
Threatpost - Senator Demands Answers About CloudPets Breach

A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach.

Sen. Bill Nelson (D-FL), ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to children’s toys, sent a letter to Spiral Toys CEO Mark Meyers. Nelson’s letter includes 10 questions he wants Meyers to address by March 23, most of which concern the toy maker’s data collection processes, how that data is secured and whether the system was compliant with the Children’s Online Privacy Protection Act (COPPA), which requires companies to secure personal information collected from children.

“The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children,” Nelson wrote.

Nelson’s report released last year was in response to the 2015 breach of VTech, which exposed the personal information of six million children. Nelson told Meyers that the VTech attack “should have served as a wakeup call for toymakers who were not adequately protecting the consumer information they collect.”

Specifically, Meyers is to provide Congress with a summary of the breach covering not only the data that was accessed, but also when and how consumers were notified, the security measures in place to protect against intrusions, whether the company had a security officer prior to the attack, and its policies for controlling data collection. Nelson also wants to know whether the company discloses to customers that it collects personal information, whether that data is shared with or sold to third parties, what controls and procedures are in place to protect data, and whether the company had been breached before.

News broke of the CloudPets breach on Feb. 27 after researchers Troy Hunt and Victor Gevers independently and privately disclosed in December that millions of private messages sent through the internet-connected toy were exposed online, along with personal information of more than 800,000 registered users.

The company did not respond to numerous attempts to reach a Spiral Toys security representative or Meyers, prompting the public disclosure two weeks ago.

The breach was related to a spate of attacks against MongoDB instances in which attackers were able to find and access the databases and, in many cases, copy and delete the data, leaving behind ransom notes demanding payment in exchange for the return of the stolen data.

The private recordings, many of which were made by children and meant for family members or others authorized to receive them, were not stored in the stolen database. But the database did contain reference file paths to the message files which were stored on an Amazon Web Services S3 storage bucket.

“The database contains the business logic to let the application work. The database contains the metadata that links (like a ledger) to the randomly generated files in the AWS bucket system,” Gevers told Threatpost on March 1. “By knowing the paths to the files, you extract the data like that. So if you can write to the database you could change the ledger and point to other URLs.”

The database, Spiral Toys said in a notification letter it sent to California’s Attorney General, did include emails and encrypted passwords, which Hunt counters were not encrypted but hashed with bcrypt. Combined with the absence of any password strength rule on Spiral Toys’ part, the hashed passwords could easily be cracked, Hunt said.

Nelson, meanwhile, was also critical of Spiral Toys’ lax security.

“Because Spiral Toys created no requirements for password strength, the hackers could have easily cracked many passwords by simply checking the data against common passwords,” Nelson wrote. “This information could then be used to access and download the private voice recordings of children and parents.”
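The point Hunt and Nelson are making is that a slow hash such as bcrypt does not help when the password itself is one of a few thousand common strings. As an added illustration (this is not code from Threatpost, Spiral Toys, Hunt or Nelson), here is a registration path that enforces a minimum strength rule before a password is ever hashed. bcrypt is what the article names; since it is not in Python's standard library, the example uses PBKDF2-HMAC-SHA256 as a labelled stand-in. The common-password list, the policy thresholds and all function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed, deliberately tiny stand-in for a real common-password list;
# a deployment would load a large breach-derived list from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "cloudpets", "letmein", "111111"}
MIN_LENGTH = 12          # policy threshold chosen for this example
PBKDF2_ITERATIONS = 200_000


def _char_classes(password):
    """Count which of lower/upper/digit/other character classes are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if _char_classes(password) < 2:
        problems.append("uses only one character class")
    return problems


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash (PBKDF2 stand-in for bcrypt); the salt is stored with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password):
    """Registration step: reject weak passwords first, hash only those that pass."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    print(check_password_policy("123456"))      # several violations
    record = register("correct horse battery staple 9!")
    print(verify_password("correct horse battery staple 9!", record))  # True
```

The ordering matters: the policy check runs before hashing, so the stored record never contains a digest of a password that a wordlist would recover in seconds regardless of the hash's work factor.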

It’s likely the attack against the CloudPets data was opportunistic, aimed at exposed MongoDB instances in general rather than at CloudPets specifically. Spiral Toys said the database in question belonged to a contracted third party that was performing a migration on behalf of the company. Spiral Toys said this was a temporary scenario, and as a result, it never received a ransom demand. The company also denied knowing about the breach until Feb. 22.

In the meantime, the case highlights the risks to data belonging to children, something that Nelson has been prominent in demanding protection for.


Threatpost - Confide Updates App After Critical Security Issues Are Raised

The makers of the popular messaging app Confide said Wednesday that they have patched multiple security vulnerabilities that could have allowed hackers to intercept messages sent using its secure end-to-end messaging platform.

The flaws were identified in two separate reports, both released Wednesday, by security firms IOActive and Quarkslab. Both allege there are critical security vulnerabilities in versions of Confide’s encrypted messaging app, including version 4.0.4 for Android and 1.4.2 for Windows and OS X.

The security of Confide’s platform has taken center stage ever since reports surfaced last month that senior White House staff, including press secretary Sean Spicer, were using the app. Confide claims to offer “battle tested, military grade encryption.” According to Google Play, the Android app has been installed between 100,000 and 500,000 times.

Researchers with IOActive said Confide suffered from a bevy of security vulnerabilities including:

  • Confide’s notification system did not require a valid SSL server certificate to communicate, therefore opening the door for an attacker to perform a man-in-the-middle attack.
  • The app lacked sufficient notifications when unencrypted messages were sent and received.
  • The application failed to have adequate protections to prevent brute-force attacks on user account passwords.
  • Confide’s website was vulnerable to an arbitrary URL redirection, which could facilitate social engineering attacks against its users.
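The first finding, a notification channel that accepted any server certificate, is a configuration defect rather than a cryptographic one. As an added example (not code from Confide or from either research firm), here is what the weak client-side setting looks like in Python's `ssl` module next to the setting a client should use, plus a small audit function a reviewer could run over any context an app builds. Function names are constructed for this example.

```python
import ssl


def notification_client_context():
    """The setting a notification client should use: CA-validated certificate,
    hostname checked, TLS 1.2 or newer. create_default_context() already sets
    CERT_REQUIRED and check_hostname=True for Purpose.SERVER_AUTH."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The weak configuration: validation switched off, so any certificate is
    accepted. Kept only as the 'before' picture for audit_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise for a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required to be valid")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are still accepted")
    return findings


if __name__ == "__main__":
    print(audit_context(notification_client_context()))   # []
    print(audit_context(unverified_client_context()))     # findings for the weak context
```

With validation disabled, the client will complete a handshake with whoever answers on the network path, which is exactly the man-in-the-middle exposure the IOActive finding describes.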

IOActive also raised issues with Confide’s handling of public keys.

“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” wrote IOActive researchers Mike Davis, Ryan O’Horo and Nick Achatz, who co-authored the report.

Quarkslab also took issue with some of the security vulnerabilities highlighted by IOActive, and singled out the way Confide handled public and private encryption keys.

“The most obvious problem… is linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” wrote Jean-Baptiste Bédrune, security researcher with Quarkslab.

“The Confide server could generate its own key pair and transmit the public part to a client when the latter requests the public key of a recipient (we only note that Confide is able to do so, not that it does so). This client then unknowingly encrypts a message that can be decrypted by the server. Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient,” Bédrune wrote.

Similar public key concerns were raised earlier this year when researchers commented on how WhatsApp and earlier versions of iMessage handled key change notifications. In February, Jonathan Zdziarski, an independent security researcher and forensics expert, wrote about Confide’s key exchange approach.

“What seems different about (Confide) encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible (although not confirmed) that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage,” Zdziarski wrote.
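Both the IOActive finding (no participant fingerprint mechanism), Bédrune's description of a server that could hand out its own public key, and Zdziarski's contrast with Signal and WhatsApp, which alert on a key change, come down to the same client-side check: pin the fingerprint of each contact's key and refuse to silently encrypt to a different one. As an added example (not code from Confide, IOActive, Quarkslab or Zdziarski), here is a trust-on-first-use pin store with an out-of-band fingerprint comparison. The keys are constructed byte strings standing in for real public keys, and all names are invented for this example.

```python
import hashlib
import hmac


def fingerprint(public_key):
    """Render a key as a short, comparable fingerprint (SHA-256 over the raw key bytes,
    grouped in blocks of four so two people can read it aloud and compare)."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return ":".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def fingerprints_match(local_fp, spoken_fp):
    """Compare a locally computed fingerprint with one read out by the other party;
    separators, spacing and case are ignored, comparison is constant-time."""
    def norm(s):
        return "".join(ch for ch in s.upper() if ch.isalnum())
    return hmac.compare_digest(norm(local_fp), norm(spoken_fp))


class KeyPinStore:
    """Trust-on-first-use pinning of recipient public keys.

    The first key the directory server hands out for a recipient is pinned; a later
    key that differs is reported as 'changed' instead of silently used, which is the
    behaviour the article attributes to Signal and WhatsApp and says Confide lacked."""

    def __init__(self):
        self._pins = {}   # recipient -> pinned fingerprint

    def check(self, recipient, server_supplied_key):
        fp = fingerprint(server_supplied_key)
        pinned = self._pins.get(recipient)
        if pinned is None:
            self._pins[recipient] = fp
            return "new"
        return "ok" if hmac.compare_digest(pinned, fp) else "changed"

    def accept_change(self, recipient, new_key):
        """Re-pin only after the user has confirmed the new fingerprint out of band."""
        self._pins[recipient] = fingerprint(new_key)


def may_encrypt_to(store, recipient, server_supplied_key):
    """Gate the send path on the pin check: encrypt only to a new or matching key."""
    return store.check(recipient, server_supplied_key) in ("new", "ok")


def demo():
    """Constructed scenario: Alice fetches Bob's key twice and the second answer differs."""
    bob_key = bytes(range(32))              # constructed stand-in for Bob's real public key
    other_key = bytes(range(1, 33))         # constructed stand-in for a different key from the server
    store = KeyPinStore()
    first = may_encrypt_to(store, "bob", bob_key)       # True: pinned on first use
    second = may_encrypt_to(store, "bob", other_key)    # False: fingerprint differs from the pin
    return first, second, store.check("bob", other_key)


if __name__ == "__main__":
    print(demo())   # (True, False, 'changed')
```

The store only detects a change after the first contact; the first key is trusted blindly, which is why the out-of-band fingerprint comparison exists. Real clients compute the fingerprint over a canonical encoding of the key rather than whatever bytes the server returned.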

Bédrune said the confidentiality of the exchanged messages depends on the robustness of TLS.

“Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” he said.

Quarkslab also claims that security features in the Android, iOS and desktop app, such as message deletion and screenshot prevention, can be easily circumvented.

For its part, Confide co-founder Jon Brod told Threatpost via email Wednesday the company was able to fix the issues quickly.

“We were able to detect anomalous behavior and remediate many of the issues during IOActive’s testing in real time starting on February 24. We were able to quickly address the remaining issues after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. We do acknowledge the findings, but believe that the firm is overstating the severity level of some of them.”

IOActive claims the company privately disclosed its research to Confide in February and that Confide fixed the issues and updated the app on March 3, 2017.

Brod did not address the security concerns raised by Quarkslab.

“All the issues have been reported to Confide, and they are working on fixing them. In the meantime, do not consider your conversations to be so well concealed,” Bédrune wrote.
