IOTA shuts down network temporarily to fight wallet hacker

Popular cryptocurrency IOTA has temporarily shut down its entire network after a hacker stole funds from ten of its highest-value users.

IOTA is a cryptocurrency that uses an alternative to the conventional blockchain technology seen in assets like Bitcoin. Called the tangle, it’s a ‘blockless’ network that the development team designed with vast networks of small-footprint connected devices (the internet of things) in mind. Its advantages include fast verification of transactions and no transaction fees. However, for this network to operate effectively, it needs a system called the Coordinator to protect the network when the transaction volume is low.

On Wednesday 12 February, IOTA published a status update, explaining:

Currently the Coordinator is halted until further notice to investigate reported issues with stolen funds. We ask you to keep the Trinity wallet closed for now until further notice.

In a series of further updates, the team explained that the problem lay in a third-party integration with the desktop version of Trinity, a wallet that the company released in July 2019. The vulnerability apparently allowed an attacker to steal users’ seeds – digital keys that provide access to the wallet’s funds. The IOTA team published an updated version on Sunday to fix the problem.

The attacker had hit ten people that the IOTA team described as high-value clients, and may have intended to work their way down to clients with fewer funds, the team said.

Once it spotted the fraud, it contacted cryptocurrency exchanges to see if any of them had processed any of the stolen funds. It also notified them of the ‘bundles’ of IOTA cryptocurrency in question so that they can block them if the criminals attempt to sell them. It had already noticed the stolen funds being split apart and resent to other addresses as the criminals attempted to cover their tracks.

Early on Monday, the IOTA team published a three-step remediation plan to get things back on track. The first step is for users to install the updated version of the Trinity desktop wallet, changing their passwords in the process. Then, users should transfer their tokens to a safe seed using a seed migration tool that it will launch in the coming days. That will prevent attackers from making unauthorised cryptocurrency transfers, it said. It also wants all users to do this, even users of the mobile version of the wallet, just to be safe.

Finally, users will reclaim their stolen tokens. To do this, the IOTA team is taking a global snapshot of the network that users will have to validate. That will enable it to work with an unspecified third party to restore stolen tokens to their rightful owners, it said.

The cryptocurrency has suffered hacks before. In January 2019, British and German police arrested someone suspected of stealing $11.4m in IOTA by creating a fraudulent website that purported to generate digital keys used to secure wallets.

Market capitalisation for IOTA, which is now the 23rd largest cryptocurrency according to CoinMarketCap, plummeted 25% from $975.74m on 12 February to $730.14m in the early hours of Monday 17 February. It rallied slightly early on Monday as news of the remediation plan spread.


Sensitive plastic surgery images exposed online

Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database. This time, the culprit was the French plastic surgery technology company NextMotion.

Established in 2015, NextMotion sells digital photography and video devices for dermatology clinics, concentrating on images including those that document the effects of treatment. Its proprietary software includes facial analysis and augmented reality tools, and also documents treatment plans, digital consent forms, treatment reports, quotes, and invoices. It reports selling its services to over 170 clinics in 35 countries. It has received investments of €1.58m, a million of which it raised last year in a single round.

The images are the contentious part here. According to a team led by vpnMentor researchers Noam Rotem and Ran Locar, NextMotion’s compromised database contained sensitive images of thousands of plastic surgery patients, uploaded via its devices and software.

There were almost 900,000 images in an Amazon Web Services S3 bucket, showing patients’ faces along with the parts of their bodies that had been treated. These images were often highly sensitive, showing patients’ genitalia and other body parts.

The French company was quick to clarify what hadn’t been exposed. In a press release on its site, it said:

These media are stored in a specific database separated from the patients’ personal data database (names, birth dates, notes, etc) – only the media database was exposed, not the patients’ database.

Although any separate databases holding patient data might have remained unexposed, there was still sensitive data in the S3 bucket in question. This included not just video files showing 360-degree body and face scans, but also patient profile photos, outlines for proposed treatments, and invoices for treatments. Redacted document images included in vpnMentor’s report show patient names and unique IDs. The researchers said:

The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients. This type of data can be used to target people in a wide range of scams, fraud, and online attacks.

On its site, NextMotion makes a point of telling users that it stores its data on cloud infrastructure that is compliant with “the latest health data storage regulations in your country (GDPR, HIPAA, ISO, etc)”. This highlights a common misunderstanding of cloud security, though.

While it’s true that cloud service providers are responsible for securing the underlying cloud infrastructure (security of the cloud), the customer is responsible for securing what they run on it (security in the cloud). This is called the shared responsibility model.
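As an added illustration of ‘security in the cloud’ being the customer’s job (example code written for this page, not NextMotion’s or AWS’s): the two bucket policies and the bucket name below are constructed, and the checker flags bucket-policy statements that grant unconditional access to anonymous callers, the kind of setting the provider will not fix on the owner’s behalf.

```python
import json

# Constructed sample policies (not NextMotion's). The first makes every object
# world-readable: a customer-side setting AWS does not fix for the bucket owner.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-media-bucket/*"}],
})
# Corrected form: only one named role in the (made-up) account may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/media-app-role"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-media-bucket/*"}],
})

def _is_public_principal(principal):
    """True if the Principal element grants to anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_json):
    """Return Sids of unconditional Allow statements usable by anonymous callers."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        # Conditional grants (e.g. on aws:SourceVpc) need manual review; not flagged here.
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and _is_public_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_READ_POLICY))  # ['PublicRead']
    print("public statements:", public_statements(RESTRICTED_POLICY))   # []
```

A real review would also check the account-level and bucket-level Public Access Block settings and bucket ACLs, which this policy-only check does not cover.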

The database storing this information was named after NextMotion, which made it easy for the researchers to find out and contact the company. They did so on 27 January 2020, following up with a message to Amazon Web Services on 30 January 2020. The database was taken down on 5 February 2020.

Insecure storage of medical images is a widespread problem, according to a report by ProPublica. Last September, investigators revealed that X-rays, MRIs and CT scans for around five million Americans had been publicly accessible online.
