Google forms alliance with some Android security specialists

The App Defense Alliance brings together Google, ESET, Lookout, and Zimperium to combat baddies on Android.

Considering how huge and diverse the Android ecosystem is, it’s surprising how few malware catastrophes it has had. Maybe that’s thanks in part to the work of companies like Lookout, which offer freemium security apps on the Play Store. Google has apparently decided to be a bit more proactive on the security front itself, but without undermining all the good work that has already been done, hence the creation of the App Defense Alliance.

“Working closely with our industry partners gives us an opportunity to collaborate with some truly talented researchers in our field and the detection engines they’ve built,” blogged Dave Kleidermacher, VP, Android Security & Privacy. “This is all with the goal of, together, reducing the risk of app-based malware, identifying new threats, and protecting our users.”

The clever bit involves integrating the Google Play Protect detection systems with each partner’s scanning engines. This will result in several pairs of eyes having a close look at apps that are in the queue for publication on the Play Store and, in theory, reduce the chances of any of them containing any moody code.

Judging by an interview Kleidermacher gave Wired, from Google’s perspective this is all about coordinating the security efforts of a bunch of previously autonomous players. What’s in it for the other partners isn’t so obvious. In the Wired article they said all the right things about being greater than the sum of their parts, but we wouldn’t be surprised if a bit of Google cash helped persuade them too.

Biometric authentication gathers momentum in the UK

The introduction of biometric authentication might have been met with some scepticism, and the technology still has its critics, but it does seem to be gaining traction in the UK.

According to credit reporting agency Equifax, not only are more Brits using the technology, but they are open to adopting such authentication and identification techniques in a wider range of scenarios. Opening a smartphone might be the most widely-adopted use of the technology, but how about age authentication in the pub?

71% of respondents to the survey are happy for fingerprint or facial recognition to completely replace traditional PIN verification for accessing smartphones, while another 64% would be happy to see the technologies replace passwords for laptops. 60% of respondents are happy for biometric authentication to be used for age verification and 58% would even be open to seeing voting ballots given the same upgrade.

Interestingly enough, the challenge which the industry will face is most likely to be around privacy and data protection concerns. With data breaches and leaks being reported in the press with continued regularity, consumer confidence will certainly be impacted. And the irony that this survey has been sponsored by Equifax, the source of one of the biggest data breaches to date, has not been lost on us.

That said, while there are still data protection and privacy concerns to be ironed out, new technologies will be needed to address the dangers and risks of the digital economy.

“As the rise in financial fraud continues, particularly when it comes to identity theft, it’s essential we develop and embrace new and innovative means to protect consumers,” said Keith McGill, Head of ID & Fraud at Equifax.

“The techniques being used to scam Brits are increasingly sophisticated and breaking into the old world of signatures and pin codes is bread and butter for today’s fraudsters.

“Further implementation of biometric options within the financial services sector will go a long way to tackle this. Tapping into our unique biological passcodes can help businesses and consumers stay ahead of the curve, and as the technology develops, it will become even more widespread, trusted and popular in the years to come.”

One telco which is trialling a similar proposition is Telia. Having teamed up with Finnish bank OP, the duo is testing facial recognition payment solutions for an ice-cream truck. Using the biometric template uploaded through a camera prior to the purchase with the customer’s bank, a connected device is used by the merchant to authenticate the individual. The customer then authorises the purchase with a simple click once their face has been recognised.

This is of course a very rudimentary application of the technology, but with the introduction of 5G, edge-computing gathering pace and greater adoption of blockchain technology, biometric authentication could be a very reliable, efficient and secure means of managing identification and transactions in the digital economy.

The next big challenge will be the public perception of not only the technology, but a company’s ability to safely collect, store and manage data. The frequency of data breaches and leaks could undermine progress here, though a more responsible attitude towards security does seem to be emerging. Security does seem to be more than a pitch for PR points today, a welcome trend if the digital economy is to be an enabler not a risk to society and the economy.

Chinese state-linked hackers compromise Western telco networks

A new malware family used by state-linked Chinese hacking group APT41 has been used to compromise telco servers, potentially exposing text messages from military and government officials.

Unveiled by security firm FireEye, the malware was discovered on Linux servers operating as Short Message Service Centre (SMSC) servers. These machines are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient’s device is available.

“Named MessageTap, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts,” FireEye states on its blog.

“APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day.”

Starting in 2012, Chinese cyber threat group APT41 has carried out numerous state-sponsored espionage activities, as well as financially motivated operations to line its own pockets.

The list of industries which APT41 targets is extensive, though it generally falls in line with the 5-year economic development plan of the Chinese Government. Big tech, telco and education have been the most recent targets, though it has consistently attempted to manipulate digital currencies for its private financial gain.

In this specific example, FireEye suggests the call detail record (CDR) databases indicate that foreign high-ranking individuals of interest to the Chinese intelligence services were the primary targets. With this tool, APT41 was able to capture the content of text messages, as well as the intended recipient.

The revelation does underscore the increasing concern that Chinese authorities are illegally monitoring high-profile targets around the world. The US might be somewhat buoyed by the news, as it does add credibility to the case that its allies should build networks devoid of Chinese components and products.

However, as the compromised telcos have not been identified, it is impossible to state conclusively that Chinese equipment was a contributing factor. The compromised telco might not have made use of Chinese equipment, therefore this should not necessarily be viewed as evidence to support the condemnation of Huawei and ZTE.

Unfortunately for the users who might feel they are a target, FireEye has suggested it is incredibly difficult to defend against this type of malware. That said, it does promote the case for end-to-end encryption, a technology which has proven to be unhackable to date.

What remains to be seen is the impact which this incident will have on the on-going trade war which has dogged the economy for months, and the attitude of European Governments towards working with Chinese network equipment manufacturers. Cybercriminals are commonplace, so it might not cause too many ripples; however, it might just reinvigorate the friction which has largely dominated 2019.

US Senators suspect TikTok could be a national security threat

Republican Senator Tom Cotton and Senate Minority Leader Chuck Schumer have written to the Intelligence Community to request a national security investigation into social media video app TikTok.

Although TikTok has been paid particular attention in the request, the duo is asking that other China-based applications with a significant US presence are also given some consideration. The move could represent an expansion of the aggression towards China and strain trade talks between the two parties further.

“We write to express our concerns about TikTok, a short-form video application, and the national security risks posed by its growing use in the United States,” the pair said in the letter to Acting Director of National Intelligence Joseph Maguire.

“TikTok’s terms of service and privacy policies describe how it collects data from its users and their devices, including user content and communications, IP address, location-related data, device identifiers, cookies, metadata, and other sensitive personal information. While the company has stated that TikTok does not operate in China and stores US user data in the US, ByteDance is still required to adhere to the laws of China.”

The comments above pay homage to a Chinese law which requires Chinese companies to comply with requests from the Government and its intelligence agencies. While the law also states Chinese companies can refuse the request if it contradicts the domestic laws of the country in which the company operates, it is clear the US and others do not believe this clause holds much credibility or weight.

After being launched in 2017 by ByteDance, TikTok has proven to be a very successful addition to the social media scene. The app boasts more than 110 million downloads in the US alone and became the world’s most downloaded app on Apple’s App Store in the first half of 2018.

While this is the first time politicians have waded into the waters, there has been criticism of TikTok from other avenues. US think tank Peterson Institute for International Economics described TikTok as a ‘Huawei-sized problem’, posing a national security threat to ‘the West’. The thinking here seems to be that the app collects location and biometric data and is unable to deny requests from the Chinese Government.

TikTok has proven to be an immense success in its short life, though the attention from security agencies in the US is an ominous sign. Alongside the shadow of doubt which will be cast on the app in the eyes of US citizens, it is not unfeasible for some sort of restrictions to be placed on the business.

Study suggests it’s quite easy to hack smart speakers

German security research consultancy Security Research Labs has dropped a security bomb on Amazon and Google, questioning the competence of security features and reviews.

As with all these revelations, the vulnerabilities were shared with the two companies prior to being made public. The hacks which have been discussed this week have now been addressed by Amazon and Google, though it does demonstrate the awareness consumers need to acquire should these devices maintain their presence in the living room.

“Alexa and Google Home are powerful, and often useful, listening devices in private environments,” the firm said in a blog entry.

“The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.”

Although there is no such thing as 100% secure anymore, the competency of Amazon and Google has been called into question here. Vulnerabilities are nothing new in the digital economy, though the simplicity of some of these hacks is a little bit embarrassing for the internet economy’s poster boys.

The first hack is quite remarkable in the sense it is so simple. Security Research Labs created an application using the normal means and even submitted the application for review by the Amazon and Google security teams. Once the application had been green lit, the team went back in and changed the functionality, which did not prompt a second review from either of the review teams.

In this example, Security Research Labs created a fake error message to replace the welcome message to make the user think the application had not started properly, for example ‘this application is not available in this country’. After forcing the speaker to remain silent for an extended period of time, another message is introduced requesting permission for a security update. During this second message, the user is prompted to change his/her password, which is then captured and sent back to Security Research Labs.

It is often said the simplest ideas are usually the best, and this is the same in the hacking world. Phishing is one of the most simplistic means to hack an individual’s account via email, and this approach from Security Research Labs is effectively a phishing campaign translated to the voice user interface.

Amazon or Google would of course never ask a user for their password in this manner, but we suspect there are many users who would simply go with the flow. According to a Symantec security report, 71.4% of targeted attacks involved the use of spear-phishing emails so the approach clearly works. And now it can be applied to the voice interface.

While losing your password is a worry, the second hack unveiled by Security Research Labs is a bit more nefarious.

Once again, the applications designed for the smart speakers are altered after the review from the security teams at Amazon and Google; this time, however, the change concerns when the speakers actually stop listening to the user. By introducing a second ‘intent’ which is linked to a command for the smart speaker to halt all functionality, the session can be extended.

In short, the device continues to listen and record its surroundings, before sending the data back to the attacker. This is obviously a very simplistic explanation; for more detail we would suggest the Security Research Labs blog.

Both of these examples are remarkably simple to introduce as the security review function of both Amazon and Google looked to be nothing more than a box-ticking exercise. Changes are seemingly ignored once the application has been passed the first time, offering a lot of freedom to the hacker. Both Amazon and Google will now have introduced new processes to block such attacks and improve the security review system, though it does appear to be a massive oversight.

Aside from the inadequacies shown here by Amazon and Google, Security Research Labs is perhaps demonstrating one of the biggest dangers of the digital economy: a lack of awareness by the general public. Most people download apps without checking the security credentials or reputation of the developer, and the same assumption could be made for the growing ecosystem for smart speakers.

Trump’s blocking techniques finally start to trouble Huawei

President Donald Trump has seemingly been on a mission to cripple the prospects of Huawei and it seems one of the haymakers has finally landed.

If the quest to undermine the carrier business group through influencing allied nations towards bans is failing, the entry onto the Entity List to scupper plans in the consumer unit now seems to be causing the desired level of discomfort. Speaking to the Financial Times this weekend, a Huawei executive confirmed the absence of Google’s Android and the various services is proving troublesome.

“After the entity list, we were able to figure out some of the alternative solutions,” said Joy Tan, VP of public affairs at Huawei’s US business. “The most challenging part is Google-managed services. We can continue to use the Android platform, since it is open-source, but we cannot use the services that help apps run on it.”

This was always going to be a challenge to circumnavigate, though it certainly took some time to bed in. Whether it is because Android is arguably the best operating system on the market, Google services are widely utilised or there is a strong feeling of trust towards Google, replicating or replacing these elements on the smartphones was a big ask.

Officials in the White House might have been frustrated, as despite efforts to tarnish the reputation of the Chinese firm, sales continued to grow. For the first nine months of the year, Huawei sales grew 24% year-on-year, an increase from the last earnings statement, which suggested growth was 23% year-on-year for the first two quarters. However, this revelation will spur on some confidence in the Trump vendetta.

Google has proven to be the stumbling point for Huawei. Much to the horror of US suppliers, the firm has largely managed to replace US components in its supply chain, and it has even started producing 5G base stations completely void of US parts, though the smartphone business has borne the brunt of the damage.

In launching its own operating system, which is based on the Android open-source code, the building blocks of an OS are there, but many would have suspected it was little more than a pale imitation. Firstly, Huawei would have to bridge the trust question which lurks at the back of the mind of many Western customers, and secondly, it would have to prove it could match the standards of Android. Let’s not forget, Android currently accounts for roughly 76% market share in the OS segment.

This is the toughest part of the equation. Huawei has pushed huge amounts of cash towards creating a developer ecosystem, but the number of applications simply is not going to be able to meet what Android offers. Secondly, time is not a friend here. Tan highlighted that the Google Maps product is difficult to replicate, but unfortunately there is no quick fix here.

The Google Maps product is market leading because of years of investment, billions of man-hours of tweaking and a colossal amount of data which has been fed into the machine to improve accuracy and performance. There is no substitute for time here and it is one of the reasons few can dream of competing with Google in this segment.

Unfortunately for Huawei, this is a monumental blow to the attractiveness and performance of its smartphone devices. Android and the Google services are trusted by billions around the world and, in some cases, are the best on the market. We’ve already seen what happens when some smartphone OEMs attempt to produce their own OS; it very rarely works out for the better.

This is not the end for Huawei as a business, or as a smartphone manufacturer. It still has a domestic market which boasts roughly a sixth of the world’s population and China’s influence on the global stage should hold strong in some markets. But in the Western markets, the very ones which have underpinned success for the smartphone business, which has in turn fuelled growth across Huawei during the last few years, it does not look good.

Samsung Galaxy S10 has a flaw that allows the fingerprint reader to be hacked

Following the discovery by a UK user that any fingerprint could unlock their phone, Samsung has announced it will issue a software patch.

The flaw was first made public earlier this week when Lisa Neilson from Castleford told the Sun newspaper about her discovery that she could unlock her Samsung Galaxy S10 with any finger, including her husband’s. It seems that the hack became possible when she put a screen protector on, as the fingerprint reader in the S10 is embedded in the screen.

It looks like the reader was reading some kind of pattern on the screen protector rather than the finger pressing on it. Samsung rather unhelpfully responded that people should only buy Samsung-branded stuff, conveniently overlooking the fact that Samsung UK doesn’t even seem to sell screen protectors anyway.

There is also no advice offered on the problem anywhere on the Samsung UK site that we could see, but multiple media are reporting the following statement from Samsung: “We are investigating this issue and will be deploying a software patch soon.”

If it takes more than a software patch then Samsung would have to do yet another expensive product recall. For the ultrasonic fingerprint sensor to be hacked by something as simple as a screen protector is pretty embarrassing for Samsung. Furthermore, if it doesn’t provide a definitive answer to this issue very quickly then public trust in the security of its latest phones will start to erode rapidly.

Europe’s security vision undermined by lack of compulsory requirements

For the most part, companies have to be forced to take security seriously, but perhaps these changes are on the horizon in Europe at least.

Cybersecurity is a topic of conversation which is never too far away, though you have to question the substance behind the statements. Security and privacy are always top priorities for a company if you listen to the CEO, though the fact that security breaches still persist undermines these bold claims.

To be fair to the companies involved, this is a fast-paced and ever evolving aspect of the technology landscape. Is there such thing as 100% secure? No. Can the companies do more to protect their customers? Yes.

This is where the European Commission plays a critical role in developments. Speaking at Broadband World Forum in Amsterdam, Julie Ruff, Directorate for Digital Society, Trust & Cybersecurity, outlined the challenges, as well as the ways and means to combat these threats, and the telcos will be central to these efforts.

“First of all, they are obvious targets for cyber-attacks [the networks], very attractive targets,” said Ruff.

“The networks can be used as vectors for attack.”

The network is the lynchpin for tomorrow’s economy, the backbone of the virtual world. It’s the digital superhighway which connects anything, everything and everyone. The network owners need to lead from the front, but they are not the only character in this nefarious saga.

As part of the latest iteration of the Cyber Act, the European Commission has introduced a certification framework for ICT digital products, services and processes. This framework will provide a comprehensive set of rules, technical requirements, standards and procedures to ensure consumers and businesses are protected from the dangers lurking in the dark corners of the world wide web.

This is all well and good, but here is the major problem: the certification process is currently voluntary.

At the largest companies, resources can be redirected towards such initiatives to ensure the demands and nuances of the framework are being adequately met. However, this is not going to be the biggest problem the digital economy will face. The start-ups and SMEs, those who can easily find other means to spend valuable and limited funds, will not voluntarily direct investment towards cost-centres and away from profit-builders.

However, with more risks being realised further afield in the ecosystem, a comprehensive approach to security is needed everywhere and anywhere. As Ruff pointed out during her presentation, the interconnected nature of the digital economy means that cybercriminals can infiltrate networks through weak points in the chain.

This is where the European Commission needs to move forward to ensure the certification framework is compulsory not voluntary. It might come as a financial burden to the start-ups, but it is the only way to most effectively mitigate risk. The investments being made by multi-nationals and telcos could be completely undermined by a rogue device connected to the network.

For the digital economy to be anywhere near ‘safe’, connected devices, whatever they may be, need to be secure out of the box and providers need to ensure timely and regular security updates. Unfortunately, this perfect scenario can only be achieved through effective regulation and a compulsory certification framework.

A good vision has been outlined by the European Commission, but this needs to be backed up by effective and compulsory regulation.

Germany isn’t banning Huawei from its 5G network, but Sweden still could

The German government will not prevent any networking vendor from being used in the country’s 5G network but the Swedes may not be so accommodating.

The German news comes courtesy of Reuters, which attended a press conference in which the government announced the results of its security review. “We are not taking a pre-emptive decision to ban any actor, or any company,” German government spokesman Steffen Seibert is quoted as saying.

As the biggest European economy and effective leader of the European Union, Germany’s decision has a symbolic significance beyond just going against the wishes of the US. Germany and the EU are effectively declaring their independence from the US on geopolitical matters and asserting their desire to make decisions based solely on their own interests.

Opinion is still divided across the broader bloc, however, with Swedish publication SVT reporting on a proposed new law that will allow Huawei and other Chinese vendors to be blocked from the country’s 5G network. The law seems to only be at the proposal stage right now, and all manner of conflicting political interests will be brought to bear on it, but if it goes through, the matter of China and 5G could end up being a major schism within the European Union.