At a glance.
- Twitter issues mea culpa for misusing user security data.
- Smart Jacuzzi bug could allow attackers to dip into user data.
- Halfords’ tires leak more than air.
Twitter issues mea culpa for misusing user security data.
Social media giant Twitter on Wednesday released an apology for using account security data for targeted advertising. According to a complaint filed by the US Department of Justice and the Federal Trade Commission (FTC), between May 2013 and September 2019 Twitter asked users to supply a phone number or email address to authenticate their accounts, but Twitter was also using the contact info to serve users targeted ads “that enriched Twitter by the multi-millions.” The Record by Recorded Future explains, the complaint alleged that the company violated a previous order “by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially.”
Twitter was also found in violation of the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require companies to “follow certain privacy principles in order to legally transfer data from EU countries and Switzerland.” FTC Chair Lina Khan explains, “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.” To settle the complaint, Twitter agreed in May to pay a $150 million fine and notify users that it had misused the security data. The company’s apology appeared pinned at the top of users’ timelines, stating, “We are very sorry this happened.” The FTC has also banned Twitter from profiting off of “deceptively collected data,” and is requiring the company to provide alternative methods of two-factor authentication, as well as implement a comprehensive privacy and information security program.
Smart Jacuzzi bug could allow attackers to dip into user data.
Demonstrating that perhaps not every device in one’s home needs to be a smart device, a security researcher has found that Jacuzzi’s SmartTub line of hot tubs has several security vulnerabilities. Researcher EatonWorks first detected the issue when attempting to log into the SmartTub site, which allows users to control tub settings from a phone or SmartHome hub. Eaton noticed that, for a split second, an admin panel populated with user data appeared on his user login screen. Deciding to dive deeper, Eaton was able to use a program called Fiddler to modify the site’s code to convince the site he was an admin, giving him access to Jacuzzi user data from around the world. The researcher told Vice, “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership.” Eaton reached out to Jacuzzi about the bug back in December, and eventually Auth0, the third party who handled the login front end of the SmartTub software, patched the vulnerabilities on the login page.
Chris Hauk, consumer privacy champion at Pixel Privacy, sees this as an instance of the IoT's threat to privacy. “This seems to be a common affliction for users of Internet of Things devices, such as smart Jacuzzis, lighting, smart appliances, security cams and more. Usually, such vulnerabilities are related to weak or no passwords being used. However, in this case, developers are at fault for leaving a security hole that could have allowed hackers to access user data, and in some cases control a user's tub remotely. This underlines how users need to be careful as to how much personal information they should reveal to any IoT company or to any other organization, for that matter.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, while aware of the ridiculous aspects of the issue, points out that the risk can't be laughed off. “As absurd as this breach may sound, it proves that all organizations that collect data (and who isn’t these days) are potential targets for threat actors. Data is the lifeblood of any organization and threat actors’ focus is on getting their hands on any sensitive data from which they can profit. What is the solution? Protect the data itself. Data-centric security methods such as tokenization and format-preserving encryption replace sensitive data with benign representational information, so even if it falls into the wrong hands, threat actors cannot leverage it for financial gain or mischievous purposes.”
Roger Grimes, data-driven defense evangelist at KnowBe4, suggests that the big issue is the difficulty the bug hunter encountered in getting the vendor to address the issue:
“This was somewhat of a standard IoT hack and we can expect hundreds of thousands of them in the coming decade. The ultimate issue was a poorly secured admin console website in which admin credentials could be bypassed. This is a very, very common type of vulnerability and had the website been subjected to any type of security code review or pen test it would have been caught, and could have been remediated before people's data was compromised.
"Sadder, and more concerning, was how long it took this well-meaning bug finder to get the bug resolved by the involved vendor. He contacts them over and over, gets delayed, ignored, and tries again. It should not be so hard for a bug finder to report a bug and get that vendor to acknowledge the bug, thank and remunerate the bug finder, and for the bug to be fixed. The vendor here compounds the original vulnerability with poor response to the bug report. The latter disturbs me more than the former. There's always going to be bugs. It's how the vendor responds when they are reported that matters the most in the long run.
"Right now I don't have any faith that the vendor learned a necessary lesson in how to do better bug response. Will the next bug found take as long to resolve?”
Grimes's colleague at KnowBe4, security awareness advocate James McQuiggan, commented that IoT issues still tend to be overlooked:
“IoT (internet of things) and security do not always appear to be at the forefront of most organizations' priorities until a data breach is due to the product becoming compromised. After this, the effort to secure it becomes a high-level focus, and the necessary security features are ignored or added to the product. Budgets are approved, resources are provided, and the company works to provide a secure product. The race to get a product out to market always seems more critical than adequately securing the IoT device from the beginning.
"IoT developers want to develop the products to ensure they aren't shipped with default passwords and prompt users to change default configurations on first use. Utilizing a Secure Development Lifecycle (SDLC) where the information security department is instilled from the beginning and making it a development gate can ensure a more secure product. Proper security features have been proven to reduce the risk of IoT devices and compromise.”
Halfords’ tires leak more than air.
The Register reports that the UK’s leading vehicle products and services supplier Halfords was found to be exposing customer data through their appointment confirmation process. Cyber security consultant Chris Hatton noticed that, when scheduling an appointment for a tire replacement, he received a confirmation email containing a link that gave him access to private details about his booking, including his telephone number, car details, and his street address. Hatton also found the same private data could be retrieved using just a Halfords-issued customer ID. Hatton explains, "Through the Order ID, it seems likely that hundreds of thousands (if not millions) of different orders can be found, each containing [personally identifiable information]." Hatton attempted to disclose the issue to Halfords, but received no response. When contacted by the Register, Halfords responded, “In this case we've been made aware of a potential vulnerability in one of our customer-facing systems. No bank or payment details have been at risk. We've removed the vulnerability and we'll be implementing an immediate review of our screening protocols to help ensure this doesn't happen again.”