SKY ECC May 2020 Newsletter

A happy May day to all the privacy readers out there! There are some important stories to look at this week in the mobile privacy and security world:

  1. New Bluetooth vulnerability exposes a billion devices
  2. VIPs targeted in 0-click iPhone flaw
  3. The European Commission has switched to Signal
  4. Email scam targeted VIPs through Microsoft products
  5. Xiaomi phone browser sends mass of data to servers

1. Bluetooth vulnerability exposes a billion devices

If Bluetooth wasn’t leaky enough already, researchers uncovered a vulnerability which allows attackers to remotely take over devices by spoofing a previous authentication key. Impacted devices and components include:

  • Apple
  • Samsung
  • Intel
  • QUALCOMM
  • Broadcom

Issues like this are exactly why SKY ECC devices have disabled Bluetooth. It is also why I never use a Bluetooth keyboard to type in my passwords. You need to think about which devices you should not use Bluetooth on until this is patched.

2. VIPs targeted in 0-click iPhone flaw

A flaw in the iPhone’s Mail app was recently found. Hackers chose to target VIP users rather than spam the vulnerability and be discovered sooner by Apple. Victims were:

  • Employees at Fortune 500 companies in North America
  • A Japanese executive, and possibly a Swiss executive as well
  • A Germany VIP
  • A European journalist

My advice? Switch all communications to SKY ECC and turn Mail off on your phone until iOS 13.4.5 passes beta testing for a general release.

3. European Commission switches to Signal

The European Commission has mandated that all messaging will be done on Signal…because if they left it up to users they’d all been sharing international secrets on WhatsApp

The move comes after high-profile hacks compromised data in a number of embassies. It’s encouraging to see world leaders taking message security seriously, and it would be even better to see them take it a step further with a more advanced tool…who knows someone at the European Commission and can pitch SKY ECC?

4. Email scam targeted VIPs through Microsoft products

Over 150 executives at companies in Canada, the UK, the USA, Germany, The Netherlands, and other countries were hit by the email phishing “PerSwaysion” attack. This hack gained access to Microsoft’s file-sharing services, such as Sway, SharePoint, and OneNote.

The importance of proper email phishing procedures must be stressed: If you’re not sure, don’t click it. Contact the person in question via an alternative trusted communication method.

5. Xiaomi phone browser sends data to servers

Xiaomi’s Mint browser was seen transmitting browsing data and metadata back to the company’s servers—even when users were in incognito mode. This data could be linked to the user.

A new setting in the browser turns this data collection off by tapping Settings > Incognito mode settings > Disable Enhanced incognito mode. Another option would be tapping a sales agent for a better phone.

  1. Bluetooth vulnerability
  2. 0-click email scam
  3. Euro Commission on Signal
  4. Email scam on VIPs
  5. Xiaomi phones data collection