Recently, the Edina Police Department (Minneapolis, U.S.A.) issued a remarkable warning to residents. Following the investigation of nine apartment burglaries, the police concluded that thieves were disrupting the Wi-Fi connection in the apartments. They did this to prevent the home’s smart surveillance cameras from alerting the owners of the danger and transmitting video to them. Is such a technologically advanced burglary really possible? It is. Are there other ways to attack smart-home security systems? Definitely. What can be done about it? Great question. Let’s find out!…

Defenseless defenders

Protection devices — whether they be locks, cameras, alarms, or anything else — should, in theory, be completely secure against any kind of hostile action. After all, they could be deliberately targeted by attackers hoping to break in! Unfortunately, in practice, manufacturers are not always prudent. They make various mistakes: in smart locks, the mechanical part is often not made reliable enough; in cameras, video streams are transmitted openly, allowing unauthorized persons to view or even interfere with them; and in alarms, control channels are poorly protected. This is in addition to other smart-home vulnerabilities that we’ve written about before.

What’s even more worrying is that many of these devices are vulnerable to two really simple attacks: power disruption and communication disruption.

Home Wi-Fi can be disrupted in various ways — from crudely jamming the entire radio-wave frequency range to more specialized attacks on a specific network or Wi-Fi client. There are other ways besides messing with radio waves, too. The internet in a home is usually connected through one of four easily recognizable cables: fiber optic, telephone, twisted pair (Ethernet), or coaxial television. One can reliably disrupt the connection simply by cutting these cables.

In case the entire security system relies on the power grid without backup sources, simply cutting off the power to the apartment can easily knock out the smart protection.

Improving protection performance

Most of the problems described above can be dealt with. As with any security measures, none of the solutions below guarantees 100% protection, but they will significantly reduce the likelihood of a burglary.

Choose the right equipment. All of the issues mentioned above should be considered before purchasing any security systems. This way, you can formulate additional requirements for the equipment:

an autonomous power supply
the ability to transmit information without Wi-Fi
an adequate level of mechanical protection
the manufacturer’s compliance with high cybersecurity standards

The first two requirements are perfectly combined in cameras that operate using Power over Ethernet (PoE) technology. Both data and power are transmitted through a single cable. You just need to buy either a PoE-enabled Ethernet router/hub or a separate PoE converter and connect it to the power grid using an uninterruptible power supply (UPS). This will make the internet in the home, the functionality of the cameras and sensors, and their connection to the router resistant to power outages and Wi-Fi interference.

If it’s not suitable for you to have Ethernet cables running through your home, you could consider cameras with an autonomous power supply (batteries) or, at worst, cameras connected through a capacious power bank. This would protect against power outages, but the problem of attackers interfering with Wi-Fi would remain. To protect against this, you could choose devices that operate on 3G/4G/5G. It’s worth noting that they’re usually designed for houses rather than apartments, so they often have “outdoor” features: waterproof casing, long-range IR illumination, and so on.

Many cameras have the ability to record to an SD card, but this doesn’t help much in quickly responding to an incident.

A sufficient level of mechanical security is mainly important for locks, but it’s also relevant for cameras, doorbells and sensors, which are directly accessible to intruders. The level of security is difficult to assess before purchasing, but you can search the internet for tests for burglary and vandalism resistance, as well as customer reviews.

Assessing the cybersecurity level of a specific camera or doorbell is also not easy: you’d have to carefully study the manufacturer’s website and its reputation in terms of technical support and release of updates. We’ve given some useful tips on this topic before.

Implement “redundancy”. Even if you’ve already bought some equipment, some additional measures would help improve home security. It’s highly advisable to provide redundancy for the internet channel. Depending on the situation, the backup channel could be launched either through a 4G modem or using a second wired connection and a second router. The main difficulty is configuring the router and the rest of the equipment so that the connection automatically switches to the backup channel when the main one goes down. In some routers this isn’t difficult — the function is called backup channel — while in others it’s impossible. Of course, both routers (if there are two of them) would need power through a UPS. If you don’t already have uninterrupted power, it’s time to get some.

If it’s difficult to provide redundancy for the internet channel and automatic switching at the router level, as a relatively simple alternative, you could install a redundant camera: one would operate through the main internet channel, while the other — through the backup one.

Protect against cyberattacks. To hinder targeted attacks on security devices, it’s important to follow the main rules of cybersecurity, which we’ve written about many times: protect your router, choose strong Wi-Fi passwords, regularly update the firmware of smart devices and the router, and use a comprehensive security solution for all computers, smartphones, and smart devices in your home network.

Kaspersky official blog – ​Read More

Episode 335 of the Transatlantic Cable Podcast kicks off with news that Apple are already preparing for a post-quantum world with their latest iMessage update. From there the team discuss criticism around Google’s ‘woke’ AI picture issues.

Following that, the team wrap up with two stories, the first around Air Canada’s chatbot giving incorrect refund advice to a customer, and a spoon-bending magician says he was paid to create a fake Biden robocall.

If you like what you heard, please consider subscribing.

Post-quantum iMessage: the next step in privacy protection
Google to fix AI picture bot after ‘woke’ criticism
Air Canada must honor refund policy invented by airline’s chatbot
A magician says a Democratic op paid him to make the fake Biden call

Kaspersky official blog – ​Read More

Kaspersky experts recently studied the security of a popular toy robot model, finding major issues that allowed malicious actors to make a video call to any such robot, hijack the parental account, or, potentially, even upload modified firmware. Read on for the details.

What a toy robot can do

The toy robot model that we studied is a kind of hybrid between a smartphone/tablet and a smart-speaker on wheels that enables it to move about. The robot has no limbs, so rolling around the house is its only option to physically interact with its environment.

The robot’s centerpiece is a large touchscreen that can display a control UI, interactive learning apps for kids, and a lively, detailed animated cartoon-like face. Its facial expressions change with context: to their credit the developers did a great job on the robot’s personality.

You can control the robot with voice commands, but some of its features don’t support these, so sometimes you have to catch the robot and poke its face the built-in screen.

In addition to a built-in microphone and a rather loud speaker, the robot has a wide-angle camera placed just above the screen. A key feature touted by the vendor is parents’ ability to video-call their kids right through the robot.

On the front face, about halfway between the screen and the wheels, is an extra optical-object-recognition sensor that helps the robot avoid collisions. Obstacle recognition being totally independent of the main camera, the developers very usefully added a physical shutter that completely covers the latter.

So, if you’re concerned that someone might be peeping at you and/or your child through that camera — sadly not without reason as we’ll learn later — you can simply close the shutter. And in case you’re worried that someone might be eavesdropping on you through the built-in microphone, you can just turn off the robot (and judging by the time it takes to boot back up, this is an honest-to-goodness shutdown — not a sleep mode).

As you’d expect, an app for controlling and monitoring the toy is available for parents to use. And, as you must have guessed by now, it’s all connected to the internet and employs a bunch of cloud services under the hood. If you’re interested in the technical details, you can find these in the full version of the security research, which we’ve published on Securelist.

As usual, the more complex the system — the more likely it is to have security holes, which someone might try to exploit to do something unsavory. And here we’ve reached the key point of this post: after studying the robot closely, we found several serious vulnerabilities.

Unauthorized video calling

The first thing we found during our research was that malicious actors could make video calls to any robot of this kind. The vendor’s server issued video session tokens to anyone who had both the robot ID and the parent ID. The robot’s ID wasn’t hard to brute-force: every toy had a nine-character ID similar to the serial number printed on its body, with the first two characters being the same for every unit. And the parent’s ID could be obtained by sending a request with the robot ID to the manufacturer’s server without any authentication.

Thus, a malicious actor who wanted to call a random child could either try to guess a specific robot’s ID, or play a chat-roulette game by calling random IDs.

Complete parental account hijack

It doesn’t end there. The gullible system let anyone with a robot ID retrieve lots of personal information from the server: IP address, country of residence, kid’s name, gender, age — along with details of the parental account: parent’s email address, phone number, and the code that links the parental app to the robot.

This, in turn, opened the door for a far more hazardous attack: complete parental-account hijack. A malicious actor would only have needed to have taken a few simple steps:

The first one would have been to log in to the parental account from their own device by using the email address or phone number obtained previously. Authorization required submitting a six-digit one-time code, but login attempts were unlimited so trivial brute-forcing would have done the trick.
It would only have taken one click to unlink the robot from the true parental account.
Next would have been linking it to the attacker’s account. Account verification relied on the linking-code mentioned above, and the server would send it to all comers.

A successful attack would have resulted in the parents losing all access to the robot, and recovering it would have required contacting tech support. Even then, the attacker could still have repeated the whole process again, because all they needed was the robot ID, which remained unchanged.

Uploading modified firmware

Finally, as we studied the way that the robot’s various systems functioned, we discovered security issues with the software update process. Update packages came without a digital signature, and the robot installed a specially formatted update archive received from the vendor’s server without running any verifications first.

This opened possibilities for attacking the update server, replacing the archive with a modified one, and uploading malicious firmware that let the attacker execute arbitrary commands with superuser permissions on all robots. In theory, the attackers would then have been able to assume control over the robot’s movements, use the built-in cameras and microphones for spying, make calls to robots, and so on.

How to stay safe

This tale has a happy ending, though. We informed the toy’s developers about the issues we’d discovered, and they took steps to fix them. The vulnerabilities described above have all been fixed.

In closing, here are a few tips on staying safe while using various smart gadgets:

Remember that all kinds of smart devices — even toys — are typically highly complex digital systems whose developers often fail to ensure secure and reliable storage of user data.
As you shop for a device, be sure to closely read user feedback and reviews and, ideally, any security reports if you can find them.
Keep in mind that the mere discovery of vulnerabilities in a device doesn’t make it inferior: issues can be found anywhere. What you need to look for is the vendor’s response: it’s a good sign if any issues have been fixed. It’s not a good thing if the vendor appears not to care.
To avoid being spied or eavesdropped on by your smart devices, turn them off when you’re not using them, and shutter or tape over the camera.
Finally, it goes without saying that you should protect all your family members’ devices with a reliable security solution. A toy-robot hack is admittedly an exotic threat — but the likelihood of encountering other types of online threats is still very high these days.

Kaspersky official blog – ​Read More

In today’s episode of the Transatlantic Cable podcast, the team look at news that companies at the fore-front of generative AI are looking to ‘take action’ on deceptive AI in upcoming elections. From there, the team discuss news that the Canadian government is set to take action against devices such as Flipper Zero, in an apparent fight against criminal activity.

To wrap up, the team discuss news that international police agencies have taken down LockBit – the infamous ransomware gang. Additionally, the team discuss a bizarre story around Artificial Intelligence, blue aliens and job applications – yes, really.

If you liked what you heard, please consider subscribing.

Big tech vows action on ‘deceptive’ AI in elections
Feds Want to Ban the World’s Cutest Hacking Device
UK leads disruption of major cyber-criminal gang
Service Jobs Now Require Bizarre Personality Test From AI Company

Kaspersky official blog – ​Read More

Time was when any ransomware incident would spark a lively press and public reaction. Fast forward to the present, and the word “ransomware” in a headline doesn’t generate nearly as much interest: such attacks have become commonplace. Nonetheless, they continue to pose a grave threat to corporate security. This review spotlights the biggest and most high-profile incidents that occurred in 2023.

January 2023: LockBit attack on the UK’s Royal Mail

The year kicked off with the LockBit group attacking Royal Mail, the UK’s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company’s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group’s distinctive orange ransom note.

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.

February 2023: ESXiArgs attacks VMware ESXi servers worldwide

February saw a massive automated ESXiArgs ransomware attack on organizations through the RCE vulnerability CVE-2021-21974 in VMware ESXi servers. Although VMware released a patch for this vulnerability back in early 2021, the attack left more than 3000 VMware ESXi servers encrypted.

The attack operators demanded just over 2BTC (around $45,000 at the time of the attack). For each individual victim they generated a new Bitcoin wallet and put its address in the ransom note.

Just days after the attack began, the cybercriminals unleashed a new strain of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox instead.

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT

In March 2023, the Clop group began widely exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) tool. Clop is well-known for its penchant for exploiting vulnerabilities in such services: in 2020–2021, the group attacked organizations through a hole in Accelon FTA, switching in late 2021 to exploiting a vulnerability in SolarWinds Serv-U.

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble, the City of Toronto, and Community Health Systems — one of the largest healthcare providers in the U.S.

April 2023: NCR Aloha POS terminals disabled by BlackCat attack

In April, the ALPHV group (aka BlackCat —  after the ransomware it uses) attacked NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.

The ransomware attack shut down the data centers handling the Aloha POS platform — which is used in restaurants, primarily fast food — for several days.

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced to revert to pen and paper.

May 2023: Royal ransomware attack on the City of Dallas

Early May saw a ransomware attack on municipal services in Dallas, Texas — the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.

Later that month, there was another ransomware attack on an urban municipality: the target this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.

June 2023: Clop group launches massive attacks through zero-days in MOVEit Transfer

In June, the same Clop group responsible for the February attacks on Fortra GoAnywhere MFT began exploiting a zero-day vulnerability in another managed file transfer tool — Progress Software’s MOVEit Transfer.

This ransomware attack — one of the largest incidents of the year — affected numerous organizations, including the oil company Shell, the New York City Department of Education, the BBC media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus, the University of Georgia, and the German printing equipment manufacturer Heidelberger Druckmaschinen.

July 2023: University of Hawaii pays ransom to the NoEscape group

In July, the University of Hawaii admitted to paying off ransomwarers. The incident itself occurred a month earlier when all eyes were fixed on the attacks on MOVEit. During that time, a relatively new group going by the name of NoEscape infected one of the university departments, Hawaiian Community College, with ransomware.

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.

August 2023: Rhysida targets the healthcare sector

August was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.

The hackers claimed to have stolen 1TB of corporate documents and a 1.3 TB SQL database containing 500,000 social security numbers, passports, driver’s licenses, patient medical records, as well as financial and legal documents. The cybercriminals demanded a 50BTC ransom (then around $1.3 million).

September 2023: BlackCat attacks Caesars and MGM casinos

In early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains — Caesars and MGM — in one stroke. Behind the attacks was the ALPHV/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.

The incident shut down the companies’ entire infrastructure — from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.

MGM chose not to pay up, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100 million (its own estimate), of which $10 million was direct costs related to restoring the downed IT systems.

October 2023: BianLian group extorts Air Canada

A month later, the BianLian group targeted Canada’s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.

November 2023: LockBit group exploits Citrix Bleed vulnerability

November was remembered for a Citrix Bleed vulnerability exploited by the LockBit group, which we also discussed above. Although patches for this vulnerability were published a month earlier, at the time of the large-scale attack more than 10,000 publicly accessible servers remained vulnerable. This is what the LockBit ransomware took advantage of to breach the systems of several major companies, steal data, and encrypt files.

Among the big-name victims was Boeing, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China (ICBC), the largest commercial bank in the world.

The incident badly hurt the Australian arm of DP World, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia’s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.

December 2023: ALPHV/BlackCat infrastructure seized by law enforcement

Toward the end of the year, a joint operation by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV/BlackCat ransomware group of control over its infrastructure. Having hacked it, they quietly observed the cybercriminals’ actions for several months, collecting data decryption keys and aiding BlackCat victims.

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat’s operations.

Various statistics about the ransomware group’s operations were also made public. According to the FBI, during the two years of its activity, ALPHV/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.

How to guard against ransomware attacks

Ransomware attacks are becoming more varied and sophisticated with each passing year, so there isn’t (and can’t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:

Train employees in cybersecurity awareness.
Implement and refine data storage and employee access
Back up important data regularly and isolate it from the network.
Install robust protection on all corporate devices.
Monitor suspicious activity on the corporate network using an Endpoint Detection and Response (EDR)
Outsource threat search and response to a specialist company if your in-house information security lacks the capability.

Kaspersky official blog – ​Read More