With the ubiquity of smartphones, smart speakers, and wirelessly connected devices around the world, design flaws and security vulnerabilities surface more easily. For example, 2018 saw a spectrum of IoT security failures, ranging from flawed vendor implementations and state actors co-opting legitimate products to service providers outright selling data to third parties with negligible security practices, and cascading failures from voice recognition gone wrong.
Internet of Things policy
Many emergency broadcast systems in place today were designed in the 1980s, without the expectation that malicious actors would attempt to commandeer them. Though the ballistic missile alert broadcast in Hawaii on January 13th was the result of human error, the 38 minutes between that alert and its retraction caused panic and anxiety, particularly as North Korea had been testing missiles in late 2017.
Bastille Security found a vulnerability in emergency broadcast systems produced by Acoustic Technology Inc. (ATI) that allowed command packets broadcast over the air to be captured, modified, and replayed. ATI deployed a patch to address the issue, though it is unclear whether all affected systems were patched, or whether they were patched before the 90-day disclosure window closed. Oddly, ATI's public statement on the vulnerability claimed Bastille's research is "largely theoretical" and "is against the law," even though the same statement notes that public safety communications systems are exempt from the statute it cites.
Russian attackers co-opt LoJack implant to gain device control
The popular device security software LoJack, previously known as Computrace, was leveraged by the Russian state-sponsored cyber espionage group "Fancy Bear." LoJack requires computer manufacturers to insert a dropper into the BIOS so that the software persists across Windows installations; Fancy Bear was able to redirect the dropper's Windows component to servers under their control that impersonate LoJack's infrastructure. Because LoJack is a legitimate anti-theft utility, antivirus programs ignored the attack, which made it an attractive target for Fancy Bear.
While the May discovery relied on a change inside Windows, a second attack attributed to Fancy Bear was discovered in September. This attack, called LoJax, patches the computer's UEFI firmware, so the implant persists across Windows reinstallations and hard drive replacements. Though this rootkit was discovered in 2018, it appears to have been in operation since at least 2004. According to ESET, LoJax is the first UEFI rootkit recorded as active in the wild.
Cisco Talos reported finding 500,000 compromised devices across 54 countries, with evidence of the first infection dating back to 2016. The Ukrainian Security Service called out Russia as the originator of the attack. Initial reports indicated that rebooting the router was enough to clear the infection, but further updates found that this was not sufficient and recommended that users reflash the firmware as well. The malware is known to contain code targeting control systems that use SCADA, but the aims of the attackers remain unknown.
Similarly, the Slingshot malware was discovered to have been dormant in routers for six years and is capable of information gathering, persistence, and data exfiltration. Securelist researchers pointed out the similarities between Slingshot and the "Chimay Red" exploit published by WikiLeaks as part of the "Vault 7" releases of vulnerabilities, which WikiLeaks claims originated from the CIA.
LocationSmart leaked location data of all cell phones in the US
An unsecured product demo from geolocation data firm LocationSmart allowed any user to look up the location of any mobile phone on the four major US carriers, as well as US Cellular and the Canadian carriers Bell, Rogers, and Telus, without supplying a password or any other credentials. This vulnerability was found after Securus, a company that provides smartphone tracking tools for US law enforcement, was hacked. According to a ZDNet report, LocationSmart was that company's backend data provider.
To make matters worse, mobile network operators were selling this personally identifiable data to LocationSmart. Verizon was the first to pledge to stop data sharing, with AT&T, Sprint, and T-Mobile following shortly thereafter.