Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization.

@@ -15,6 +15,12 @@ const linuxGetWindowList = path.join(\_\_dirname, 'linux', 'getWindowList.sh') const macGetWindowList \= path.join(\_\_dirname, 'mac', 'getWindowList.applescript') const winGetWindowList \= path.join(\_\_dirname, 'windows', 'listOpenWindows.bat')  
const sanitiseUserInput \= (input) \=> { let newInput \= (' ' + input).slice(1) newInput \= newInput.replaceAll("'", ""); return newInput }  
/\*\* \* Focuses the first window of the process with the PID given \* @param {integer} id PID to use to find the application window @@ -63,7 +69,7 @@ const sendKeys = (id, keys, {resetFocus = false, pressEnterOnceDone = true} = {} keys \= keys.replace('"', '\\\\"')  
if ( process.platform \=== 'darwin' ) { exec(\`osascript "${macFocusAndSendKeys}" ${id} "${keys}" ${resetFocus} ${pressEnterOnceDone}\`, (error, stdout, stderr) \=> { exec(\`osascript "${macFocusAndSendKeys}" '${sanitiseUserInput(id)}' '${sanitiseUserInput(keys)}' ${resetFocus} ${pressEnterOnceDone}\`, (error, stdout, stderr) \=> { if (error) reject(error) if (stderr) reject(stderr) resolve(stdout) @@ -76,7 +82,7 @@ const sendKeys = (id, keys, {resetFocus = false, pressEnterOnceDone = true} = {} keys \= keys + '~' }  
exec(\`${winSendKeysToWindowName} "${windowTitle}" "${keys}"\`, (error, stdout, stderr) \=> { exec(\`${winSendKeysToWindowName} '${sanitiseUserInput(windowTitle)}' '${sanitiseUserInput(keys)}'\`, (error, stdout, stderr) \=> { if (error) reject(error) if (stderr) reject(stderr) resolve(stdout) @@ -86,7 +92,7 @@ const sendKeys = (id, keys, {resetFocus = false, pressEnterOnceDone = true} = {} // TODO: add option to reset focus on linux // TODO: add option to not press enter once keys have been sent const windowID \= id // although the function calls it pid, iin this case it's a windowID exec(\`${sendTextToWindowWithId} ${windowID} "${keys}"\`, (error, stdout, stderr) \=> { exec(\`${sendTextToWindowWithId} '${sanitiseUserInput(windowID)}' '${sanitiseUserInput(keys)}'\`, (error, stdout, stderr) \=> { if (error) reject(error) if (stderr) reject(stderr) resolve(stdout) @@ -199,4 +205,4 @@ module.exports = { focusWindow: focusWindow, sendKeys: sendKeys, getWindowList: getWindowList, } }

CVE-2022-25926: fix: add sanitisation to user input · bruno-robert/window-control@075c854

**DUBLIN****,** **Jan. 4, 2023** **/PRNewswire/ --** The "Global Mobile Biometrics Market Size, Share & Industry Trends Analysis Report By Industry, By Technology, By Authentication Mode (Single Factor and Multi Factor), By Component (Hardware, Software and Service), By Regional Outlook and Forecast, 2022 - 2028" report has been added to  ResearchAndMarkets.com's offering.

The Global Mobile Biometrics Market size is expected to reach $91.9 billion by 2028, rising at a market growth of 21.8% CAGR during the forecast period.  
Mobile biometric authentication uses biometrics to recognize and confirm a person's identity when they attempt to access any mobile application. Authentication can be carried out using these mobile biometric devices in a number of different ways, including face recognition, fingerprint readers, voice recognition, and others. Mobile biometrics solutions straddle the line between identity and connectivity.  
They make use of smartphones, tablets, other forms of handheld devices, wearable technologies, and Internet of Things devices for their flexible deployment capabilities. Controlling access to information, locations, and systems have become more and more necessary over time. Many businesses currently use cards, PINs, or passwords to verify users' identities before granting access. However, there are significant problems with this conventional method.  
In recent years, biometric technology has gained popularity on mobile devices. The technology improved in terms of user-friendliness and consumer affordability. This biometric solution is a method used to authenticate a person who is in possession of a mobile device and uses it as a distinctive biometric identifier. Single-factor authentication (SFA) and multi-factor authentication (MFA) are the two different authentication mechanisms used by mobile biometric systems.  
These systems operate using a variety of techniques, including Deep Neural Networks and Keystroke Dynamics. Together, these procedures form a mobile biometrics system that provides coordinated security for mobile devices. The demand for this effective security solution typically increases significantly. In order to determine similarity, biometric authentication compares data for a person's features to that person's biometric "template".  
**COVID-19 Impact Analysis**  
The pandemic had a positive impact on the mobile biometrics market. This was due to a significant shift toward the rise of digital stores and e-commerce platforms, which has led to an increase in the use of online payments. The potential for an increase in cyberattacks in the form of fraud and identity theft also guided the market. Secure authentication services for different banking and financial applications, like client KYC and money transfer, are required in such a situation, and the usage of top-notch security tools is crucial.  
**Market Growth Factors**

**Increase In Platforms Using Biometric Authentication**  
The demand for biometric solutions has increased over the past few years as digital media and internet content delivery have grown. Traditional methods of authentication, like signatures and text-based credentials, have been shown to be more difficult for users to use because they are so vulnerable to contemporary cyberattacks. Furthermore, customers really need to develop faster methods of authentication due to the growing quantity of digital services.  
**Assurance Of Higher Security With Biometrics Usage**  
One of the key factors propelling the growth of mobile biometrics is the increasing demand for intelligence security devices in mobile devices to secure the data saved in the devices, such as bank account information, photos, recordings, contacts, and other personalized data. By confirming a physical, real-world characteristic that is (typically) specific to that person, such as fingerprints, facial features, voice articulation, and others, biometric solutions can give providers a higher level of assurance that the person is real.  
**Market Restraining Factors**

**Wrong And Inaccurate Results Through Biometrics**  
False positives and inaccuracy are two of the most significant challenges. Biometric authentication procedures rely on insufficient data to confirm a user's identity. For instance, during the enrollment step, a mobile biometric device will scan a whole fingerprint and turn it into data. Future fingerprint biometric authentication, however, will only require a portion of the print to confirm identity, making the process speedier overall.

**Scope of the Study**

**Market Segments Covered in the Report:**

**By Industry**

*   Public Sector
*   BFSI
*   Healthcare
*   IT & Telecommunication
*   Others

**By Technology**

*   Fingerprint Recognition
*   Face Recognition
*   Voice Recognition
*   Others

**By Authentication Mode**

*   Single Factor
*   Multi Factor

**By Component**

*   Hardware
*   Software
*   Service

**By Geography**

*   North America
*   US
*   Canada
*   Mexico
*   Rest of North America
*   Europe
*   Germany
*   UK
*   France
*   Russia
*   Spain
*   Italy
*   Rest of Europe
*   Asia Pacific
*   China
*   Japan
*   India
*   South Korea
*   Singapore
*   Malaysia
*   Rest of Asia Pacific
*   LAMEA
*   Brazil
*   Argentina
*   UAE
*   Saudi Arabia
*   South Africa
*   Nigeria
*   Rest of LAMEA

**Key Market Players**

**List of Companies Profiled in the Report:**

*   3M Company
*   Apple Inc.
*   NEC Corporation
*   BIO-key International, Inc.
*   Fujitsu Limited
*   HID Global Corporation
*   Precise Biometrics AB
*   M2SYS Technology, Inc.
*   Aware, Inc.

For more information about this report visit https://www.researchandmarkets.com/r/vwb2z6

Insights On the Mobile Biometrics Global Market To 2028 - Increase In Platforms Using Biometric Authentication Drives Growth

By Waqas
Apparently, the server belongs to a company based in the US with offices around the globe including India.
This is a post from HackRead.com Read the original post: Top ERP Firm Exposing Half a Million Indian Job Seekers Data

At the time of writing, a misconfigured server belonging to an Enterprise Resource Planning (ERP) Software provider based in California, United States was still exposing data to public without any security authentication or password.

An **Elasticsearch server** belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs.

However, the data is not limited to jobseeker as the server is also exposing the company’s employees’ data. Another important aspect of this data exposure is the fact that it also contains the company’s client records from different companies, including Apple and Samsung.

This was confirmed to Hackread.com by **Anurag Sen**, a prominent independent security researcher. What is worse, the server is still exposed and publicly accessible without any security authentication or password. Originally, the server was being exposed since late December 2022.

It all started when Anurag scanned for **misconfigured databases on Shodan** and noted a server exposing more than 6GB worth of data to public access. Anurag said that the server belongs to a company originally based in the United States with offices around the globe  
including India. Whilst the database contains details of job seekers in **India**.

Hackread.com would not share the name of the company in this article because the server is still exposed.

**Exposed Data**

Anurag’s analysis of the server revealed that the exposed records contain personal data of over 575,000 individuals, while the size of the data is over 6.3GB and increasing with new data with each day passing. This data includes the following:

*   Full Name
*   Date of birth
*   Email address
*   Phone number
*   Resume details
*   Employer details

The screenshot below shows the candidate details and client data that are currently being exposed:

Image credit: Anurag Sen – Hackread.com

The screenshot below was taken from the live server that shows the company’s client details. Some of these are top companies Apple, Samsung, Sandisk, Unilog, Moody, Intuit, NEC Corporation, Falabella and many more.

The company’s client list also indicates that its a high-profile business with a presence all over the globe.

Screenshot credit: Anurag Sen – Hackread.com

**Indian CERT Alerted**

Since the server is still live at the time of writing; Anurag alerted the Indian Computer Emergency Response Team over the weekend. However, there has been no response from the authorities yet.

**India and server misconfiguration**

India is home to almost 1.4 billion people. This makes the country a lucrative target for businesses as well as cybercriminals. The more the investment, the more widespread and vulnerable the IT infrastructure becomes.

Last year, several top data exposure-related incidents involving tens of millions of victims were reported from India. These included **Indian Federal Police and banking records**, **Covid antigen test results**, **MyEasyDocs**, online packaging marketplace **Bizongo**, etc.

**Impact**

It is yet unclear whether a third party accessed the database **with malicious intent**, such as ransomware gangs or threat actors. However, if it did, it would be devastating for the victim and the healthcare firm responsible for the server.

Furthermore, considering the extent and nature of the exposed data, the incident can have far-reaching implications, such as bad actors downloading the data, carrying out phishing scams, or identity theft-related fraud.

Hackers can hold the company’s server or **data for ransom** and leak it on cybercrime forums if their demands are not met. Nevertheless, the victims in this situation are the job hunters who trusted authorities with their personal information.

**Misconfigured Databases – Threat to Privacy**

Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. **In 2020**, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. 

**In 2021**, the number increased to 399,200 exposed databases. The top 10 countries with top database leaks due to misconfiguration in 2021 included the following:

*   USA – 93,685 databases
*   China – 54,764 databases
*   Germany – 11,177 databases
*   France – 9,723 databases
*   India – 6,545 databases
*   Singapore – 5,882 databases
*   Hong Kong – 5,563 databases
*   Russia – 5,493 databases
*   Japan – 4,427 databases
*   Italy – 4,242 databases

1.  **Hackers claim to be selling 13TB of Domino’s India data**
2.  **Hackers leak data of 29 million Indian job seekers for download**
3.  **India’s COVID-19 surveillance tool exposed millions of user data**
4.  **Hackers leak millions of Airtel India user data with Aadhaar numbers**
5.  **9,517 unsecured databases identified with 10 billion records globally**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Top ERP Firm Exposing Half a Million Indian Job Seekers Data

Categories: Android
Categories: Apple
Categories: News
Tags: devices

Tags:  recycle

Tags:  back up

Tags:  reset

Tags:  android

Tags:  mac

Tags:  apple

Tags:  iphone

Tags:  ipad

Tags:  windows

Tags:  chromebook

Before we hand down, sell on, or recycle our old device we will want to make sure all personal data are backed up and deleted from the device. Here's how...



(Read more...)




The post New device? Here's how to safely dispose of your old one appeared first on Malwarebytes Labs.

Until recently I had two old phones, one tablet and about 20 hard drives in storage that I was afraid to give up for recycling, or to pass on to someone that could use them. I wanted to dispose of them, but knowing how easy it is to retrieve data—such as personally identifiable information—even from apparently "clean" devices, I was cautious. Having researched the subject for this article I now feel a lot safer about disposing of them, and I hope you will feel a lot safer about disposing of your devices too.

Back in November I found out that it wasn’t just me. A survey in the Netherlands showed that 55% of the population keep their old phones in a drawer instead of selling them on or recycling them.

There are two reasons for people to hold on to old devices:

*   Keeping unique data on the device like pictures, etc.
*   Fear of spilling information that is left behind on the device.

So, what we need to cover for peace of mind when we do get rid of our old devices are **backups**, so you don't lose your data when you get rid of your device, and **scrubbing**, so that usable data isn't left on the device.

**Backups******Windows****

**For Windows users there are many software packages and built-in tools available to back up your old PC. The simplest method is to manually back up your files and settings to removable media or a network location. You can specify the files and settings that you want to back up and how often you want to perform a backup. Which tools and software are available to you very much depends on the Windows version you are using.**

To backup and wipe the old hard drives that came from my Windows computers, I bought a hard drive docking station that came with the software to do all that, so that was easy. If the number of hard drives is limited you could opt to keep the drives and use such a docking station to retrieve files when the need arises. But I had so many old, and small, hard drives, it was worth copying the data section to a large external drive. You can also choose to copy your data to a cloud account. Even if some of your drives are very old, you wouldn't want to end up being that person that threw away 150 million in Bitcoin.

****Mac****

There are 2 ways to make a backup of the most important files on your Mac device. Make a backup with Time Machine or make a backup with iCloud.

Time Machine is an Apple program with which you can easily copy the data on your Mac to an external storage device. When you make a backup, always choose a drive with a larger storage capacity than your Mac.

*   Click on the Apple logo in the upper left corner and click on System Preferences
*   Click on Time Machine
*   Click on Select Disk
*   Select the hard drive you want to use for the backup
*   Confirm the drive you're going to use. It's possible the drive has to be emptied, formatted, or configurated first
*   Check Back Up Automatically to keep making backups

With iCloud, you can store files in the cloud on the Apple server. You have access to iCloud with your Apple ID. As opposed to Time Machine, which makes a complete backup, you can only use iCloud to store the parts that fall within iCloud. That are your Contacts, Calendar, Keychain, Photos, and iCloud Drive, for example.

*   Click on the Apple logo in the bottom left and click on System Preferences
*   Click on Apple ID
*   Click on iCloud on the left, and click on what you want to store in iCloud on the right
*   Also select iCloud Drive and click on Options. You can select all programs, files, and data you want to store in your iCloud here
*   iCloud Drive is now available in Finder. You can manually drag the files you want to keep there.

****Android****

You can back up content, data and settings from your phone to your Google Account and you can restore your backed up information to the original phone or to some other Android phone. To create a backup:

*   Open your phone's Settings app.
*   Tap Google and then Backup.
*   Tap Back up now.

Because there are lots of variations of Android, the procedure for your device might be slightly different. If these steps don't match your phone's settings, try searching your Settings app for "Backup" or get help from your device manufacturer.

****iPhone/iPad****

There are basically three methods you can use to create backups of the information on your iPhone or iPad, depending on your preferences and what you have available.

*   Copy your data to iCloud
*   Copy your data to a Mac
*   Use iTunes to copy your data to your PC

****Chromebook****

To create a backup of your Chromebook:

*   On your Chromebook, at the bottom right, select the time.
*   Select Settings, and then Advanced, then Developers.
*   Select Linux and then Back up and restore.
*   To manually back up your Linux apps and files, select Back up.
*   At the left, under "My files," choose where to save your files.
*   Write your file name and select Save.
*   At the bottom right, a backup progress notification will appear.

**Scrubbing**

One thing to remember for all kinds of devices is to disable any Find My Device options, and remove them from any lists of services that associates the device with your account.

Then, uninstall any banking apps manually before wiping the device, because you may be prompted to perform some important steps during the removal process. This depends on your bank and the type of app.

****Windows:****

If the drive is still in a working Windows machine, your safest bet is to install and use wiper software, because deleting files only removes the pointer to a file, so it could be possible to use recovery software to make them accessible again. The same is true for formatting, since that does not actually wipe data either. If you are not afraid someone will scrutinize your hard drive with recovery software, Windows 8.1 and later do have a built-in utility you can use:

1.  Select **Settings**
2.  Select **Update & Security**, then **Recovery** > **Reset this PC** > **Get Started**.
3.  Choose **Remove everything**, then **Remove files and clean the drive**
4.  Then click **Next > Reset > Continue**

****Mac:****

Apple has a support page that tells you what to do before you sell, give away, or trade in your Mac. But if the machine has File Vault turned on, you can save a few steps. Since all the data is encrypted anyway, a simple erase will work. What we typically do is just:

*   Reboot in recovery mode
*   Open Disk Utility
*   Erase the hard drive
*   Quit Disk Utility
*   Reinstall macOS

On the most recent Macs, there's even an Erase All Content and Settings option that should make it all easier.

But if that option is not there and you do not have File Vault enabled that could turn out to be a problem. If the machine is equipped with a spinning hard drive rather than an SSD, then using Disk Utility's secure erase option will work. There are several levels of secure erase, with the most secure overwriting all data with random 1s and 0s multiple times.

Unfortunately, if it came with an SSD, the wear leveling technology will prevent secure erase from working properly. Since wear leveling will try to spread writes out evenly, there's no way to guarantee that you've overwritten specific bytes in the SSD. You'd be able to overwrite some bytes, at random, but not all, so any unencrypted data could remain intact and recoverable.

****Android:****

To remove all data from your Android device, you can reset your device to factory settings. Factory resets are also called formatting or hard resets.  On most phones, you can reset your phone through the settings app. If you can't find the option in your phone's settings app, you can try factory resetting your phone using its power and volume buttons. We recommend checking your manufacturer's support site for device-specific instructions.

****iPhone/iPad:****

Apple has a support page that tells you what to do before you sell, give away, or trade in your iPhone or iPad. Make sure to unpair any other devices like your AppleWatch and sign out of iTunes, iCoud, and the App Store. Then go to Settings and tap General > Transfer or Reset \[device\] > Erase All Content and Settings and follow the instructions from there.

****Chromebook:****

A factory reset for a Chromebook is called a Powerwash. A powerwash will erase everything on your device, apps and files included.

*   Click the time in the bottom-right corner of your screen to open the quick settings menu.
*   Click the gear icon near the top-right corner of this menu to open your device's full settings menu.
*   In the left sidebar, click Advanced to reveal more options, and then click Reset settings.
*   You'll see a Powerwash option. Click Reset, and then Restart in the pop-up that appears.
*   Your Chromebook will restart automatically. Once it turns back on, your lock screen will be replaced by a screen labeled Reset this Chromebook.
*   Click Powerwash in the bottom-right corner, and then click Continue.

Once it's done, you'll be prompted to set it up again, just like you did when you first got it.

**Recycle**

Once you have created a backup and removed all the data from your device, it is now safe to hand it down, sell it on, or have it recycled.

There are plenty of nonprofit organizations and local communities that offer options to help you recycle old electronics.

If you don’t feel like giving them away for free, Amazon offers gift cards for just about any kind of electronics device. Apple's GiveBack program offers gift cards or in-store credit for qualifying products. And many other companies will give you store credit for your old devices, no matter where you bought them.

New device? Here's how to safely dispose of your old one

Categories: Podcast
This week on Lock and Code, we talk about we technology no longer excites the public, and whether that's because of worse products, or worse promises. 



(Read more...)




The post Why does technology no longer excite us? Lock and Code S04E01 appeared first on Malwarebytes Labs.

When did technology last excite you? 

If Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with "a set of rules that describe our reactions to technologies." They were simple and short: 

1.  Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
2.  Anything that's invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
3.  Anything invented after you're thirty-five is against the natural order of things.

Today, on the Lock and Code podcast with host David Ruiz, we explore why technology seemingly no longer excites us. It could be because every annual product release is now just an iterative improvement from the exact same product release the year prior. It could be because just a handful of companies now control innovation. It could even be because technology is now fatally entangled with the business of _money-making_, and so, with every one money-making idea, dozens of other companies flock to the same idea, giving us the same product, but with a different veneer—Snapchat recreated endlessly across the social media landscape, cable television subscriptions "disrupted" by so many streaming services that we recreate the same problem we had before. 

Or, it could be because, as was first brought up by Shannon Vallor, director of the Centre for Technomoral Futures in the Edinburgh Futures Institute, that the _promise_ of technology is not what it once was, or at least, not what we once _thought_ it was. As Vallor wrote on Twitter in August of this year: 

> "There’s no longer anything being promised to us by tech companies that we actually need or asked for. Just more monitoring, more nudging, more draining of our data, our time, our joy."

For our first episode of Lock and Code in 2023—and our first episode of our _fourth season_ (how time flies)—we bring back Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to ask: Why does technology no longer excite them? 

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Why does technology no longer excite us? Lock and Code S04E01

By Deeba Ahmed
The issue was caused by the software architecture used in Google Home devices.
This is a post from HackRead.com Read the original post: Google Home Vulnerability: Eavesdropping on Conversations

Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.

Google Assistant is currently more popular among smart homeowners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in **Google Home Smart speakers** could allow attackers to control the smart device and eavesdrop on user conversations indoors.

**Findings Details**

The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researchers revealed that if exploited, the vulnerability could allow the installation of backdoors and convert Google Home Smart speakers into wiretapping devices. Moreover, Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and developing a Proof-of-Concept for the company.

**Possible Dangers**

The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests **exposes the Wi-Fi password** of the device and provides the attacker direct access to all devices connected to the network.

**What Caused the Issue?**

Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.

A threat actor would trick the individual into installing a malicious Android application to make the attack work. It will detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.

In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud\_device\_id. They could use the information and connect their account to the victim’s device.

According to Matt’s **blog post**, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.

Matt successfully connected an unknown user account to a Google Home speaker. He created a **backdoor account** on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:

It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a **bug bounty** worth $107,500 for detecting this security flaw.

1.  **Google Home Mini Secretly Recorded Conversations**
2.  **Voice assistant devices manipulated with ultrasonic waves**
3.  **Comcast voice remote control could be turned into a spying tool**
4.  **Using laser on Alexa and Google home to unlock your front door**
5.  **DolphinAttack: Voice Assistant Apps Siri and Alexa Can Be Hacked**

Google Home Vulnerability: Eavesdropping on Conversations

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to end of November 2022, according to Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.

"Many were published in the previous two decades," noted Grey Noise's vice president of data science, Bob Rudis, in the report.

Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

"The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.

Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.

In fact, CSW found a bit of a delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in Apple WebKitGTK (CVE-2019-8720) received a CVE from Red Hat in October 2019 was added to the KEV catalog in March because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November (the cutoff date for CSW's report).

An organization relying on the NVD to prioritize patching would miss issues that are under active attack.

Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege execution flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap, as well, where 104 vulnerabilities were being used by both ransomware and APT groups.

For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, including most recently by the Thrip APT group (Lotus Blossom/BitterBug), in November 2022.

The spike in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors had been known to exploit in businesses, governments, and critical infrastructure organizations, Grey Noise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March were assigned a CVE before 2022.

CISA updates the KEV catalog only if the vulnerability is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. The defenders were just as likely to have just a single day between updates, and the longest break defenders had in 2022 between updates was 17 days.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.

In August,  the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers. 

Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.

The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.

“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” 

Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.

You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.

“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”

While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, _key_ accounts.

The Password Isn’t Dead Yet. You Need a Hardware Key

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.
The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.

The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.

In making such malicious requests, not only could the Wi-Fi password get exposed, but also provide the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021.

The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a target's home automation device.

In an attack chain detailed by the researcher, a threat actor looking to eavesdrop on a victim can trick the individual into installing a malicious Android app, which, upon detecting a Google Home device on the network, issues stealthy HTTP requests to link an attacker's account to the victim's device.

Taking things a notch higher, it also emerged that, by staging a Wi-Fi deauthentication attack to force a Google Home device to disconnect from the network, the appliance can be made to enter a "setup mode" and create its own open Wi-Fi network.

The threat actor can subsequently connect to the device's setup network and request details like device name, cloud\_device\_id, and certificate, and use them to link their account to the device.

Regardless of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to spy on the victim through the device's microphone.

"The only thing the victim may notice is that the device's LEDs turn solid blue, but they'd probably just assume it's updating the firmware or something," Matt said. "During a call, the LEDs do not pulse like they normally do when the device is listening, so there is no indication that the microphone is open."

Furthermore, the attack can be extended to make arbitrary HTTP requests within the victim's network and even read files or introduce malicious modifications on the linked device that would get applied after a reboot.

This is not the first time such attack methods have been devised to covertly snoop on potential targets through voice-activated devices.

In November 2019, a group of academics disclosed a technique called Light Commands, which refers to a vulnerability of MEMS microphones that permits attackers to remotely inject inaudible and invisible commands into popular voice assistants like Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple