Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security. The clock is ticking for TikTok. The popular short-form video sharing app, which is already banned in India, is facing a similar roadblock in the US, where the Trump administration has escalated its threats to ban the platform along with WeChat. Even as ByteDance and Microsoft are hammering out a possible deal, the big question is: should you delete TikTok off your phone? Privacy and security worries about the app have run rampant in recent weeks, with the US government warning that it puts “your private information in the hands of the Chinese Communist Party.” To answer the question, the best way is to unpack the app itself and follow the data trail. That’s exactly what security researcher Baptiste Robert (@fs0c131y) did. And what he found is proof that the app isn’t doing anything different from what other apps like Facebook are already doing. “As far as we can see, in its current state, TikTok doesn’t have a suspicious behavior and is not exfiltrating unusual data,” Robert said. “Getting data about the user device is quite common in the mobile world and we would obtain similar results with Facebook, Snapchat, Instagram and others.” Then earlier this week, a Wall Street Journal analysis found that it used a known loophole in Android to get the MAC address of the device and possibly use the persistent device identifiers for ad tracking purposes. TikTok stopped the practice in November 2019. Yes, it’s a shady thing to do, as was the clipboard fiasco, but it’s far from being deemed a threat to national security. In fact, a recent CIA assessment obtained by The New York Times found no evidence that the app had been used by Chinese spy agencies to intercept data. It’s a given when you install an app on your phone, you are willingly signing up to be tracked and an ungodly amount of data collected about you. But while there’s actually scant evidence that TikTok is sharing your personal information with China, we should be wary of any governmental attempts to control software under the garb of privacy concerns.
What’s trending in security?
Twitter said it fixed a bug in its Android app that may have allowed an attacker to access a user’s private Twitter direct messages, Garmin reportedly paid a multi-million dollar ransom to recover access to its systems after a ransomware attack, and the EU imposed sanctionsagainst China, Russia, and North Korea for carrying out major cyberattacks against European citizens and businesses.
The US announced rewards of up to $10 million for any information leading to the identification of any person who works with or for a foreign government for the purpose of interfering with US elections through “illegal cyber activities.” [US Dept of State] How secure is the chip in your credit card? An analysis of 11 chip card implementations from 10 different banks in Europe and the US found it’s possible to “harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.” [Brian Krebs] The New York Times looked at the life of 17-year-old Florida teenager Graham Ivan Clark, the alleged “mastermind” behind the Twitter hack last month, who was arrested with two other accomplices. [The New York Times] The NSA warned members of the US military and intelligence community this week that their smartphone apps could be tracking them and putting their security at risk. It’s telling workers to disable location-sharing services on mobile devices, grant apps as few permissions as possible, turn off ad permissions, limit mobile web browsing, adjust browser options to disable use of location data, and disable settings for tracking misplaced/stolen phone. [NSA]
More than 400 vulnerabilities in Qualcomm Snapdragon chips, now patched, could be exploited to bypass security checks and steal sensitive data, according to new research. [Ars Technica] Anomaly Six, a contractor for the US government, has embedded its SDKs in more than 500 mobile apps, allowing it to track the movements of hundreds of millions of mobile phones worldwide. [The Wall Street Journal] High-wattage connected devices like dishwashers and heating systems can be recruited into botnets and used to manipulate energy markets. [Georgia Tech] Taiwan’s semiconductor industry was the focus of a hacking campaign called “Operation Chimera” between 2018 and 2019 by a China-based threat group with an aim to steal source code and chip designs. [CyCraft Technology]
A dozen vulnerabilities in a Mercedes-Benz E-Class car allowed researchers to remotely open its doors and start the engine. [TechCrunch] At the Black Hat conference last week, a security researcher revealed how insecure satellite-based Internet allows attackers to snoop on companies and sometimes tamper with data. [Ars Technica] Security expert Troy Hunt open-sourced data breach notification website Have I Been Pwned. To read more about how such password checkup tools work, here‘s an interesting primer from Cloudflare’s Junade Ali. [Troy Hunt] The fortnight in data breaches, leaks and ransomware: British Dental Association, Canon, Havenly, Intel, LG, Xerox, and Zello.
Data Point
IBM released its annual Cost of a Data Breach Report last month, which says that the average data breach now costs $3.86 million. Although this average has decreased by 1.5% in comparison to 2019, these “mega” breaches can cost up to $392 million to recover from, up from $388 million in 2019.
Tweet of the week
Another reason why SMS-based two-factor authentication needs to go!
— Twitter Support (@TwitterSupport) August 10, 2020 That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)