Weekly podcast: Amazon Echo, Android banking malware and Cardiff billboard

This week, we discuss a vulnerability that could allow attackers to turn your Amazon Echo into a wiretap, a new strain of the Svpeng mobile banking malware and the hacking of a digital billboard to display right-wing messages.

Hello and welcome to the IT Governance podcast for Friday, 4 August 2017. Here are this week’s stories.

You might remember that earlier in the year I mentioned the Weeping Angel attack – an exploit apparently used by the CIA to hack Samsung’s smart TVs to eavesdrop on viewers. Now, it’s emerged that another ‘always listening’ home device, Amazon’s Echo smart speaker, is vulnerable to a hack that lets attackers stream live audio from compromised devices.

Security researcher Mark Barnes of Basingstoke-based MWR InfoSecurity reports that, given physical access to an Echo, it’s possible to connect to the device’s debug pads to gain access to the operating system and “install malware without leaving physical evidence of tampering”.

This could grant an attacker “persistent remote access to the device”, allow them to “steal customer authentication tokens” and provide “the ability to stream live microphone audio to remote services without altering the functionality of the device”.

According to Barnes, it was “trivial” to do this, although the need for physical access is “a major limitation”.

The flaw affects devices released in 2015 and 2016. Newer versions are not vulnerable. If you’re worried that someone might have compromised your Echo while you left it unattended, Barnes points out that you could always use the mute button – or turn it off. Alexa, did you hear that?

A new strain of the Svpeng mobile banking malware has been targeting Android users in 23 countries, including Russia, Germany, Turkey, Poland and France.

Kaspersky Lab reports that, last month, its researchers identified a new variant of the Trojan that works as a keylogger, intercepting text entered on banking apps via Android’s accessibility services.

As Kaspersky’s Roman Unuchek explains, accessibility services “provide user interface (UI) enhancements for users with disabilities or those temporarily unable to interact fully with a device […] Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan”. It also “takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server”.

The Trojan is distributed from malicious websites as a fake Flash player download. Once you’re tricked into installing it, it asks for permission to use accessibility services, after which it can steal your data – “even on fully-updated devices with the latest Android version and all security updates installed”.

Much to the bemusement of shoppers in Cardiff, a giant digital billboard in Queen Street was hacked on Tuesday to display, among other images, a swastika, a picture of Big Brother from the 1956 film of George Orwell’s Nineteen Eighty-Four, and a picture of Donald Trump as the far-right mascot Pepe the Frog.

Twitter user @polNewsForever tweeted pictures of the incident, saying the hackers had “had a little fun”.

According to Wales Online, a South Wales Police spokesperson said: “On Tuesday evening South Wales Police received a number of calls relating to concerns regarding messages being displayed on the screens in Queen Street, Cardiff. We alerted the city council and will investigate any crimes which may have been committed.”

A Cardiff Council spokesperson said: “The council has contacted the company that own and operate the advertising screen. The screen was switched off at midnight on Tuesday night.”

The BBC reports that there was “a security vulnerability with the screens”. BlowUPmedia, which operates the billboard, has not yet commented.

This is by no means the first time that digital billboards have been defaced. In May, one in Liverpool was hacked to display the message “we suggest you improve your security. sincerely, your friendly neighbourhood hackers”. Fair point.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.