Cybersecurity Week in Review: 11/16

Internet of Things devices are in the news this past week as we learned of the latest research to turn an IoT device into spyware and how the U.S government is combating  the lack of IoT safeguards and security. We also cover a new ransomware attack targeting the TurboTax software.

Malware Turns Vacuum Cleaner into Eavesdropping Device

James Bond’s R&D team has nothing on academics and researchers’ innovation from the University of Maryland and the National University of Singapore. They took a smart vacuum cleaner and converted it into a laser microphone capable of recording nearby conversations. 

Calling it the LidarPhone, the researchers took the vacuum’s LiDAR laser-based navigational component and converted it into a laser microphone. To use the LidarPhone, attackers would first need to modify the vacuum’s firmware using malware or a tainted update process. Then stop the rotation of the vacuum LiDAR and instead direct its focus to a specific object or area to examine surface vibrations and record sound waves. Any recordings would also need to be uploaded to the attacker’s remote server for additional processing and a signal boost to ensure quality.

The researchers tested the attack with various objects and over distances, managing to recover data with a 90% accuracy rate. Researchers believe the sound recording technique could identify an individual’s gender or even determine more personal information based on other noise captured in the background.

But smart vacuum cleaner owners need not worry that someone may start listening in to their conversations quite yet. The hurdles to get the instrument working are still somewhat complicated, and there are many far easier ways to spy on people. 

PDF versions of the research paper entitled “Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors” can be found here and here.

An article on the research can be found here.

Tax Woes Starting Early This Year

It seems that cybercriminals aren’t only targeting the upcoming holiday season—ransomware is already being launched aimed at tax season, with a focus on TurboTax. 

A relative newcomer to the seedy ransomware underworld, the “Mount Locker ransomware operation” first appeared in July 2020, infecting computers and threatening to publish stolen data unless millions of dollars in ransom was received from victims.

The current version of Mount Locker appears to target TurboTax files specifically. Researcher Vitali Kremez discovered that the Mount Locker code looks for and then encrypts specific TurboTax file extensions—.tax, .tax2009, .tax2013, and .tax2014. 

According to Kremez, the “.tax” file extension would cover all TurboTax files, regardless of year, so it is unclear why the ransomware also strangely targets other specific tax years.

Once the ransomware is installed, the files are first encrypted and then victims are told their stolen data will be published on the Mount Locker data leak site unless the ransom is paid.

More information on the Mount Locker ransomware targeting TurboTax can be found here. 

Senate Unanimously Passes IoT Protection Bill

The Internet of Things Cybersecurity Improvement Act that unanimously passed this past week in the U.S. Senate could have positive long-term implications for all users of IoT devices.

The Act requires all internet-connected devices purchased by the federal government to meet minimum security recommendations from the National Institute of Standards and Technology (NIST). Through the act, NIST must issue standards-based guidelines for all IoT devices owned by the federal government. It also prohibits federal agencies from procuring devices that don’t meet the Act’s guidelines. The bill also creates a disclosure program requiring IoT vendors to disclose vulnerabilities in their devices and how they were resolved.

Likewise, the bill requires a review and update every five years to ensure the mandates keep up with the latest technological developments.

Good News for Consumers

Since the federal government procures many of the same IoT devices and systems used by corporations and the general population, IoT vendors will need to adhere to a standard set of cybersecurity regulations, creating immediate benefits for IoT users.

IoT devices are relative newcomers to the internet-connected world but have already achieved a reputation for lacking basic cybersecurity and safeguards. With the passing of the Internet of Things Cybersecurity Improvement Act, not only does the overall security of the federal government stand to be improved, but experts believe we’ll begin to see more transparency with IoT devices, as well as globally accepted security standards.

More information on the Internet of Things Cybersecurity Improvement Act can be found here.

Final Words

We’re living in a world of constant innovation regarding both internet-connected devices and the cyber threats that target them. This makes it critical for regulators and manufacturers to recognize the necessity to secure and protect these devices. 

The passing of the Internet of Things Cybersecurity Improvement Act was a positive step in the overall transparency and security standards process. With some estimates placing the number of IoT devices at 125 billion by 2030, this bill can’t be implemented soon enough.

The bill sets the stage for corporations and the government to work closely together to ensure the safety of any individual, group or organization that uses an internet-connected device. 

With this being Thanksgiving week, one last thing to say is that this kicks off the most massive shopping week of the year. Black Friday, coupled with Cyber Monday, will see increased purchases in-stores and the majority online due to our COVID-19 circumstances. 

We need to remember that attackers don’t take holidays. They use them against us. With Black Friday already being notorious for breaches, this year should be no different, especially since attacks have exponentially increased this year already. Web skimmers, redirects, malvertisements, phishing and more could be in heavy use, as they have been already this year. Let’s stay vigilant out there, being safe and secure.

As always, security is an action. You get out what you put in.