Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202208002

CVE ID

CVE-2022-38117

CVSS

5.5 (Medium)  
CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

影響產品

Juiker app v4.6.0311.1

問題描述

Juiker app 將AES Key Hard-code於應用程式原始碼中，本機端攻擊者取得root權限後，可利用該Key解密或竄改本機使用者的APP密文訊息。

解決方法

更新Juiker app版本至4.6.0915.1

漏洞通報者

RayHong(CCoE)

公開日期

2022-10-24

CVE-2022-38117: 揪科 Juiker app - Hard-coded Credentials

Information disclosure vulnerability in Android App 'IIJ SmartKey' versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions.

Published:2022/10/14  Last Updated:2022/10/14

**Overview**

Android App "IIJ SmartKey" contains an information disclosure vulnerability.

**Products Affected**

*   Android App "IIJ SmartKey" versions prior to 2.1.4

**Description**

Android App "IIJ SmartKey" provided by Internet Initiative Japan Inc. contains an information disclosure vulnerability (CWE-200).

**Impact**

Under certain conditions, an attacker may obtain a one-time password issued by the product.

**Solution**

**Update the application**  
Update the application to the latest version according to the information provided by the developer.  
This vulneravility was fixed in version 2.1.4 released on June 16, 2020.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

This JVN publication was delayed to 2022/10/14 after the developer's fix was published.

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:H/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Naoaki Iwakiri reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-41986: Android App "IIJ SmartKey" vulnerable to information disclosure

Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

Published:2022/10/19  Last Updated:2022/10/19

**Overview**

Lemon8 fails to restrict access permissions.

**Products Affected**

*   Lemon8 App for Android versions prior to 3.3.5
*   Lemon8 App for iOS versions prior to 3.3.5

**Description**

Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.

**Impact**

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.  
The developer has released the following versions:

*   Lemon8 App for Android version 3.3.5
*   Lemon8 App for iOS version 3.3.5

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Ryo Sato of BroadBand Security,Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-41797: Lemon8 App fails to restrict access permissions

Nok Nok, an inventor of FIDO authentication standards, announces full support for passkeys in its S3 Authentication Suite that allows organizations to replace passwords.

**San Jose, Calif., Oct. 24, 2022** — Nok Nok, a leader in FIDO customer authentication (Fast IDentity Online) and a founder of the FIDO Alliance, today announced full support for passkeys — the FIDO and key-based passwordless sign-in technology standard for replacing passwords.

As stated in Verizon’s 2021 Data Breach Investigations Report, over 80% of successful cyber-attacks start with an account takeover with cybercriminals using sophisticated phishing strategies to steal account credentials based on passwords and personal secrets. With cybercrime accelerating dramatically, online service providers are now only beginning to understand the real cost and risk of propagating the use of passwords and the legacy security infrastructure used to store and use them.

**The arrival of passkeys, the replacement for passwords**

Passkeys — the new name for passwordless FIDO credentials — are widely viewed as the replacement to end the use of passwords. Current FIDO standards for single-device passkeys are supported by major platforms today. In May 2022, Apple, Microsoft and Google announced multi-device passkeys will be natively available in the OEMs’ devices, operating systems and platforms to enable safer, faster, and more consistent sign-ins to consumer online services across web and mobile devices.

By offering the same safety and convenience for signing into online services as the trusted biometric authentication consumers use to sign into their devices, FIDO passkeys offer consumers modern, safe and fast access to all of their online services and in the future, to their in-home and IoT devices, and even to their vehicles.

To implement passkeys, online service providers must leverage a FIDO authentication server and related client software to support both single-device and multi-device passkeys.

**S3’s innovative approach to passkeys**

As an early inventor of FIDO specifications, Nok Nok and its S3 Authentication Suite offer the first customer passwordless authentication platform built from the ground up based on FIDO standards, with full support for both single-device and multi-device passkeys. Nok Nok’s S3 Suite provides privacy-compliant, passwordless authentication across platforms and is designed to operate in the most demanding consumer environments, at global scale. Nok Nok’s S3 Authentication Server also offers FIDO features that enable online service providers to offer safe and secure passkey access to consumer services leveraging home, entertainment and IoT devices.

For companies that have not yet incorporated FIDO-enabled technologies into their services, with the Nok Nok S3 solution they can now support traditional FIDO single-device credentials and the latest multi-device passkeys with a single authentication infrastructure. For companies who have already transitioned some or all of their customer authentication to leverage FIDO standards, with the Nok Nok S3 solution they can fully support passkey credentials with no code changes. For Nok Nok customers already supporting Nok Nok iOS FIDO authentication, the currently available passkeys “just-work.”

As stated by Dr. Rolf Lindemann, Nok Nok’s VP of Products and one of the original authors of the FIDO standard, “_Nok Nok has been working with the industry and our large customers to operationalize the FIDO protocols in the real world with real world benefits. This discipline of commercializing FIDO innovations has led to an extensive portfolio of patented FIDO capabilities and to the evolution from single device keys to multi-device passkeys.”_

Dr. Lindemann shared, _“For our customers who have already adopted our S3 platform, no code changes are required to support passkeys on iOS 16+ and we support the device public key option announced for Google’s Android. Additionally, our S3 Suite allows native consumer apps to combine single-device credentials through FIDO “silent authenticators” with multi-device credentials to improve the control of relying parties - even on platforms not supporting the device public key option, simplifying regulatory compliance.”_

The advanced granular adaptive orchestration of Nok Nok’s S3 authentication platform includes a rules engine that allows replying parties to easily configure sign-up, sign-in and recovery flows for passkeys that dynamically respond to contextual user data. In addition, Nok Nok’s S3 Intelligent Passwordless AuthenticationTM enables user experience flows to automatically respond to the (FIDO) authenticator characteristics of their consumers’ devices in real-time with passkeys.

**The FIDO benefits trifecta**

By making use of authentication signals on consumer devices, with FIDO sign-up and sign-in, Nok Nok’s customers have created seamless user experiences that remove friction and complexity associated with authentication and account recovery, which dramatically increases the speed and success rates of sign-in.

Many of Nok Nok’s banking, telco and fintech customers have achieved sign-in success rates of 99.5% and sign-in speed increases of 100% to 200% - with today’s single-device passkeys. Since multi-device passkeys are expected to dramatically increase consumer FIDO adoption across OEM devices, these substantial benefits are now available to all online service providers who support passkeys by implementing a leading FIDO server with robust authentication capabilities such as Nok Nok’s S3 Suite.

In addition, reductions in sign-up, sign-in and account recovery friction result in a material reduction of calls into customer care centers. At an industry-average cost of $70-$90 per call to remediate account-related problems, the adoption of FIDO passkeys can save online service providers millions of dollars in annual OPEX.

Last but most important, FIDO passkeys protect consumers from account takeovers that start with stolen credentials. Passkeys are described as “phishing-resistant”, although some of the OEMs have stated passkeys are “unphishable”. In sign-ins that only use passkeys, the keys are accessed during sign-in, but passkeys remain on the device and server. The keys are never passed for attackers to steal enroute - protecting consumers from sophisticated phishing attacks.

“_Ten years ago our founding industry group designed FIDO as a new framework for providing better usability, security and privacy. We also intended the framework to reduce the cost and complexity of enterprise infrastructure. Today, FIDO passkeys offer the trifecta of business benefits — improved customer security and privacy with less friction and lower operating cost to the enterprise. Passwords are the single greatest pain point on the internet and at Nok Nok, we are thrilled to announce our seamless platform support for consumer passkeys — signaling the beginning of the end of passwords worldwide,” said Nok Nok CEO Phillip Dunkelberger._

**About Nok Nok**

Nok Nok is a global leader in passwordless consumer authentication. Delivering the most innovative FIDO services for the authentication market today, Nok Nok empowers global organizations to dramatically improve their user experience and security, and reduce operating expenses, while meeting the most advanced privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-standards-based passwordless consumer authentication. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations that are protected by a robust global patent portfolio. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in modern consumer authentication. Nok Nok’s global customers trust their customer authentication with the S3 platform and include Verizon, Intuit, T-Mobile, BBVA, NTT Docomo, MUFG, Japan Post Bank, AFLAC, Standard Bank, Fujitsu Limited, and Hitachi. For more information, visit www.noknok.com.

Nok Nok, a Global Leader in Customer Passwordless Authentication, Releases Full Support for Passkeys

Categories: News
Tags: week in security

Tags:  awis

Tags:  typosquatting

Tags:  cyberstalking

Tags:  Snapchat

Tags:  student loan relief scam

Tags:  Gas

Tags:  LAPSUS$

Tags:  Microsoft

Tags:  Ducktail

Tags:  Venus

Tags:  ransomware

Tags:  BYOD

Tags:  SMB security tips

Tags:  Log4Text

Tags:  DeadBolt

Tags:  spot a scam

Tags:  FaceStealer

Tags:  fake tractor fraud

Tags:  ThermoSecure

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 17 - 23) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 17 - 23)

Plus: A Microsoft cloud leak exposed potential customers, new IoT security labels come to the US, and details emerge about Trump’s document stash.

As Russia’s war in Ukraine drags on, Ukrainian forces have proved resilient and mounted increasingly intense counterattacks on Kremlin forces. But as the conflict evolves, it is entering an ominous phase of drone warfare. Russia has begun launching a series of recent attacks using Iranian “suicide drones” to inflict damage that is difficult to defend against. With Russian president Vladimir Putin escalating his rhetoric about the potential for a nuclear strike, and NATO officials watching closely for any signs of movement, we examine what indicators are available to the global community in assessing whether Russia is actually preparing to use nuclear weapons.

Meanwhile, an unrelenting string of deeply problematic vulnerabilities in Microsoft's Exchange Server on-premises email hosting service has left researchers to raise the alarm that the platform isn't getting the development resources it needs anymore, and customers should seriously consider migrating to cloud email hosting. And new research examines how Wikipedia's custodians ferret out state-sponsored disinformation campaigns in the crowdsourced encyclopedia's entries.

If you're worried about the ongoing threat of ransomware attacks around the world, researchers pointed out this week that middle-of-the-pack groups like the notorious gang Vice Society are maximizing profits and minimizing their exposure by investing very little in technical innovation. Instead, they simply run the most sparse and unremarkable operations they can to target under-funded sectors like health care and education. If you're looking to do something for your personal security, we've got a guide to ditching passwords and setting up “passkeys” on Android and Google Chrome.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in the United States have long warned of a potential national security threat because the wildly popular social video platform TikTok is owned by a Chinese company, ByteDance. But TikTok has always maintained that it is firewalled between ByteDance and its US userbase. But materials seen by _Forbes_ indicate that an internal ByteDance review board, the “Internal Audit and Risk Control department,” planned to direct TikTok to track the location of some specific US users. The group typically focuses on internal, employee issues, but the US-based individuals were reportedly not affiliated with TikTok or ByteDance. “In at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a US citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected,” _Forbes_ wrote.

Microsoft said this week that a misconfiguration exposed the data of some prospective customers of its cloud services. Researchers from the threat intelligence firm SOCRadar disclosed the leak to Microsoft on September 24, and the company quickly closed the exposure. SOCRadar said in a report that the exposed information stretched back to as far as 2017 and up to August of this year. The researchers linked the data to more than 65,000 organizations from 111 countries. Microsoft said the exposed details included names, company names, phone numbers, email addresses, email content, and files sent between potential customers and Microsoft or one of its authorized partners. Cloud misconfigurations are a longstanding security risk that have led to countless exposures and, sometimes, breaches.

There are no easy answers to improve the longstanding security dumpster fire created by cheap, undefended internet of things devices in homes and businesses around the world. But after years of problems, countries like Singapore and Germany have found that adding security labels to internet-connected video cameras, printers, toothbrushes, and more. The labels give consumers a better understanding of the protections built into different devices—and give manufacturers an incentive to improve their practices and get a gold seal. This week, the United States took a step in this direction. The White House announced plans for a labeling scheme that would be a sort of EnergyStar for IoT digital security. The administration held a summit with industry organizations and companies this week to discuss standards and guidelines for the labels. “A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards, and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said in a statement.

Sources told _The Washington Post_ this week that sensitive information related to Iran‘s nuclear program and the United States’ own intelligence operations in China were included in documents seized by the FBI this summer at former President Trump‘s Mar-a-Lago estate in Florida. “Unauthorized disclosures of specific information in the documents would pose multiple risks, experts say. People aiding US intelligence efforts could be endangered, and collection methods could be compromised,” the _Post_ wrote. The information could also potentially motivate retaliation by other countries against the US.

TikTok’s Security Threat Comes Into Focus

jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds.

**Package**

jadx-gui (binary release)

**Affected versions**

<= 1.4.4

**Impact**

Using jadx-gui to open a special zip file with entry containing HTML sequence like <html><frame> will cause interface to get stuck and throw exceptions like:

    java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3
    :no ROWS or COLS defined.
    	at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387)
    	at java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379)
    	at java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112)
    

**References**

https://www.oracle.com/java/technologies/javase/seccodeguide.html

Guideline 3-7 / INJECT-7: Disable HTML display in Swing components:

Many Swing pluggable look-and-feels interpret text in certain components starting with as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks.

To disable the HTML render feature, set the "html.disable" client property of each component to Boolean.TRUE (no other Boolean true instance will do).

label.putClientProperty("html.disable", true);

CVE-2022-39259: Jadx-gui: Swing HTML DOS attack

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

A series of deadly attacks using Iranian “suicide drones” shows Russia is shifting gears in the conflict.

The war in Ukraine has an ominous new noise. People living in Afghanistan and Nagorno-Karabakh have talked about a sound that makes them run for cover. It’s not an explosion or a jet screaming overhead, it’s the menacing whirr of a drone. And on Monday, that whirr arrived in the skies above Kyiv.

Russia has ramped up its use of Iranian-made “suicide drones” in Ukraine, which travel in groups and explode by diving at their targets, obliterating themselves in the process. On Monday, dozens of drones attacked Ukrainian cities during morning rush hour, killing at least four people when they struck an apartment building in Kyiv, the Ukrainian capital. Drone and missile attacks have also destroyed 30 percent of the country’s energy infrastructure in the past 10 days, according to Ukrainian officials. Swathes of the country are now without power.

Armed drones have been involved in the fighting in Ukraine for months. Until now, both sides have mostly limited their use to the front lines, although Russia used Iranian drones to bombard the port of Odessa and military targets in the city center. But this week’s attacks by Russia mark the beginning of a dark new era for drone warfare in Ukraine. For the first time, drones are being used to target civilians and civilian infrastructure in a way that analysts say gives Russia little strategic advantage on the battleground. Instead, these attacks are designed to spread terror and crush morale—what German chancellor Olaf Scholz described as a Russian “scorched earth” tactic.

“\[Russia’s\] main goal … is to make sure that Ukrainians will have an extremely hard, dark, and cold winter,” says Kira Rudik, a member of Ukraine’s parliament, who is using a generator to power her laptop due to power restrictions in Kyiv. She compares the sound of the drones over the city to a loud motorbike. “It's pretty scary when you're sitting at home early in the morning and you hear \[the sound of\] a motorcycle passing by very loud,” she says. “And then you hear an explosion.”

Part of the psychological impact of these drones can be linked to that noise. Compared to missiles, drones are slow. The Iranian-made Shahed-136s travel at around 200 kilometers per hour, meaning civilians can see, hear, and even try to shoot at them before they hit, creating time for dread and panic to build. “This will likely have a significant psychological effect on Ukraine's civilian population, because everything could become a potential target of Russian attack,” says Ingvild Bode, associate professor at the Center for War Studies at the University of Southern Denmark.

Ukrainians are bracing for the possibility that a lot more of these drones will be heading their way. “We know that \[Russia\] has purchased over 1,000 drones from Iran,” says Rudik. The Shahed-136 is comparatively cheap and expendable, costing $2,000 to $3,000, analysts estimate. “We know that there will be more and more and more, and that is of course terrifying.” Iran has denied providing Russia with drones to use in Ukraine—a denial the US has called a lie. The White House said yesterday it had evidence Iranian troops were on the ground in Crimea, helping Russia to operate the drones.

While Ukraine has already had some success in intercepting these drones, the country is still scrambling to respond to Russia’s new strategy. The military was able to shoot down 15 of 20 Iranian drones launched yesterday, according to a Facebook post by the General Staff of the Armed Forces.

But shooting them down is easier said than done. A Shahed-136 is hard to detect. These drones fly low, meaning radar systems struggle to see them. “Unfortunately, it is not possible to hit 100 percent \[of them\] because the target is difficult,” Ukraine's air force spokesperson, Yuriy Ihnat, told Reuters. To compensate, Ukraine has started crowdsourcing ways to detect drones early. The country’s armed forces launched an Android app called ePPO, which asks civilians to report sightings of cruise missiles or drones, and share what direction they are traveling.

Once Ukrainians can detect the drones, they still need to figure out the best way to target them. Electronic warfare tools, such as GPS jammers, don’t work well, because analysts believe the Shahed-136s are programmed with their target’s location before they take off.

The ideal way to shoot them down would be with long-range missiles, says Marcel Plichtav, a former US Department of Defense analyst who is now a PhD candidate at the University of St. Andrews in Scotland. “But these are many, many times more expensive than the drone itself, which in terms of sustainability is an issue.” Shorter-range air defenses are cheaper, he says. “But they also have a lot less range, so you’re risking not being able to shoot them all down before they reach their targets.”

And if Ukraine focuses all its defenses on Shahed-136s, there’s a risk the drones could act as a decoy for other attacks. The conflict in Yemen between the Saudi-backed government and the Houthi rebels has shown that missiles are more likely to hit their targets if air defense systems are distracted with drones, says Plichtav.

The best option would be to stop or sabotage the drones before they ever take off, says Wim Zwijnenburg, project leader in humanitarian disarmament at PAX, a Dutch organization that campaigns to end armed violence. Yesterday, the European Union announced it would freeze the assets of three Iranian generals and Shahed Aviation Industries, the company responsible for developing the Shahed-136. Sabotaging the drones themselves, however, is made more difficult by the fact a Shahed-136 is estimated to have a 1,000-kilometer range, which means these drones have been launched by Russia from Belarus and Russian-occupied Crimea, according to Rudik.

Ukraine’s drone problem is one reason the country has been reaching out to Israel, Zwijnenburg says. “Israel has a lot of knowledge on the type of drones Iran produces.” However, Israel—which has previously limited its assistance to Ukraine to humanitarian relief—said this week it would only help the country develop an early-warning system to better protect civilians from air attacks.

“We need air force protection systems, the sophisticated ones,” says Rudik, adding it’s not just Israel who has these systems but also the US, the UK, and some European countries.

“This is something that we have been asking since day one of the invasion. And it's an incredible frustration for us that right now, eight months into the war, we are still asking for the same thing.”

Ukraine Enters a Dark New Era of Drone Warfare

New Android malware variant is part of long-running Domestic Kitten campaign being conducted by APT C-50 Group, analysts report.

Analysts have flagged a new Android malware variant being used by APT-C-50 as part of its wider Domestic Kitten campaign to spy on Iranian citizens. 

ESET researchers named the new spyware FurBall, but point out that aside from a few new scripts and tweaks, the basic functionality of the latest APT-C-50 malware iteration is unchanged from previous versions. The mobile surveillance spyware is delivered through a malicious app that offers Iranian translations of books and magazines. 

Domestic Kitten campaign was first discovered back in 2016. 

"The analyzed sample requests only one intrusive permission — to access contacts," the ESET team said about the new FurBall malware. "The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase, of a spearphishing attack conducted via text messages."

However, if the attackers could expand the malicious app permissions, they would be able to steal additional device data, including text messages, location information, recorded voice calls, and more, the researchers added.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#android