SKY ECC January 2020 Newsletter

Happy 2020! New Year, new threats from world governments as Hong Kong police hack the phones of protesters, WhatsApp is being shut down by repressive governments, TikTok “vulnerabilities” likely make it the favourite spying tool of the Chinese government, the US government is distributing phones with malware, and US Senators are pushing the FCC to act on SIM swapping.

Hong Kong police hack protesters’ mobile phones

Thousands of protesters in Hong Kong are having their phones seized. This is a controversial topic as seizing a phone during an arrest is not unusual, but I will let the Secretary General of the Demosistō Activist Group speak further:

This newsletter is not here to advise you on legal matters, but it can and will inform you of matters exactly like this so that you may act accordingly.

WhatsApp Most Often Disabled App by Government

WhatsApp is proving itself to be a problem again and again for the most vulnerable people in need of mobile security. The app is the most-blocked platform in the world, with over 6236 hours of disruption.

This is being done by repressive governments when protests against them are being conducted by their citizens. Here’s a look at the countries below:

TikTok vulnerability shows it can’t be trusted

TikTok, the social media app owned by a company in China, has been found to have more “security vulnerabilities” that seriously weaken account privacy:

  • Accounts can be taken over
  • Content can be manipulated
  • Unauthorized videos can be uploaded to accounts taken over
  • Private videos can be made public
  • Private information on the account can be made public

The attack launches from a malicious link in a spoofed SMS message, illustrating again how SMS is vulnerable to exploitation.

A patch was quickly released, but do you remember our chat last month about Pavel Durov and WhatsApp vulnerabilities really being exploits?

I’m not making accusations, but I am observing how an app often accused of being a surveillance tool of China has vulnerabilities that are perfect for spying on users.

Pre-installed malware on US government-funded phones

Phones being offered by the US government via the Lifeline Assistance program have been found to be loaded with pre-installed malware apps. Those apps include:

Wireless Update: This app is the only way to update the phone’s OS, and installs apps without user consent. It is similar to a Chinese spying app called Adups.

Settings App: We all have a Settings app on our phones, but this is different as it’s similar to other mobile Trojan dropper malware, except it can’t be uninstalled. The code is in Chinese and matches other Chinese malware.

It is not clear, as the vendor is not saying, if the malware comes from a supply chain attack in China, or if it was installed on the American side.

US Senators push FCC to act on SIM swapping

SIM swapping is when hackers trick phone carriers into swapping a person’s wireless account from the authorized phone to a phone controlled by the hacker. The FCC, and Chairman Ajit Pai seen here admiring his work on net neutrality, is responsible for monitoring this.

SIM swapping is a serious threat as it’s how Twitter CEO Jack Dorsey was hacked. Michael Terpin, an early Bitcoin investor, lost $24 million to SIM swapping. Another lost $1.8 million after suffering 4 SIM swapping scams, two in the same day.

A total of six Democratic Senators wrote in to push for a change to SIM swapping laws. Can you guess where this letter was sent with that few Senators and all of them Democrats with the current cadre in charge? 

The last word…

Governments around the world are gearing up for 5G. Few are doing anything about the security flaws it will have…maybe because those flaws are what they use to spy on you. Maybe. Those three flaws are: it is too complex for secure implementation, backwards compatibility opens attacks where 5G is forced to 4G, and too many security features are optional. It looks like 5G is not going to fix the current flaws as they’re just too useful for government exploitation.

Like any of these stories? Tweet @Sky_ECC!

The SKY ECC Twitter account is active with a new social manager here at Sky HQ! Follow our official account:

Posts from SKY ECC this month!

This was a very busy month at Sky HQ, but we made time to work on the use case series for you. There is one big piece coming that we hope you see soon, so be sure to check in with the SKY ECC blog.

Use Case for Secure Communications in Executive Security

C-level employees, celebrities, and politicians are prime targets for communication hacks. This article looks at the risks they face, such as SIM swapping and WhatsApp hacks, and shows how SKY ECC will help protect their communications.


Use Case for Secure Communications in the Mining Industry

One of the more vulnerable industries which is seldom thought about is mining. With teams out in the field using whatever works to communicate with HQ, you had better hope that any data transmitted is secured against hacking. This article shows a hack against Goldcorp Inc., and explains how SKY ECC would have helped.