
Why ‘free’ Wi-Fi isn’t really free

How much would you ‘pay’ for ‘free’ Wi-Fi?

Would you give away your birthday? Your travel details? Your home address? Your phone number?

Well, a couple of weeks ago, a security researcher in the UK was looking around online, as you do…

…when he came across yet another company that had joined the 100 million club.

That’s the name we jokingly coined back in 2013, when Adobe infamously suffered a breach that exposed 150,000,000 encrypted password records in one go. (We hoped we were making a joke at the time, though we quickly realised we weren’t.)

Despite the encryption, which Adobe hadn’t gone about in the right way (the passwords were encrypted with a block cipher in ECB mode rather than salted and hashed, so identical passwords produced identical ciphertext), a significant minority of the passwords in the list could be figured out. Adobe had also stored the password hints in plaintext, and lots of users had simply repeated their passwords in the hint field, absurd as that sounds.

Big breach society

Back then, we rather naively assumed that membership of this notional “100 million club” would remain thankfully rare.

But the low cost and ready availability of cloud storage has, sadly, made it easier than ever for just about anyone to leak just about as many records as they care to share.

And that’s what seemed to have happened in the case that Jeremiah Fowler of Security Discovery stumbled upon in mid-February 2020.

Although the data, 146 million records’ worth of it, didn’t include deeply sensitive details such as passwords (or even password hashes), payment card details or financial transactions, Fowler could see what looked like travel details in there.

He quickly tracked the source back through domain names in the data to a company that turns out to operate ‘free’ Wi-Fi hotspots, including at a number of train stations in England.

The company reacted quickly to Fowler’s report by sealing off the data it had accidentally exposed in the cloud, though it didn’t tell Fowler it had done so, leaving him to worry that his report wouldn’t get looked at until the following week.

So, why would anyone want to worry about 146,000,000 database entries relating to free Wi-Fi users connecting to a free Wi-Fi service?

The problem is, of course, that – in the UK at least – ‘free’ Wi-Fi seems to divide into two categories.

There’s ‘free if you come into the coffee shop and buy something, here’s the password, help yourself, no need to register, and why not try the carrot cake while you’re about it, you will like it more than you think‘ (true).

And there’s the ‘free in return for a bunch of personal data that will help us market to you in a way that makes your retail/station/airport experience so much more enjoyable‘ (not-so-true).

The problem with the second sort of ‘free’ Wi-Fi is that the company that’s giving you the ‘free’ service can only really make money out of it – by which we mean that they can only make you pay for it – if they keep track of who you are and what you do when you connect.

That’s why Fowler found all sorts of scammer-friendly information logged in the records of the database he came across, including names, email addresses, age ranges and device data of users of the service.

As Fowler remarks:

In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.

So, just how much personal data should you give away in return for a ‘free’ service such as Wi-Fi?

In an era of affordable mobile data – especially in the UK, where pay-as-you-go SIM cards are cheap and can be bought without much fuss at just about any supermarket checkout – do you even need free-as-in-paid-for-indirectly Wi-Fi at all?

What to do?

Here’s an idea: sit down one evening, decide how much your various items of personal data are worth to you, and then stick to your valuation whenever you hit an online sign-up page.

For example, in our opinion, your age in general and your birthday in particular – still treated as a factor of identification by many organisations – are worth too much to hand over in return for free Wi-Fi, even though they are data points many Wi-Fi services seem to want.

If a company demands data that you think is worth more to them than you are getting in return, our advice is simple: “Stay away.”

After all, if they don’t value your data as highly as you do, there’s not much incentive for them to look after your data with the zeal you might expect.

Incidentally, it seems that in this case, the Wi-Fi provider did offer a “don’t want to give you that data” option during sign-up, and that would have been the wise choice.

Remember: you don’t have to fill in optional fields in web signup forms, and life is a lot simpler if you routinely leave them blank.

After all, if you don’t hand over data in the first place, there’s no way the company at the other end can ever lose it in a data breach.

Digital piggy bank service broken into by cybercrooks

Saving money, at least in modest amounts, used to be a very simple business.

The easiest approach – many of us still do it, even in this online age – is the coin jar (or piggy bank, if you’re really old-school).

Instead of frittering away your small change on daily inconsequentials, you dump unused coins in the big glass jar in the corner of the living room, and just before it’s too heavy to pick up and move altogether…

…you drag it down to the bank and are often pleasantly surprised by how much money has accumulated in there.

But that’s a very 1990s approach! Why not put your money into a digital piggy bank, instead?

And, better yet, why not choose a piggy bank that deliberately starts out in debt?

It sounds bizarre – you essentially take out a loan you can’t touch, and clock up your “savings” by paying it off.

At the end of the period – a year, say – you’ve paid off the loan, so you not only get access to your loan capital as your “savings”, but also have a year’s worth of loan repayments that boost your credit rating.

By deliberately racking up debt to save against, your savings end up acting both as credit and as credit history.

That’s the business model of UK company Loqbox, which says it keeps the service free due to the affiliate fees it gets from the banks into which its customers release their funds after paying off a loan:

After making monthly payments for a year, your loan is repaid and you leave LOQBOX with an improved credit score and your money back into a new account for free.

[…]

We get paid by our partner banks for opening a new account for you, which is how we keep LOQBOX free. But if you’d prefer, you can opt for our Flexi Unlock premium add-on and unlock into an existing account for £30.

So far, so good…

…except that there’s a lot riding on you being able to keep up your “savings” payments for the period of the loan.

If you raid the coin jar every now and then (we’ve all done it – it’s part of the game!), the worst that can happen is you end up with nothing saved, or you take longer to fill the jar than you hoped.

But even though you can take an early exit from debt-based savings systems like Loqbox’s, and get back what you’ve put in so far, you won’t then have finished the loan process in full, and, as the company warns, unlocking early could harm your credit history.

And you can’t just skip payments at will, in the same way that you can go a few weeks without putting coins in the jar, because that really would harm your credit history.

In other words, as well as keeping up your side of the repayments, and taking care of your online account, you’d better hope nothing bad happens to your account data at the other end.

Crooks in the piggy bank

Unfortunately, according to customer tweets and news reports, Loqbox has just suffered a data breach that exposed enough personal data to make most affected customers uncomfortable, apparently including names, email addresses, phone numbers, postal addresses and dates of birth.

Additionally, partial bank account and card number details were stolen, too.

UK IT publication The Register claims that this “external attack” got at bank account sort codes plus two digits of the account number, as well as credit card expiry dates plus 10 digits’ worth of the card number.

Fortunately, those numbers don’t identify customers’ accounts or cards precisely enough to let them be abused directly.

Sort codes generally identify the bank and a branch, which crooks could guess at from your home address anyway; UK bank account numbers are usually eight digits long; and credit cards typically have 16 digits.

Also, the 10 card digits stolen apparently include the parts of the number that are often disclosed or can be figured out anyway, namely:

  • The first six digits, which identify the financial provider. These digits make up what’s called the BIN, short for Bank Identification Number. A glance at your credit card’s colour or design is often enough to figure out those numbers anyway.
  • The last four digits, which are routinely printed on receipts or sent in unencrypted emails. These act as a semi-public reference that makes it easy for you to see which card you used for which transaction. (Strictly speaking, only the final digit is a check digit: it’s computed from all the others using the Luhn algorithm, so it adds no secrecy at all.)

In short, the breach sounds bad, but not that bad.
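To put a number on “not that bad”: a 16-digit card number with the first six and last four digits known has six unknown digits, so 1,000,000 raw possibilities, and because the final digit is the Luhn check digit only one in ten of those is internally consistent, leaving 100,000 candidates that a crook would have to test one at a time against a live authorisation system. The code below is an added example written for this article, not anything from Loqbox, The Register or the breach data; the card template is a constructed number (the well-known 4242… test pattern), not one from the breach.

```python
from itertools import product

def luhn_weight(digit, doubled):
    """Contribution of one digit to the Luhn sum. Doubled positions map
    0..9 to 0,2,4,6,8,1,3,5,7,9, which is still a bijection on 0..9."""
    if not doubled:
        return digit
    d = digit * 2
    return d - 9 if d > 9 else d

def luhn_valid(pan):
    """Luhn check: every second digit from the right is doubled; the sum must be 0 mod 10."""
    digits = [int(c) for c in pan]
    total = sum(luhn_weight(d, r % 2 == 1) for r, d in enumerate(reversed(digits)))
    return total % 10 == 0

def luhn_completions(template):
    """Yield every Luhn-valid card number matching `template`, where '?' marks an
    unknown digit (for example BIN and last four known, six middle digits missing).
    All unknowns but one are enumerated; the remaining one is solved directly, because
    both digit maps are bijections, so exactly one value fits each choice of the others."""
    length = len(template)
    unknown = [i for i, c in enumerate(template) if c == "?"]
    if not unknown:
        if luhn_valid(template):
            yield template
        return
    free, solve_pos = unknown[:-1], unknown[-1]

    def doubled(pos):  # doubled positions are counted from the right-hand end
        return (length - 1 - pos) % 2 == 1

    base = [0 if c == "?" else int(c) for c in template]
    for choice in product(range(10), repeat=len(free)):
        digits = base[:]
        for pos, d in zip(free, choice):
            digits[pos] = d
        partial = sum(luhn_weight(d, doubled(i)) for i, d in enumerate(digits) if i != solve_pos)
        need = (-partial) % 10
        digits[solve_pos] = next(d for d in range(10) if luhn_weight(d, doubled(solve_pos)) == need)
        yield "".join(map(str, digits))

def count_completions(template):
    """How many distinct card numbers are consistent with the leaked fragment."""
    return sum(1 for _ in luhn_completions(template))

# Constructed template: BIN 424242 and last four 4242 known, six middle digits missing.
BREACH_TEMPLATE = "424242??????4242"

if __name__ == "__main__":
    print(count_completions(BREACH_TEMPLATE))  # 100000 candidates, not one card
```

The count is 10 to the power of (unknown digits minus one) whatever the template looks like, so knowing where the gaps are doesn’t change the arithmetic; what does change it is extra data such as the expiry date, which narrows nothing on its own but is exactly what a fraudster needs alongside a correct number, and that is the reason for tip #4 below.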

There’s no mention of passwords or password hashes being stolen, which almost certainly means that the crooks can’t use the breached data to wander into your Loqbox online account with ease, and there’s no mention of any transactional data or other credit history information being accessed.

What to do?

Loqbox doesn’t seem to have any information about the breach on its own website or blog, so we’re assuming that affected customers will hear by email.

Note that it doesn’t mean you are entirely off the hook if you haven’t yet heard from Loqbox – breach investigations can take quite some time to complete.

And even if you have heard from Loqbox already, the company may need to contact you again as its investigation continues. You can probably see where this is going: a customer who is expecting an email from Loqbox is exactly the customer a phishing email pretending to come from Loqbox will work on.

Our tips are therefore:

  1. Keep a closer eye than usual on your statements. Simply put, if you see something, say something. (But note #2.)
  2. Watch out for emails or calls that know more about you than you might expect. Even without full details of your bank account or payment card, crooks with data from this breach will be in a much more believable position to scam you into thinking they are legitimate. (And see #3.)
  3. Never contact Loqbox or any other financial provider using information from an email or a call. Get out your original paperwork (or turn your payment card over) and use contact details from there – that way, you won’t get tricked into talking to an imposter.
  4. Speak to your card provider about getting a new number. If your card provider thinks there’s now a risk of fraud on your current card, they’ll probably issue you a new card and cancel the old one.
  5. Don’t pick passwords that crooks could guess from your customer data. The more crooks know about you, even if it’s just your birthday and where you live, the more clues they have to guess poorly-chosen passwords. In fact, don’t pick guessable passwords at all – use a password manager if you’re struggling to come up with good passwords yourself.

HOW TO PICK A PROPER PASSWORD

[Video]

Nvidia patches severe flaws affecting GeForce, Quadro, NVS and Tesla

Denial of service, local escalation of privilege and information disclosure are not security worries most computer users would associate with their graphics card or its drivers.

And yet fixes for precisely these issues are part of February’s Nvidia GPU display driver update. All of them are local flaws: an attacker who already has a foothold on a Windows or Linux PC, for example via malware running as an ordinary user, could use them to gain higher privileges, crash the system or read data they shouldn’t.

In all, the bulletin covers five CVEs, two in the desktop display driver and three in the vGPU software. One of the desktop flaws, CVE‑2020‑5957, is rated critical. It lies in the Windows GPU display driver control panel for the GeForce, Quadro, NVS and Tesla products, and can lead to a corrupted system file and from there to escalation of privileges or denial of service.

A second control panel flaw affecting the same products is CVE‑2020‑5958, which might allow the planting of a malicious DLL file with the same results as above along with information disclosure.

The Virtual GPU Manager gets three fixes addressing CVE‑2020‑5959, CVE‑2020‑5960, and CVE‑2020‑5961, with the first of these rated critical.

Nvidia is also readying separate updates for its enterprise products, namely the Virtual GPU Manager (various hypervisors), and vGPU graphics driver for guest OS (Windows and Linux), which is also affected by some of the above flaws.

Depending on the driver version affected, these will be available in the week of 9 March 2020, with updates during April promised for organizations using either version 10.0 or 10.1 for any of the above products.

These days, updating graphics drivers needs to be part of the standalone user’s patching cycle along with Microsoft’s Patch Tuesday and Intel’s regular CPU and platform patches, not forgetting browsers and individual products such as Adobe’s PDF Reader and various plugins.

Nvidia ships fixes for its products almost every month, with missed months made up for by two releases the following month.

Almost all include critical updates for severe vulnerabilities which could cause major problems if left unpatched.

November 2019’s update fixed 11 mostly severe flaws across its desktop products, while August 2019 saw a similar story.


Latest Naked Security podcast

Siri and Google Assistant hacked in new ultrasonic attack

Unsettling news for anyone who relies on smartphone voice assistants: researchers have demonstrated how these can be secretly activated to make phone calls, take photos, and even read back text messages without ever physically touching the device.

Dubbed SurfingAttack by a US-Chinese university team, this is no parlor trick and is based on the ability to remotely control voice assistants using inaudible ultrasonic waves.

Voice assistants – the demo targeted Siri, Google Assistant, and Bixby – are designed to respond when they detect the owner’s voice after noticing a trigger phrase such as ‘Ok, Google’.

Ultimately, commands are just sound waves, and other researchers have already shown that they can be delivered on ultrasonic carriers that humans can’t hear, provided the attacker has a line of sight to the device and the distance is short.

What SurfingAttack adds is the ability to send the ultrasonic commands through the solid glass or wood table on which the smartphone is sitting, using a circular piezoelectric disc attached to the table’s underside.

Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

As explained in a video showcasing the method, a remote laptop generates the voice commands with a text-to-speech (TTS) module and transmits them to the disc’s driver over Wi-Fi or Bluetooth.
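The reason a command carried on ultrasound can still reach the assistant is the mechanism DolphinAttack documented: the speech is amplitude-modulated onto an ultrasonic carrier, and the slight nonlinearity of the phone’s microphone and amplifier acts as a demodulator, recreating the audible baseband inside the phone even though nothing audible was ever in the air. The code below is an added illustration written for this article, not code from the SurfingAttack or DolphinAttack researchers; the sample rate, the 25 kHz carrier, the single 1 kHz “voice” tone, the square-law coefficient and the path gain are all assumed values chosen so the arithmetic comes out exactly, and the microphone model is a deliberately simple one.

```python
import math

# Assumed parameters, chosen so every tone lands on an exact DFT bin (no spectral leakage).
FS = 192_000        # sample rate in Hz
N = 1_920           # 10 ms window -> 100 Hz bin spacing
F_CARRIER = 25_000  # ultrasonic carrier in Hz, above the roughly 20 kHz limit of hearing
F_VOICE = 1_000     # stand-in for one component of the spoken command, in Hz

def am_modulate(depth, f_carrier=F_CARRIER, f_voice=F_VOICE, n=N, fs=FS):
    """Amplitude-modulate the 'voice' tone onto the ultrasonic carrier.
    The result contains energy only at f_carrier and f_carrier +/- f_voice."""
    w_c, w_v = 2 * math.pi * f_carrier / fs, 2 * math.pi * f_voice / fs
    return [math.cos(w_c * i) * (1 + depth * math.cos(w_v * i)) for i in range(n)]

def microphone(samples, a2):
    """Toy microphone/amplifier front end: a linear term plus a small square-law term.
    The square term is what turns the inaudible sidebands back into baseband audio."""
    return [x + a2 * x * x for x in samples]

def tone_amplitude(samples, freq, fs=FS):
    """Amplitude of one frequency component (single-bin DFT), normalised so that a
    unit-amplitude cosine at `freq` gives 1.0."""
    n = len(samples)
    w = 2 * math.pi * freq / fs
    re = sum(x * math.cos(w * i) for i, x in enumerate(samples))
    im = sum(x * math.sin(w * i) for i, x in enumerate(samples))
    return 2 * math.hypot(re, im) / n

def demodulation_demo(depth=0.8, a2=0.2, path_gain=1.0):
    """Compare the audible (F_VOICE) content in the air with what the nonlinear
    microphone recovers. path_gain scales the amplitude that reaches the phone and
    stands in for attenuation by the table surface or a tablecloth."""
    in_air = [path_gain * x for x in am_modulate(depth)]
    in_phone = microphone(in_air, a2)
    return {
        "voice_in_air": tone_amplitude(in_air, F_VOICE),      # ~0: nothing audible is transmitted
        "carrier_in_air": tone_amplitude(in_air, F_CARRIER),  # the ultrasonic carrier itself
        "voice_in_phone": tone_amplitude(in_phone, F_VOICE),  # a2 * depth * path_gain**2
    }

if __name__ == "__main__":
    for gain in (1.0, 0.5):
        print("path gain", gain, demodulation_demo(path_gain=gain))
```

In this model the recovered command rides on the square term, so halving the amplitude that reaches the microphone cuts the demodulated audio to a quarter, which fits the researchers’ observation that the surface material, and a tablecloth in particular, makes such a difference to whether the attack works.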

The researchers tested the method on 17 different smartphone models from Apple, Google, Samsung, Motorola, Xiaomi and Huawei, successfully deploying SurfingAttack against 15 of them.

The researchers were able to activate the voice assistants, commanding them to unlock devices, take repeated selfies, make fraudulent calls and even get the phone to read out a user’s text messages, including SMS verification codes.

Responses were recorded using a concealed microphone after turning down the device’s volume so this communication would not be heard by a nearby user in an office setting.

DolphinAttack rides again

In theory, voice assistants should respond only to the owner’s voice, but voices can now be cloned using machine learning software such as Lyrebird, as was done in this test. The need to capture and clone the victim’s voice first is a defence of sorts.

A bigger obstacle might simply be the design of individual smartphones: the team believe the two that did not succumb to SurfingAttack, Huawei’s Mate 9 and Samsung’s Galaxy Note 10, resisted because the materials they are built from dampened the ultrasonic waves. According to the researchers, putting the smartphone on a tablecloth was better still.

SurfingAttack was inspired by the 2017 DolphinAttack proof-of-concept, which showed how voice assistants could be hijacked by ultrasonic commands.

Elsewhere, sound has also proved interesting to researchers looking to jump air gaps and exfiltrate data via computer fan noise.

While hacking voice assistants remains a lab activity with no known real-world attacks to speak of, there’s always a risk that could change. At some point, smartphone makers will surely have to come up with better countermeasures.



Let’s Encrypt issues one billionth free certificate

Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users.

Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These certificates are integral to the encryption used by HTTPS websites.

HTTPS is HTTP that uses the Transport Layer Security (TLS) protocol for privacy and authentication. Your browser uses it to be confident that you’re not visiting an evil website that’s impersonating your real destination using a DNS spoofing attack. It also encrypts the information passing between your browser and the web server so that someone who can snoop on your traffic still can’t tell what you’re doing.

Netscape created HTTPS in 1994, but in 2014 a minority of websites used it. That’s because it could be technically difficult to implement, it was time consuming and it cost money. There was too much friction. That’s what Let’s Encrypt set out to change.

The project is a non-profit effort from the Internet Security Research Group (ISRG), an organisation sponsored by a mixture of privacy advocates and those who benefit from making the online ecosystem healthier. The Electronic Frontier Foundation (EFF) is a sponsor, along with Cisco, Facebook, Google, the Internet Society (which houses the Internet Engineering Task Force or IETF), Mozilla, and French cloud service provider OVH.

The project issues free certificates, keeping them valid for 90 days before they must be renewed. It isn’t just the free nature of these certificates that has helped them flood the internet. The other key to the puzzle is automation. Let’s Encrypt created a protocol called Automatic Certificate Management Environment (ACME), a challenge-response system that automates enrolment with the certificate authority and validation of control over the domain: the CA hands the client a token, the client publishes a value derived from it (over HTTP or in DNS), and the CA checks that the value is there before it issues.

Version two of ACME became a proposed internet standard, RFC 8555, in March 2019 (did we mention that the IETF’s parent organization is a sponsor?), giving it more credence still. There are various ACME clients, and some are packaged directly in mainstream Linux server distributions, with plugins for Apache and nginx that handle the whole process, from answering the challenge through to installing and renewing the certificate.
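The challenge-response exchange in miniature, as an added example written for this article rather than code from Let’s Encrypt or any ACME client: both sides derive the same “key authorization” from the CA’s token and a thumbprint of the account’s public key, the client publishes it (as an HTTP body for HTTP-01 or as a TXT record for DNS-01), and the CA fetches it and compares before it will issue. The account key and token below are constructed sample values (the modulus is filler, not a real RSA key), and the CA URL in the kid member is a placeholder.

```python
import base64
import hashlib
import hmac
import json

def b64url(data):
    """Base64url without padding, the encoding JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample ACME account key (public members only). The modulus 'n' is
# just 256 bytes of filler, not a real RSA key; 'kid' is a placeholder account URL.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(255, -1, -1))),
    "kid": "https://ca.example/acme/acct/1",
}
# Constructed sample token; a real CA generates a fresh random one for every challenge.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: only the required public members of each key type go into the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk):
    """SHA-256 over the required members, serialised with keys sorted and no whitespace."""
    subset = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(subset, separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token '.' base64url(thumbprint of the account key)."""
    return token + "." + b64url(jwk_thumbprint(account_jwk))

def http01_response(token, account_jwk):
    """Client side of HTTP-01: the path the CA will fetch on port 80, and the exact body."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)

def dns01_txt_value(token, account_jwk):
    """Client side of DNS-01: the TXT value to publish at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def ca_validate_http01(token, account_jwk, fetched_body):
    """CA side: recompute the key authorization from the token it issued and the account
    key that signed the challenge response, then compare (trailing whitespace is ignored)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(expected, fetched_body.rstrip().encode("utf-8"))

def ca_validate_dns01(token, account_jwk, txt_records):
    """CA side: at least one TXT record at _acme-challenge.<domain> must match."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(expected, r.encode("utf-8")) for r in txt_records)

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve at", path)
    print("body:", body)
    print("TXT:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The thumbprint covers only the required public members of the key, so adding a kid or alg member doesn’t change it, and the token on its own proves nothing: the published value is bound to the account that signs the challenge response, so a value left over from some other account’s run will not validate. Note that the CA checks only that whoever controls the domain’s web server or DNS put the value there, which is the “domain validation” limitation the next paragraph discusses.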

Let’s Encrypt’s approach isn’t perfect. For one thing, it only offers domain validation that checks a person is in control of a domain, rather than extended validation certificates that go the extra mile to validate the legal name of the owner. This has led to some problems, such as Let’s Encrypt’s automatic validation of PayPal phishing sites.

This isn’t a mistake – it’s simply that the organization’s goal is to encrypt as many websites as possible rather than investigate their content, which it prefers to leave to others like Google. Eagle-eyed readers of today’s other stories will spot that the certificate issued on the Stripe phishing scam domain was also from Let’s Encrypt.

Thanks to this flood of free certificates, the web is a lot more encrypted than it was a few years ago. In June 2017, 58% of webpage loads were delivered over HTTPS, the project stated, adding that the number has grown to 81% today. That’s due in large part to free and automated certificate provisioning, but also to a firmer hand by web browser developers. Mozilla now shames any web pages that don’t use HTTPS, while Google removes the ‘secure’ label for HTTP-only sites and gives them a lower search ranking than HTTPS ones.


