SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 143: Whole Lotta Listenin’ Goin’ ON

Posted on June 27, 2019

On this week’s episode: Samsung takes heat for advising Smart TV security, La Liga revisited, and an app hears taps and guesses passwords.

How safe is your Smart TV? Samsung has something to say about protecting yourself, and we’ll take a look at what exactly that’s all about on today’s show. Then, following up on a story from last year, we’ll return to the European world of football — soccer as we know it in the US — to check up on how a controversial anti-piracy measure has held up in the face of legal scrutiny. After that we’re looking at a novel way hackers might steal passwords — are our own fingers even safe from spying eyes and ears? We’ll find out on today’s edition of the Checklist, as we tick down our list:

  • TV Party at Ground Zero Day
  • La Liga Faces Legal Penalty Kicks
  • Tapping It Out: Listening for Passwords

Let’s kick things off this week with a quick look at an important and interesting tip from major electronics manufacturer Samsung.

TV Party at Ground Zero Day

Do you ever stop, look around the store, and wonder… does everything need to be an Internet of Things thing? The risks are real, and it’s growing more common for the average user to experience some problem with their IoT devices — or at least they face a heightened risk of digital intrusions. Samsung took some heat on Twitter recently as a result of a proactive attempt to point out that, hey — if you connect your TV to the Internet, you’re potentially at risk.

What’d they do? Nothing major — in fact, it seems straightforward. The tweet, which Samsung later deleted, read in part: “Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks.” The tweet also included a helpful link to a tutorial on how to access the TV’s built-in virus scanner and check for any unwanted visitors.

We have to give some props to Samsung for promoting best practices here; “scan your TV for viruses” is not something most people would think about or even consider, yet when the manufacturer points it out, it can do a lot to raise awareness surrounding the issue. That’s important because the potential dangers posed by compromised IoT devices are numerous. The Verge reported on some of those dangers in a recent piece, such as the CIA-developed “Weeping Angel” software that could allegedly exploit flaws within Samsung TVs to turn them into listening bugs, picking up conversations in the same room as the TV set. 

That revelation led researchers to take a more in-depth look at the software powering Samsung TVs, and ultimately revealed dozens of serious and exploitable zero-day flaws that hackers could use to make inroads for running their own code on the unit. This all happened back in 2017, and when it all came out, Samsung was quick to point out that its TVs had baked-in abilities for detecting malware. So, if any company is going to know about the potential risks of Smart TVs, it’s going to be Samsung.

Back to Samsung’s tweet: it’s important to note that we aren’t sure exactly why the company tweeted this out. It’s possible that Samsung was just being proactive and trying to protect its customers, or maybe it caught wind of a new security threat percolating out on the Internet. The truth remains a little murky. Not only that but, as the Verge points out, if Samsung can detect malware — and users can run a virus scan on the TV after digging through a million menus — why isn’t that process entirely automatic?

That’s a good question, and there could ultimately be a few reasons why that’s the case.

The Verge uses the rest of its space in the article to make a passionate argument against buying a smart TV at all. However, if you’ve gone TV shopping any time in the past few years, you’ve probably noticed that it’s getting more challenging to find a unit that doesn’t have some Internet functionality baked in. So, what if you search and search and the best option available to you is still a Smart TV?

There are a few things you can do, and Samsung’s tweet has the right idea: if you do connect your TV to the Wi-Fi, make sure it has a virus scanning capability built in, as Samsung TVs do, and use it regularly. Alternatively, you could buy a smart TV and never connect it to the Internet — you might choose to use separate hardware, such as an Apple TV or even a games console, to watch your favorite streaming services, rather than trying to use the often-clunky built-in apps. Overall, though, it’s best to simply be aware — your TV is a computer now, too.

La Liga Faces Legal Penalty Kicks

Our next two stories for the day go together in a way — at least insofar as they both have something to do with our phones listening to what we do when we aren’t expecting it. For the first of these stories, we get to play some soccer — and we get to reach way back into the archives for a story we covered last year concerning a Spanish soccer league called La Liga. At the time, we discussed how the league intended to use its Android apps, downloaded and used by many of its fans, to listen in on users’ surroundings when they were out and about.

Why? La Liga said that illegal rebroadcasts of its matches, often by pubs and restaurants, were costing it hundreds of millions of dollars a year in lost revenues. Their solution was to ask fans to let their app use their phone’s microphone and GPS location services to listen for the unique audio signature of the game broadcasts. Once detected, La Liga could determine if it was a legal broadcast. If not, they would then move on to taking legal action against the establishment pirating their broadcasts.

At the time of our original discussion, we supposed that La Liga was doing a lot of things right in its efforts to combat piracy: it asked users directly for permission, anonymized the data, made it easy to opt out, and only turned the listening functionality on during games. Other steps, too, were taken to protect privacy around this functionality. Even so, people were not happy with La Liga, not only review-bombing the app with one-star ratings on the Google Play Store, but taking the league to court, too.

Those courts have now spoken, slapping La Liga with a fine that equates to almost $300,000 US under the GDPR rules now in effect throughout the European Union. We’re not clear on whether La Liga admitted guilt after GDPR went into effect or whether the courts simply found the practice too creepy for words, but the ruling was clear: enlisting all the users of your app to form a secret listening service runs afoul of digital privacy and security laws.

Is this just a slap on the wrist?

La Liga, for its part, says the fine is unfair and that it did everything by the book — even, it says, asking users for permission not once but twice before the app activated the microphone. The league has launched an appeal seeking to have the fine overturned. What will the outcome be? We can only guess, but we’ll keep our ears to the ground so we can bring you an update when and if something new develops.

Tapping It Out: Listening for Passwords

We’re headed from a sneaky soccer league to a crazy bit of eavesdropping as reported on by Business Insider. BI ran a piece about a particularly scary hack that could allow attackers to accurately guess a user’s password by merely listening to the sound of their fingers tapping it out on the phone screen. How could that be possible? According to researchers from the University of Cambridge quoted in the piece, malware could be used to take over the device’s microphones to pinpoint exactly where on the screen a user taps. By measuring the difference in the time it takes for sound waves to reach one microphone or the other, the malware can make an educated guess about which digit the user tapped.

In one trial run, the malware had ten attempts to guess a four-digit passcode, typically the number of attempts before iPhones begin to lock for increasingly longer periods. With ten attempts, four-digit codes were discerned correctly almost three-quarters of the time. Longer passcodes dropped the success rate to 30% even over more tries, but even then, the proof of concept still got the code right nearly a third of the time.

As scary as this sounds, there is some good news: this hack isn’t out in the wild, at least not yet — for now, it’s just an experiment. Not only that, but as usual, following best practices will keep you safe. As always, be careful about what you download onto your phone — though if you’re pulling it from the App Store, you’re probably going to be safe. As we’ve discussed in recent weeks, watch out for shady apps using MDM and enterprise programs to get around App Store protections, since they can be significant vectors for unsavory attacks that might mean your passcode security is the least of your worries.

Other important tips include: don’t jailbreak your phone! We say it again and again, but it remains true: there’s no good reason for the average user to do this these days, and you’re only opening yourself up to further risks. Skip apps that require an MDM profile unless it comes from your company, and learn from La Liga. Most of today’s mobile OSes won’t allow apps to use your microphone unless you give them explicit permission. If an app asks for the opportunity to listen in, stop, step back, and ask yourself: does it really need that access?

Make sure you’re doing what’s necessary to keep yourself safe — no matter whether it’s ensuring your TV can’t be used against you or carefully looking over all the permissions you grant to the apps you install. Want to dive into more helpful tips and how-tos on staying safe in an increasingly dangerous digital world? We’d like to invite you to take a trip into the Checklist Archives, where you’ll find our original story on La Liga, plenty of discussions about Smart TVs, and much, much more. With show notes, complete audio recordings, and links to chase down more information, you’ll find everything you need to shore up your security knowledge in no time.
