There were three events last week that I thought didn’t get enough news coverage:
1. Good news: Proposed restrictions on warrantless electronic device border searches
Bills were proposed in the Senate and House to require a probable cause warrant before searching the digital devices of US citizens and legal permanent residents at the border. This is great. Customs and Border Protection have been asserting that they’re allowed to search travelers’ digital devices because they fall under the “border search exception” to the Fourth Amendment. However, digital devices contain vast amounts of personal information. It’s unreasonable to expect a person to reveal everything about themselves just to get back into their own country. Thank you Senators Wyden and Paul and Representatives Polis, Smith, and Farenthold! More info.
2. Bad news: Hacking into a smart TV by sending it radio signals
Apparently some guy got full access to a smart TV by sending it specially crafted radio signals. Some new smart TVs have built in video cameras. This means a hacker could turn on your TV’s video camera and watch you. This should terrify you. More info
3. More bad news: Remote execution bug in embedded Wi-Fi code in a tremendous number of mobile devices
It’s not clear how severe this is. In the worst case an attacker could execute code on your phone just by being near it. Or maybe it’s only possible if the attacker is connected to the same Wi-Fi network as your phone. In any case, you should apply software updates ASAP, and as always, avoid connecting to random Wi-Fi networks. Only use Wi-Fi at your house and your office. According to Google’s blog post, potentially affected phones are, at a minimum: all iPhones since the iPhone 4, Google Nexus 5, 6, and 6P, and “most Samsung flagship devices.” That’s a shit ton of phones and that’s not even a complete list.
More info: Google’s blog post, Ars Technica main article, Ars Technica iOS article, April 2017 Android Security Bulletin link 1 and link 2, and Samsung security update announcement.
A few takeaways:
- Always update your software/firmware/OS as soon as possible.
- Don’t connect to untrusted or non-password protected Wi-Fi networks. You’re putting yourself at risk.
- Google Project Zero should try harder for coordinated and responsible disclosure. I’m using a Nexus 5X, one of Google’s own phones, and I don’t even have the fix yet. The latest security patch level available to me is March 5, 2017. Imagine how screwed all the normal people are whose mobile providers really suck at providing software updates. Also, maybe don’t provide attack code immediately? I understand the rationale for wide disclosure once one vendor makes the issue public (Apple released their security update on April 3rd), but you don’t need to give the attack tools to the entire world. Edit: I want to add that I’m extremely grateful to Google and the Project Zero researchers. They’re doing fantastic work and we’re absolutely better off because of them (unrelated to this issue, but by all accounts Tavis Ormandy is absolutely crushing it). I just wish this specific issue was a little more coordinated.
- This feels like it’s only the beginning. Vulnerability testing of this type of code is difficult (read Google’s disclosure blog post if you don’t believe me). I suspect embedded code like this hasn’t gotten a lot of eyeballs and we’ll see an increase in these types of discoveries in the future.