At a glance.
- Volkswagen discloses third-party data breach.
- Smart speakers snooping.
- Buggy pre-installed Android apps.
- Stolen cookies as a threat to privacy.
Volkswagen customer data exposed by vendor.
Volkswagen has disclosed that the data of more than 3.3 million customers were exposed due to a vendor error, TechCrunch reports. The carmaker sent letters to customers explaining that from August 2019 to May 2021 an unnamed vendor left a cache of sales and marketing data collected from 2014 to 2019 exposed. For most, the compromised data included customer names, street addresses, email, and phone number, but for about 90,000 customers, sensitive loan eligibility information like driver’s license numbers, dates of birth, and social security numbers were also exposed. As Security Week explains, the incident impacted Volkswagen Group of America, which includes VW’s luxury brand Audi. While the breach was detected and secured in March, it wasn’t until May that Volkswagen’s investigation revealed that more sensitive data had been exposed.
Smart speaker turned snooping device.
Though seemingly innocuous, business conferencing smart speakers are essentially network-enabled microphones, meaning hackers with the proper know-how could use them for surveillance. To explore vulnerabilities common to these speakers, cybersecurity firm GRIMM examined the STEM Audio Table conference table speaker and detected a number of remote code execution bugs allowing an intruder to eavesdrop and potentially achieve persistence within the organization’s network. The device employs an unauthenticated control interface, meaning an attacker could access administrator passwords, reboot the device, or even revert it to factory settings. Because the speaker doesn’t verify update signatures, by modifying the update server’s URL, an intruder could direct the device to a malicious server. The speaker neglects to enforce encryption on sensitive operations like resetting passwords, meaning an attacker could eavesdrop on the local network; and even if encryption were enforced, the device exposes the private encryption key in its firmware update packages. STEM has been notified of the vulnerabilities and confirmed that the most recent update corrects the issues.
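The signature-verification gap described above is the one a device maker can close most cheaply: if the device checks every update against a public key baked into its firmware, redirecting it to a different update server gains an attacker nothing, because an image the vendor did not sign will not install. The following Go program is an added illustration of that check and is not code from GRIMM, STEM or the briefing above; the Ed25519 scheme, the `SignUpdate`/`VerifyUpdate` names and the "firmware v1" sample image are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a firmware bundle: the raw
// image plus a detached Ed25519 signature over the image's SHA-256 digest.
// A real bundle would carry a version and rollback counter as well.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// SignUpdate is the vendor-side step (hypothetical). The private key lives
// only on the build system; it is never shipped inside the package, which
// is exactly the mistake the article describes (key exposed in update files).
func SignUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	digest := sha256.Sum256(image)
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the device-side gate. Only the vendor's public key is
// embedded in firmware, so the origin of the package (which server, which
// URL) is irrelevant: an unsigned or tampered image fails here regardless.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	digest := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("update rejected: signature does not verify against embedded key")
	}
	return nil
}

func main() {
	// Vendor key pair, generated here only so the example is self-contained.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// 1. Genuine package from the vendor: accepted.
	good := SignUpdate(priv, []byte("firmware v1"))
	fmt.Println("genuine package:", VerifyUpdate(pub, good))

	// 2. Same signature, one byte of the image flipped (e.g. served by a
	//    look-alike update server): rejected.
	tampered := UpdatePackage{Image: append([]byte{}, good.Image...), Signature: good.Signature}
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:  ", VerifyUpdate(pub, tampered))

	// 3. No signature at all, as a device that never checked would accept: rejected.
	fmt.Println("unsigned image:  ", VerifyUpdate(pub, UpdatePackage{Image: []byte("firmware v1")}))
}
```

The check costs one hash and one Ed25519 verification per update, which is well within reach of the low-power SoCs found in conference speakers; the design points that matter are that the public key is the only key on the device and that a failed verification aborts the install before anything is written to flash.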
Bugs discovered in pre-installed Samsung apps.
Also demonstrating the importance of regularly updating your devices, Sergey Toshin, founder of mobile app security company Oversecured, recently discovered seventeen vulnerabilities in Samsung mobile devices, Bleeping Computer reports. The less serious bugs give the hacker the ability to trick the user into giving them access to SMS messages, while the more dangerous issues require no user interaction and give the intruder permissions to read or write files. Toshin, who has collected nearly $30,000 through Samsung’s bug bounty program for his discoveries, published a blog post last week providing proof-of-concept exploitation instructions for seven of the already-patched vulnerabilities. Samsung is currently working on fixes for the other issues.
EA believed to be hacked via stolen cookies purchased in criminal markets.
The hackers got into the company’s Slack channel and persuaded a well-meaning employee to give them a login token. They explained to Motherboard that they got into EA’s Slack using a stolen cookie they purchased in an underground souk for about $10. Why were the cookies important? Among the information cookies can save are a user’s login details, and in this case the details were enough to enable the attackers to log in.
The money to be made through the theft of the code may well lie in the revenue streams that flow through the EA games themselves. Game coins amount to a virtual currency, and Tech Republic claims that players of EA’s popular FIFA spent $1.5 billion on FIFA coins in 2020. Compromising the games’ source code could make “gold farming” (that is, playing the games to earn game coins, and then selling them to other players for more liquid fiat currency) far easier and far more lucrative than it already is.
The use of stolen cookies has obvious implications for privacy. Rajiv Pimplaskar, CRO of Veridium, agrees that the potential consequences of the breach are unlikely to be confined to loss of intellectual property. “Apart from the obvious Intellectual Property (IP) implications of such a data breach, there could be several downstream consequences such as loss of customer account credentials, biographic data, etc., all with potentially Personally Identifiable Information (PII),” he said, adding, “Additionally EA makes over $2.7 billion from microtransactions or in-game purchasing. App developers today have a higher responsibility to protect consumers and need to increasingly incorporate digital identity, authentication and privacy measures at a code level for improving cyber defense and mitigating fallout from such forms of theft.”