relatively straightforward: Trust no-one and secure everything.

IT and security managers may not be able to prevent a cyberattack or a cyberwar; however, they can defend themselves against the worst outcomes. If a device is connected to the infrastructure, whether physically or virtually, it is a potential back door for threat actors to access data and disrupt operations. So, if organizations want to avoid being caught in the crossfire of cyberwarfare, endpoint security must be the first priority in all operations, from mobile to desktop.

Cyberwar and Cybercrime Go Hand in Hand

PIN-locked SIM card? No problem. It's easy for an attacker to bypass the Google Pixel lock screen on unpatched devices.

The November 2022 Android update includes a remediation for a bug that could allow an attacker to bypass the Google Pixel lock screen.

The researcher behind the discovery, David Schütz, reported the Google Pixel security flaw back in June after a series of errors led him to finding the vulnerability. He had forgotten his PIN after his device ran out of battery and died. After reboot, Schütz entered an incorrect PIN number three times, triggering the SIM card to lock itself. 

Luckily, he explained in a blog post this week, he had the original SIM packaging with the factory personal unlocking key (PUK) code to open the SIM card. From there he was able to gain access to the device without ever entering the correct PIN.

"After I calmed down a little bit, I realized that indeed, this is a got d\*mn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too," he wrote. 

The Google Pixel lock screen bypass vulnerability is tracked under CVE-2022-20465. Here are the bypass steps, according to Schütz: 

1.  Enter the wrong PIN three times.
2.  Hot-swap the device SIM for an attacker-controlled SIM with known PIN code.
3.  Enter the new SIM's eight-digit PUK code. 
4.  Enter the new device PIN.
5.  Presto! The device unlocks.

For his efforts, Schütz said he was awarded a $70,000 bug bounty, along with bragging rights. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

5 Easy Steps to Bypass Google Pixel Lock Screens

We commend vets in cyber, with this slideshow look at how the training and experience of former military personnel can be a big, differentiating asset in cybersecurity environments.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Veterans Day Salute: 6 Reasons Why You Want Vets in Your Cyber Platoon

Lea Kissner was one of three senior executives to quit this week, leaving many to wonder if the social media giant is ripe for a breach and FTC action.

Twitter CISO Lea Kissner has become the latest high-ranking executive to leave the company following Elon Musk's controversial $44 billion acquisition of the social media giant last month.

In a tweet Thursday, Kissner said they had resigned from Twitter but did not offer any reason for the decision. "I've made the hard decision to leave Twitter," Kissner wrote. "I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done."

It's unclear who is now in charge of security at the tech behemoth, or how much manpower is devoted to it. In the less than two weeks since he took charge, Musk has laid off some 3,700 Twitter employees so far, or roughly half of its workforce.

**Executive Exodus?**

Kissner's resignation follows the reported resignations of two other high-ranking Twitter executives this week: chief compliance officer Marianne Fogarty and chief privacy officer Damien Kieran. Casey Newton, founder and editor of Platformer, on Wednesday reported the exits of Fogarty and Kieran based on messages shared in Twitter Slack, which he claimed to have seen.

Twitter did not immediately respond to a Dark Reading request seeking confirmation of the reported resignations of Fogarty and Kieran.

Alex Stamos, former CSO at Facebook, described the exits of Kissner, Fogarty, and Kieran as a big deal for Twitter. 

"Twitter made huge strides towards a more rational internal security model and backsliding will put them in trouble with the FTC, SEC, 27 EU DPAs and a variety of other regulators," he said — ironically, in a tweet. "There is a serious risk of a breach with drastically reduced staff."

Many others also view the cuts and the exodus of senior executives — both voluntarily and involuntarily — as severely crippling the social media giant's capabilities, especially in critical areas such as security, privacy, spam, fake accounts, and content moderation.

"These are huge losses to Twitter," says Richard Stiennon, chief research analyst at IT-Harvest. "Finding qualified replacements will be extremely expensive."

Kissner's exit is sure to add to what many view as a deepening crisis at Twitter following Musk's takeover. Among those that have been axed previously are CEO Parag Agarwal, chief financial officer Ned Segal, legal chief Vijaya Gadde, and general counsel Sean Edgett. Teams affected by Musk's layoffs reportedly include engineering, product teams, and those responsible for content creation, machine learning ethics, and human rights.

For his part, Musk has described the cuts as being necessitated by a catastrophic drop in ad revenue because major companies are suspending their ad spending on the platform following his takeover.

**Potentially Severe FTC Impact**

Twitter's most immediate concern might be on the compliance front. In response to a Dark Reading inquiry, a Federal Trade Commission (FTC) spokeswoman said the agency is taking note of what's going on at Twitter.

“We are tracking recent developments at Twitter with deep concern," the spokeswoman said in an emailed statement. "No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

Twitter is currently already under heavy FTC scrutiny. In May, the agency slapped Twitter with a $150 million fine for violating the terms of a previous 2011 consent decree involving the use of deceptively collected data — such as email and phone numbers — for ad targeting.

In announcing the fine, the FTC also imposed fresh restrictions on the company's ability to use account security data to sell targeted ads. The FTC consent decree, among other things, prohibits Twitter's use of phone numbers and email addresses to serve ads. The decree requires Twitter to provide users with multifactor authentication options that do not involve phone numbers and requires the company to notify users about any improper use of phone numbers and emails and explain how they can turn off personalized ads. 

The FTC has also asked Twitter to strengthen its privacy program, implement a beefed-up information security program, and submit to security audits by an independent third party.

The company's ability to live up to these commitments is sure to remain a focus at the commission following the recent layoffs and executive exodus at the company. 

And indeed, Newton — the reporter who saw Twitter's Slack feed — quoted an employee as saying that for the moment, at least, it is up to Twitter engineers to “self-certify compliance with FTC requirements and other laws."

Stiennon says it would not be surprising if the three executives who resigned this week left because the new regime does not value what they do and treats their functions as secondary to the business goals.

"The teams have been cut to the quick," Stiennon says, "and the leaders are resigning because they cannot fulfill their responsibilities when they are understaffed and under resourced."

Source

DARKReading