Information security is a job that can never be completed. Threats multiply, and new vectors of attack become apparent. A couple of new ones were publicized in the last week.
For starters, internet security company Bastille advised that thieves can access a wireless keyboard’s “unencrypted radio communication protocols, enabling an attacker to eavesdrop on all the keystrokes typed by the victim from several hundred feet away using less than $100 of equipment. Wireless keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.”
Bastille published a list of keyboard manufacturers impacted and the statements the companies issued in response. You can tell an awful lot about a vendor by how it reacts to this kind of situation. Only three have responded so far.
Kensington seems to have reacted the best. “Kensington has released a firmware update that includes AES encryption, which has been adopted by the U.S. government and is now widely used across the globe,” it said. But it opened with this muddled statement: “We are happy to report that, to our knowledge, no security incidents have been reported to us since this product originally launched in 2005.” (What is that “to our knowledge” doing in there?) The big problem is that the absence of reported incidents does not mean — even a little bit — that nothing leaked. Because of the nature of this hole, victims would likely be unaware of the leak. And if they did somehow learn of the leak, chances are that they would blame the operating system or a site they visited. Anything other than their mouse.
In a less satisfying response, Anker said that it had “decided to suspend sales of our Ultra Slim 2.4gHz Wireless Compact Keyboard indefinitely” and that for a very limited time (until Aug. 30) it will be offering to swap out the devices for its Bluetooth keyboard — but only if the impacted keyboard is still under warranty.
Three thoughts. One: When you’ve been caught selling an insecure product, is that really the best time to enforce a warranty time limit? Presumably, customers weren’t aware that the Anker product was ludicrously insecure until Bastille reported it. Two: If customers had wanted Bluetooth, they would have purchased that initially. Three: Here’s a wacky thought. How about fixing this product by adding encryption and then offering to send the fixed units to all customers for free, with no limits? That’s how you regain customers’ trust.
Anker also said it had received no customer complaints, but it at least didn’t sound as if its internal communications were a giant mess: “We are happy to inform that we haven’t received any reports or complaints concerning this issue, to date.”
The third response was from Jasco Products, which is licensed to market its keyboards under the General Electric brand. Its statement amounted to a promise to do something just next door to nothing. Jasco, it said, “is aware of the issues reported by Bastille Threat Research Group in reference to the 98614 Keyboard and Mouse Combo and will work directly with its customers of this product to address any issues or concerns.”
No promise to fix this, even in future versions. No word about encryption. Merely a vague promise to deal with any customer complaints as they come up. Jasco is definitely going on my list of vendors to avoid.
Tripwire added to the perils of peripherals when it reported that “74 percent of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities, including 20 different models where the latest firmware from the vendor was exploitable.”
The Tripwire report was scary: “All requests containing a particular string received ‘200 OK’ responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. Denial of Service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable. This is a serious issue as the product relies on HTTP when used as a hot spot. Information Disclosure: The device’s serial number is exposed by the HTTP server. It is unclear whether this has any direct security impact but it may be useful to an attacker as part of a social engineering ploy. I have also observed other products where the serial number is used as a means to prove ownership of a device. I also found that authenticated requests for a certain page would trigger excessive memory consumption causing the HTTP server to reload, as well as possible disruption to other services. This vector is exploitable via GET requests and therefore lends itself to CSRF attacks through malicious image tags in HTML documents or emails.”
To cap things off, I got a jolt about one of my favorite low-effort privacy protections: leaving my phone in airplane mode unless I want to do something such as check email or make a call. I have always figured that by keeping my iPhone off of cellular and Wi-Fi networks, I was keeping the bad guys at bay, while still being able to use it for Apple Pay transactions. That was overly optimistic, I now know.
Consider this, from PubPub: “Turning off radios by entering airplane mode is no defense. For example, on iPhones since iOS 8.2, GPS is active in airplane mode.”
Good old Apple, allowing us to be tracked more effortlessly than ever — while doing very little to let us know about it. Maybe there are some people who want to use Maps while in airplane mode, but I can’t help but see it as a privacy issue. Let’s say that I go to BigBoxStore while my phone is in airplane mode. I have on that phone an app from a competitor, BiggerBoxStore, that can use my current location. Because the phone was in airplane mode, I thought BiggerBoxStore wouldn’t get a heads up that I had been to BigBoxStore. But I was wrong.
The PubPub article went on: “Furthermore, airplane mode is a ‘soft switch’ — the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by [thieves] at a price accessible by private individuals, can activate radios without any indication from the user interface. Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”
In other words, I might just think I’m in airplane mode. It’s depressing.
For most people, the leaky wireless keyboards and routers are the greater concern. Enterprises spend a lot of money on high-security systems and then allow them to connect in various ways, including over VPN, with insecure peripherals. Many times, IT has no way to know this.
It makes little sense to secure data if it can easily leak out the instant it’s unencrypted.
This story, "There’s never a shortage of security holes," was originally published by Computerworld.