There’s never a shortage of security holes

New reports last week highlighted some novel ways for information to get into the wrong hands

Information security is a job that can never be completed. Threats multiply, and new vectors of attack become apparent. A couple of new ones were publicized last week.

For starters, internet security company Bastille advised that thieves can access a wireless keyboard’s “unencrypted radio communication protocols, enabling an attacker to eavesdrop on all the keystrokes typed by the victim from several hundred feet away using less than $100 of equipment. Wireless keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.”

Bastille published a list of keyboard manufacturers impacted and the statements the companies issued in response. You can tell an awful lot about a vendor by how it reacts to this kind of situation. Only three have responded so far. 

Kensington seems to have reacted the best. “Kensington has released a firmware update that includes AES encryption, which has been adopted by the U.S. government and is now widely used across the globe,” it said. But it opened with this muddled statement: “We are happy to report that, to our knowledge, no security incidents have been reported to us since this product originally launched in 2005.” (What is that “to our knowledge” doing in there?) The big problem with that is that the absence of reports to the vendor does not mean — even a little bit — that nothing leaked. Because of the nature of this hole, victims would likely be unaware of the leak. And if they did somehow learn of the leak, chances are that they would blame the operating system or a site they visited. Anything other than their keyboard.
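The difference between the unencrypted protocol Bastille describes and the AES-based fix Kensington shipped is easiest to see on the wire. The following Go program is an added illustration, not code from Bastille, Kensington or any keyboard vendor: it models a keyboard-to-dongle link that wraps each HID report in AES-GCM under a per-pairing key, with a counter-derived nonce so that a sniffed frame shows no keystroke bytes, a replayed frame is rejected, and a modified frame fails authentication. The key, salt and report bytes are constructed demo values; a real pairing would derive the key during pairing and keep the counter in non-volatile storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one side of a paired keyboard/dongle radio link.
// Frame layout (constructed for this example): 8-byte big-endian counter in
// the clear, then AES-GCM ciphertext + 16-byte tag over the HID report.
type Link struct {
	aead     cipher.AEAD
	salt     [4]byte // per-pairing salt, fixed for the life of the key
	counter  uint64  // sender: last counter used
	lastSeen uint64  // receiver: highest counter accepted so far
}

// NewLink builds a link endpoint from a 16/24/32-byte AES key and the pairing salt.
func NewLink(key []byte, salt [4]byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, salt: salt}, nil
}

// Pair returns the keyboard side and the dongle side sharing one key and salt.
func Pair(key []byte, salt [4]byte) (sender, receiver *Link, err error) {
	if sender, err = NewLink(key, salt); err != nil {
		return nil, nil, err
	}
	if receiver, err = NewLink(key, salt); err != nil {
		return nil, nil, err
	}
	return sender, receiver, nil
}

// nonce is salt || counter: unique per frame as long as the counter never wraps.
func (l *Link) nonce(counter uint64) []byte {
	n := make([]byte, 12)
	copy(n[:4], l.salt[:])
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// Seal encrypts one HID report. The counter travels in the clear (it is not
// secret) but is bound to the ciphertext as associated data.
func (l *Link) Seal(report []byte) []byte {
	l.counter++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, l.counter)
	ct := l.aead.Seal(nil, l.nonce(l.counter), report, hdr)
	return append(hdr, ct...)
}

// Open verifies and decrypts a frame, rejecting replays and tampering.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	ctr := binary.BigEndian.Uint64(frame[:8])
	if ctr <= l.lastSeen {
		return nil, errors.New("replayed or out-of-order frame")
	}
	pt, err := l.aead.Open(nil, l.nonce(ctr), frame[8:], frame[:8])
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	l.lastSeen = ctr
	return pt, nil
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	kb, dongle, err := Pair(key, [4]byte{1, 2, 3, 4})
	if err != nil {
		panic(err)
	}
	// Constructed HID report: left shift held, keycodes for 'a'..'e' pressed.
	report := []byte{0x02, 0x04, 0x05, 0x06, 0x07, 0x08, 0x00, 0x00}
	frame := kb.Seal(report)
	fmt.Printf("sniffed frame: %x\n", frame)
	fmt.Println("report bytes visible to an eavesdropper:", bytes.Contains(frame, report))
	got, err := dongle.Open(frame)
	fmt.Printf("dongle decoded %x (err=%v)\n", got, err)
	_, err = dongle.Open(frame)
	fmt.Println("replayed frame accepted:", err == nil)
}
```

Encryption hides the keystroke values but not the fact that a key was pressed or when; frame timing and count still leak, which is why the replay counter and the tag matter as much as confidentiality here.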

In a less satisfying response, Anker said that it had “decided to suspend sales of our Ultra Slim 2.4gHz Wireless Compact Keyboard indefinitely” and that for a very limited time (until Aug. 30) it will be offering to swap out the devices for its Bluetooth keyboard — but only if the impacted keyboard is still under warranty.

Three thoughts. One: When you’ve been caught selling an insecure product, is that really the best time to enforce a warranty time limit? Presumably, customers weren’t aware that the Anker product was ludicrously insecure until Bastille reported it. Two: If customers had wanted Bluetooth, they would have purchased that initially. Three: Here’s a wacky thought. How about fixing this product by adding encryption and then offering to send the fixed units to all customers for free, with no limits? That’s how you regain customers’ trust. 

Anker also said it had received no customer complaints, but it at least didn’t sound as if its internal communications were a giant mess: “We are happy to inform that we haven’t received any reports or complaints concerning this issue, to date.” 

The third response was from Jasco Products, which is licensed to market its keyboards under the General Electric brand. Its statement amounted to a promise to do something just next door to nothing. Jasco, it said, “is aware of the issues reported by Bastille Threat Research Group in reference to the 98614 Keyboard and Mouse Combo and will work directly with its customers of this product to address any issues or concerns.” 

No promise to fix this, even in future versions. No word about encryption. Merely a vague promise to deal with any customer complaints as they come up. Jasco is definitely going on my list of vendors to avoid.

Tripwire added to the perils of peripherals when it reported that “74 percent of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities, including 20 different models where the latest firmware from the vendor was exploitable.”

The Tripwire report was scary: “All requests containing a particular string received ‘200 OK’ responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. Denial of Service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable. This is a serious issue as the product relies on HTTP when used as a hot spot. Information Disclosure: The device’s serial number is exposed by the HTTP server. It is unclear whether this has any direct security impact but it may be useful to an attacker as part of a social engineering ploy. I have also observed other products where the serial number is used as a means to prove ownership of a device. I also found that authenticated requests for a certain page would trigger excessive memory consumption causing the HTTP server to reload, as well as possible disruption to other services. This vector is exploitable via GET requests and therefore lends itself to CSRF attacks through malicious image tags in HTML documents or emails.”
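Three of the findings in that quote come from the same handful of design mistakes in a router's embedded admin server: deciding whether login is required by looking for a magic string anywhere in the request, printing the serial number on an unauthenticated page, and letting a plain GET trigger a state change. The Go program below is an added example, not code from Tripwire or from any router vendor, and the routes, tokens and serial number in it are constructed placeholders. It puts a handler built the weak way next to one built with an exact-path public allow-list, default deny for everything else, the serial number only behind authentication, and reboot only via POST with a per-session CSRF token (which an image tag in an e-mail cannot supply).

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed demo values. A real device issues the session and CSRF tokens
// at login and stores them server-side; they are constants only so this runs offline.
const (
	demoSession = "constructed-session-token"
	demoCSRF    = "constructed-csrf-token"
	demoSerial  = "SN-CONSTRUCTED-0001"
)

// hasValidSession checks the login cookie in constant time.
func hasValidSession(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && subtle.ConstantTimeCompare([]byte(c.Value), []byte(demoSession)) == 1
}

// WeakAdmin reproduces the bug class in the quote: a substring test over the
// whole URL (path and query) decides whether login is needed, the public
// banner prints the serial number, and reboot is a side effect of a GET.
func WeakAdmin() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.Contains(r.URL.String(), "/public/") && !hasValidSession(r) {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		switch r.URL.Path {
		case "/public/banner":
			fmt.Fprintf(w, "Router serial %s\n", demoSerial)
		case "/admin/status":
			fmt.Fprintf(w, "WAN up, serial %s\n", demoSerial)
		case "/admin/reboot":
			fmt.Fprintln(w, "rebooting")
		default:
			http.NotFound(w, r)
		}
	})
}

// HardenedAdmin: exact-path allow-list of public pages, default deny for the
// rest, serial only on an authenticated page, state change only via POST
// carrying the session's CSRF token.
func HardenedAdmin() http.Handler {
	public := map[string]bool{"/public/banner": true}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !public[r.URL.Path] && !hasValidSession(r) {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		switch r.URL.Path {
		case "/public/banner":
			fmt.Fprintln(w, "Router admin: please log in")
		case "/admin/status":
			fmt.Fprintf(w, "WAN up, serial %s\n", demoSerial)
		case "/admin/reboot":
			tok := []byte(r.Header.Get("X-CSRF-Token"))
			if r.Method != http.MethodPost || subtle.ConstantTimeCompare(tok, []byte(demoCSRF)) != 1 {
				http.Error(w, "POST with CSRF token required", http.StatusForbidden)
				return
			}
			fmt.Fprintln(w, "rebooting")
		default:
			http.NotFound(w, r)
		}
	})
}

// Probe sends one in-memory request to a handler and returns status and body,
// so both handlers can be compared without opening a socket.
func Probe(h http.Handler, method, url string, authed, csrf bool) (int, string) {
	req := httptest.NewRequest(method, url, nil)
	if authed {
		req.AddCookie(&http.Cookie{Name: "session", Value: demoSession})
	}
	if csrf {
		req.Header.Set("X-CSRF-Token", demoCSRF)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, name := range []string{"weak", "hardened"} {
		h := map[string]http.Handler{"weak": WeakAdmin(), "hardened": HardenedAdmin()}[name]
		code, body := Probe(h, "GET", "/admin/status?via=/public/", false, false)
		fmt.Printf("%-8s unauthenticated status page -> %d %q\n", name, code, body)
		code, body = Probe(h, "GET", "/admin/reboot", true, false)
		fmt.Printf("%-8s reboot via GET (logged in)   -> %d %q\n", name, code, body)
	}
}
```

The serial-number point is the least dramatic, but the quote is right that it matters: if another product in the same house treats the serial as proof of ownership, a banner that prints it hands that proof to anyone who can reach the HTTP port.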

To cap things off, I got a jolt about one of my favorite low-effort privacy protections: leaving my phone in airplane mode unless I want to do something such as check email or make a call. I have always figured that by keeping my iPhone off of cellular and Wi-Fi networks, I was keeping the bad guys at bay, while still being able to use it for Apple Pay transactions. That was overly optimistic, I now know. 

Consider this, from PubPub: “Turning off radios by entering airplane mode is no defense. For example, on iPhones since iOS 8.2, GPS is active in airplane mode.” 

Good old Apple, allowing us to be tracked more effortlessly than ever — while doing very little to let us know about it. Maybe there are some people who want to use Maps while in airplane mode, but I can’t help but see it as a privacy issue. Let’s say that I go to BigBoxStore while my phone is in airplane mode. I have on that phone an app from a competitor, BiggerBoxStore, that can use my current location. Because the phone was in airplane mode, I thought BiggerBoxStore wouldn’t get a heads up that I had been to BigBoxStore. But I was wrong. 

The PubPub article went on: “Furthermore, airplane mode is a ‘soft switch’ — the graphics on the screen have no essential correlation with the hardware state. Malware packages, peddled by [thieves] at a price accessible by private individuals, can activate radios without any indication from the user interface. Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”

In other words, I might just think I’m in airplane mode. It’s depressing.

For most people, the leaky wireless keyboards and routers are the greater concern. Enterprises spend a lot of money on high-security systems and then allow them to connect in various ways, including over VPN, with insecure peripherals. Many times, IT has no way to know this.

It makes little sense to secure data if it can easily leak out the instant it’s unencrypted.


Stories by Evan Schuman
