15 August 2019

IRM Weekly Cybersecurity Roundup: Biometric data leak and more

Want the IRM weekly cybersecurity roundup sent straight to your inbox? Sign up to our newsletter. 

Biometric data leak hits Metropolitan Police, banks and enterprise companies

Over a million fingerprints, facial recognition and other personal information that is used to control access to specific parts of secure facilities, has been exposed to the public on an accessible database by the web-based security tool Biostar 2, owned by security company Suprema.

The data belongs to thousands of companies in 83 countries and used by over 5,000 organisations including the Metropolitan Police, banks and enterprise companies from the UK.

Biostar 2’s data was found on an unprotected and mostly unencrypted database. It contains around 30 million records and 23GB of data including unencrypted usernames and passwords in plain text form, photographs, fingerprints, security clearance levels, and personal details of staff. It is unknown how long the data was accessible, but it has since been made private. You can read more here.

Low-cost Android phones come pre-loaded with dangerous Malware

Google’s security researcher Maddie Stone from the Project Zero team, announced that some brand new low-cost smartphones come pre-installed with malware that could commit ad fraud or even take over the device.

Android phones using Android’s Open-source Project (AOSP), which installs cheaper software alternatives to the “full-fat version”, aren’t vetted and could cause a large amount of damage.

Over 200 device manufacturers failed testing after malware was found to be able to attack the devices remotely.

Owners of devices with the “Android-Badge” like Google and Samsung are safe from the risk. You can read more here.

How everyday tech objects can be hacked

Researcher from Technology Consulting firm ‘PWC UK’ has warned hackers now have the ability to exploit unsecured laptops, Bluetooth headphones and smart speakers to play inaudible, ultrasonic noises. Which in turn, can lead to hearing issues like tinnitus or even a physical effects.

Researcher Matt Wixey wrote code scripts and more complete malware to test these devices. Research found that the tested Bluetooth headphones are capable of emitting high frequencies above the recommended guidelines whilst Bluetooth speaker and noise-cancelling headphones can emit low frequencies that exceed the recommendations.

Smart speakers were found to be able to exceed both low and high frequencies but worryingly were also able to generate so much heat that after around five minutes started melting the internal components.

Matt Wixey has disclosed the findings to the manufacturers of these devices who have now patched the issues. He did not name any device by brand and says he will not be releasing any of the malware he used for the project. You can read more here.

British Airways under fire again for exposing personal flight information

British Airways has had a difficult year, after being hit by a £183 million fine for a data regulation breach back in 2018 and IT failures earlier this month. They are under fire again after a vulnerability has been found that could leave personal passenger information, including flight details, exposed. The security flaw was found in the e-ticket booking system where flight check-in links sent to passengers emails were unencrypted.

This could lead to an attack exposing information’s such as email addresses, booking reference numbers, membership numbers, itineraries, times and phone numbers. It could also see that the booking information could be altered.

British Airways reported no passport or payment information could be accessed by this flaw and no evidence of customer information has been accessed illegally. They have said they are taking action to keep customers protected. You can read more here.

Quick-fire updates:

iPhones could be hacked from just an iOS iMessage text: Project Zero researcher found multiple bugs in Apples’ iOS iMessage platform that could allow hackers to break into devices just by sending a text. You can read more here.

How working from home could affect a business’s cybersecurity: Businesses that let their employees work remotely or at home haven’t been training staff on cyber-safety, which could leave the business open to a cyber-attack. You can read more here.

A sponsored talk at Black Hat taken off company website after being ridiculed: The crowd at the security convention Black Hat scorned a presentation from a company named Crown Sterling, who claimed to have developed a new kind of encryption technology called “Time AI”. Attendees claimed it to be a scam and interrupting the talk for “putting people in danger” with unproven tech. You can read more here.

If you have any questions about this week’s roundup, or want to understand how you can improve your cybersecurity strategy, get in touch with IRM. 

Are you looking to get into a career in cyber? Check out IRM’s job vacancies on our careers page or sign up to our careers newsletter for future roles.