    Author Archive - David Sancho (Senior Threat Researcher)

    In the second post of this series, we discussed the first two types of attacks involving wearables. We will now proceed to the third type of attack, which can be considered the most damaging of the three.

    High User Risk, Low Feasibility Attacks

    These attacks are considered the most dangerous, but they are also the least likely to happen. If an attacker manages to compromise the hardware or network protocol of a wearable device, they would not only have access to the raw data in the ‘IN’ devices but also the ability to display arbitrary content on ‘OUT’ devices.

    These scenarios range from personal data theft to mangling the reality of a camera device. These attacks might affect the wearer adversely and might even stop them from performing their daily routines. These attacks can also have a major impact if these devices are used in a professional setting: a simple Denial-of-Service (DoS) attack could prevent a doctor from operating on a patient or prevent a law enforcement agent from acquiring input data to catch criminals.

    Given that the single most-used protocol in these devices is Bluetooth, a quick explanation would be helpful. Bluetooth is a short-range wireless protocol similar to Wi-Fi in its uses but with one big difference. Whereas Wi-Fi is built around an “access point” philosophy, Bluetooth works as an end-to-end kind of communication. You need to pair two devices in order to make them “talk” to each other via Bluetooth. In this pairing process, the devices exchange an encryption key that will serve to establish communication between the two. Another difference from Wi-Fi is that Bluetooth tries to minimize radio interference by hopping from one band to another in a pre-established sequence.

    This type of set-up has two main effects on hacking via Bluetooth. One, an attacker needs to acquire the encryption key in use by listening to the paired devices the first time they sync up. Any later than that and the communication will be just noise to the intruder. Two, a DoS attack needs to broadcast noise across the wide range of frequencies used by the protocol in order to have an impact. This is not impossible, but such an attack involves a bigger effort than one against most other radio protocols.


    Posted in Internet of Things | Comments Off on The Security Implications of Wearables, Part 3

    In the previous post, we talked about the definition and categories of wearables. We will now focus our attention on possible attacks against such devices.

    The possibility of attacks varies widely, depending on the broad category we are focusing on. The probability of attack increases depending on where the attack can take place. Conversely, the possibility of physical damage becomes much more remote as you move further from the physical device. As the attack moves further away from the device, the focus shifts towards stealing the data.

    Low User Risk, High Feasibility Attacks

    These attacks are the easiest to pull off but they have the most limited application against the user. In this scenario, the attacker compromises the cloud provider and is able to access the data stored there.

    Figure 1. Hackers are accessing the cloud provider to get the data


    Posted in Internet of Things | Comments Off on The Security Implications of Wearables, Part 2

    The Internet of Everything (also known as Internet of Things) has given rise to new gadget categories in every electronics retailer shop. Smart wearables are rapidly becoming more commonplace than you think. While not everyone has Google Glass, you can bet that a lot of people have fitness trackers and even smart watches.

    By ‘wearable devices,’ we mean those pieces of equipment that people can have on themselves as they go about their day. The purpose of these devices is usually measuring bodily functions or serving as the output of other devices. These two functions can overlap to provide a more rounded experience of the user’s everyday reality as it happens.

    In this series of posts, we are going to review possible attacks and risks associated with wearable devices. Bear in mind that these are largely theoretical and/or conceptual. They are not current attacks, and therefore they may or may not happen depending on how the electronics market evolves and how other attack vectors keep criminals focused on different, juicier targets. Our intent here is not to scare users into avoiding this new device category but to encourage vendors to build security into them from the get-go.

    The Three Categories

    There are three very broad categories that we can use to describe what we are talking about.

    1. The ‘IN’ devices. These are sensors that capture a user’s data at all times. Here, we find fitness sensors that measure the user’s steps, distance, effort, calories, heartbeat, GPS coordinates, etc. These devices usually store the information locally on the device and synchronize with mobile phones or PCs to upload that data, and afterwards to the user’s cloud account for historical logging and statistical display. Future devices that we have not yet seen include medical devices that could monitor health parameters such as body temperature, blood oxygen, etc.

    2. The ‘OUT’ devices. These are devices that output data coming from other devices, usually mobile phones. Here, we find smartwatches and the like, which are able to display texts and any application data for ease of use. Data displayed usually comes from internet sources by means of the intermediate device.

    3. The ‘IN and OUT’ devices. These are devices that capture data and use filters to display it differently. Here we find display devices such as Google Glass, which have cameras that capture reality but also feed data to the user by means of retina projection. These devices have the ability to enhance the user experience by overlaying information on top of reality. Simpler devices also act as ‘IN and OUT’ by both gathering user data (steps, distance, etc.) and streaming data from their companion mobile phone.

    While these are distinct categories, the tendency is for devices to coalesce into IN and OUT because makers want to add as much value as possible. One example would be devices that record fitness information but also notify users of text messages, events, and other information from mobile devices.

    The Security Standpoint

    From a security standpoint, it’s hard to say which category is more secure than the others. This is because the difference among the categories is primarily about attack vectors. The more things a device can do, the more possibilities exist for attackers. In this case, IN and OUT devices have the largest attack surface, and the most potential for attacks. However, this doesn’t mean that they are less secure. Security will depend on the implementation and the “track record” of the device. By track record, we mean the number of attacks it has withstood over time. For newly introduced devices, cybercriminals may take a longer time to “test” them. However, as devices mature over time and hackers fully understand their inner workings, the platform isn’t as secure anymore.

    In the next blog posts, we will look at the possible attacks and risks associated with wearable devices. 

    You may read the next entries for “The Security Implications of Wearables:”

    For more information about wearables, you may check out the article “Are You Ready for Wearables?” and the infographic, “The Ins and Outs of Wearable Devices.” For more information about smart devices, you may visit our Internet of Everything hub.

    Posted in Internet of Things | Comments Off on The Security Implications of Wearables, Part 1

    The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

    With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

    Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

    This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

    Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

    I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddy the waters and send the message that bad passwords are okay. The approach depends on the user discriminating between what needs to be secure and what doesn’t. However, many users are likely to trade security for convenience and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones most likely to fall victim to various online threats.

    Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

    1. Choose a simple password you already use. Let’s take “Snoopy2” as an example.
    2. Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.
    3. Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.
    4. Put it all together. My password for twitter would be “Twer7snoopy232”. My next password for “” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
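    The four steps above written out as code, as an added example that is not part of the original post. The site-token rule is the one the post states (two first letters, two last letters, letter count, first letter uppercased); the one assumption made here, because the post’s domain example did not survive, is that the rule is applied to the site’s name without its top-level domain, which is what turns “twitter” into “Twer7”. The `generation` counter is a hypothetical helper for the “just add one to the last number” rotation advice.

```python
"""Hypothetical implementation of the post's four-step mnemonic password scheme.

Added example code, not the author's own. Assumption: the site token is derived
from the site's name with the TLD stripped ("twitter.com" -> "twitter"), since that
is the only reading under which the post's value "Twer7" comes out.
"""


def site_token(site_name: str) -> str:
    """Step 2: two first letters + two last letters + letter count, capitalised."""
    name = site_name.strip().lower().split(".")[0]  # assumption: drop the TLD
    if len(name) < 2:
        raise ValueError("site name must have at least two letters")
    token = name[:2] + name[-2:] + str(len(name))
    return token[0].upper() + token[1:]


def build_password(site_name: str, base_password: str,
                   personal_number: int, generation: int = 0) -> str:
    """Steps 1, 3 and 4: site token, then the base password, then the number.

    `generation` (hypothetical) implements the post's rotation advice: each time
    the password must change, the trailing number is incremented.
    """
    if generation < 0:
        raise ValueError("generation must be non-negative")
    return f"{site_token(site_name)}{base_password}{personal_number + generation}"


def shares_structure(pw_a: str, pw_b: str, base_password: str) -> bool:
    """Defender's check: two passwords built this way share the base password
    verbatim, so a leak of one reveals the fixed part of every other one."""
    return base_password in pw_a and base_password in pw_b


if __name__ == "__main__":
    print(site_token("twitter"))                         # Twer7
    print(build_password("twitter", "Snoopy2", 32))      # Twer7Snoopy232
    print(build_password("twitter", "Snoopy2", 32, 1))   # rotated once
```

    The `shares_structure` check makes the trade-off explicit: the scheme gives every site a distinct password, but the base password and personal number recur verbatim in all of them, so two leaked passwords from this scheme expose the pattern. That is the gap a password manager with random, per-site passwords closes.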

    The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.

    Posted in Social | 1 TrackBack »


    Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

    This criminal gang targets banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that uses users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

    Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

    But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers and then removes itself. How’s that for an undetectable infection? The changes are small, but they have big repercussions.

    Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and they see no security warning.

    Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental
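    The two persistent changes described above, a swapped DNS resolver and an injected root certificate, are exactly what a host-configuration audit can catch after the dropper has deleted itself. The following is an added example, not code from Trend Micro or the white paper: it compares a snapshot of a host’s resolver list, root-store fingerprints and DNS answers against a baseline, and flags the combination the post describes. Every baseline value, fingerprint, address and hostname is a constructed placeholder.

```python
"""Added example: audit a host snapshot for the Operation Emmental pattern
(rogue DNS resolver + unexpected root CA + bank name resolving off-net).
Not Trend Micro's code; all baseline data below is constructed placeholder data.
"""
import ipaddress

# Constructed baseline: resolvers the organisation actually provisions.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed baseline of root-CA SHA-256 fingerprints shipped with the image
# (placeholder hex, not real fingerprints).
BASELINE_ROOT_FINGERPRINTS = {"AA" * 32, "BB" * 32}

# Constructed: netblocks a monitored bank hostname is known to resolve into.
EXPECTED_NETBLOCKS = {
    "bank.example": [ipaddress.ip_network("198.51.100.0/24")],
}


def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return configured resolvers that are not on the provisioned list."""
    return sorted(r for r in configured if r not in expected)


def audit_root_store(fingerprints, baseline=BASELINE_ROOT_FINGERPRINTS):
    """Return root-CA fingerprints present on the host but absent from the baseline."""
    return sorted(f.upper() for f in fingerprints if f.upper() not in baseline)


def audit_answers(answers, expected=EXPECTED_NETBLOCKS):
    """answers: {hostname: [ip, ...]} as the host's resolver returned them.
    Return (hostname, ip) pairs where a monitored name resolved outside its netblocks."""
    findings = []
    for host, ips in answers.items():
        nets = expected.get(host.lower())
        if nets is None:
            continue  # not a monitored name
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                findings.append((host, ip))
    return findings


def run_audit(host_state):
    """Run all three checks over a snapshot dict and summarise.

    `emmental_pattern` is true when both persistent changes the post describes
    are present together: a rogue resolver and an injected root certificate.
    """
    result = {
        "rogue_resolvers": audit_resolvers(host_state["resolvers"]),
        "unexpected_roots": audit_root_store(host_state["root_fingerprints"]),
        "redirected_names": audit_answers(host_state["answers"]),
    }
    result["emmental_pattern"] = bool(result["rogue_resolvers"] and result["unexpected_roots"])
    return result


# Constructed snapshots: one clean host and one showing the described changes.
CLEAN_HOST = {
    "resolvers": ["192.0.2.53"],
    "root_fingerprints": ["aa" * 32, "bb" * 32],
    "answers": {"bank.example": ["198.51.100.10"]},
}
MODIFIED_HOST = {
    "resolvers": ["203.0.113.7"],                      # placeholder rogue resolver
    "root_fingerprints": ["aa" * 32, "bb" * 32, "cc" * 32],  # placeholder extra root
    "answers": {"bank.example": ["203.0.113.80"]},     # name now resolves off-net
}

if __name__ == "__main__":
    for label, state in (("clean", CLEAN_HOST), ("modified", MODIFIED_HOST)):
        print(label, run_audit(state))
```

    In practice the three inputs come from the host itself (resolver settings, the enumerated root store, and resolver answers for a short list of monitored hostnames); the checks are deliberately independent so that a lone unexpected root or a lone odd resolver is still reported, while the combined flag singles out the pattern this operation left behind.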

    Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

    This malicious Android app is disguised as the bank’s session token generator. In reality, it intercepts SMS messages from the bank and forwards them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online. The criminals end up with full control of the victims’ bank accounts.

    How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

    The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to the online nicknames -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

    More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.

    Posted in Malware, Mobile | Comments Off on Finding Holes in Banking Security: Operation Emmental


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice