Pre-Christmas Tech Update

Here are a few things worth a look as you ponder getting new tech toys for Christmas giving.

1 Ring in the New Year with Santa and his creepy friends.

Only four days after installing it, her 8-year-old daughter, Alyssa, heard music and a banging noise coming from the room where the camera was installed.

Alyssa says that when she began looking for the source of the noise, she heard a voice saying, “I’m Santa Claus, don’t you want to be my best friend?”

Lemay says the voice taunted Alyssa and encouraged her to mess up her room and break her TV before her dad came into the room and shut the camera off.

Ring security camera hacks see homeowners subjected to racial abuse, ransom demands

2 Lest you think Amazon is the only one watching whether you are naughty or nice, Facebook is too, but only if you use a smartphone made by Tim Cook.

The glitch affects iPhone owners, who said their camera suddenly switched itself on while they were scrolling through their feed, watching videos or looking at photos.

When people turned the video to full-screen mode and then switched back to Facebook’s normal view, they could see a little open space on the left and the camera app in the background.
Several people have tweeted about the bug and it has been replicated by tech journalists.

Daryl Lasafin, a creative director, tweeted: ‘Facebook app on iOS 13.2.2 opens my phone’s rear camera when I open a profile photo swipe down to return (look at the little slit on the left of the video). Is this an app bug or an iOS bug??’

Joshua Maddox, a web designer and digital strategist, tweeted: ‘Found a Facebook security & privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed.’

The Facebook app has been quietly turning on people’s cameras and freaking them out

3 However, if you thought Android devices were safer, you’d be very wrong.

The security research team at Checkmarx has made something of a habit of uncovering alarming vulnerabilities, with past disclosures covering Amazon’s Alexa and Tinder. However, a discovery of vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, is the biggest to date. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser.

The vulnerabilities themselves (CVE-2019-2234) allowed a rogue application to grab input from the camera, microphone as well as GPS location data, all remotely.

Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions? I hope you are sitting down as it’s a lengthy and worrying list.

  • Take a photo using the smartphone camera and upload it to the command server.
  • Record video using the smartphone camera and upload it to the command server.
  • Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
  • During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
  • Capture GPS tags from all photos taken and use these to locate the owner on a global map.
  • Access and copy stored photo and video information, as well as the images captured during an attack.
  • Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
  • The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.

Google Confirms Android Camera Security Threat: ‘Hundreds Of Millions’ Of Users Affected

Since the whole world is watching you anyway, “you’d better be good for goodness sake…”

4 In other news, Tim Cook knows not only whether you’re good or bad but also where you are (or have been).

Apple has admitted that the company still collects location data of iPhones even when the user has turned off location settings. This comes just after a security researcher found that iPhone 11 Pro was collecting data after the location settings were turned off.

KrebsOnSecurity identified the issue and published a video showcasing the location data collection after the user had selected ‘never’ for all individual system services and apps. The researcher then forwarded the issue to Apple who gave a generic reply stating that some services require location data and they continue to collect it even when the user has turned off location settings.

Krebs noted that the statement contradicts Apple’s claim that users get granular control over sharing their location. Apple hasn’t discussed more about the issue but for now, the company has confirmed that it indeed allows apps to collect location data even when the user has specifically blocked the app from doing so.

Apple admits that iPhone collects location data even when the user has turned off location settings

5 On Christmas, there is a tradition that if you find yourself under the mistletoe with a beautiful woman, you are obligated to kiss her. However, there might be repercussions, especially if you are equipped with a Fitbit.

There’s no ideal way to find out that your partner is cheating on you, but thanks to modern technology, there are at least more ways to learn the truth. This week, NFL Network correspondent Jane Slater has shared the story of how she discovered her boyfriend was being unfaithful after his Fitbit data exposed him.

The couple had both previously synced their Fitbit devices, so when Slater didn’t know where her boyfriend was at 4 o’clock in the morning, she checked her Fitbit account. Let’s just say, he was getting in some exercise.

NFL Network Reporter Jane Slater Caught Her Boyfriend Cheating Due to His Fitbit Activity

6 Fitbit was just recently purchased by Google, although some regulators aren’t sure they want Google to be exposed to Fitbit data.

By next year, the health data Fitbit has on its users today will become Google’s data – a valuable acquisition for Google, undoubtedly, but one that I predict could make consumers uncomfortable.

Fitbit snapped up by Google in $2.1bn deal

7 Meanwhile, Microsoft discovers that computer users tend to reuse passwords for different accounts. Like, no duh. I have an active list of at least forty different online accounts that I frequently use. It’s somewhere between inconvenient and impossible to remember them all. I use technology to track my technology access. Microsoft has one password to access all their products on any platform. I guess they decided to look at their users and got a surprise.

Microsoft performed a threat assessment of their services and the users between January and March of this year and the results are shocking. According to the Microsoft threat research team, millions of users are reusing their passwords on Microsoft’s services.

As a part of the threat assessment, Microsoft checked over 3 billion credentials, out of which 44 million Microsoft services and Azure AD accounts matched, indicating that the aforementioned accounts were reusing credentials. Microsoft also noted that out of the 3 billion credentials, many were leaked online and the company forced a password reset to ensure the accounts aren’t abused.

Furthermore, Microsoft said that 30% of the reused or modified passwords can be cracked within just 10 guesses.

Microsoft says millions of users are reusing their passwords

8 Finally, another Tim Cook story, this one from Germany where Apple has been ordered to allow other vendors to use NFC capabilities of the iPhone for pay services other than Apple’s.

We reported in October that Apple was drawing attention from the European Competition Commission over their monopoly over the NFC reader on the iPhone which prevented other payment companies such as banks from supporting contact-less payments directly on the handset.

Instead, banks had to subscribe to Apple Pay and pay Apple a percentage for the privilege. This is in contrast to Android, where users are able to set up any app as their contact-less payment provider.

Today Reuters report that last night a German parliamentary committee voted to force Apple to open up the payment platform on the iPhone.
The legislation, which does not name Apple directly, was added as an amendment to an anti-money laundering law.

German legislators vote to force Apple to open up Apple Pay and contact-less payments on the iPhone
It’s my precious

So that’s it for Friday the 13th. Be careful out there ‘cause lots of tech companies are depending on you so they can monetize your data, fill their coffers, and keep their Asia workforce employed for another year.
