Perpetual IT

Denial of service, local escalation of privileges, and information disclosure are not security worries most computer users will associate with their racy graphics card or its drivers.

And yet fixes for precisely these issues are part of February’s Nvidia GPU display update, all of which could compromise Windows or Linux PCs, allowing an attacker to gain local access after a malware attack.

In all, the update covers five desktop CVE vulnerabilities, including one, CVE‑2020‑5957, rated as critical. This is in the Windows GPU Display Driver control panel for the GeForce, Quadro  NVS, and Tesla products leading to a corrupt system file and escalation of privileges or denial of service.

A second control panel flaw affecting the same products is CVE‑2020‑5958, which might allow the planting of a malicious DLL file with the same results as above along with information disclosure.

The Virtual GPU Manager gets three fixes addressing CVE‑2020‑5959, CVE‑2020‑5960, and CVE‑2020‑5961, with the first of these rated critical.

Nvidia is also readying separate updates for its enterprise products, namely the Virtual GPU Manager (various hypervisors), and vGPU graphics driver for guest OS (Windows and Linux), which is also affected by some of the above flaws.

Depending on the driver version affected, these will be available in the week of 9 March 2020, with updates during April promised for organizations using either version 10.0 or 10.1 for any of the above products.

These days, updating graphics drivers needs to be part of the standalone user’s patching cycle along with Microsoft’s Patch Tuesday, Intel’s regular CPU and product patches, not forgetting browsers and individual products such as Adobe’s PDF Reader and various plugins .

Nvidia ships fixes for its products almost every month, with missed months made up for by two releases the following month.

Almost all include critical updates for severe vulnerabilities which could cause major problems if left unpatched.

November 2019’s update fixed 11 mostly severe flaws across its desktop products, while August 2019 saw a similar story.

Latest Naked Security podcast

Unsettling news for anyone who relies on smartphone voice assistants: researchers have demonstrated how these can be secretly activated to make phone calls, take photos, and even read back text messages without ever physically touching the device.

Dubbed SurfingAttack by a US-Chinese university team, this is no parlor trick and is based on the ability to remotely control voice assistants using inaudible ultrasonic waves.

Voice assistants – the demo targeted Siri, Google Assistant, and Bixby – are designed to respond when they detect the owner’s voice after noticing a trigger phrase such as ‘Ok, Google’.

Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can’t hear, providing an attacker has a line of sight on the device and the distance is short.

What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone was sitting using a circular piezoelectric disc connected to its underside.

Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

As explained in a video showcasing the method, a remote laptop generates voice commands using text-to-speech (TTS) Module to produce simulated voice commands which are then transmitted to the disc using Wi-Fi or Bluetooth.

The researchers tested the method on 17 different smartphones models from Apple, Google, Samsung, Motorola, Xiaomi, and Huawei, successfully deploying SurfingAttack against 15 of them.

The researchers were able to activate the voice assistants, commanding them to unlock devices, take repeated selfies, make fraudulent calls and even get the phone to read out a user’s text messages, including SMS verification codes.

Responses were recorded using a concealed microphone after turning down the device’s volume so this communication would not be heard by a nearby user in an office setting.

DolphinAttack rides again

In theory, voice assistants should only respond to the owner’s voice, but these can now be cloned using machine learning software such as Lyrebird, as was the case in this test. It’s a defence of sorts – the need to capture and clone the victim’s voice.

A bigger might simply be the designs of individual smartphones – the team believe the two that did not succumb to SurfingAttack, Huawei’s Mate 9 and Samsung’s Galaxy Note 10, did so because the materials from which they were constructed dampened the ultrasonic waves. According to the researchers, putting the smartphone on a tablecloth was better still.

SurfingAttack was inspired by the 2017 DolphinAttack proof-of-concept, which showed how voice assistants could be hijacked by ultrasonic commands.

Elsewhere, sound has also proved interesting to researchers looking to jump air gaps, and exfiltrate data from computer fan noise.

While hacking voice assistants remains a lab activity with no known real-world attacks to speak of, there’s always a risk that could change. At some point, smartphone makers will surely have to come up with better countermeasures.

Latest Naked Security podcast

Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users.

Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These certificates are integral to the encryption used by HTTPS websites.

HTTPS is HTTP that uses the Transport Layer Security (TLS) protocol for privacy and authentication. Your browser uses it to be confident that you’re not visiting an evil website that’s impersonating your real destination using a DNS spoofing attack. It also encrypts the information passing between your browser and the web server so that someone who can snoop on your traffic still can’t tell what you’re doing.

Netscape created HTTPS in 1994, but in 2014 a minority of websites used it. That’s because it could be technically difficult to implement, it was time consuming and it cost money. There was too much friction. That’s what Let’s Encrypt set out to change.

The project is a non-profit effort from the Internet Security Research Group (ISRG), an organisation sponsored by a mixture of privacy advocates and those who benefit from making the online ecosystem healthier. The Electronic Frontier Foundation (EFF) is a sponsor, along with Cisco, Facebook, Google, the Internet Society (which houses the Internet Engineering Task Force or IETF), Mozilla, and French cloud service provider OVH.

The project issues free certificates, keeping them valid for 90 days before forcing people to renew. It isn’t just the free nature of these certificates that has helped them flood the internet. The other key to the puzzle is automation. Let’s Encrypt created a protocol called Automated Certificate Management Environment (ACME). This is a challenge-response system that automates enrolment with the certificate authority and validation of the domain.

Version two of ACME became a proposed internet standard in May 2019 (did we mention that the IETF’s parent organization is a sponsor?) giving it more credence still. There are various ACME clients, and some have been baked directly into default Linux server distributions, enabling Apache and nginx web servers to run automatic scripts to handle the whole process.

Let’s Encrypt’s approach isn’t perfect. For one thing, it only offers domain validation that checks a person is in control of a domain, rather than extended validation certificates that go the extra mile to validate the legal name of the owner. This has led to some problems, such as Let’s Encrypt’s automatic validation of PayPal phishing sites.

This isn’t a mistake – it’s simply that the organization’s goal is to encrypt as many websites as possible rather than investigate their content, which it prefers to leave to others like Google. Eagle-eyed readers of today’s other stories will spot that the certificate issued on the Stripe phishing scam domain was also from Let’s Encrypt.

Thanks to this flood of free certificates, the web is a lot more encrypted than it was a few years ago. In June 2017, 58% of webpage loads were delivered over HTTPS, the project stated, adding that the number has grown to 81% today. That’s due in large part to free and automated certificate provisioning, but also to a firmer hand by web browser developers. Mozilla now shames any web pages that don’t use HTTPS, while Google removes the ‘secure’ label for HTTP-only sites and gives them a lower search ranking than HTTPS ones.

Latest Naked Security podcast

Clearview AI, the controversial facial recognition startup that’s gobbled up more than three billion of our photos by scraping social media sites and any other publicly accessible nook and cranny it can find, has lost its entire list of clients to hackers – including details about its many law enforcement clients.

In a notification that The Daily Beast reviewed, the company told its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts they’ve set up, and to the number of searches they’ve run.

The disclosure also claimed that Clearview’s servers hadn’t been breached and that there was “no compromise of Clearview’s systems or network.” The company said that it’s patched the unspecified hole that let the intruder in, and that whoever it was didn’t manage to get their hands on customers’ search histories.

Tor Ekeland, an attorney for Clearview, sent a statement to news outlets saying that breaches are just a fact of life nowadays:

Security is Clearview’s top priority. Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.

Clearview, which has sold access to its gargantuan faceprint database to hundreds of law enforcement agencies, first came to the public’s attention in January when the New York Times ran a front-page article suggesting that the “secretive company […] might end privacy as we know it.”

In its exposé, the Times revealed that Clearview has quietly sold access to faceprints and facial recognition software to more than 600 law enforcement agencies across the US, claiming that it can identify a person based on a single photo, reveal their real name and far more.

Within a few weeks of the Times article, Clearview found itself being sued in a potential class action lawsuit that claims the company amassed the photos out of “pure greed” to sell to law enforcement, thereby violating the nation’s strictest biometrics privacy law – the Biometric Information Privacy Act (BIPA).

Among the many online sources that Clearview has scraped to get all the biometric data it’s selling (or giving away), Twitter, Facebook, Google and YouTube have ordered the company to stop its scraping – a practice that violates the social media giants’ policies.

In a followup report, the Times noted that there’s a strong use case for Clearview’s technology: finding victims of child abuse. Investigators told the newspaper that Clearview’s tools have enabled them to identify the victims featured in child abuse videos and photos, leading them to names or locations of victims whom they may never have been able to identify otherwise. One retired chief of police said that running images of 21 victims of the same offender returned 14 minors’ IDs, the youngest of whom was 13.

Following the Times’ exposé, New Jersey barred police from using the Clearview app. Canada’s privacy agencies are also investigating Clearview to determine if its technology violates the country’s privacy laws, the agencies said on Friday.

David Forscey, the managing director of the non-profit Aspen Cybersecurity Group, told the Daily Beast that Clearview’s breach should be worrying for its customers:

If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t.

Put another way by tech policy advocate Jevan Hutson:

Clearview continues to give us a clear view of why biometric surveillance is an unsalvageable trash fire.

Latest Naked Security podcast