The dangers of password leaks: Smart home cybersecurity news [November 2020]
This month’s cybersecurity news roundup features the Ring doorbell recall, Zoom’s settlement with the FTC over its security practices, a Facebook Messenger bug that allows users to listen in on other users, and a password leak of almost 50,000 vulnerable Fortinet VPNs.
Ring recalls video doorbells over fire hazard posed to consumers
On Nov. 10, home security and smart home company Ring issued a recall on their second-generation video doorbells over reports that the product was catching fire. According to the notice posted by the U.S. Consumer Product Safety Commission, "The video doorbell's battery can overheat when the incorrect screws are used for installation, posing fire and burn hazards."
Approximately 350,000 units in the U.S. and 8,700 in Canada are subject to the recall. The doorbell units affected consist of the 2nd generation line sold between June and October with the model number 5UM5E5. These units were sold for around $100 in stores and online at Amazon in both the U.S. and Canada.
Ring says that these incidents occurred because of improper installation; its user manual instructs customers to use only the screws that ship with the unit, since other screws can damage the battery and cause the unit to catch fire.
Image credit: Ring
To date, there have been 85 reports of improper screw installation (a number that may continue to grow while the recall notice is in effect). In 23 of those reports the doorbell unit caught fire, and eight consumers received minor burns.
If you own a Ring doorbell and aren’t sure whether your unit is impacted, you can check by visiting Ring’s website and entering your product’s model number.
Zoom settles with FTC over “deceptive” security practices
In our last cybersecurity roundup blog, we outlined Zoom’s new end-to-end encryption feature that rolled out in October. Now, the videoconferencing platform has received backlash and a formal complaint from the Federal Trade Commission (FTC) over its “deceptive and unfair practices that undermined the security of its users.”
According to the FTC, Zoom misled users by claiming to offer "end-to-end, 256-bit encryption” when in fact it provided a lower level of security. True end-to-end encryption secures communications so that only the sender and recipient — and no other person, not even Zoom — can see the content.
Zoom claimed that their “end-to-end encryption” service was “in reference to the connection being encrypted from Zoom end point to Zoom end point” and that “content is not decrypted as it transfers across the Zoom cloud.” But the company was in possession of the cryptographic keys, which could theoretically allow them to enter into users’ meetings or view sensitive information such as virtual doctor’s visits using their services.
In its blog post, the FTC outlined further deceptive practices, including Zoom's claim that meeting recordings hosted on its servers would be encrypted immediately, when in fact some recordings were stored unencrypted for up to 60 days before being transferred to the company's secure cloud storage.
Not only that, but ZoomOpener, a web server that Zoom installed on macOS computers, bypassed Safari's security settings and put users at risk. It could be misused to spy on users through their webcam or even to take remote control of the computer, and even if the Zoom application was deleted, ZoomOpener remained on the computer and Zoom could be reinstalled through it without the user’s permission or knowledge. Apple removed the ZoomOpener web server from user computers in 2019.
Zoom has now reached a settlement with the FTC over the alleged charges, agreeing to discontinue the practices outlined above and to take end-user security seriously. Zoom will face large fines in the future if it does not adhere to the new guidelines and a security program to protect user information.
50,000 Fortinet VPNs compromised by password leak
On Nov. 25, a bad actor leaked the credentials for nearly 50,000 Fortinet VPNs online, hitting targets across the globe including banks, telecommunications companies, and government organizations. The underlying exploit can be used to steal login credentials, which in turn lets attackers deploy ransomware on compromised networks. Prior to the leak, a hacker had posted a list of possible exploits for the credentials in a hacker forum thread.
After an nslookup on all IPs, I found that among the victims there are some Banks, many .gov domains and thousands of companies around the world. https://t.co/F4o9xzjGJ4
— Bank Security (@Bank_Security) November 20, 2020
The vulnerability, known as CVE-2018-13379, allows bad actors to access sensitive system files through crafted HTTP requests. It is a path-traversal flaw that specifically affects thousands of unpatched FortiOS SSL VPN appliances.
Fortinet had repeatedly warned its customers about the exploitable vulnerability, going as far back as May 2019.
"In the last week, we have communicated with all customers notifying them again of the vulnerability and steps to mitigate,” said a Fortinet spokesperson to BleepingComputer. “While we cannot confirm that the attack vectors for this group took place via this vulnerability, we continue to urge customers to implement the upgrade and mitigations." For further information, visit Fortinet's updated blog and refer to its May 2019 PSIRT advisory.
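Because the flaw is a path traversal reached over HTTP, one defensive check is to scan the web-access logs of an exposed appliance for requests whose decoded path climbs out of the web root. The script below is an added example (not Fortinet's code or guidance); it assumes common-log-format lines and uses constructed sample entries. It decodes the path repeatedly so that double-encoded `../` is not missed, and flags a traversal request that received a 200 response as one to triage first.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not from any real device).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1532
203.0.113.9 - - [25/Nov/2020:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 8841
198.51.100.4 - - [25/Nov/2020:10:02:11 +0000] "GET /files/../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.4 - - [25/Nov/2020:10:02:12 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
198.51.100.5 - - [25/Nov/2020:10:03:40 +0000] "GET /docs/%252e%252e/%252e%252e/config?x=1 HTTP/1.1" 404 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double- or triple-encoded '../' is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path: str) -> bool:
    """True if the request path (query string dropped), once decoded, contains a '..' segment."""
    path = decode_path(raw_path.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")


def find_traversal_attempts(log_text: str) -> list:
    """One record per suspicious request; served=True means the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "served": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['ip']:15} {flag:8} {hit['path']}")
```

A traversal request that was served with 200 on an unpatched appliance is a strong indicator that credentials on that device should be rotated, not just that the patch is overdue.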
Facebook Messenger bug allowed Android users to listen in on each other
On Nov. 19 it was reported that Facebook had fixed a bug that allowed users to spy on one another through the Facebook Messenger calling feature on Android devices.
The bug was brought to their attention by Natalie Silvanovich, one of Google’s Project Zero bug-hunting researchers.
"If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee's surroundings," she explained.
“Normally, the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on).”
Hackers could have exploited this bug by sending an SdpUpdate message, causing a call to connect to another device before the user answered, which would effectively have allowed them to spy on Android Facebook Messenger users.
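The second mitigation Silvanovich describes, keeping the audio and video media descriptions in the callee's local SDP inactive until the user taps accept, can be expressed as a small consent gate over the SDP text. The code below is an added example, not Messenger's or WebRTC's own code; it uses a constructed minimal SDP and plain string handling of the `a=sendrecv`/`a=inactive` direction attributes, and `transmitting_media` shows which media sections would send packets for a given local description.

```python
import re

DIR_RE = re.compile(r"^a=(sendrecv|sendonly|recvonly|inactive)$")
SENDING = {"sendrecv", "sendonly"}

# Constructed minimal callee SDP (not Messenger's own): both media sections start as sendrecv.
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=- 46 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=mid:0", "a=sendrecv", "a=rtpmap:111 opus/48000/2",
    "m=video 9 UDP/TLS/RTP/SAVPF 96", "a=mid:1", "a=sendrecv", "a=rtpmap:96 VP8/90000",
]) + "\r\n"

def split_sections(sdp):
    # Split into [session-level lines, media section 1, media section 2, ...].
    sections = [[]]
    for line in sdp.strip().split("\r\n"):
        if line.startswith("m="):
            sections.append([])
        sections[-1].append(line)
    return sections

def set_direction(sdp, direction):
    # Rewrite every media section's direction attribute, adding one if it is absent.
    out = []
    for sec in split_sections(sdp):
        lines = [f"a={direction}" if DIR_RE.match(l) else l for l in sec]
        if sec and sec[0].startswith("m=") and not any(DIR_RE.match(l) for l in sec):
            lines.append(f"a={direction}")
        out.extend(lines)
    return "\r\n".join(out) + "\r\n"

def transmitting_media(sdp):
    # Media kinds whose direction sends packets; a section without its own attribute inherits the session-level one.
    session, *media = split_sections(sdp)
    default = next((m.group(1) for m in map(DIR_RE.match, session) if m), "sendrecv")
    result = []
    for sec in media:
        direction = next((m.group(1) for m in map(DIR_RE.match, sec) if m), default)
        if direction in SENDING:
            result.append(sec[0][2:].split()[0])
    return result

def callee_local_description(sdp, accepted):
    # Consent gate: media stays inactive while ringing; it becomes sendrecv only once the user accepts.
    return set_direction(sdp, "sendrecv" if accepted else "inactive")

if __name__ == "__main__":
    print("ringing :", transmitting_media(callee_local_description(SAMPLE_SDP, accepted=False)))
    print("accepted:", transmitting_media(callee_local_description(SAMPLE_SDP, accepted=True)))
```

The property worth testing in a calling client is the one the bug broke: for every local description the callee sets before the accept button is pressed, `transmitting_media` must return an empty list regardless of what signalling messages arrived while ringing.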
Silvanovich was awarded $60,000 for her findings, one of the three highest bug bounties Facebook has ever paid; bounty amounts are determined by the reported bug’s maximum potential impact. In a Twitter post, Silvanovich said she was donating the bounty to the GiveWell Maximum Impact Fund, and Facebook matched her donation for a total of $120,000.