Wi-Fi vacuum cleaner a threat, more WordPress plugin hacks, the worst stores for unsafe Android apps and more
Welcome to Cyber Security Today. It’s Monday March 2nd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Is your vacuum cleaner spying on you? Maybe, if it’s connected to the Internet. Researchers at security firm Checkmarx have been looking into several Internet-connected devices, including the Trifo Ironpie M6, one of a number of circular vacuum cleaners being sold that automatically sweeps your floors and carpets. What makes the Trifo different from others is it has a video camera. It also connects to the web by Wi-Fi so users can remotely control and update it through an Android app. The problem is updates aren’t delivered securely through the Google Play Store. So someone could hack the manufacturer’s server and get into video feeds of anyone with that model of cleaner.
Checkmarx has been trying without success for weeks to get in touch with Trifo to warn them of the problem. So it went public. This is a problem with a lot of devices. Manufacturers think consumers want everything to be connected. But if it really doesn’t need Wi-Fi for its main function, why buy it?
Another alert for those who use or oversee WordPress, the popular website content creation service. More attackers are compromising the plug-ins that are used to add features to WordPress. These apps do things like create website forms, do analytics on website traffic and perform search engine optimization. Attackers hack these plug-ins as a way to get into a WordPress site and either destroy content or hold the site for ransom. Some of the more recent hacks have been to the Flexible Checkout Fields for WooCommerce, Modern Events Calendar Lite, Async JavaScript and 10Web Map Builder for Google Maps plugins. Two pieces of advice: First, plugin developers have to do a better job of making sure their development environments and websites are secure from attack. Second, WordPress users have to be on the lookout for suspicious activity, including the appearance of new admin accounts that they didn’t create themselves.
People love mobile apps. By one estimate owners of smartphones and tablets downloaded over 200 billion apps in 2019. Almost 9 million new apps were released last year. But some of them aren’t safe. According to security firm RiskIQ, which analyzes mobile apps, the online store most likely to host a malicious app is 9Game.com, followed by Feral apps, VmailApps, and the China-based app stores Xiaomi and Zhushou. The safest store for iPhone apps is, of course, the Apple store. For Android users bad apps can still slip into the Google Store, but it’s still the safest. The report says you have to be careful and skeptical when downloading anything. One tip-off that a mobile app is bad: It asks for permission to connect to the contact list, microphone or camera when it doesn’t need to. Why does a game need to access your camera?
App stores are one way crooks spread different types of malware. One type is banking malware, which is aimed at stealing your bank login credentials as well as credit and debit card data. A security company called ThreatFabric recently did an interesting analysis of Android banking malware. To give you an idea of how rapidly gangs move, one of these bad apps added new features 10 times over four months. One of the most common capabilities of this mobile banking malware is the creation of a login screen that looks identical to your bank’s and is overlaid on top of the real login screen. One of the problems with mobile devices is the screens are small, so compared to a desktop computer it can be hard to see the address of a login page. So first, be careful about what you download from app stores, or links in your email or texts. Second, be careful entering bank login information and credit card numbers on mobile devices. Make sure you’re on the real site.
Finally, be on the lookout for security updates for Wi-Fi enabled devices. A serious vulnerability has been found in some that could allow a nearby hacker to intercept your network traffic. A number of companies, including Apple, have already pushed out patches. Cisco Systems will shortly release patches for enterprise products. If you go to web sites that have HTTPS in the address bar, you’re safe. You should check your home Wi-Fi router to see if the manufacturer has issued a patch. Anyway, it’s a good idea a couple of times a year to check if your home router has updates available.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.