ICYMI: iOS spyware, car vulnerabilities and Outlook privacy

This week's ICYMI column reviews the top stories on SC last week, from an espionage group targeting Apple iOS devices to Internet of Things flaws and privacy concerns around Outlook.

ICYMI: iOS spyware, car vulnerabilities and Outlook privacy
ICYMI: iOS spyware, car vulnerabilities and Outlook privacy

Prolific espionage group returns with iOS spyware

A prolific cyber-espionage group has been actively targeting politicians, journalists, military and other entities by using spyware against Apple iOS devices.

Following up on its first profile on the group back in October, anti-virus and cloud security firm Trend Micro found that those behind the ‘Operation Pawn Storm' espionage group have been using spyware against iOS devices to track economic, political, military, government and media entities, in order to steal personal data and monitor telephone conversations.

The spyware, which is related to the SEDNIT malware family previously found on Windows systems, is delivered via the malicious iOS apps Xagent and Madcap and crucially represents a change in tactics for the attackers. Rather than attempt to install the malware directly onto the target's device, they look to target their acquaintances.

BMW ConnectedDrive flaw exposes 2 million cars to remote unlocking

A German motoring organisation has highlighted a weakness in BMW's ConnectedDrive technology, a flaw that could lead to unauthorised users being able to open the vehicles.

ADAC, the German equivalent of the AA, hired a security expert to see how safe its cars were: the results were not good news for the auto-manufacturer. The anonymous expert found that the company was using DES encryption within its in-car system despite the well-known flaws that have been found in the technology. The experiment, revealed in German security publication, C't, showed how a determined hacker could intercept signals between car and BMW back-end and allow the door to be opened without a key.

That wasn't all: the security guru also discovered that BMW was using the symmetric keys in all its vehicles, that, in some models, there was no encryption in transition, that the internal Combox reveals the Vehicle Identification Number (VIN) through its use of NGTP technology and that the Combox has no protection against repeat attacks.

The security expert points out that there are fixes to most of these issues. For example: Facilities to implement encryption in transit are available, but are only used by some ConnectedDrive services. Additionally, the manufacturer individualises the control systems in question by programming in the VIN, so it should be possible to also program unique keys for every vehicle.

EU Parliament blocks Microsoft Outlook apps over privacy fears

The European Parliament has reportedly become the latest organisation to block members from using Microsoft's new Outlook apps because of "serious security issues".

According to a leaked email, the Parliament's IT department – DG ITEC – has moved to block the use of the new Outlook apps on iOS and Android, despite both apps having been updated recently.

“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” it said. The IT department went on to warn that these apps would send password information on to Microsoft without permission, and will store emails in a third-party cloud service, over which the Parliament would have no control

The University of Wisconsin and Delft University in the Netherlands have also blocked access to the apps, and all three appear to be doing so for the same reasons; because data, including password information, is stored in the cloud and also because this information can also be sent back to Microsoft without user permission.

Not so smart: Samsung's web-connected TVs capture conversations

Samsung's latest line of internet-connected 'smart' TVs capture conversations through its Voice Recognition software, before sending this information onto third-parties.

This information came to light over the weekend after the South Korean consumer electronics conglomerate quietly detailed how its Smart TVs collect data in a new television privacy policy.

“Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features,” reads a brief extract from the policy.

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." The firm did not go into additional details on who these third-parties are, or how this data will be used.

Samsung has encouraged concerned users to deactivate the voice recognition feature, or disconnect the TV from the Wi-Fi network.

US government to create cyber-intelligence agency

The Obama administration has announced a new intelligence agency charged with sharing intel on cyber-attacks, in the wake of high-profile data breaches at Sony and Target.

The Cyber Threat Intelligence Integration Center will have around 50 staff and a budget of US$ 35 million (£22.9 million) to act as a central point for monitoring and responding to cyber-security threats.

The group, announced formally by White House counter terrorism coordinator Lisa Monaco in Washington DC on Tuesday, will be an “intelligence centre that will ‘connect the dots' between various cyber-threats to the nation so that relevant departments and agencies are aware of these threats in as close to real time as possible.”

SC Webcasts UK

Sign up to our newsletters

FOLLOW US