Expert Speak

Security Flaws in Smartphone Chip Could Have Led Hackers to Eavesdrop on Android Users
Check Point Research (CPR) identified security flaws in the smartphone chip made by Taiwanese manufacturer MediaTek. Found in 37% of the world’s smartphones, MediaTek’s chip serves as the main processor for nearly every notable Android device, including Xiaomi, Oppo, Realme, Vivo, and more. The security flaws were found inside the chip’s audio processor. Left unpatched, the vulnerabilities could have enabled a hacker to eavesdrop on an Android user and/or hide malicious code.

Background
MediaTek chips contain a special AI processing unit (APU) and an audio digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom microprocessor architectures, making the MediaTek DSP a unique and challenging target for security research. CPR grew curious about the degree to which the MediaTek DSP could be used as an attack vector by threat actors. For the first time, CPR was able to reverse engineer the MediaTek audio processor, revealing several security flaws.

Attack Methodology
To exploit the security vulnerabilities, a threat actor’s order of operations, in theory, would be:

  • A user installs a malicious app from the Play Store and launches it
  • The app uses the MediaTek API to attack a library that has permissions to talk with the audio driver
  • The app with system privilege sends crafted messages to the audio driver to execute code in the firmware of the audio processor
  • The app steals the audio flow
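
The third step above, crafted messages to the audio driver that end up executing code in the audio processor’s firmware, is the step a firmware-side mitigation has to address. The page does not describe the specific defects behind the three CVEs, so what follows is an added illustration and not MediaTek’s or Check Point’s code: a hypothetical DSP command handler with an assumed wire layout (2-byte opcode, 2-byte length, payload), an assumed opcode and an assumed 32-byte parameter buffer. It shows the checks that must run before a single byte of a message is copied: an opcode allow-list, the declared length against the destination buffer, and the declared length against the bytes actually received.

```c
/* Added example, not MediaTek code: a defensive command handler for a
 * hypothetical audio-DSP message interface. The wire layout, the opcode
 * and the buffer size are assumptions made for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSG_HDR_LEN      4        /* opcode (2 bytes LE) + len (2 bytes LE) */
#define MSG_MAX_PAYLOAD  32       /* capacity of the DSP-side parameter buffer */
#define OP_SET_PARAM     0x0001   /* hypothetical opcode: store payload as a parameter */

enum msg_status {
    MSG_OK = 0,
    MSG_ERR_SHORT,      /* fewer bytes than a header */
    MSG_ERR_BAD_OPCODE, /* opcode is not on the allow-list */
    MSG_ERR_TOO_LONG,   /* declared len exceeds the destination buffer */
    MSG_ERR_TRUNCATED   /* declared len exceeds the bytes actually received */
};

typedef struct {
    uint8_t  param[MSG_MAX_PAYLOAD];
    size_t   param_len;
    unsigned rejected;  /* counter the firmware can report back to the host */
} dsp_state_t;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Validate a raw message before any copy happens. Skipping the two length
 * checks is what lets an attacker-chosen len read or write past a buffer. */
enum msg_status validate_msg(const uint8_t *raw, size_t raw_len)
{
    if (raw == NULL || raw_len < MSG_HDR_LEN)
        return MSG_ERR_SHORT;
    uint16_t opcode = rd16le(raw);
    uint16_t len    = rd16le(raw + 2);
    if (opcode != OP_SET_PARAM)
        return MSG_ERR_BAD_OPCODE;
    if (len > MSG_MAX_PAYLOAD)               /* destination bound */
        return MSG_ERR_TOO_LONG;
    if ((size_t)len > raw_len - MSG_HDR_LEN) /* source bound */
        return MSG_ERR_TRUNCATED;
    return MSG_OK;
}

/* Hardened handler: copy only after validation, and only the checked length. */
enum msg_status handle_msg(dsp_state_t *st, const uint8_t *raw, size_t raw_len)
{
    enum msg_status s = validate_msg(raw, raw_len);
    if (s != MSG_OK) {
        st->rejected++;
        return s;
    }
    uint16_t len = rd16le(raw + 2);
    memcpy(st->param, raw + MSG_HDR_LEN, len);
    st->param_len = len;
    return MSG_OK;
}

/* Constructed sample messages (not captured from any real device). */
static const uint8_t SAMPLE_VALID[]     = {0x01,0x00, 0x04,0x00, 0xde,0xad,0xbe,0xef};
static const uint8_t SAMPLE_TOO_LONG[]  = {0x01,0x00, 0x40,0x00, 0xde,0xad,0xbe,0xef}; /* len 64 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x01,0x00, 0x10,0x00, 0xde,0xad,0xbe,0xef}; /* len 16, 4 sent */
static const uint8_t SAMPLE_BAD_OP[]    = {0x7f,0x00, 0x04,0x00, 0xde,0xad,0xbe,0xef};
static const uint8_t SAMPLE_SHORT[]     = {0x01,0x00};

/* Run one message through a fresh state and report the outcome. */
enum msg_status process_sample(const uint8_t *raw, size_t raw_len)
{
    dsp_state_t st;
    memset(&st, 0, sizeof st);
    return handle_msg(&st, raw, raw_len);
}

/* Number of payload bytes a fresh state accepted from the message (0 if rejected). */
size_t sample_accepted_len(const uint8_t *raw, size_t raw_len)
{
    dsp_state_t st;
    memset(&st, 0, sizeof st);
    handle_msg(&st, raw, raw_len);
    return st.param_len;
}

int main(void)
{
    static const char *names[] = {"ok", "short", "bad opcode", "too long", "truncated"};
    printf("valid     -> %s, %zu bytes accepted\n",
           names[process_sample(SAMPLE_VALID, sizeof SAMPLE_VALID)],
           sample_accepted_len(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("too long  -> %s\n", names[process_sample(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG)]);
    printf("truncated -> %s\n", names[process_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)]);
    printf("bad op    -> %s\n", names[process_sample(SAMPLE_BAD_OP, sizeof SAMPLE_BAD_OP)]);
    printf("short     -> %s\n", names[process_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT)]);
    return 0;
}
```

Both length checks are needed: the destination check stops a write past the parameter buffer, and the source check stops the handler from reading whatever lies beyond the bytes the host actually delivered. The reject counter gives the firmware something to report to the host, so a burst of malformed commands from one client is visible rather than silently dropped.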

Responsible Disclosure
CPR responsibly disclosed its findings to MediaTek, resulting in the following CVEs: CVE-2021-0661, CVE-2021-0662, CVE-2021-0663. These three vulnerabilities were subsequently fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin. CPR also informed Xiaomi of its findings.

Slava Makkaveev, Security Researcher at Check Point Software, said, “MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application. Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign. Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. In summary, we proved out a completely new attack vector that could have abused the Android API. Our message to the Android community is to update their devices to the latest security patch in order to be protected. MediaTek worked diligently with us to ensure these security issues were fixed in a timely manner, and we are grateful for their cooperation and spirit for a more secure world.”

Tiger Hsu, Product Security Officer at MediaTek, said, “Device security is a critical component and priority of all MediaTek platforms. Regarding the Audio DSP vulnerability disclosed by Check Point Software, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store. We appreciate the collaboration with the Check Point research team to make the MediaTek product ecosystem more secure.”

Cyber Security

Measuring and Mitigating Cyber Risk

Written by Saket Modi, Co-Founder and CEO at Safe Security

As businesses continue to invest in digital transformation and base their business models on technology, cyber threats only become more imminent. Cyber risk is no longer an IT problem but a boardroom concern. Because cyberattacks disrupt business continuity, they have a direct impact on the top and bottom line of an organization’s balance sheet. This makes cybersecurity one of the top priorities of every organization.

Challenges with the traditional cybersecurity approach
The evolving breach trends confirm that complying with frameworks alone can no longer holistically safeguard organizations. Frameworks such as ISO, NIST, PCI DSS, and others are used as reference checklists for cybersecurity and risk management practices; however, they provide limited visibility. Cybersecurity must be aligned with each organization’s threats and mission-critical business needs, supported by products that deliver holistic and actionable insights.

The framework-based approach to risk-posture assessment is subjective, labor-intensive, and only offers point-in-time snapshots. It relies on a qualitative scale without any objective, quantitative measure of the security posture of an organization.

Similarly, Security Rating Services represent an independent source of publicly accessible data that supports some use cases. However, these services don’t provide a complete assessment of security controls, as their information is primarily sourced from publicly accessible internet IP addresses, honeypots, analysis of Deep and Dark web content, and individual proprietary data warehouses.

A new approach to cybersecurity
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators, and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.

This is where Cyber Risk Quantification becomes a game-changer. There is a need for a solution that integrates with the entire security stack and gives a measurable analysis that supplements decision-making. This comprehensive information empowers CISOs and executives to make informed and timely data-backed decisions to ensure the cybersecurity of the organization.

Continuous Assessment of Cyber Security is the need of the hour
Compliance and government guidelines mandate the move to go beyond periodic assessments and into continuous monitoring of sensitive and critical information. In such situations, a CISO may often be unable to quantify the maturity of the Information Security measures deployed in the organization. Continuous Assessment of cybersecurity risk posture lets an organization prioritize the key focus areas across their Critical Assets and most vulnerable technology, third parties, or employees. This ensures that adequate measures towards holistic Cyber Security maturity are adopted throughout the organization.

Objectivity and simplicity should be at the core of a cybersecurity strategy
Cybersecurity posture cannot be represented by lengthy reports anymore. It needs to become objective and help decision-makers across the organization truly understand the risk posture and the financial value of the risk that the organization faces. It also needs to be free from IT jargon so that the boardroom has a clearer view of the risk posture, thereby facilitating data-driven and informed decisions. Executives can get overwhelmed with excruciating details from multiple tools or people. Instead, they can rely on all the data collected from these sources being converted into a simple yet comprehensive risk metric that they can track and build trust in.

Benefits of Cyber Risk Quantification
With quantified cybersecurity risk management practices, organizations have:

  1. A unified cybersecurity strategy: Cybersecurity that is presently siloed gains a single-pane-of-glass view for security leaders to make quicker, data-driven decisions.
  2. An objective metric of communication: The potential financial impact of a cyber attack converts its risks into a direct business threat. It becomes a simple and effective means to communicate risks to all internal and external stakeholders.
  3. Real-time visibility: Dynamic visibility of what is going well and what needs improvement is enabled by a real-time cohesive output – breach likelihood across people, process, technology, and third parties.

Cyber Security

Top 10 Bad Cybersecurity Habits to Shed in 2022

Written by Phil Muncaster, guest writer at ESET

The new year is a new opportunity to rewire your digital life. An increasingly important part of this is cybersecurity. In fact, 2021 is already shaping up to have been one of the most prolific years yet for cybercriminals. Almost 19 billion records were exposed in the first half of the year alone. Better security should mean you’re more insulated from the risk of identity fraud and financial loss. The cost of these scams reached a record $56bn in 2020, with most of this coming online. Although the organizations you interact with have a duty, and often a legal responsibility, to keep your data protected, it’s important to do your bit.

If you’re still feeling reluctant to find new ways to protect your digital world, consider this: a third of US identity crime victims have claimed they didn’t have enough money to buy food or pay for utilities last year as a result of fraud, according to the U.S. Identity Theft Resource Center.

Be alert, be proactive and break these 10 bad habits to improve your cyber-hygiene in 2022:

Using outdated software
Vulnerabilities in operating systems, browsers, and other software on your PCs and devices are one of the top ways cyber-criminals can attack. The problem is that more of these bugs were discovered in 2020 than any year previously: over 18,100. That amounts to more than 50 new software vulnerabilities per day. The good news is that by switching on automatic update functionality and clicking through to update when prompted, this task needn’t intrude too much on day-to-day life.

Poor password hygiene
Passwords represent the keys to our digital front door. Unfortunately, as we have so many to remember these days – around 100 on average – we tend to use them insecurely. Using the same password for multiple accounts and easy-to-guess credentials gives hackers a massive advantage. They have software to crack weak encryption, try commonly-used variants and attempt to use breached passwords across other accounts (known as credential stuffing). Instead, use a password manager to remember and recall strong, unique passwords or passphrases. And switch on two-factor authentication (2FA) on any account that offers it.

Using public Wi-Fi
We’re all getting out-and-about more these days. And that brings with it a temptation to use public Wi-Fi. But there are risks. Hackers can use the same networks to eavesdrop on your internet usage, access your accounts and steal your identity. To stay safe, try to avoid these public hotspots altogether. If you must use them, don’t log in to any important accounts while connected.

Not thinking before clicking
Phishing is one of the most prolific cyber threats out there. It uses a technique known as social engineering, where the attacker tries to trick their victim into clicking on a malicious link or opening a malware-laden attachment. They take advantage of our hard-wired credulity and often try to force rapid decision-making by lending the message a sense of urgency. The number one rule to thwart these attacks is to think before you click. Double-check with the person or company sending the email to make sure it is legitimate. Take a breath. Don’t be pressured into taking over-hasty action.

Not using security on all devices
It goes without saying that in an era of prolific cyber-threats, you should have anti-malware protection from a reputable provider on all of your PCs and laptops. But how many of us extend the same security to our mobile and tablet devices? Research suggests we spend nearly 5,000 hours each year using these gadgets, and there are plenty of opportunities to come across malicious apps and websites in that time. Protect your devices today.

Using non-secure websites
HTTPS sites use encryption to protect the traffic going from your web browser to the site in question. It has two purposes: to authenticate that website as genuine and not a phishing or fraudulent web property; and to ensure cybercriminals can’t eavesdrop on your communications to steal passwords and financial information. It’s not a 100% guarantee nothing bad will happen as even many phishing sites use HTTPS these days. But it’s a good start. Always look for the padlock symbol.

Sharing work and personal lives
Many of us have spent a large part of the past two years merging a once clearly defined line between our work and our personal lives. As the line has become more blurred, cyber risk has crept in. Consider the use of work emails and passwords to register on consumer shopping and other sites. What if those sites are breached? Now hackers may be able to hijack your corporate account. Using unprotected personal devices for work also adds extra risk. Keeping business and pleasure discrete is worth the extra effort.

Giving out details over the phone
Just as email and SMS-based phishing use social engineering techniques to trick users into clicking, so voice phishing, also called vishing, is an increasingly popular way to elicit personal and financial info from victims. The scammers often disguise their real number to add legitimacy to the attack. The best rule of thumb is not to hand out any sensitive info over the phone. Ask who they are and where they’re calling from and then ring the company directly to check – not using any phone numbers provided by the caller.

Not backing up
Ransomware is costing businesses hundreds of millions annually. So it’s sometimes easy to forget that there are still variants lying in wait for consumers. Imagine if you were suddenly locked out of your home PC. All the data on it, and potentially cloud storage, could be lost forever – including family photos and important work documents. Regular backups, according to the 3-2-1 best practice rule, provide peace of mind in case the worst happens.

Not protecting the smart home
Nearly a third of European houses are fitted out with smart gadgets like voice assistants, smart TVs, and security cameras. But by fitting them with connectivity and intelligence, these devices also become a more attractive target for criminals. They can be hijacked and turned into botnets to launch attacks on others, or used as a gateway to the rest of your devices and data. To keep them secure, change default passwords on start-up. Also, be sure to choose a vendor who has a track record of fixing known vulnerabilities in their products and research potential security flaws before purchasing a gadget.

Expert Speak

The Six Tech Trends Affecting the Security Sector in 2022

By Ettiene van der Watt, Regional Director – Middle East & Africa at Axis Communications

The first month of any year is characterised by many articles listing the technology trends that will shape industry sectors over the next one. But over the years, one can see a pattern develop, a roadmap that reveals the sentiments and technologies we should be prioritising.

In this case, the keyword is ‘trust’, which is an interesting one. The 2021 Edelman Trust Barometer shows that among online survey respondents in 28 countries, trust in the technology sector is declining globally, along with concerns about climate change, job losses, and cyberattacks. These are all worries that are valid for the global security and surveillance sector.

In the pursuit of realising a smarter, safer, and more sustainable world built on the back of a trustworthy and reliable ecosystem of innovation, these are the technologies and insights that will continue to transform security in 2022 and beyond.

A post-pandemic world
The impact of the COVID-19 pandemic continues to be felt in multiple ways. We see its physical manifestation in the challenges to supply chains, with global manufacturing brought to a near standstill and companies having to re-evaluate where and how they source key components and equipment for their respective products and services. We also see it in deployed technology – how intelligent solutions in video and monitoring are used to enforce social distancing and implement public health strategies.

A global shortage of semiconductors has also seen companies explore in-house manufacturing and the potential of systems on a chip (SoC) for relevant sectors. While this may be a very specific trend, combined with the substantial shifts caused by the pandemic, more businesses will consider SoCs for their security solutions going forward.

Embracing a sustainable future
Sustainability is no longer just a trend, nor should it be deemed as such. With a global focus and push towards environmentally friendly principles and practices, exemplified by initiatives such as the UN Sustainable Development Goals towards industry, human settlements, and consumption and production, a business must exhibit sustainability in its offerings and examine new possibilities through a sustainable lens.

Companies must pay closer attention to their processes from end to end. They need to scrutinise their products and services in terms of sustainability factors, such as power efficiency, building materials, and ethical deployments. These discussions are already taking place at events like Expo 2020, where the conversations have taken on a more forward-thinking position, and real progress is being made for long-term impact. More conversations like this need to be had, and it’s up to companies to facilitate them.

Healthy scepticism equals effective cybersecurity
We don’t always think of scepticism as a positive trait, but in relation to cybersecurity it can be a prudent one. In a highly connected world with an increasing number of interconnected systems, comprehensive security strategies must ensure that if one area is compromised, the rest of the system won’t collapse.

A trend that’s emerged from taking a sceptical eye towards technology is zero trust networks. Built on the fundamental assumption that no device or entity connected to a network can be trusted, the deployment of these architectural setups is likely to accelerate and become the default approach. In turn, this will dramatically impact video surveillance in the form of encryption, identification, and hardware and software maintenance. COVID-19 has also played a role in forming this approach, as remote working solutions call for more connected devices in a wider context.

This high-impact technology conference at Expo 2020 further unpacks cybersecurity as the cornerstone of trust.

5G is connecting the world
What is commonly used as a buzzword for the next era of internet connectivity is starting to see real-world applications. With 5G networks projected to cover one-third of the world’s population by 2025, this technology is starting to make its way into the security and network video surveillance sectors, hinting at it being more than just a trend.

A specific 5G-related trend that is likely to grow in leaps and bounds is the deployment of private 5G networks – wireless networks that use 5G-enabled technology and dedicated bandwidth to serve as a closed solution for a company. They are faster than public networks, more reliable, and offer an ideal situation for specific industries. These networks also present security benefits that, when applied to the sector, could potentially streamline and improve solutions of varying size. This specific manifestation of technology is one to watch out for.

Artificial intelligence, formalised
No trends piece for the next decade would be complete without mentioning artificial intelligence (AI). In the case of security and surveillance, this ranges from image quality and analytics to camera configuration and performance. By taking a simple process and applying AI to it, you optimise that process to its full potential.

With more widespread use comes the need for regulation, specifically for the applications of AI. The solution is legislation on multiple levels of governance, ensuring AI is being used ethically and without bias. With a common agreement on local, regional, and international levels, we will be able to lay the foundation for the next industrial revolution and the growth of other technological trends, most notably smart cities.

Increased authentication measures
With the question of trust and increased scrutiny in cybersecurity, authenticity is becoming the next big hurdle in the age of data manipulation. This is valid for both hardware networks and video surveillance itself. How can you trust surveillance when you assign no value to its authenticity?

Deepfake technology is a growing threat. With improved methods of manipulating and altering images and videos, the authenticity of captured real-world events and people is compromised. This is not a problem exclusive to the security sector, but it is one that requires comprehensive solutions to overcome, such as applying digital signatures and verifying the source of data to specific hardware. The application of AI also shows promise in being able to detect when manipulation has occurred. Regardless, this is a challenge that multiple sectors have to contend with and work harder to combat.

All these trends factor into the need for businesses and other entities to rethink their security solutions for 2022 and beyond. With a focused and driven approach and by embracing the technology of the future, today’s challenges can be met head-on.


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.