Vulnerabilities have been discovered in Samsung’s IoT software. A robotics supplier’s poor security exposed 10 years of sensitive data from automotive and other manufacturers. And Graham Cluley explains why Twitter won’t let you call yourself ‘Elon Musk’.
Welcome to Cyber Security Today. It’s Monday July 30th, and I’m filling in for Howard Solomon, who will be back on Wednesday. You can hear today’s episode below.
Cisco’s Talos blog is reporting that multiple vulnerabilities were discovered in Samsung’s SmartThings hub, a central controller that monitors and manages IoT devices such as smart locks, smart plugs, LED light bulbs, thermostats, and cameras. According to the researchers, these vulnerabilities could have allowed an attacker to execute operating system commands on affected devices – a worrisome proposition, given the sensitive information they often gather and protect. In accordance with Cisco policy, the company’s researchers have worked with Samsung to resolve the vulnerabilities and issue a firmware update to affected customers.
The sloppy security of robotics supplier Level One Robotics recently left 10 years of sensitive data from more than 100 manufacturing companies, including Chrysler, Ford, GM, Tesla, Toyota, and Volkswagen, available for anyone to access. The 157 gigabytes of exposed data included assembly line schematics, factory floor plans, robotic configurations, ID badge request forms, VPN access request forms, and, ironically enough, non-disclosure agreements. A fair bit of Level One’s own business and employee information was leaked too, including scans of driver’s licenses and passports, invoices, contracts, and bank account details. According to the UpGuard researchers who discovered the data, the information was exposed through rsync, a common backup tool. Naturally, Level One closed the security hole after being warned by UpGuard, but there’s no telling how long the information was available.
Finally, there’s a good reason Twitter will block your account if your display name is Elon Musk. As HotForSecurity’s Graham Cluley explains, scammers have been creating Twitter profiles that pose as the tech billionaire in an attempt to defraud users. The scam works like this: The real Elon Musk posts a message to his 22 million Twitter followers; some of them reply; some of them receive responses from the genuine article. But many also receive responses from a fake Elon Musk profile, using his avatar, who steers the conversation to a suspicious website where users are told Tesla is giving away 5000 bitcoins, worth more than $30 million USD. All you have to do is send the scammers between 0.1 and 5 bitcoins and you’ll get between one and 50 bitcoins back. As Cluley puts it, it’s almost inevitable that some of those 22 million followers have fallen for the scheme. So now, if you give your name as Elon Musk, Twitter will automatically lock down your account until you can verify that your name is, indeed, Elon Musk. And not that Elon Musk.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. Howard Solomon will return on Wednesday.