Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday August 20th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes Dinah Davis, vice-president of research and development at managed service provider Arctic Wolf will be here to discuss some of the news from the past seven days. But first the highlights:
American cellular provider T-Mobile has admitted that someone recently copied data on almost 48 million current, former or prospective customers. Most were people who had applied for credit with the carrier, but the stolen data included their names, dates of birth, Social Security numbers and driver’s license numbers. This is one incident Dinah and I will talk about.
UPDATE: After this podcast was recorded T-Mobile added more information about the hack. The total number of victims has increased, as has some of the data stolen.
Initially the carrier said information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, social security numbers and driver’s license/ID information, was compromised. It has since identified an additional 667,000 accounts of former T-Mobile customers that were accessed, with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
The carrier also initially said that information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. T-Mobile now says phone numbers, as well as IMEI and IMSI information — which are the typical identifier numbers associated with a mobile phone — were also compromised. Additionally, it has identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
BlackBerry warned software developers and manufacturers using its QNX operating system that some older versions of its development platform as well as special versions of the OS have a vulnerability that has to be patched immediately. QNX is a real-time embedded operating system used in a wide range of industrial systems including medical ventilators, medical robots, train controls, cars, and factory automation systems. How many devices are affected isn’t known.
The SynAck ransomware group has rebranded itself as El_Cometa. According to one news site the low-profile group apparently wants to be bigger, because it plans to launch a ransomware-as-a-service platform to draw partners and spread its malware. Chuck Everette, director of cybersecurity advocacy at Deep Instinct, told me this week that ransomware groups often re-brand themselves if they start getting bad publicity after attacking sensitive things like hospitals and oil pipelines.
Speaking of oil pipelines, Colonial Pipeline in the U.S. has started alerting some 5,800 current and former employees that their personal information was stolen during the ransomware attack in May.
A vulnerability has been found in a software development kit, or SDK, from a company called ThroughTek. Manufacturers use the platform because it has a protocol for wirelessly connecting products to a mobile app. Possible devices that could be hacked include certain models of baby monitors, wireless video cameras and digital video recorders.
Another vulnerability was found in a software development kit that goes with some chipsets made by Realtek. These chipsets and SDKs might be in certain models of internet gateways, Wi-Fi equipment and even toys that have been sold for years. Dinah and I will have a few words to say about SDKs.
Finally, in another one of those ‘oopsy’ moments, someone left open on the internet a terrorist watch list created by U.S. authorities. A security researcher found it. We don’t know if anyone else did.
(The following is an edited transcript. To hear the full talk play the podcast.)
Howard: Hi Dinah. I thought today we’d talk about the T-Mobile data breach, two incidents involving software development kits and the Blackberry QNX alert.
Let’s start first with Blackberry. For those who don’t know, QNX is a secure operating system that is embedded in devices. It can be found in everything from car entertainment systems to aircraft cockpit displays to running nuclear reactors. In this case, Blackberry found a vulnerability in its software development platform and two specialized versions of QNX, one called QNX Safety for applications that demand extra safety certification and QNX for medical devices. You used to work for BlackBerry. Do you have a little bit of a familiarity with the QNX operating system?
Dinah: A little bit. I worked on the handheld side, but I was at the company when we purchased them. It’s a strong system … And you know, BlackBerry’s a company that is quite focused on security. I know when I was there, we had three pillars and one of those pillars was always security. So this Blackberry story is a little surprising because they usually come out on top in the security conversations.
Howard: One of the things that’s controversial is the allegation on the news site Politico that U.S. cyber authorities believe QNX was vulnerable to the same memory overflow bug that was found a number of months ago by Microsoft. And the claim is Blackberry didn’t want to publicly acknowledge this. I tried to get hold of Blackberry to talk about this and the alert that they had issued, but they would only refer me to their press release.
Dinah: These decisions can be hard for companies. Did Blackberry make the right decision in holding on to this information? I don’t know. I’m always a little bit more towards disclosure, but there might’ve been good reasons not to. Maybe they were worried about hackers taking advantage [of news of the vulnerability]. I can only speculate. There’s something going on here and it would seem that maybe they should have disclosed sooner when everyone else was disclosing about the same kind of bug that Microsoft had found.
Howard: The other thing that I found interesting about this news was that it raises the issue of the ability of companies to patch embedded operating systems. Some manufacturers have internet-connected toys, surveillance cameras, drones, baby monitors, and they’ll use free operating systems in these devices to cut costs. And a number of them don’t care if the software can’t be patched. I would assume that companies that have to pay for the Blackberry QNX would have capabilities built into their systems so that they can be updated. Can you talk a bit about the difficulty of updating systems that run on the operational technology [OT] side, which is where QNX would be used?
Dinah: Anytime you’re using an underlying system for your product, you’re going to be beholden to it. We all use some type of operating system, whether it’s iOS, MacOS or Windows. And anytime there’s a vulnerability in one of those things, we’re all beholden to that. The key is a lot of these operating systems will ensure that they have an update mechanism. So, similarly, when Microsoft licenses their [Windows] operating system to Dell or Lenovo or other companies they still have mechanisms to update because it’s software running on hardware. The tricky part comes when it’s software running in the background. It’s not like a user can go and choose to do an upgrade.
So manufacturers have to make sure that they’re also allowing for updates to occur. In some cases you need to make sure that you’ve implemented the APIs and the calls that will allow for those updates. And one would hope that anyone using QNX has done that, because it’s usually bought by people who are building substantial things like medical devices. If they haven’t and they overlooked that, then there are going to be devices out there that are going to have issues.
Howard: And it’s up to the IT department to make sure that devices that are bought by various departments [can be updated]. If a hospital’s medical staff are buying scanners and other technical devices that have operating systems, the IT department has to make sure that they have their finger on the pulse of the products so that when they hear that there are updates available they find time to make sure that the devices are patched.
There was related news in some ways about the two major software development kit vulnerabilities that were described this week. Can you tell us, first of all, what’s a software development kit?
Dinah: A software development kit, or you will hear us call it an SDK, is a set of tools, libraries, documentation and code samples that allow for the creation of software applications on a specific platform. So a really great analogy to an SDK in the physical world is Lego. Lego is like a development kit. You get all kinds of blocks and pieces, and you can do anything with them. You can build a castle. But if one of the bricks has a hidden door in it, anyone can get in. That brick is like a software vulnerability.
Howard: As I understand it, if there’s a vulnerability in the kit and you’re creating code or using libraries from the kit that go into the application, you just carry the vulnerabilities from the kit into the application.
The other thing, is sometimes the actual software development kit is embedded within the application.
Howard: So tell us about these two vulnerabilities that emerged this week.
Dinah: The first one’s with the Realtek SDK. Realtek makes chipsets that vendors buy to build into their electronics, which come with an SDK to implement the functionality that’s available on the chipset. Realtek chips are used in hundreds of thousands of devices from at least 65 different vendors. Security researchers found a vulnerability that allows unauthenticated attackers to gain access to the target device, and then execute arbitrary code with the highest level of privilege — basically as root or admin. The researchers found four CVEs with a [seriousness] score above eight out of 10. … Some vendors had done penetration tests and actually found these issues in the overall product, fixed it in their usage of the SDK, but didn’t notify Realtek about it — which is really irresponsible in my opinion.
If you find something that’s part of an issue in an SDK you should really be pushing that up to the original creator. It is hard to know how many of these hundreds of thousands of devices are affected by these particular issues. I would say there’s a high probability that most of them are.
The other one is a little scarier to me. There’s a company named ThroughTek. They make IoT devices for cloud surveillance. They have an SDK called the Kalay platform to connect devices to the internet. Just like Realtek they provide a chipset that manufacturers can put into webcams and audio listening devices. The particular vulnerability that was found has a seriousness score of 9.6. This could enable adversaries to remotely compromise the victims’ IoT devices to listen to audio, watch real-time video and even remotely control those devices. So this is a pretty bad one.
Howard: And the point I think we want to make is: do the manufacturers have a way of updating their internet-connected products so that when an application developer finds an [SDK] problem it can be fixed? From what a lot of experts tell me, this is a really big problem, especially with consumer devices: A lot of manufacturers don’t care or don’t have the capability. That’s one problem. The other problem is of course, many buyers of devices don’t check with the manufacturer’s website to see if there are patches available.
Dinah: There’s no reason manufacturers can’t make updates automatic. I think it’s actually their responsibility to ensure they do that.
Howard: And of course, the problem for both homes and businesses is that if an attacker can get in through an internet-connected device, it’s not merely that they can hack the device; they can use that to get into your computer system and therefore read your email, destroy documents, steal documents.
The final thing I thought we should look at was the T-Mobile hack. T-Mobile is a big wireless carrier in the U.S. and acknowledged that someone got into their system and copied personal information of about 47 million current or former customers, or customers who had actually applied for service. According to something that the attackers posted on the web, T-Mobile left some sort of access to that data open. We don’t know what it was, whether it was a database or databases that weren’t password-protected or whether it was a weak website.
Dinah: What we’re hearing is that it wasn’t anything like a zero-day vulnerability. Apparently it was a mistake on T-Mobile’s part.
Howard: Certainly the point was the hackers were able to find it and exploit it. There were a couple of things that I found very notable about this: First was T-Mobile admitted that it only found out about the data theft when it was told that someone was making claims on an online forum that the company had been hacked. So for all of T-Mobile’s [cyber] defenses it didn’t detect this. The second thing was some of the data that was stolen included names, dates of birth and social insurance numbers, all of which will help crooks create phony ID. And the names, phone numbers, and account PIN numbers of approximately 850,000 active T-Mobile prepaid customers were also exposed. Now T-Mobile has reset all of those PIN numbers as a precaution, but if they didn’t act fast enough, you could get access to those people’s cell phones, and if you can get access to the cell phone, you may be able to get into their email and from there into their corporate account. The final little tidbit from this is, this is the sixth data breach at T-Mobile in four years. That’s just not a shining number for a company.
Dinah: They’re clearly not taking things as seriously as they could. You know, everybody’s going to get breached at some point. So you can’t blame somebody for getting breached at some point, but this seems not right.