Security Weekly 27

Security Weekly 27: Researchers Found a Bug in Dolls With Built-in Bluetooth, Uber Revealed a Loss of Client Data, Hackers Are Capable of Sinking a Ship

When nobody is watching, the toys come to life and start making mischief. Pixar would never take on such a cartoon, but reality turned out to be less picky. The British consumer protection organization Which? tested several interactive toys from well-known brands and found nearly the same problem in almost all of them. A savvy intruder can easily break in and use them to eavesdrop on what is happening in the family, talk to the child on behalf of its colorful friend, or even try to get into the home network.

  • This time, Furby Connect, I-Que Intelligent Robot, CloudPets, Toy-fi Teddy and a number of other models were put to the test. Their manufacturers seem to have forgotten that Bluetooth works within a radius of about 10 m: if a parent can connect to a toy robot through an unprotected application, what stops an attacker standing on the street behind the wall from downloading the same application and sending his own greetings?

The possibilities, by the way, are not limited to bullying a toy. If the house has a voice-controlled system, for example, a vulnerable robot left near its microphone can place an Amazon order under the direction of an attacker. And with a rig that can drive around the streets scanning the district for unprotected toys in an active state, exploitation of the bug can be put on a conveyor belt. In general, there are plenty of possibilities.

  • Nevertheless, toy manufacturers, at least those who commented on this story at all, did not find the problem worthy of attention. The effort of breaking into the toys, they say, is not worth the information you could get from it. The answer is so feeble that one does not even want to dissect it.

It took only a few decades of pressure from parents and an outraged public for eminent manufacturers to stop producing toys with lead paint or small parts that irrepressible curiosity prompts a child to shove into a nostril or an ear. But they are clearly not yet ripe for protecting the Bluetooth connection, even with a password or the toy's serial number.

Uber Revealed a Loss of Client Data

This week we learned that a year ago Uber lost a huge database of customer names, phone numbers and email addresses. It turned out that, for the sake of optimization, this data was stored not just anywhere but on GitHub and Amazon S3. As a result, attackers stole data on 57 million users, including 600 thousand driving licenses. According to Uber, more important user data, such as credit card numbers and dates of birth, remained intact because it was stored in the company's own infrastructure.

  • In the end, Uber paid the thieves $100,000 to destroy the data. However, no one can guarantee that the information was actually deleted rather than sold on to someone else.

Of course, the amount is considerable, but on the other hand, had the European data protection regulation (GDPR) already been in force, Uber would have faced a fine of a couple of million. Foreign analysts tend to blame the leak on imperfect laws that do not punish companies for stinginess and sloppiness in organizing data storage. That is true, of course, but punitive measures alone cannot fix the situation; what is needed is a systematic approach to protecting cloud data.

Hackers Are Capable of Sinking a Ship

Specialists at Pen Test Partners came up with a truly creative way to sink a ship using hacking skills. Hacking into a ship's navigation system and smashing it against the rocks is difficult: that part is reliably protected. But the exchange of messages between the port and the ships, especially concerning the distribution of cargo, is far from as safe. As a rule, intruders are interested primarily in the instructions for moving containers around the port: by altering them, you can send the goods along a different route, in other words, steal them. But if you intercept the BAPLIE EDIFACT messages used to create plans for loading and placing cargo in the ship's hold, you open up an exciting game of 3D Tetris with real cargo...

  • Just for mischief, you can mix up the labels of all the cargo so that loading and unloading take many days instead of a few hours. Even this alone would cost the carrier losses in the millions.

And if you are overcome by bloodlust, you can change the center of gravity and weight of the largest cargo so that it is placed not in the hold, as intended, but on the deck. In some ports, control weighing is carried out before loading, but not in all. Since cargo is lifted by cranes, not people, the deception has every chance of going undetected. As a result, the ship may well capsize.

A transport ship sunk at the exit from the port is unlikely to cause human casualties, but it would certainly cost a pretty penny both for the port itself and for all the trucks that cannot reach their destination.
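The control weighing mentioned above is the natural place to catch a tampered stowage plan. As an added example (not code from the article or from Pen Test Partners), the script below parses a constructed, heavily simplified BAPLIE-style EDIFACT fragment and flags containers whose declared weight disagrees with an independent scale reading; the segment layout (LOC+147 for the cell, EQD for the container, MEA+WT for the weight) and the tolerance are assumptions for illustration.

```python
# Constructed, simplified BAPLIE-style fragment (NOT a real message; a real
# BAPLIE carries many more segments). EDIFACT syntax: segments end with "'",
# data elements are split on "+", components on ":".
SAMPLE_PLAN = (
    "UNH+1+BAPLIE:D:95B:UN:SMDG20'"
    "LOC+147+0180482'"              # stowage cell (assumed qualifier 147)
    "EQD+CN+MSCU1234565+45G1'"      # container id (constructed)
    "MEA+WT++KGM:24000'"            # declared gross weight in kg
    "LOC+147+0180484'"
    "EQD+CN+TGHU7654321+45G1'"
    "MEA+WT++KGM:18500'"            # declared far below the scale reading
    "UNT+8+1'"
)

# Constructed control-weighing records from the port scale, in kg.
VERIFIED_GROSS_MASS = {"MSCU1234565": 24050, "TGHU7654321": 31200}


def parse_plan(msg):
    """Return {container_id: {"cell": ..., "declared_kg": ...}} from the fragment."""
    entries, cell, current = {}, None, None
    for seg in filter(None, msg.split("'")):
        el = seg.split("+")
        tag = el[0]
        if tag == "LOC" and el[1] == "147":
            cell = el[2]
        elif tag == "EQD":
            current = el[2]
            entries[current] = {"cell": cell, "declared_kg": None}
        elif tag == "MEA" and el[1] == "WT" and current:
            unit, value = el[3].split(":")
            # Normalise tonnes to kg so the comparison below is unit-safe.
            kg = float(value) if unit == "KGM" else float(value) * 1000
            entries[current]["declared_kg"] = kg
    return entries


def find_mismatches(entries, verified, tolerance=0.05):
    """Flag containers whose declared weight deviates from the scale by > tolerance,
    plus any container with no scale record or no declared weight at all."""
    bad = []
    for cid, e in entries.items():
        actual = verified.get(cid)
        if actual is None or e["declared_kg"] is None:
            bad.append((cid, "no verified mass" if actual is None else "no declared weight"))
        elif abs(e["declared_kg"] - actual) > tolerance * actual:
            bad.append((cid, f"declared {e['declared_kg']:.0f} kg vs verified {actual} kg"))
    return bad
```

Run against the sample, only TGHU7654321 is reported; a plan that clears this check should still be cross-checked against the terminal's own container list, since the example only covers weights.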