Reported, by Canadian publication La Presse: Remote access and encryption of laptops, smartphones and tablets during a raid on the offices of Uber Montreal. (Links in French, because Quebec – link to a Google translation to English here.) Québécois tax authorities visiting two separate locations on May 14 of this year found that the devices they were attempting to access and copy were being remotely rebooted even as the raid took place, and rendered unreadable through encryption. As the article notes, “Technically, data that have been encrypted are not altered, but modified to make it unreadable without a password.” So there, Monsieur Taxman!
Android Issues, Part One: Fun With Your Accelerometer Data
Tracked, by researchers from Nanjing University: Travellers on commuter trains, using only motion sensor data swiped from their Android phones. Since Android doesn’t protect accelerometer data, this allowed the team to uniquely identify and trace the movements of up to 92 percent of the test subjects, and could be used as a malware attack vector which would be especially efficient in cities like New York and Tokyo where most of the population uses mass transit. (We also like the forthright title of their research paper: We Can Track You If You Take the Metro.)
Android Issues, Part Two: Reset…Doesn’t.
Tested and found wanting, by scientists at the University of Cambridge: the default data-wiping system built into Android devices. Access to theoretically-deleted content – including Google and Facebook tokens and data like text messages, videos and photos – can be gained due to a flawed factory reset procedure that leaves an estimated half a billion devices open to exploitation. (Note that tests were performed on Android releases from 4.3 back through 2.1 – current versions, however, are presumed to be similarly vulnerable.)
NON-Android Issue, Just to Switch Things Up
Discovered, by reddit user aus10_t8um: A text message which crashes iPhones upon receipt. The issue is discussed in detail over at the Register – the short version is that Apple’s CoreText display library and Unicode occasionally get athwart each other’s hawse. In this instance, this has been finessed to create a text message of doom. Entirely doable, since Unicode is kind of insane. (Great, but insane.)
Ironic Certificate Expiration Issues, Number 1,247 in a Series
This week’s object lesson: The website of the UK’s Courts and Tribunals Judiciary, which threw visitors a “This Connection Is Untrusted” message as of May 27th due to an expired SSL certificate. Although corrected pretty quickly, any visitors just wanting to catch up on the swearing-in of the new Lord Chancellor might be nonplussed to read “this error could mean that someone is tampering with your connection.”
Once again, we find there’s so much more than we can fit into one week’s roundup – nothing about this week’s crop of router exploits, no mention of how easy it is to tease data out of your Fitbit – but we’ll be back next Friday with more. As always, please let us know your take on these issues, and remember what SSL.com truly believes – a safer internet is a better internet.