INFORMATION SECURITY NEWS
For The Week of 3/20-3/27 2018
CURRENT NEWS
You can download all the data Facebook has collected about you from their website (link below, if you want to try this out). While looking through this data, someone discovered that Facebook had stored call metadata from his Android phone, including names, numbers, and durations of calls, as well as SMS metadata. Facebook claims that this is explicitly an opt-in feature of Messenger and that the app “explicitly requests” access to the logs. It is true that recent versions of Messenger on Android do request access to call and SMS logs. Prior to Android 4.1, however, permission to read contacts automatically granted access to the call and SMS logs as well. So while the data collection was technically opt-in, the apps were installed with these permissions by default and never requested them separately. The author of the Ars Technica article confirms that he found call data in his own archive, despite never having been asked to opt in to the data collection. Facebook released a blog post refuting the claim that it collected the data without users’ permission, stating that anyone whose data was collected had to opt in first.
Facebook blog post refuting the claims: https://newsroom.fb.com/news/2018/03/fact-check-your-call-and-sms-history/
Download your Facebook data: https://www.facebook.com/help/131112897028467?helpref=page_content
Ledger is a French company that sells hardware wallets for cryptocurrencies. Hardware wallets are widely considered the most secure way to store a cryptocurrency wallet, because they avoid many of the security issues of other forms of wallet management. Ledger tries to ensure the security of its devices by only allowing them to run signed firmware. Ledger wallets ship with a notice that there are no physical tamper-proofing measures on the device, because the company trusts its system to be cryptographically secure. Their CEO was so confident in this process that he claimed it was totally secure to purchase the devices off eBay (where they could potentially have been tampered with). The Ledger uses a two-chip design. One chip, called the secure element, verifies that the Ledger is running authorized firmware on its main processor, the MCU. However, the secure element depends on the MCU to send it the firmware to be verified. This means malicious code on the MCU can simply send a copy of the original, signed firmware to the secure element while actually running whatever unauthorized firmware it wants. This flaw can be used to tamper with devices so that they generate keys an attacker can easily alter, or so that they modify transactions. The best part? The hacker who pulled this off is only 15 years old.
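The design flaw above, as an added toy model that is not Ledger's code: a verifier that accepts the prover's own copy of the firmware checks only what the prover chooses to send, whereas a verifier that measures the executing memory directly does not (an assumed hardened design, not a description of Ledger's fix). The HMAC "signature", the vendor key, and the firmware images are constructed stand-ins.

```python
"""Toy model of a two-chip firmware check. Constructed illustration only."""
import hashlib
import hmac
from typing import Optional

VENDOR_KEY = b"constructed-vendor-signing-key"   # stands in for the vendor's signing key
GENUINE_FW = b"genuine firmware v1"              # constructed, vendor-signed image
TAMPERED_FW = b"firmware that alters transactions"  # constructed, never signed


def sign(image: bytes) -> bytes:
    """Vendor-side signing, modelled here as HMAC-SHA256 instead of a real signature."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_valid(image: bytes, sig: bytes) -> bool:
    """Constant-time comparison of the expected and presented signature."""
    return hmac.compare_digest(sign(image), sig)


class MCU:
    """General-purpose chip that actually executes whatever is in its flash."""

    def __init__(self, flash: bytes, reported: Optional[bytes] = None):
        self.flash = flash                      # the code that really runs
        self.reported = reported if reported is not None else flash  # the answer it gives

    def report_firmware(self) -> bytes:
        # The MCU picks what it sends; a compromised MCU can send the genuine image.
        return self.reported


def check_by_self_report(mcu: MCU, sig: bytes) -> bool:
    """Flawed check: the secure element verifies whatever image the MCU sends it."""
    return signature_valid(mcu.report_firmware(), sig)


def check_by_direct_measurement(mcu: MCU, sig: bytes) -> bool:
    """Hardened check (assumed design): the verifier reads the executing flash
    itself, so the MCU gets no opportunity to substitute a different image."""
    return signature_valid(mcu.flash, sig)


if __name__ == "__main__":
    sig = sign(GENUINE_FW)
    lying = MCU(TAMPERED_FW, reported=GENUINE_FW)
    print("self-report passes a lying MCU:", check_by_self_report(lying, sig))
    print("direct measurement passes it:", check_by_direct_measurement(lying, sig))
```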