Pacemaker Panic

The FDA recently released an emergency notice recalling several implantable pacemakers due to recently discovered cyber security vulnerabilities. According to the FDA, devices manufactured by Abbott (formerly St. Jude Medical) could be compromised by hackers with exploits that would allow a third party to affect the speed of the device or deplete its batteries. Fortunately, a simple firmware update will protect patients from any outside interference.

Frequency Failure

According to the FDA, hackers could take advantage of radio-frequency-enabled pacemakers to compromise the device’s authentication algorithm. Under the right circumstances, bypassing the device’s authentication key and time stamp would allow a nearby attacker to send “unauthorized commands” to the pacemaker via RF communications. Additionally, because the number of “RF wake-up” commands is not limited by these specific pacemakers, a third party could repeatedly send commands to the device to drain its battery life. Both the Accent and Anthem pacemakers could also potentially reveal patient information to unauthorized parties.

As of yet, there are no reports of any real-world infiltrations, and both the FDA and the Department of Homeland Security confirmed the exploit code is “not publicly available.” The Department of Homeland Security warns potential hackers would need to be physically near their intended target. Additionally, the Department of Health promises only “an attacker with high skill would be able to exploit these vulnerabilities.” Nevertheless, the potential for real harm exists, especially because the flaw in the device’s software would allow a third party to slow or stop the device. Even though the possibility of injury or death remains remote, influencing the speed or power on a pacemaker could result in life-threatening injury, thus spurring the FDA’s recall action.
“These vulnerabilities, if exploited, could allow an unauthorized user (i.e., someone other than the patient’s physician)...

Trojan Apps

Google has eliminated 300 apps from its online store after discovering a secret plugin silently installed across several Android devices. The seemingly innocuous apps were all secretly outfitted with the WireX botnet. WireX commandeers vulnerable Android phones and tablets, using the gadgets to kick off a DDoS attack. While Google does not yet have an official account of just how many devices currently host the WireX botnet, Chad Seaman, a senior engineer at Akamai, a cyber security firm, estimates the number could reach 70,000 or more. “I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to 160,000 (unique Internet addresses) involved in the attack,” said Seaman.

Silent, but Deadly

The initial WireX outbreak occurred on August 17th, when several Content Delivery Networks (CDNs) reported similar DDoS attacks. A search for the source eventually landed at the doorstep of Google’s Play Store, prompting the tech firm to pull hundreds of affected applications from its store and initiate procedures to remove the malware from infected devices. “We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” a Google spokesperson said. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”

The apps chosen to host the plugin provided genuine services, like ringtones and video players, but included hidden malware designed to commandeer the device for potential DDoS attacks. Once powered on, any infected phone or tablet mainly served as a soldier in a broader DDoS army – all unbeknownst to the user. While the apps themselves operated as promised, the malware surreptitiously connected to an internet server run by the WireX...

Game of Hacks

On Monday, HBO confirmed hackers breached the company’s servers and stole an unconfirmed amount of the company’s data including scripts, unreleased television episodes and much more. The incident is already being compared to the 2014 Sony hack, when approximately 26 gigabytes of data, including inflammatory emails and employee data, were released online. Though some of the network’s content has been leaked in the past – two years ago, stolen DVDs containing the first four episodes of Game of Thrones season five were leaked online – this is the first time HBO has experienced a cyber-attack of this scope.

“HBO recently experienced a cyber-incident, which resulted in the compromise of proprietary information,” the company said in a statement. “We immediately began investigating the incident and are working with law enforcement and outside cyber security firms. Data protection is a top priority at HBO, and we take our responsibility seriously to protect the data we hold.”

While the total size of the data stolen has not yet been confirmed, the hackers claim they’ve accessed up to 1.5 terabytes of data. Experts believe the stolen information could include sensitive financial information and even employee records. Already leaks of some HBO content are appearing online, including upcoming episodes of Ballers and Room 104, as well as the alleged script for the fourth episode of Game of Thrones. In an email sent to reporters on Sunday night, the hacker group confirmed they planned to leak more of the information in the coming days, writing: “Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. It’s HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread...

Ransomware Rundown

Though some experts predicted the final payoff would hit one billion dollars, Friday’s ransomware attack – believed to be one of the largest ever perpetrated – ended with a fizzle over the weekend with the hackers barely pulling in $26,000 before being temporarily stopped in their tracks by an anonymous cyber security expert. Summarizing the situation Monday morning, Jan Op Gen Oorth, senior spokesman for Europol, told the AFP, “The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success.” “It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”

A Simple Fix

According to Gizmodo, the damage was mitigated, in part, due to the quick action of an “anonymous 26-year-old security researcher” named MalwareTech, who managed to temporarily slow the spread of the ransomware attack late Friday. After discovering that the domain name associated with the ransomware, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, was available for purchase for just $10.69, MalwareTech bought the domain and halted the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freak out until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

According to Matthieu Suiche, founder of cybersecurity firm Comae Technologies, MalwareTech’s registration of the domain stopped the malware from spreading throughout the US. “The kill switch is why the U.S. hasn’t been touched so far,” he told the New York Times on Saturday. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

A Global Attack

The flurry of ransomware attacks shut down several...

Beast of Burden (Mar 26)

What can Disney’s Beauty and the Beast teach us about smart homes and the impact of the Internet-of-Things on network security? At first glance, there doesn’t seem to be much of a connection between network security and a fairy tale about an enchanted castle, but a closer look reveals a surprising synergy. In a (mostly) tongue-in-cheek write-up for Wired, Anna Vlastis argues that Disney’s live-action remake of one of their most celebrated films is nothing short of “a cautionary tale about the smart home.”

Charmed Into Complacency

It’s one thing to watch an animated teapot sing, quite another to see a live actor slip into its CGI rendering. As Vlastis points out, using humans to represent enchanted appliances makes the film “feel less like a workplace sitcom and more like dystopian novel.” Vlastis goes on to warn that consumers shouldn’t be fooled by the novelty of a “Stanley Tucci-voiced harpsichord.” These enlivened utensils hide a more sinister motive beyond entertaining musical numbers. Their anthropomorphism lulls us into complacency, allowing us to forget just what they are capable of.

While Vlastis plays this insight for laughs, she makes a valid point. Our smart homes are vulnerable precisely because we underestimate the capabilities of our wired toasters and internet-enabled lightbulbs. In the wrong hands, these devices provide an easy entryway for hackers and ne’er-do-wells. “Over the last few years, we’ve been connecting anything and everything we can to the internet under the guise of simplicity,” writes Lifehacker’s Thorin Klosowski. “Security with IoT devices is so bad that when we hear about a hacked IoT device, we generally release a large collective shrug. This isn’t a huge deal yet, but it’s going to be.” “We’ve brought this stupid future on ourselves.”

Surveillance through Passive Consent

With...