Checklist 162: Insecurity with a “light” touch

On this week’s Checklist, we’ll talk about a privacy issue with a privacy service. We’ll look at how social engineering works in practice by examining “SIM-swapping”. And we’ll check out a high-tech hacking story that reads like something out of a Hollywood thriller.

Here’s the Checklist for this week:

• Taking the privacy out of VPN
• SIM-swapping 101
• An audio hack with a “light” touch

When VPNs go public

As many as 2,000 users of the popular VPN service Nord VPN may have had their accounts compromised in a credential stuffing attack.

Credential stuffing refers to the practice of compiling huge lists of emails and passwords, often stolen or leaked in a data breach from another site, and then systematically trying them out on various websites and services until matches are found. 

This is not done manually, of course, but is accomplished by use of automation: Hackers will write scripts that can try every email and password pair on their list on different sites, all without any human intervention.

As for where the credentials in the Nord VPN attack came from, this is unclear. But the passwords on the list were reportedly very weak, which points to poor password security practices. And folks who don’t create strong, unique passwords also tend to have other bad security habits — habits like reusing those weak passwords on multiple sites, which opens them up to credential stuffing attacks if one of those sites has been compromised in a data breach.

The users don’t share all of the blame here, of course. For one thing, Nord could have been more proactive about ensuring that their subscribers weren’t using passwords that had been found in other data breaches or on hacker forums on the dark web. Other large service providers, such as Facebook and Google, do this — and require that users reset their passwords if they’re found to be using credentials which have been exposed elsewhere. Secondly, Nord doesn’t appear to have been rate limiting login attempts, which makes it easy for automated programs to try thousands of logins per minute.

As for what’s happening now, Nord is doing its best to get the lists of credentials taken down from online sites like Pastebin. Pastebin is a reputable service and does its best to ensure that illegal content is immediately removed. But other sites may be less well-administered, or less cooperative. It may prove difficult — or impossible — to remove lists of passwords from dark web sites. 

If you’re a user of Nord VPN, you should visit Have I Been Pwned (HIBP), a web service developed by Australian security expert Troy Hunt. There, you can see if the email account which you use for Nord was compromised. If you find yourself in the HIBP database, you should change your Nord VPN password immediately. And obviously, if you’ve been reusing the same password on multiple sites, you should create strong passwords for those sites right away.

This story illustrates the absolute importance of following password best practices, and is another reason why we recommend using a password manager like Dashlane or 1Password, as these do the hard work of creating and remembering complex passwords for you. 

SIM-swapping and social engineering

The victim of a SIM-swapping scam is suing cryptocurrency exchange Bittrex, according to a report in The Next Web last week. The story itself is somewhat lurid and makes for good reading, but it also presents a great opportunity to learn about a major cybersecurity threat which exploits good old human gullibility: social engineering.

SIM cards are familiar to all of us, though exactly how they work is probably not something many people think about. SIM stands for Subscriber Identity Module, and as the name implies, its function is to identify a user’s phone to the cellular network on which it operates. Basically, a SIM is like a password. It lets the network know that it should allow you access, and identifies you as, well, you. This works because no two SIM cards are alike: They all have unique codes.

This is also why you can take a SIM card out of one phone, put it in another, and begin to receive SMS messages and calls on your new device. The network recognizes the SIM, not the phone.

So how does this become a security problem? Because malicious actors will sometimes compile large amounts of personal information about a specific target — name, address, mother’s maiden name, first car, etc. — in order to impersonate them on a phone call to the target’s mobile carrier. These hackers have made a science of manipulation, persuading the unwary in a methodical, systematic way —  which is why this type of attack is called “social engineering”! 

They can be very convincing, especially as they have all sorts of information that can be used to fool an overly trusting customer service rep into believing that they are who they say they are. Once they’ve done this, the hacker will claim to have lost or damaged their SIM card, and then ask the CSR to kindly activate a replacement SIM which they’ve just purchased. 

If they can find someone at the cell carrier who will say yes to them, the target’s SIM will be deactivated and the hacker’s SIM activated. As far as the network is concerned, the hacker is now the legitimate user — and thus they will receive all of the target’s texts and calls.

SIM-swapping is why SMS is generally considered less-than-secure, and why we recommend using Authy or Google Authenticator for two-factor authentication instead of relying on SMS. 

So is this something to worry about? 

Probably not, at least for most of us. Practically speaking, it’s an awful lot of work to gather the information necessary to pull off a SIM-swapping attack — and while it does happen, it isn’t an everyday occurance. Realistically, unless you’re a high-value target like the CEO of a major corporation or a high-ranking member of the military, you don’t have that much to worry about.

If you do want some extra protection, just for peace of mind, you can add a passcode or a PIN to your mobile carrier account which will be required as authentication every time you call in for service. This, theoretically, makes your account secure, as a PIN is not something which a hacker could get hold of by doing web searches (unlike your street address or mother’s maiden name). Just make sure that you don’t set your PIN to your birth year or anything else that a hacker could guess based on the information they do have about you. 

A second precaution you could take would be to use third-party phone numbers (such as VoIP numbers or Google Voice) for all of your online accounts, instead of your mobile number. By using an intermediary number which forwards messages to your phone, you reduce the risk of your true mobile number ever being lost in a data breach at one of the websites or services you use.

Hacking at the speed of light

Researchers have discovered a way to hack smart home assistants like Alexa, Google Home, and yes, Siri, using nothing more than laser light.

It sounds like something out of a Mission: Impossible movie, and the researchers themselves admit that they can’t explain exactly how they’re achieving the effect that they’ve managed to produce. But their proof-of-concept demonstrates that it’s possible to use this technique to unlock smart home doors, make online purchases, and even start cars.

The attack works because microphones which use Micro-Electro-Mechanical Systems (MEMS) — which include the kinds used in the abovementioned home assistants as well as most modern digital devices —  can interpret light waves as sound. This makes it possible to simulate voice commands with light alone — to basically shine “Hey Siri” to an iPad’s microphone in the form of laser light.

Since MEMS are used all sorts of devices — and since the trend of connected smart things only seems to be picking up steam — this is somewhat worrying. In the future, manufacturers may need to begin using voice recognition as a form of authentication (a capability which Apple’s latest HomePod software could potentially support) in order to thwart these “light commands”.

In the meantime, though, there’s probably not too much to worry about. It’s unlikely that anyone with the know-how or equipment to do this would bother attacking most of us — and light commands depend on having a direct line-of-sight to the target device, making such an attack physically difficult to carry out. If you’re concerned, it’s probably enough just to make sure your smart devices and iThings aren’t next to the window.