This week
Vulnerability in locks used in over 3 million hotel rooms
- Security researchers Lennert Wouters, Ian Carroll, and a team of others have identified vulnerabilities in popular RFID door locks used to secure over 3 million doors in 13,000 hotels worldwide.
- The technique exploits vulnerabilities in the encryption implementation and underlying RFID system. First, an attacker requires access to any (current or previous) hotel key card from the property. Then, two cards can be programmed that, when tapped in sequence, allow an attacker to unlock the door.
- It’s being dubbed ‘Unsaflok’, after the name of the locks manufactured by Swiss firm Dormakaba. The company has a fix for the issues, which it began rolling out to hotels in November 2023. It’s a resource-intensive programme, requiring all locks to receive a software update or be replaced, as well as new key cards and front desk hardware and software. Plus, the hotel must update any third-party integrations (such as those in elevators and car parks). Around 36% of the affected locks have been updated or replaced.
- The deadbolt on the lock can also be unlocked by software, meaning additional physical measures (such as door chains) present the best way to secure a room while you are in it.
- The researchers do not plan on sharing a proof of concept at this time to allow further time for the vendor and hotel chains to update their systems. LINK, UNSAFLOK
Apex Legends esports tournament suspended after compromise of competitor’s devices
- An esports tournament was postponed after players were hacked during a match. In Apex Legends, the players suddenly gained ‘wall hacks’ (seeing other players’ positions through scenery). “Due to the competitive integrity of this series being compromised, we have made the decision to postpone the [North America] finals at this time,” the organisers said on Twitter/X. ‘Destroyer2009’ has claimed responsibility and said they did it “just for fun,” and to force the game’s developers to fix the vulnerability they had discovered. LINK, MORE
Other reading
- It was Gartner’s Security & Risk Management Summit in Sydney, Australia, this week, with analysts Chris Mixter and Dennis Xu telling the audience that “adrenalin does not scale” and that more emphasis must be placed on response preparedness. LINK
- A slowdown in NIST’s analysis of new vulnerabilities (CVEs) added to the National Vulnerability Database (NVD) is leaving ‘thousands’ of entries without crucial metadata: the type of weakness, the affected product and the commonly referenced CVSS score. In February, NIST posted a notice saying, “NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” LINK
Interesting stats
Wave three of the UK government’s Cyber Security Longitudinal Survey (CSLS) has been published:
- 66% of businesses reported having a designated member of staff responsible for cyber security who reports to the board; however, only 43% of boards discuss cyber security at least quarterly.
- 70% of businesses report receiving fraudulent emails or attachments (30% are lying or not looking?).
- 43% reported that people tried to impersonate their organisation in emails or online.
- 12% suffered from a malware infection (explicitly not ransomware). LINK
916 Google Firebase databases have been discovered with public read (and many write) permissions, exposing 125 million sensitive user resources, including names, email and phone contact details, billing information, and 19 million plain text passwords. LINK
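As an added illustration of the misconfiguration behind those numbers (not code from the linked research, and not tied to any of the 916 databases): a Firebase Realtime Database enforces whatever rules its developer writes, and `".read": true` at the root makes the whole database readable by anyone who knows the project name. The Python below embeds two constructed rulesets, the open default and a per-user locked-down equivalent, and walks them to flag every node that grants read or write without referencing `auth`. Paths and rule contents are made up for the example, and the check is a linter heuristic rather than a proof of what the rules engine will allow.

```python
"""Static check for Firebase Realtime Database rules that grant unauthenticated access."""
import json

# Constructed example rulesets (not from any real project): the wide-open
# default that misconfigured databases ship with, and a per-user scoped one
# that also exposes a deliberately public config node.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_config": {
      ".read": true
    }
  }
}
""")


def _grants_anonymous(rule):
    """True if a .read/.write value can be satisfied by an unauthenticated client.

    RTDB rule values are either a boolean literal or an expression string.
    A literal true, or an expression that never mentions `auth`, does not
    require a signed-in user, so it is treated as anonymous access. This is
    a heuristic: "auth == null || true" mentions auth and is still open.
    """
    if rule is True:
        return True
    if rule is False:
        return False
    return isinstance(rule, str) and "auth" not in rule


def find_anonymous_access(rules, path="/"):
    """Walk the rules tree; return [(path, permission)] for every node that
    grants read or write to unauthenticated users. Permissions inherit
    downwards in RTDB, so a root finding covers the entire database."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if _grants_anonymous(value):
                findings.append((path, key[1:]))
        elif key in (".validate", ".indexOn"):
            continue  # not access-control rules
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(find_anonymous_access(value, child))
    return findings


def audit(ruleset):
    """Summarise a rules document: root exposure plus the full finding list."""
    findings = find_anonymous_access(ruleset["rules"])
    return {
        "root_read": ("/", "read") in findings,
        "root_write": ("/", "write") in findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, rs in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, audit(rs))
```

The quick external check is an unauthenticated GET of `https://<project-id>.firebaseio.com/.json`: a locked database answers `{"error": "Permission denied"}`, an open one returns its contents. Firestore uses a separate rules language and is not covered by this walker.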
Other newsy bits / in brief
⚠️ Incidents:
- ‘Anonymous’ claims to have breached an Israeli nuclear facility’s computer network and stolen thousands of documents in protest against the war in Gaza. In a social media post, the group said it did “not intend to have a nuclear explosion but this operation is dangerous, and anything might happen”. That’d be just what’s needed in the region. LINK
- “Oh, Crumbs!” UK bakery chain Greggs could only take cash payments on Wednesday morning after a “technical issue” affecting the firm’s point of sale systems. LINK
- AT&T says a claimed data leak of 70 million people being sold by ShinyHunters on a crime forum is not from its systems. LINK
- Fujitsu says it discovered malware on ‘multiple work computers’ that may expose customer data. The firm suffered an incident in 2021 affecting Japanese government customers of its ProjectWEB file sharing solution. LINK, vol. 4, iss. 22
- The London Clinic is investigating three staff members after allegations that they attempted to access the private medical records of Catherine, the Princess of Wales. Speculation over the future Queen’s medical condition and diagnosis by the private Marylebone hospital had reached fever pitch in recent weeks before the royal confirmed a cancer diagnosis earlier this week. LINK
- Radiant Logistics has isolated its Canadian operations after detecting “the initial stages of a cybersecurity incident”. LINK
- Cybercriminals hijacked the official email for the Belgian Grand Prix event and used their access to phish banking information from F1 fans. LINK
- It’s unclear whether a suspected ransomware attack on Leicester council affected residents’ data. The council’s comms strategy seems to be to say nothing, which could be a bad plan or because they don’t know. LINK
🕵️ Threat Intel:
- SentinelOne says that it has found an updated version of the AcidRain malware used by Russian forces to disrupt Viasat’s satellite modems on the eve of their invasion of Ukraine in 2022. The new variant, dubbed AcidPour, can target a wider range of devices. LINK
- Russia’s SVR foreign intelligence agency has also been busy trying to spear-phish German political parties with dinner invites, according to Mandiant. LINK
- It shouldn’t be surprising that Chinese spies might be targeting UK lawmakers, but we should get some details this coming week. Deputy prime minister Oliver Dowden is expected to inform parliament that MPs and peers have been targeted in a string of attacks. LINK
🪲 Vulnerabilities:
- Ivanti has fixed a critical vulnerability in its Standalone Sentry product. CVE-2023-41724 (9.6/10) was reported to the vendor by NATO security researchers and allows unauthenticated attackers on the same network to execute arbitrary commands on the server. LINK, ADVISORY
- An exploit is available for the Fortinet EMS vulnerability patched last week. LINK, ADVISORY
- University researchers have discovered a side-channel attack against Apple’s M-series chips that may be used to extract secret keys used in cryptographic operations. LINK
- Common Electronic Logging Devices (ELDs) from multiple vendors, required in US medium- and heavy-duty trucks, “present considerable security risks,” according to researchers from Colorado State University. In one scenario, the researchers uploaded a truck-to-truck worm that exploits the ELDs’ Wi-Fi capabilities to search for and infect other vulnerable trucks nearby. LINK
🧰 Guidance and tools:
- AWS guidance on choosing a security model. LINK
- CISA and Five Eyes counterparts have published actions for critical infrastructure leaders to defend against Chinese state-sponsored activity. While nothing is disagreeable here, “make informed and proactive resourcing decisions” and “secure your supply chain” are easier said than done. LINK
- Help from NCSC for CEOs in public and private sector organisations on managing a cyber security incident. LINK
- GitHub says that its new AI Autofix feature can remediate over two-thirds of vulnerabilities it finds without requiring engineers to make edits to the code themselves. LINK
🧿 Privacy:
- Glassdoor is updating users’ profiles with (sometimes incorrect) names and location data obtained from support requests and other group sites. That has left some users concerned: the review site encourages candid feedback on employers and salaries and promises anonymity, yet if it holds your real identity alongside your reviews, exposing you is ‘only a JOIN away’. The changes are partly the result of an update to the terms of service following the acquisition of the business social network Fishbowl in 2021, which requires users to provide valid personal information. LINK, MORE
- General Motors is to drop sharing driving data from its connected cars with data brokers, following outcry after the practice came to light. LINK
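The ‘only a JOIN away’ point, shown as an added example that is not part of the original piece and has nothing to do with Glassdoor’s actual schema: the tables, names and reviews below are constructed for illustration. Reviews are served without an author column, but if each row carries the same account key as a profile table filled from sign-ups and support tickets, anyone with access to the database (an insider, an attacker with a dump, or a subpoena) recovers the authors with a single join.

```python
"""Pseudonymous reviews plus a shared account key equals one JOIN to re-identify."""
import sqlite3

# Constructed sample data for the example (not real accounts or reviews).
PROFILES = [
    # account_id, full_name, location
    (101, "A. Example", "Bristol"),
    (102, "B. Sample", "Leeds"),
]
REVIEWS = [
    # review_id, account_id, employer, body, salary
    (1, 101, "Acme Ltd", "Management ignores security findings.", 42000),
    (2, 102, "Acme Ltd", "Great team, poor pay.", 38000),
    (3, 101, "Widget Co", "On-call rota is brutal.", 45000),
]


def build_db():
    """In-memory SQLite with a profile table and a review table sharing account_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (account_id INTEGER PRIMARY KEY, full_name TEXT, location TEXT)"
    )
    conn.execute(
        "CREATE TABLE reviews (review_id INTEGER PRIMARY KEY, account_id INTEGER, "
        "employer TEXT, body TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", PROFILES)
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?, ?, ?)", REVIEWS)
    return conn


def public_reviews(conn, employer):
    """What the site shows: employer reviews with no author information at all."""
    return conn.execute(
        "SELECT body, salary FROM reviews WHERE employer = ? ORDER BY review_id",
        (employer,),
    ).fetchall()


def deanonymise(conn, employer):
    """What anyone holding the database sees: the same rows joined back to names."""
    return conn.execute(
        """
        SELECT p.full_name, p.location, r.body, r.salary
        FROM reviews AS r
        JOIN profiles AS p ON p.account_id = r.account_id
        WHERE r.employer = ?
        ORDER BY r.review_id
        """,
        (employer,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(public_reviews(db, "Acme Ltd"))
    print(deanonymise(db, "Acme Ltd"))
```

The defence is structural rather than a promise in the terms of service: either don’t keep a key that links published content to identity in the same system, or sever the link once a review is published and keep only a per-review moderation token that cannot be joined back to a profile.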
📜 Policy & Regulation:
- The UK Information Commissioner’s Office has published new guidance on how it decides to issue penalties and calculate fines. LINK
- The US House Of Representatives passed a bill banning data brokers from selling sensitive personal information to countries designated as “foreign adversaries”. However, the bill lacks any protections against “onward transfers” that would restrict the resale of data, essentially allowing these foreign adversaries to buy data from a third party. The bill needs to pass the Senate and be signed by the President before becoming law. LINK, TRANSFERS
- The UN General Assembly unanimously adopted a non-binding AI resolution. “The improper or malicious design, development, deployment and use of artificial intelligence systems … pose risks that could … undercut the protection, promotion and enjoyment of human rights and fundamental freedoms,” the measure says. LINK
👮 Law Enforcement:
- Nicholas Hawkes, 39, becomes first in England to be jailed for cyber flashing. Hawkes was jailed for 66 weeks after sending unsolicited dick pics to a 15-year-old girl and another woman earlier this year. He was already a registered sex offender. LINK
🏭 Industry news:
- Atos says that Airbus is no longer interested in acquiring the French integrator’s big data and security businesses, sending the firm’s shares down 20%. News of talks between the companies emerged at the beginning of the year, with a price tag of up to €1.8 billion ($2B) being rumoured. LINK, vol. 7, iss. 1
- Performanta claims to be the first MSSP to integrate Microsoft Copilot for Security into its Managed Extended Detection and Response (MXDR) solution. LINK
- Deloitte says it’s partnering with NVIDIA to help clients integrate artificial intelligence models into their cyber security solutions. LINK
- The University of Strathclyde has received ‘centre of excellence’ status from the UK government. LINK
And finally
- A semi-related read in an overlapping area of interest for me: Williams Formula 1 team managed 20,000 parts in Excel. This was “Impossible to navigate and impossible to update,” according to new team boss James Vowles. While Vowles is chasing performance improvements, the move away from Excel will also help address potential vulnerabilities in these business-critical processes. LINK