Tag Archives: vulnerabilities

WhatsApp and Facebook signals can be hacked to track your location

Hackers can monitor 4G mobile networks to detect users’ location using supposedly anonymised identifiers

Security researchers have revealed how simply contacting somebody via WhatsApp or Facebook messenger can reveal a smartphone owner’s location by exploiting a security flaw in 4G mobile networks.

A hacker could use the apps to discover the supposedly anonymised identifiers that are assigned to devices when they connect to a network, and use them to locate their owner, according to researchers in Finland and Germany.

When a smartphone connects to a mobile network, it is assigned a temporary number called a TMSI (Temporary Mobile Subscriber Identity). The network then uses this eight-digit number to identify a device, rather than a phone number, to make communication more private.

However, a hacker monitoring radio communications could tie this TMSI to an individual by sending them a Facebook message or WhatsApp chat, both of which trigger a special “paging request” from a network that contains specific location information about a particular TMSI number.

Anybody with a Facebook account can send another user a Facebook message. Unless the two users are friends, this message will end up inFacebook’s “Other” folder, a feature most users do not know about that is only accessible on the social network’s desktop version, but sending a user a message will still trigger a paging request.

Likewise, WhatsApp’s “typing notification” – a feature on the chat app that displays when a contact is composing a message – also triggers the connection. If a hacker has a victim’s phone number, they could send them a message on WhatsApp, and if the victim begins to type a response, the network issues a paging request.

Within these paging requests are location data, that on newer 4G networks can be used to track users’ locations to an area of 2km2.

Older 2G and 3G networks would place a particular smartphone within a given “tracking area” of around 100km2, representing less of a security issue, but modern 4G networks place them in smaller “cells” of around 2km2, making it much easier to pinpoint a smartphone.

This allows network issues to be better understood, but in this case, gives away more data about smartphone users.

Smartphone trackingCells are much more accurate than tracking areas  Photo: Aalto University

It is relatively easy to monitor these signals using easily-available network hardware, according to the researchers from Aalto University, the University of Helsinki, Technische Universitat Berlin and Telekom Innovation Laboratories.

Although TMSIs are supposed to refresh relatively often, in order to protect privacy, they can persist for up to three days, the researchers said.

More aggressive attackers can set up a fake network base station to accurately triangulate users. These stations can request reports from TMSI numbers, typically used in cases of network failure, which can accurately reveal a smartphone’s location. At least one device gave away its GPS co-ordinates after a failure request, the researchers said.

Tagged , , , , , , , , ,

Mumsnet’s co-founder suffers ‘swatting attack’

Mumsnet has reset its users’ passwords after a series of attacks, one of which involved armed police being called out to the London home of the parenting site’s co-founder.

Justine Roberts said she suffered a “swatting attack” last week – a type of harassment in which a perpetrator calls the emergency services out to their victim on a false pretence.

She added that another member of the site had been similarly targeted.

Some accounts have been hijacked.

Ms Roberts also disclosed that someone had managed to hack into the site’s administrative functions.

Additionally, she revealed that there had been an attempt to force Mumsnet offline by swamping it with internet traffic, in what is known as a distributed denial of service (DDoS) attack.

A Twitter account linked to the incident, called DadSecurity, has been suspended.

A spokeswoman for Mumsnet said it currently had 7.7 million members.

Swat attacks

Ms Roberts – who is married to Newsnight editor Ian Katz – said the incident involving her home happened on Tuesday of last week.

“I wasn’t actually there – I was on holiday,” she told the BBC.

“The first thing I knew was when our au pair contacted us the next morning to tell us that at 03:30 she’d been woken up and disturbed by a Swat team of five armed police and three unarmed police and a police dog.

“They’d received a report of a man prowling round the house with a gun.”

She said that she was aware such incidents had become more common in the US, but she believed they remained relatively rare in the UK.

“At first I think the police were slightly nonplussed and said they were not sure, because there were no actual real victims, that it was a pursuable crime.

“But I think in the States it’s treated incredibly seriously because, of course, if you get copycat things like this it can be incredibly disruptive, not to mention the cost to the security forces.”

A spokesman for the Metropolitan Police provided further details.

“Police were called at approximately 00:15 on Tuesday 11 August to a residential address… following a report that a man had murdered a woman at the address,” he said.

“This was followed by a second call during which the caller stated he had members of his family held in a room. This call was assessed as requiring a firearms response.

“Local officers and firearms officers attended the address and carried out an assessment. Two people resident at the address were spoken to. The incident was treated as a hoax and the police response explained to those at the address.

“No suspects have been identified at this time, however enquiries continue.”

Handcuffed husband

Ms Roberts said that the second case occurred after a Mumsnet user had engaged the DadSecurity Twitter account and received back a message saying “prepare to be swatted” alongside a picture of a Swat team.

When the police arrived, she added, they initially handcuffed the husband.

“The [hoax] report had said they had heard gunshots and identified a man as shooting in the house,” Ms Roberts said.

“It’s incredibly disturbing and not surprising that that user and her family were very upset.”

DadSecurity’s tweets are now offline, but the BBC can confirm it repeatedly posted “RIP Mumsnet” and claimed to have stolen data from the site before being blocked.

What is a ‘swat attack’?

Police guns
  • They involve an individual or group providing the emergency services with fake information in order to get them to attend the victim’s home
  • Named after Special Weapons and Tactics (Swat) police teams in the United States because attacks often involve the reporting of fake crimes or emergency incidents designed to get armed police to attend
  • Often associated with online harassment campaigns involving video gamers, particularly in the United States

Login redirect

Ms Roberts also provided details of other attacks including:

  • Visitors to Mumsnet’s homepage being automatically redirected to DadSecurity’s Twitter profile
  • Posts on Mumsnet’s site being re-edited without their authors’ permission
  • Messages appearing on the site’s forums that were not written by the owners of the accounts that they were posted under
  • A DDoS assault, during which Mumsnet received about 17,000 requests per second. It normally receives between 50 and 100

Ms Roberts added that there was evidence that at least 11 accounts had been hacked, but warned that many more could be affected.

“It’s a reasonable assumption, and our working one, that the passwords of everybody that has logged since 6 August 2015, and possibly some time before that, have been collected,” she wrote in a follow-up post.

Mumsnet has yet to determine how the hacks were carried out, but one theory is that a “cross site scripting” (XSS) attack was involved, in which code would have been added to Mumsnet’s site to redirect the login process to computers controlled by the attacker.

That way the hacker would have been able to harvest the passwords of people as they typed them in.

Users are being asked to double-check they are not entering their passwords into a fake login page

Ms Roberts said Mumsnet itself stored users’ passwords in a “high strength” encrypted form, so doubted its own database had been cracked.

As a precautionary measure, all the site’s users will have to create new passwords to access their accounts.

In addition, members are being asked to check that the page they log in on uses a specific address – https://www.mumsnet.com/session/login.

“It’s challenging to build a website that can stand up to a determined attacker, while still being cost-effective to run and easy to use,” commented security expert Dr Steven Murdoch from University College London.

“These types of incident will keep on happening, so this is a good reminder to not use the same password on multiple websites and be cautious about what information you give out online.”

Tagged , , , , , , ,

Fiat-Chrysler recalls 1.4 million vehicles in wake of hack

We were waiting for the other shoe to drop, and here it is: Fiat Chrysler Automobiles (FCA) has announced it is voluntarily recalling 1.4 million vehicles across its various brands and model lines, in the wake of the discovery of a zero-day exploitthat lets hackers remotely force late-model Jeep Cherokees off the road. All someone needs is the IP address of a car armed with Chrysler’s UConnect infotainment system, and they can infiltrate the car’s network via its Wi-Fi hotspot feature, rewrite the OS firmware, and then control all of the major systems of the car: accelerator, brakes, steering, air conditioning, and more.

Here’s the main text of the FCA recall press release:

“The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action… Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”

The hack also lets someone remotely monitor the car’s location via GPS tracking, and could very well extend to the in-car microphones that capture voice commands. In the publicized hack, the researchers even managed to “taunt” the victim by displaying a picture of themselves on the display, as well as controlling secondary systems like the turn signals and windshield wipers — all that before disconnecting the engine from the drivetrain and taking control of the steering.

Fiat-Chrysler says it’s unaware of any actual customer injuries or even complaints related to the vulnerabilities aside from what’s been demonstrated in media outlets — an assumed direct reference to Wired’s original story. The number of cars on the list is roughly three times the initial estimate of 471,000 vehicles, and extends to the Dodge Ram pickup, the Grand Cherokee, the Dodge Durango, three of Chrysler’s most popular sedans, and the Dodge Challenger two-door coupe.

The following vehicles with 8.4-inch UConnect system touchscreens are affected by the recall:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

If you’ve got one of these vehicles, visit http://www.driveuconnect.com/software-update/ to input your VIN number and see if it’s on the recall list. If so, Chrysler will mail you a USB drive that lets you update your car’s software and that provides “additional security features,” although the company hasn’t elaborated on what those are exactly. We’d like to think those features have something to do with preventing people from hacking into the car remotely and doing all of the above things without the driver being able to stop them.

Tagged , , , , , , , , , , ,