Home » Cybersecurity » IoT & ICS Security » The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware

The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware

by Tom Eston on March 19, 2018

This is the Shared Security Weekly Blaze for March 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript
This is your Shared Security Weekly Blaze for March 19th 2018 with your host, Tom Eston.

In this week’s episode: The Insecure Internet of Things, Spectre Patch Updates and Android Malware.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Shout outs this week to @Yohun, @ClarkWillClark, @drheleno_ca and @eg0sum on Twitter as well as @heath_robinson on Instagram and Tom, Shawn and Jamie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support!

Sponsorships Available

A new paper called the “Secure by Design Report” from the UK government’s Department for Culture Media and Sport describes 13 new security guidelines for manufactures of Internet of Things devices ( also abbreviated as IoT). If you’ve have been listening to past episodes of the podcast or have been paying attention to the news, we’ve seen a huge increase in devices such as smart watches, Internet enabled camera’s and hundreds of other connected devices like coffee machines and even toasters. Yes, you can actually buy a connected toaster that you can control from your mobile phone just in case you want to really fine tune your toasting process.

Over the last several years Internet of Things devices have been found to have many different kinds of security vulnerabilities such as being configured with default passwords, having no mechanism to be updated and the lack of features to delete private data. In fact, insecure devices like these have been hacked to steal information and can be hijacked to be used in botnets, like the Marai botnet in 2016, that infected over 300,000 IoT devices with malware. These new guidelines aim to educate manufactures so they can build and eventually sell secure products.

I think these guidelines are a great start to advocate good security practices for IoT device manufactures, however, guidelines are just guidelines. Will manufactures listen to this advice or will they continue to sell devices that are easily hackable. Unfortunately, it’s very difficult to determine if the IoT device that you’re purchasing is secure or not. From what we’ve seen in the past, many of these new IoT products are cheaply made with the purpose of getting cool technology out to the market to make a quick sale. In fact, it’s really easy to do a quick search on Amazon for pretty much any “connected” device these days to find manufactures or sellers that no one has ever heard of.

One tip I’ve found helpful is to check reviews and comments left by owners of products that you may be interested in purchasing to find out if any security or privacy configurations are being discussed or if there are known security issues that the manufacture is aware of and is addressing. Like these guidelines state, it’s up to the device manufactures to bear the burden of securing their products. For us consumers we either need to accept the risk that these products may compromise our security and privacy or just not purchase these devices all together. I mean, it’s still possible to make toast with a regular toaster and not a connected one.

Intel is almost ready to release more updated patches for the critical Spectre vulnerability that affects almost all computer processors manufactured within the last 20 years. If you have a Dell, Lenovo or HP PC you should start seeing these updates showing up through your update software within the next few weeks. Spectre and it’s close cousin, Meltdown, are critical hardware vulnerabilities which allow attackers to steal data that is being processed within your computer. This data could include sensitive information such as passwords, emails, photos and documents. You may remember that back in late January after releasing the original updates, Intel told PC manufactures to stop the deployment due to random reboots and the “blue screen of death” happening after the patch was installed. These patches need to update the firmware of your PC so make sure you have your software update feature enabled and working.

Many times after we buy our PC’s we automatically assume that software update applications that are installed by default are “bloatware” and we either remove or disable this software. We highly recommend you check to see if this software is running, as well as your Windows security updates to ensure you’re receiving timely security patches for your operating system. If you would like more information on the Spectre and Meltdown vulnerabilities, check out episode 72 of the podcast where Scott and I discuss these vulnerabilities in much more detail.

Researchers from the Check Point Mobile Security Team released a report this past week about a new form of malware that was found to be installed on over 5 million Android phones called “RottenSys”. Apparently, the malware was found on several different brands of Android phones including some Samsung devices through the phone manufacturing supply chain, which is a frequent security problem for Android device manufactures to control. The malware is disguised as a system wi-fi service app which communicates to a server that downloads the malware to the phone. Once the malicious code is installed it pushes adware to an infected device in order to generate revenue for the malware authors. If that wasn’t bad enough, the malware also has the capability to download other malicious components for accessing things like your microphone or camera and even allow the infected device to join a botnet of other infected Android phones.

As mentioned on the show previously, Android has very specific security challenges like supply chain attacks as well as a problem called “device fragmentation” where security updates for Android devices may be hit or miss depending on your device manufacture and wireless carrier. Check out our recent Weekly Blaze podcast where we discussed Android device fragmentation in more detail. For this specific malware, be sure to check out this week’s show notes to see the list of devices affected and on how to remove this malware if your device has the malware installed.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.