The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode

by Tom Eston on July 30, 2018

This is the Shared Security Weekly Blaze for July 30th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Click here to leave your review in iTunes!

Show Transcript
This is your Shared Security Weekly Blaze for July 30th 2018 with your host, Tom Eston. In this week’s episode: Bluetooth vulnerabilities, malicious apps removed from Twitter and Gmail confidential mode.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Sponsorships Available

Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker, within physical proximity of the Bluetooth device, to intercept, monitor, or change the data being used by the Bluetooth device. Several vendors of Bluetooth implementations including Apple, Broadcom, Intel and Qualcomm have firmware and some software drivers that are vulnerable to this attack. The vulnerability is caused because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing a Bluetooth device. It’s important to note that there is no evidence that this vulnerability is being exploited in the wild and that vendors are working on patches if their implementations of Bluetooth are affected.

So what does this Bluetooth vulnerability mean for you? First, always stay up-to-date on patches for any Bluetooth device that you may be using. For this vulnerability in particular the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic is more obscure “Internet of Things” devices, which happen to use Bluetooth, that may never receive updates because they were either manufactured cheaply or were not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us because an attacker needs to be in very close proximity of the victim.

Last week Twitter announced that it removed more than 143,000 malicious apps from their service. Twitter said that the applications were removed between April and June of this year but did not specify which apps were deleted but only saying that they removed these apps because developers have violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers which have applicants go through a more rigorous approval process including having developers include all details on how their apps will be used and limiting the number of default apps that developers can create to 10.

This news from Twitter comes at a time where other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy made Facebook audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since they began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better privacy data practices since the Cambridge Analytica controversy as well.

In related Facebook news, it’s worth noting that Facebook suffered its largest drop in market value to the tune of $119 billion dollars when they announced their Q2 quarterly earnings on a call with investors last Wednesday. Facebook stated that they will be taking a “privacy first” approach with their product development which will likely have impact on future revenue growth. This news caused the biggest ever one-day loss in market value for a U.S.-listed company in the history of the US stock market. This is an interesting development as the demand for greater privacy and transparency from Facebook users doesn’t really matter when it comes to how Facebook makes money. This is a huge conflict for Facebook to deal with and it will be really interesting to see how this plays out in the coming weeks.

Google’s Gmail has been rolling out its new redesign over the last several months which includes a new feature called “confidential” mode. Confidential mode allows you to restrict how sent emails can be viewed and forwarded. Recipients of confidential mail will not be able to forward or print email designated as confidential and you even have the ability to set an expiration date so that the email can be deleted in the recipients mailbox. You can also require a code via a text message which can be added for additional security of the email.

While all this sounds well and good, the Electronic Frontier Foundation notes that “confidential” mode does not mean that messages are end-to-end encrypted. Google can still see the contents of your emails because, as we all know, Google makes money off using your data for targeted advertising. The EFF also noted concerns about how expiring messages could be captured by a screenshot or picture of the screen and that any expiring message sent is actually kept in your sent items folder, which is really not an expiring message at all. Our advice is that you should use a more vetted and end-to-end encrypted messaging service like Signal or ProtonMail and only use Gmail’s confidential mode for non-confidential messaging.

In other Google news, if you happen to use Google Chrome as your web browser you will now start to notice that web sites you visit, that are not using HTTPS encryption, will be noted as “Not Secure” in the URL bar of the browser. This is not a total surprise to most of us as Google announced this change was coming earlier this year. There will also be more changes coming starting with Chrome version 70 (to be released in October) in which the “Not Secure” indicator will be red and not grey like it is now.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.