At a glance.
- Pirated content carries privacy-threatening malware.
- Bluetooth RCE exploit demonstrated.
- More companies shun Zoom over privacy concerns.
- Risks of iOS zero days may be exaggerated.
Streaming pirated content remains a bad idea.
It seems that many are succumbing to temptation while they're staying home under conditions of social isolation. In particular, people groping for entertainment are streaming pirated content. The Wall Street Journal reports that the custom at black market television and movie sites has jumped as much as 30% in many countries. Since malware notoriously floats in on such streams, the downside of accessing pirated content is obvious.
Bluetooth exploit demonstrated.
As increased attention is given to applying Bluetooth in contact-tracing applications, researcher Jan Ruge at TU Darmstadt has demonstrated a proof-of-concept exploit that could enable someone within Bluetooth range of an Android device to execute code on the machine. The exploit takes advantage, CyberScoop reports, of a protocol used for streaming music on the device. In itself the proof-of-concept is no reason not to use Bluetooth in contact tracing, since the vulnerability is there whether the device is using any such public health app or not. But its demonstration does expose a potential Android privacy issue affecting devices running unpatched versions of the Android 8.0-9.0 operating systems.
Zoom privacy concerns prompt more companies to shy away.
Bloomberg reports that several large corporations have banned or restricted the use of Zoom for company business, out of concern for security and privacy. Daimler AG, Ericsson AB and NXP Semiconductors NV don't want their personnel using Zoom at all. Bank of America will let its personnel use it under restricted circumstances, and after obtaining company permission.
Privacy risk of iOS zero day may be exaggerated.
ZDNet reports that Apple has disputed the seriousness of the vulnerabilities ZecOps claimed it discovered when it saw them being exploited in the wild. It's the exploitation in the wild that Apple takes particular exception to: Cupertino says it found no indications that the zero days (which it acknowledges, and which in any case will be fixed in the next iOS release) pose any real threat to users. Some researchers think ZecOps may have observed malformed emails, and not malicious exploitation of iOS bugs. ZecOps says it intends to release more information on its discovery. In the meantime, Naked Security suggests that whatever else the bugs might be, they don't seem to be directly exploitable, and so any risk is probably low.