Increasingly, law enforcement agencies and lawmakers are asking smartphone developers like Apple and Google to create backdoors into the encryptions that protect user data. But even without them, investigators can access your data.
Wired recently reported that cryptographers at John Hopkins University used publicly available documentation from Apple and Google to study the hardness of the Android and iOS encryptions. Lead researcher and cryptographer Matthew Green found that smartphone operating systems aren’t extending encryptions as far as he originally assumed. Vulnerabilities that allow access to decryption keys, which open access to additional data, are more than often found when a phone is unlocked for the first time after rebooting.
Apple states that these types of attacks are very costly to develop and aren’t typical type of security work they focus on to protect personal information from hackers, thieves, and criminals. Security layers could be deeper, but Apple’s goal is to balance security with user experience and convenience.
Google states that these types of attacks on Android would require physical access and the just the right type of exploitable flaws. Both companies work to patch flaws on a regular basis, but it’s exactly this type of vulnerability that governments and law enforcement can easily use by purchasing smartphone access tools.
A recent report from the nonprofit Upturn found nearly 50,000 cases where 44 police departments had extracted data from phones, but researchers assume the true total could be much higher. These tools are also being bought to be used in other settings, like US schools.
“This study shows that — even if your information is encrypted — so long as someone has physical access to a device, there still could be ways to access the encryption keys using system vulnerabilities,” commented Avast Security Evangelist Luis Corrons. “In order to minimize risk, and make sure your device is protected against all known vulnerabilities, it is an absolute must to have your system (iOS or Android) updated to the last version.”
Ransomware still affecting Scottish Environment Agency
Since Christmas eve, the Scottish Environment Protection Agency (SEPA) has lost 1.2GB of data stolen in a ransomware attack. Even though SEPA’s internal systems, contact center, and internal communications have all been affected, the agency is still able to provide flood forecasting and warning services. SEPA’s ongoing attack has been confirmed as “likely to be by international serious and organized cybercrime groups intent on disrupting public services and extorting public funds.” ZDNet reports that an investigation into the incident is still ongoing.
How the SolarWinds attack opened a Microsoft 365 cloud breach
Last month’s supply chain attack on Microsoft, Cisco, FireEye, and network management company SolarWinds effectively disabled vital levels of security controls needed to identify and stop the attack. These types of attacks are particularly dangerous because the attacker can pose as anyone in the organization and bypass primary security controls. SC Media describes further details about the four separate techniques hackers used and summarizes recommendations for companies to defend against these types of attacks.
Trump’s parting cyber-interference order
Two days before the inauguration, President Trump signed an executive order aimed to prevent the use of cloud computing platforms for malicious cyber interference against the US. The order directs the Commerce Department to create rules that require cloud service providers to lD and take action against foreign entities suspected of using the services for malicious cyber-enabled activities. CNET reports the order came two weeks after a sophisticated malware campaign attacked an email system used by senior leadership at the Treasury Department. Several US intelligence agencies attribute the massive breach to Russia, while Trump suggested instead that China is to blame for the attack.
Vaccine supply chains are being sped-up by the latest tech
The incoming Biden administration has pledged to administer 100 Million doses in the next three months, but vaccine delivery is nothing like ordering socks and candy bars — and it certainly isn’t easy. Depending on conditions, as soon as the vaccine leaves its freezer containers a dose can last about a month to only a few hours. Planning for demand across many locations, schedules, re-schedules and two separate visits is no small feat. Computational analytics — like those used in meteorology, manufacturing or air traffic — are the only way to understand the entire system. But accelerating distribution of the vaccine doesn’t stop with analyzing big data. Machine learning is being used to predict shortages and blockchains are preventing counterfeit attempts. Mobile apps are helping with contract-tracing and AI is forecasting early signs of supply disruption. Read more at ZDNet.
Exams week’s ‘must-read’ on The Avast Blog
Ever wondered what your Fitbit knows about you? While many users realize that their Fitbit gives them a lot of information about their bodies, they may not be aware of the data that it collects on them. In the first installment of our What Does the Internet Know About Me? series, we break down the exchange of data that users sign up for when making use of their Fitbit.