Checklist 116: It’s In The Mail

Welcome in to our post-Thanksgiving episode of The Checklist, brought to you by SecureMac.

Holiday weeks are typically where news goes to die — everyone shovels out the stories they don’t really want to talk about in the hopes that no one will notice, being instead too distracted by football and stuffing. Does it always work? Nope. Not when you’ve got people like us with their eyes peeled for the stories worth discussing. This week, we’re bringing you a few stories that those involved might have preferred to keep on the lowdown. From a big fumble by the US Postal Service right before the holiday shopping season to an apparently new consumer service for iPhone unlocking, to a leak of personal info that’s almost impressive in its ineptitude, we’ve got a ton of great content coming your way today.

On our list for this week:

• Data loss? It’s in the mail!
• A GrayKey for the rest of us,
• A data exposure that’ll rub you the wrong way

Let’s kick things off for this week’s discussion by looking at something the US Postal Service announced in the run-up to Thanksgiving and which so far has been flying a bit under the radar.

Data Loss? It’s in the Mail!

Just before the Thanksgiving holiday, the USPS dropped a bomb of an announcement that was more like a firecracker — we bet you didn’t discuss the post office while passing the gravy this year. According to a report in Engadget, the USPS patched an exploit in an API for a service they offer to organizations sending out bulk mail. Using this exploit let anyone, logged in with only a USPS.com account and having no special permissions or access, view the details of any other USPS user’s account. In total, that could mean free rein to personal information found in accounts for more than 60 million users.

Let’s break this apart.  First, what is an API? Think of it as a special communications channel between a web-based service and a piece of software you might have. By using the API, you can request data from a webserver for display or analysis; for example, a third-party app might use Twitter’s API to request tweets from their official account to display inside the software. That’s just one example, but you’ll find APIs are in use all over the place; they’re a common and handy tool. Unfortunately, like everything, they can also come with some serious security flaws that allow people with the right know-how to request data they weren’t supposed to access.

So where did the problem start with the USPS? It’s all about a program they run called “Informed Visibility” — something the USPS says is meant to “help empower bulk mail senders with near real-time tracking data.” In other words, it lets junk mail senders track the progress and health of their mailing campaigns. While we could probably do an entire episode just on that, it’s not why we’re here today. Instead, we’ll focus on the issue with the API. What was that issue?

According to Engadget, the API was not very well designed. Built to accept a vast number of “wildcard” options for searches, anyone who understands how to tweak things through their web browser’s console would be able to force the API to cough up tons of data on other users. It included not just basic, boring info such as usernames and account numbers, but also those users’ real addresses and even their phone numbers. For an identity thief, these tools could represent a possible way to start phishing for more information elsewhere.

Literally anyone could have gone in and looked at this information, since it seems to have been relatively simple to execute.  It wasn’t only Informed Visibility customers. The USPS left the door wide open on tons of basic information on all its users. That’s a pretty serious situation. A member of the International Computer Science Institute, Nicholas Weaver, agrees. He told Krebs on Security the following:

This is not even Information Security 101, this is Information Security 1, which is to implement access control… It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad, and I’m willing to bet they’re not enforcing controls on writing to that data as well.

While this might sound alarmist, it’s a legitimate concern. According to Krebs, writing data back to the server via the API was possible in some instances, too. We can imagine all kinds of scenarios where that could go wrong: you might change someone else’s address, muck with tracking data to make it look like a package was not yet delivered, and so forth. Though the USPS has said they’ve since patched the hole, it shouldn’t have been there in the first place; this is a big “oops.” As it turns out, it’s been a long-running one, too.

Krebs’ report notes that an independent researcher found and reported the problem to the Post Office well over a year ago, but nothing was done. As usual, though, once Krebs on Security reached out to let them know a story would be going out about the issue soon, the service began to take action. We first heard about this story during preparations for recording our Thanksgiving episode; however, we wanted to wait to see if there would be any public response from the Post Office. Well, we got one, such as it is:

We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to mitigate this vulnerability quickly.

“Quickly” — if you don’t count the whole first year that vulnerability was out in the wild. We’ve seen this issue repeatedly, across industries: research identifies a problem, reports it through proper channels to the company in question, and finds their work ignored. Meanwhile, the problem continues unabated; then, once Brian Krebs begins to report on the issue, suddenly it’s taken seriously because it’s coming from an established, respected industry figure. We’ve even seen Apple sometimes show a preference for a small cadre of InfoSec researchers over the work of less established individuals. This type of attitude and approach is as much a problem for security today as the actual vulnerabilities and exploits.

The rest of the USPS’s statement was boilerplate: reassurances that they’re investigating, that they take security seriously and that they always do their best under the face of a constant onslaught. Does it ring true with the facts we know? Well — not really. Sure, this incident wasn’t malicious or intentional; maybe it is even a consequence of budgeting problems. Either way, though, the USPS left the back door open.  Thankfully, for now, it seems to have been closed.

A GrayKey for the Rest of Us

Now let’s pivot to a surprising bit of news coming out this past week. We’ve got MacRumors reporting that DriveSavers, a company that offers customers data recovery services when things go wrong, is now telling customers they can unlock their iOS devices. The service is intended for iPhone and iPad users who’ve either forgotten the PIN they set on their phone, ended up locked out after too many wrong attempts, or want to be able to access a device owned by a family member who has since passed.

Savvy listeners will immediately note that this sounds an awful lot like the service GrayShift offered through its GrayKey device, only for the general public and not the police. So, what’s to stop the cops from sending in a device they want information from and simply saying “Oops, I forgot my password”? Well, according to MacRumors, DriveSavers swears up and down that they go to great lengths to ensure that you’re actually the correct owner of the phone. You’ll have to sign an authorization form, supply DriveSavers with some form of “specific information,” and confirm your authority over the data before they’ll give you anything back. In the case of a deceased family member, for example, they will likely request a death certificate or another court-supplied document for proof.

It’s not cheap, either; an unlock will cost nearly $3,900, and you’ve got to mail your device in to DriveSavers as, unlike GrayKey, this is not a case of someone selling a device intended to crack phones. So how do they make it happen? We don’t know for sure. Instead, the company just says that they use a “proprietary technology,” much like GrayShift. There’s another interesting facet to this service: DriveSavers is offering unlock services not only for iOS devices, but also for Android, Windows, and BlackBerry devices as well. With that in mind, how should we feel about this? Is this a good thing, or is there something secretly nefarious to worry about here?

DriveSavers has a solid reputation in the technology industry, and they do provide several valuable services. On its face, this one is just that: another service, and one that undoubtedly many people would find useful. The issue at play here is not necessarily what DriveSavers is doing, but what someone else might do in the future.

If the company can create “proprietary technology” that somehow allows them to get into an iPhone even after everything Apple has done regarding fighting back against GrayKey, then that means someone else can or will. That’s even assuming that someone hasn’t already taken those steps. Since DriveSavers claims to return your unlocked device to you, the question of “how are they doing it?” is an important one — it could have serious ramifications later for iOS device security.

Of course, recent reports indicated that iOS 12 “broke” GrayKey, which could “brute force” iOS passcodes. We initially talked about that device on Episode 88 of The Checklist, GrayKey’s Anatomy, which you can find in our archives. Even with that method broken, though, apparently, DriveSavers can recover everything from photos and videos to your contacts, text messages, and even your notes. Their dedicated consumer-facing approach is an interesting twist, too; it’s clear they’re not very worried about Apple or law enforcement, though both are surely taking a keen interest in whatever developments they’ve made.

Rest assured, though this may be the first time we’re hearing about this story, it certainly won’t be the last.

A Data Exposure That’ll Rub You the Wrong Way

Remember earlier in today’s show, when a researcher referred to USPS’s fumble on security as “not security 101, but security 1”? Our last story for today might qualify as a “negative one” because there are simply so many things wrong going on here. We’re looking at a startup called Urban Massage, which TechCrunch says is all about “wellness that comes to you.” Well, while they might come to you to help you feel better, your information is going everywhere else in the meantime. The company’s entire customer database — the whole thing! — leaked thanks to a security error so basic it’s almost hard to believe.

The company simply puts its database online without a password. Yes, that’s right: connected to the Internet with absolutely no authentication requirements whatsoever. As you might imagine, that made it an easy target for those ne’er-do-wells who salivate at such prospects. Included in the database were more than 300,000 customer records, which included email addresses and phone numbers. It wasn’t just customers, either, as more than 2,000 people who work for Urban Massage also had their information exposed in the leak. That’s on top of another 350,000 booking records. In other words, a real treasure trove.

Who noticed the problem? A researcher by the name of Oliver Hough was the one who uncovered it through the usage of Shodan, a vulnerability search engine which we’ve discussed on the show a few times. Anyone who found Urban Massage’s database through Shodan could have had free rein to muck around in the database, including altering or changing records as they liked. TechCrunch notes that there’s no indication as to how long the database was left in this state, or whether anyone had actually downloaded a complete copy. Current evidence suggests the info was available for several weeks at least, however.

Urban Massage (now called Urban) has a legitimate reason to worry about this incident, too.  Based in the UK they are now subject to the new regulations imposed by the GDPR. That includes punishments and fines for mishandling of user data, which could equate to a significant percentage of the company’s annual revenues.

If it’s any consolation — and it doesn’t seem to be much of one — none of Urban Massage’s billing information was exposed in the breach. So, sure, tons of personal details were floating around out there for anyone to take, but at least they didn’t get your credit card number, too! Small blessings…

On that note, we’ll draw this week’s show to its conclusion. Perhaps in the future, we’ll have an update on one of these stories, particularly with any new developments that may occur in the DriveSavers story. For now, we’ll leave you to finish your post-Thanksgiving recovery.

Did you know there’s a fast and simple way to dive back into previous episodes of The Checklist? Whether you missed an episode and want to catch up or you’re a new listener curious about the topics we’ve covered in the past, you’ll find everything you need right here in The Checklist Archives. With complete show notes, helpful links, and of course, the full audio of each episode to listen to, you can beef up your security knowledge in no time. You’ll find our episode about GrayKey in there, for example, and many others.