Not So 'Smart' - Child Tech Has Hackable Flaws episode artwork

EPISODE · Apr 19, 2019

Not So 'Smart' - Child Tech Has Hackable Flaws

from Info Risk Today Podcast · host InfoRiskToday.com

A warning that a smartwatch marketed to parents for tracking and communicating with their children could be coopted by hackers leads the latest edition of the ISMG Security Report. It also reviews how a DNS hijacking campaign is hitting organizations and how "dark patterns" trick users.

Episode metadata supplied by the publisher feed · Published Apr 19, 2019

A warning that a smartwatch marketed to parents for tracking and communicating with their children could be coopted by hackers leads the latest edition of the ISMG Security Report. It also reviews how a DNS hijacking campaign is hitting organizations and how "dark patterns" trick users.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Not So 'Smart' - Child Tech Has Hackable Flaws

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Why a smartwatch for children isn't so smart and how the sea turtle espionage campaign is hijacking DNS to target intelligence agencies These stories and more coming up on the ISNG security report Hello, I'm Matthew Schwartz This week's security report begins with an alarming look at a child tracking tool for parents that has flaws Which could be abused by an attacker to track a child or talk directly to them ISNG's Jeremy Kirk has more That's the voice of Australian security researcher Troy Hund's six-year-old daughter Ellie She's speaking with banjilist Stikis a security researcher with pen test partners in the UK As part of a security test Stikis managed to add himself as a parent to Ellie's TikTok track smartwatch and then call Hund's daughter Although Hund gave permission to run the test in theory Stikis shouldn't have been able to do that But Stikis and his colleagues found the smartwatch's web application contained a serious vulnerability The GPS smartwatch which has a SIM card is designed to let parents keep tabs on their kids including their location But the vulnerability could have allowed a hacker to track a child's location spoof the child's location and add themselves as a parent to an account The smartwatch is made by a China-based gator group but uses software developed by TikTok track Which is marketed by a Brisbane-based company the gator watch is sold around the world and often the web app is customized by local companies that sell it As a result of the findings TikTok track this week shut down its service pending verification of the flaws in a fix Company said if the flaws are verified by its own audit it would offer refunds for subscriptions The type of vulnerability that affected this smartwatch was an insecure direct object reference It allowed anyone logged into the TikTok track service to increments and identify or in a URL which allowed access to other accounts The type of vulnerability is an elementary one and should have been caught Security researchers have long warned of vulnerabilities in internet-connected toys and in children's smartwatches Theoretically the problems with the TikTok track should have never happened And that's not just because the developers should have had greater knowledge of insecure direct object references In October 2017 the Norwegian Consumer Council published a detailed paper into the privacy issues and security aspects of four kinds of children's smartwatches including the gator The council found what it termed significant security flaws unreliable safety features and a lack of consumer protection And about a year later Pentes partners published research outlining some of the same kinds of vulnerabilities also in a gator watch As a result of the findings gator fix problems with its own web application All this is a warning once again that internet-connected devices aimed at children are still an immature and potentially risky area For information security media group I'm Jeremy Kirk Next in the security report I'm joined by Scott Ferguson of ISMG who's been reporting on a domain name system hijacking campaign That's been targeting intelligence agencies the energy sector and more Scott what's going on here? Hi Matt, thanks. So on Wednesday this week Cisco Talos released a report about a nation state sponsored attack called C-Turtle This group has managed to hijack DNS traffic and it's something Cisco Talos has been looking at before There's a couple other groups operating in the North Africa and Middle East regions that have become pretty prolific at manipulating and hijacking DNS traffic Cisco Talos told me an email that this is not related to some of those other attacks which have been kind of pinned on Iran Cisco Talos also had told me that they know who is behind it But they're not saying yet exactly who these people are that might come out a little bit later But again, we're seeing these groups that have state sponsorship to them taking advantage of these older protocols and getting really prolific at hijacking that traffic Is this the first time that we have been seeing these kinds of DNS hijacking campaigns? This has actually been going on for a while A C-Turtle itself has been around since at least the very beginning of 2017 The folks at Cisco Talos have told me that they are still in operation right now even after Cisco planned on publishing some of these results that they had But we are again seeing different groups manipulating DNS traffic most are state sponsored So they're part of SB and Ojans spying campaigns I received an email late yesterday from a Talos spokeswoman and she said also to that this group of C-Turtle has also managed to steal data from some of the Organizations that it's targeted.

So this is a pretty extensive state sponsored campaign That's going on right now and again It's indicative of these sort of continuing operations, especially in the Middle East and North Africa How should organizations be protecting themselves against these sorts of attacks? Cisco Talos did release a little bit of material about how you can defend yourself one of the main things was You know take a good look at your DNS registry, right? Make sure that that is not being manipulated go into the logs If the logs don't have multi-factor authentication in them Maybe that's something you want to put in if you think maybe you've been targeted You want to reset your passwords do a whole network reset use a trusted computer reset all your passwords And of course like everything else because this group managed to take advantage of so many flaws and vulnerabilities in commodity software Go through all your patching make sure that everything is up to date and then from a more big picture perspective We're also seeing slowly the adoption of domain name system security extensions For example DNS sec that can help as well, can't it it can help? The only thing I would kind of add there as a kind of caveat is that Craig Williams He's one of the researchers at Talos who put together this report He said as DNS systems are sort of being upgraded from modern security the attackers are also updating their methods So even though better security is coming you have to be aware that the attackers are adjusting their methods to sort of manipulate the traffic Even with these better security protocols in place So it's a constant cat and mouse game as better security comes on the attackers change and then you need to re-up your game as well So cat and mouse game DNS edition exactly you know five versus five at this point.

Well Scott. Thanks so much for your time inside today Thank you, man. I appreciate it. You're listening to the ISMG security report on ISMG radio IsMG your number one source for information security news If you've ever been trying to do one thing on a website But it tricks you into doing something else that's a dark pattern to combat such practices a new bipartisan Senate bill introduced by Virginia Democratic Senator Mark Warner And Nebraska Republican Senator Deb Fisher would prohibit large online platforms from using deceptive interfaces Here's Senator Warner telling CNBC more about his deceptive experiences to online users reduction or D2R Act This one takes a look at the abuse For large platform companies people more than a hundred million users where you see Manipulative tactics on their sites or their application that we've all seen sites that have flashing arrows to say press I agree press I submit but you're gonna find the unsubscribe button on the same site This would set up a an advisory industry advisory group similar to the model the securities industry of thin rest would be that would set up rules and regulations That would be able to enforce this effort against our what we call dark patterns against manipulate behavior But we're hearing as well towards children and we think it's a good first step one useful resource for better understanding dark patterns is dark patterns Dot org the website highlights numerous examples of dark patterns seen in the wild for example bait and switch means you click An X on the upper left part of a window asking if you want to upgrade your operating system to Microsoft 10 Intending to dismiss the box only to have clicking the axe beak in the upgrade roach motels meanwhile Refer to sites that make it easy for a user to end up in a situation but difficult to get out of ticket master For example has been known to sneak magazine subscriptions into a customer's shopping cart unless they explicitly opt out Confirm shaming uses guilt to try and drive someone into accepting something information security veteran Wendy Nather calls this the yes I wanted to let the orphans starve prompt airline websites For example often do this to when they try to get ticket buyers to purchase one off travel insurance And the final example for today trick questions trick phrasing can leave users unclear about whether clicking no might instead mean yes Or it might follow a checkbox for opting out with a checkbox for opting in Regardless of the type of dark pattern at work if you had to summarize this sort of thing it might be don't be evil instead Organizations that use usability as a force not only for making things easier to use but for good have the opportunity to not only foster better data security But also greater transparency and to trust with users That's the ISMG security report our theme is by Ithaca audio.

I'm Matthew Schwartz. Catch you next time

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on April 19, 2019.

What is this episode about?

A warning that a smartwatch marketed to parents for tracking and communicating with their children could be coopted by hackers leads the latest edition of the ISMG Security Report. It also reviews how a DNS hijacking campaign is hitting...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!