Mercedes-Benz app glitch exposed car owners’ information to other people’s accounts

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information.

TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see personal information — including names, locations, phone numbers, and other information — of other vehicle owners.

The apparent security lapse happened late Friday, before the app went offline “due to site maintenance” a few hours later.

It’s not uncommon for modern vehicles these days to come with an accompanying phone app. These apps connect to your car and let you remotely locate them, lock or unlock them, and start or stop the engine. But as cars become internet-connected and hooked up to apps, security flaws have allowed researchers to remotely hijack or track vehicles.

One Seattle-based car owner told TechCrunch that their app pulled in information from several other accounts. He said that both he and a friend, who are both Mercedes owners, saw the same car, belonging to another customer, in their respective apps, but every other account detail was different.


Screenshots of the Mercedes-Benz app showing another person’s vehicle, and exposed data belonging to another car owner. (Image: supplied)

The car owners we spoke to said they were able to see the car’s recent activity, including where it had recently been, but they were unable to track its real-time location using the app’s feature.

When he contacted Mercedes-Benz, a customer service representative told him to “delete the app” until it was fixed, he said.

The other car owner we spoke to said he opened the app and found it also pulled in someone else’s profile.

“I got in contact with the person who owns the car that was showing up,” he told TechCrunch. “I could see the car was in Los Angeles, where he had been, and he was in fact there,” he added.

He said that he wasn’t sure if the app has exposed his private information to another customer.

“Pretty bad fuck up in my opinion,” he said.

The first customer reported that the “lock and unlock” and the engine “start and stop” features did not work on his app, somewhat limiting the impact of the security lapse. The other customer said they did not attempt to test either feature.

It’s not clear how the security lapse happened or how widespread the problem was. A spokesperson for Daimler, the parent company of Mercedes-Benz, did not respond to a request for comment on Saturday.

According to Google Play’s rankings, more than 100,000 customers have installed the app.

A similar security lapse hit Credit Karma’s mobile app in August. The credit monitoring company admitted that users were inadvertently shown other users’ account information, including details about credit card accounts and balances. But despite disclosing other people’s information, the company denied a data breach.

A set of new tools can decrypt files locked by Stop, a highly active ransomware

Thousands of ransomware victims may finally get some long-awaited relief.

New Zealand-based security company Emsisoft has built a set of decryption tools for Stop, a family of ransomware that includes Djvu and Puma, which they say could help victims recover some of their files.

Stop is believed to be the most active ransomware in the world, accounting for more than half of all ransomware infections, according to figures from ID-Ransomware, a free site that helps identify infections. But Emsisoft said that figure is likely to be far higher.

If you’ve never had ransomware, you’re one of the lucky ones. Ransomware is one of the more common ways for criminals to make money: they infect computers with malware that locks files using encryption. Once the Stop ransomware infects a computer, it renames a user’s files with one of any number of extensions, replacing .jpg and .png files with .radman, .djvu and .puma, for example. Victims can unlock their files in exchange for a ransom demand — usually a few hundred dollars in cryptocurrency.

Not all ransomware is created equally. Some security experts have been able to unlock some victims’ files without paying up by finding vulnerabilities in the code that powers the ransomware, allowing them in some cases to reverse the encryption and return a victim’s files back to normal.

Stop is the latest ransomware that researchers at Emsisoft have been able to crack.

“The latest known victim count is about 116,000. It’s estimated that’s about one-quarter of the total number of victims.”
Emsisoft

“It’s more of a complicated decryption tool than you would normally get,” said Michael Gillespie, the tools’ developer and a researcher at Emsisoft. “It is a very complicated ransomware,” he said.

In Stop’s case, it encrypts user files with either an online key that’s pulled from the attacker’s server, or an offline key, which it uses when it can’t communicate with the server. Gillespie said many victims have been infected with offline keys because the attackers’ web infrastructure was often down or inaccessible to the infected computer.

Here is how the tools work.

The ransomware attackers give each victim a ‘master key,’ said Gillespie. That master key is combined with the first five bytes of each file that the ransomware encrypts. Some filetypes, like .png image files, share the same five bytes in every .png file. By comparing an original file with an encrypted file and applying some mathematical computations, he can decrypt not only that .png file but other files of the same filetype.

Some filetypes share the same initial five bytes. Most modern Microsoft Office documents, like .docx and .pptx, share the same five bytes as .zip files. With a before-and-after pair from any one of these filetypes, the others can be decrypted too.

There’s a catch. The decryption tool is “not a cure all” for your infected computer, said Gillespie.

“The victim has to find a good before and after of basically every format that they want to recover,” he said.

Once the system is clean of the ransomware, he said victims should try to look for any files that were backed up. That could be default Windows wallpapers, or it can mean going through your email and finding an original file that you sent and matching it with the now-encrypted file.

When the user uploads a “before and after” pair of files to the submission portal, the server will do the math and figure out if the pair of files are compatible and will spit back which extensions can be decrypted.

But there are pitfalls, said Gillespie.

“Any infections after the end of August 2019, unfortunately there’s not much we can do unless it was encrypted with the offline key,” he said. If an online key was pulled from the attacker’s server, victims are out of luck. He added that files submitted to the portal have to be above 150 kilobytes in size or the decryption tools won’t work, because that’s how much of the file the ransomware encrypts. And some file extensions will be difficult if not impossible to recover because each file extension handles the first five bytes of the file differently.

“The victim really needs to put in some effort,” he said.
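The steps above amount to a checklist a victim can apply before submitting anything: strip the ransomware extension to recover the original file name, find a clean copy of that file (from sent mail, backups or default Windows wallpapers), make sure the pair is large enough to cover the region the ransomware encrypts, and read the first five bytes to learn which other filetypes the same pair would unlock. The script below is an added illustration of that triage, not Emsisoft’s portal code or decryptor: the header table, the way the 150-kilobyte threshold is applied, and all function names are assumptions, and the “encrypted” sample is a constructed placeholder rather than Stop ciphertext.

```python
"""Triage helper for assembling a usable "before and after" pair for a Stop decryptor
submission, following the article's description. Added illustration, not Emsisoft's
code; the header table, threshold handling and function names are assumptions."""
from pathlib import Path

# Encrypted-file extensions named in the article (the real family has used many more).
STOP_EXTENSIONS = {"radman", "djvu", "puma"}

# The article states the ransomware encrypts the first 150 KB of a file and that
# pairs below that size are rejected by the decryptor.
MIN_PAIR_SIZE = 150 * 1024

# First five plaintext bytes shared by whole file types (assumed table). PNG's 8-byte
# signature begins with these five; OOXML documents are zip archives whose local file
# header starts with PK\x03\x04 followed, for common writers, by a version byte of 0x14.
HEADER_FAMILIES = {
    b"\x89PNG\r": {"png"},
    b"PK\x03\x04\x14": {"zip", "docx", "pptx", "xlsx"},
}


def split_encrypted_name(name):
    """'report.docx.puma' -> ('report.docx', 'puma'); None if the suffix is not a Stop marker."""
    path = Path(name)
    marker = path.suffix.lstrip(".").lower()
    if marker not in STOP_EXTENSIONS:
        return None
    return path.name[: -len(path.suffix)], marker


def shared_header_extensions(first_five):
    """Extensions whose files all begin with the same five bytes as this sample."""
    return set(HEADER_FAMILIES.get(bytes(first_five), ()))


def match_candidates(encrypted_names, clean_names):
    """Pair each encrypted file with a clean copy of the same original name, e.g. an
    attachment recovered from sent mail or a default wallpaper from a fresh install."""
    clean_by_name = {Path(n).name: n for n in clean_names}
    pairs = []
    for enc in encrypted_names:
        split = split_encrypted_name(Path(enc).name)
        if split and split[0] in clean_by_name:
            pairs.append((clean_by_name[split[0]], enc))
    return pairs


def check_pair(original_bytes, encrypted_bytes, encrypted_name):
    """Validate a before/after pair and report which extensions a good pair could unlock."""
    problems = []
    split = split_encrypted_name(Path(encrypted_name).name)
    if split is None:
        problems.append("encrypted file name does not end in a known Stop extension")
    if len(original_bytes) < MIN_PAIR_SIZE:
        problems.append(
            f"original is {len(original_bytes)} bytes; the pair needs at least {MIN_PAIR_SIZE}"
        )
    if len(encrypted_bytes) < min(len(original_bytes), MIN_PAIR_SIZE):
        problems.append("encrypted copy is shorter than the region the ransomware encrypts")
    if original_bytes[:MIN_PAIR_SIZE] == encrypted_bytes[:MIN_PAIR_SIZE]:
        problems.append("files are identical in the encrypted region; the 'after' copy is not encrypted")
    extensions = shared_header_extensions(original_bytes[:5])
    if split:
        own_ext = Path(split[0]).suffix.lstrip(".").lower()
        if own_ext:
            extensions.add(own_ext)  # a good pair always unlocks files of its own type
    return {"ok": not problems, "problems": problems, "extensions": sorted(extensions)}


if __name__ == "__main__":
    # Constructed sample: a PNG-like original and a placeholder "encrypted" copy of equal size.
    original = b"\x89PNG\r\n\x1a\n" + b"\x00" * (160 * 1024)
    encrypted = b"\xa5" * len(original)
    print(check_pair(original, encrypted, "vacation.png.djvu"))
    print(match_candidates(["vacation.png.djvu", "report.docx.puma", "notes.txt"], ["sent/report.docx"]))
```

Run it on a folder listing of encrypted names plus whatever clean originals you have located; `match_candidates` finds the pairs worth trying, and `check_pair` rejects the ones that are too small, unencrypted or mislabelled before you spend time uploading them. The header table is deliberately short, since the fifth byte of a zip archive can differ between writers; extend it only with headers you have verified on your own files.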


The current share of worldwide ransomware infections. (Image: Emsisoft)

This isn’t Gillespie’s first rodeo. For a time, he was manually processing decryption keys for victims whose files had been encrypted with an offline key. He built a rudimentary decryption tool, the aptly named STOPDecrypter, which decrypted some victims’ files. But keeping the tool up to date was a cat and mouse game he was playing with the ransomware attackers. Every time he found a workaround, the attackers would push out new encrypted file extensions in an effort to outwit him.

“They were keeping me on my toes constantly,” he said.

Since the launch of STOPDecrypter, Gillespie has received thousands of messages from people whose systems have been encrypted by the Stop ransomware. By posting on the Bleeping Computer forums, he has been able to keep victims up to date with his findings and updates to his decryption tool.

But as some victims became more desperate to get their files back, Gillespie has faced the brunt of their frustrations.

“The site’s moderators were patiently responding. They’ve kept the peace,” he said. “A couple of other volunteers on the forums have also been helping explain things to victims.”

“There’s been a lot of community support trying to help in every little small bit,” he said.

Gillespie said the tool will also be fed into Europol’s No More Ransom Project so that future victims will be notified that a decryption tool is available.

MyGate raises $56M to bring its security management service to more gated communities in India

MyGate, a Bangalore-based startup that offers security management and convenience services for guard-gated premises, said today it has bagged more than $50 million in a new financing round as it looks to expand its footprint in the nation.

Chinese internet giant Tencent, Tiger Global, JS Capital and existing investor Prime Venture Partners funded the three-year-old startup’s $56 million Series B financing round. The new round pushes MyGate’s total fundraise to $67.5 million.

MyGate offers an eponymous mobile app that allows home residents to approve entries and exits, communicate with their neighbors, log attendance and pay society maintenance bills and daily help workers.

The startup says it is operational in 11 cities in India and has amassed over 1.2 million home customers. Its customer base is increasing by 20% each month, it claimed. The service is handling 60,000 requests each minute and clocking over 45 million check-in requests each month.

The idea of MyGate came after its co-founder and CEO, Vijay Arisetty, left the Indian armed forces. In an interview with TechCrunch, he said his family was appalled to learn about the poor state of security across societies in India.

“This was also when e-commerce companies and food delivery firms were beginning to gain strong foothold in the nation. This meant that many people were entering a gated community each day,” he said.

MyGate has inked partnerships with many e-commerce players to create a system to offer a silent and secure delivery experience for its users. The startup also trains guards to understand the system.

According to industry estimates, more than 4.5 million people in India today live in gated communities, and that figure is growing by 13% each year. The private security industry in the country is a $15 billion market.

Arisetty says he believes the startup could significantly accelerate its growth as its solution understands the price-sensitive market. Using MyGate costs an apartment about Rs 20 (28 cents) per month. Even at that price, the startup says it is making a profit. “Today, we are seeing more demand than we can handle,” he said.

That’s where the new funding would come into play for the startup, which today employs about 700 people.

The startup plans to use the fresh capital to expand its technology infrastructure, its marketing and operations teams and build new features. The startup aims to reach 15 million homes in 40 Indian cities in the next 18 months.

In a statement, Sanjay Swamy, managing partner at Prime Venture Partners, said, “It’s been great to see a fledgling startup execute consistently and holistically, and grow into a category-creating market-leader.”

Foursquare CEO calls on Congress to regulate the location data industry

The chief executive of Foursquare, one of the largest location data platforms on the internet, is calling on lawmakers to pass legislation to better regulate the wider location data industry amid abuses and misuses of consumers’ personal data.

It comes in the aftermath of the recent location sharing scandal, which revealed how bounty hunters were able to get a hold of any cell subscriber’s real-time location data by obtaining the records from the cell networks. Vice was first to report the story. Since then there have been numerous cases of abuse — including the mass collection of vehicle locations in a single database, and popular iPhone apps that were caught collecting user locations without explicit permission.

The cell giants have since promised to stop selling location data but have been slow to act on their pledges.

“It’s time for Congress to regulate the industry,” said Foursquare’s chief executive Jeff Glueck (shown on the left in the photo above) in an op-ed in The New York Times on Wednesday.

In his opinion piece, Glueck called on Congress to push for a federal regulation that enforces three points.

Firstly, phone apps should not be allowed to access location data without explicitly stating how it will be used. Apple has already introduced a new location tracking privacy feature that tells users where their apps track them, and is giving them options to restrict that access — but all too often apps are not clear about how they use data beyond their intended use case.

“Why, for example, should a flashlight app have your location data?” he said, referring to scammy apps that push for device permissions they should not need.

Second, the Foursquare chief said any new law should provide greater transparency around what app makers do with location data, and give consumers the ability to opt-out. “Consumers, not companies, should control the process,” he added. Europe’s GDPR already allows this to some extent, as will California’s incoming privacy law. But the rest of the U.S. is out of luck unless the measures are pushed out federally.

And, lastly, Glueck said anyone collecting location data should promise to “do no harm.” By that, he said companies should apply privacy-protecting measures to all data uses by not discriminating against individuals based on their religion, sexual orientation or political beliefs. That would make it illegal for family tracking apps, for example, to secretly pass on location data to healthcare or insurance providers who might use that data to hike up a person’s premiums above normal rates by monitoring their driving speeds, he said.

For a business that relies on location data, it’s a gutsy move.

But Glueck hinted that businesses like Foursquare would be less directly affected as they already take a more measured and mindful approach to privacy, whereas the fast and loose players in the location data industry would face greater scrutiny and more enforcement action.

“These steps are necessary, but they’re not sufficient,” said Glueck. But he warned that Congress could do “great damage” if lawmakers push overly burdensome regulations onto smaller companies, which could increase overheads, put companies out of business and have a negative effect on competition.

“There’s no good reason that companies won’t be able to comply with reasonable regulation,” said Glueck.

“Comprehensive regulation will support future innovation, weed out the bad companies and earn the public trust,” he said.

Twitter says it will restrict users from retweeting world leaders who break its rules

Twitter said it will restrict how users can interact with tweets from world leaders who break its rules.

The social media giant said it will not allow users to like, reply, share or retweet the offending tweets, but instead will let users quote-tweet to allow ordinary users to express their opinions.

The company said the move will help its users stay informed about global affairs while balancing the need to keep the site’s rules in check.

Twitter has been in a bind, amid allegations that the company has not taken action against world leaders who break its rules.

“When it comes to the actions of world leaders on Twitter, we recognize that this is largely new ground and unprecedented,” Twitter said in an unbylined blog post on Tuesday.

Last year, Twitter said it would not ban President Trump despite incendiary tweets, including allegations that he threatened to declare war on North Korea. However, in the case of Iran’s supreme leader Ayatollah Seyed Ali Khamenei, he had one of his tweets deleted from the site.

“We want to make it clear today that the accounts of world leaders are not above our policies entirely,” the company said. Any user who tweets content promoting terrorism, makes “clear and direct” threats of violence, or posts private information is subject to a ban.

But Twitter said in cases involving a world leader, “we will err on the side of leaving the content up if there is a clear public interest in doing so.”

In such a case, “we may place it behind a notice that provides context about the violation and allows people to click through should they wish to see the content,” said Twitter, making good on a promise it made in June.

“Our goal is to enforce our rules judiciously and impartially,” Twitter added in a tweet. “In doing so, we aim to provide direct insight into our enforcement decision-making, to serve public conversation, and protect the public’s right to hear from their leaders and to hold them to account.”

Shipping giant Pitney Bowes hit by ransomware

Shipping tech giant Pitney Bowes has confirmed a cyberattack on its systems.

The company said in a statement that its systems were hit by a “malware attack that encrypted information” on its systems, more commonly known as ransomware.

“At this time, the company has seen no evidence that customer or employee data has been improperly accessed,” the statement said, but many of its internal systems are offline, causing disruption to client services and other corporate processes.

The company said it’s working with a third-party consultant to address the issue. But it’s not immediately known what kind of ransomware encrypted its systems.

A spokesperson for the company did not immediately return a request for comment.

Pitney Bowes is a widely used shipping tech company that provides mailing services to sellers, with more than 1.5 million clients across the world, including the Fortune 500. Its services make mailing items and goods easier and more efficient for sellers, and it is widely used by sellers in marketplaces like Etsy and Shopify.

Several customers on Twitter complained that they were unable to perform basic tasks. Some account pages, product support pages, and software download pages are known to be unavailable.

It’s the latest in a string of attacks on high-profile businesses. In the past few months, drinks giant Arizona Beverages, aluminum maker Norsk Hydro, and science services company Eurofins have all been hit by ransomware.

Last week, the FBI warned of “high impact” ransomware attacks targeting larger businesses.

Google updates its Titan security keys with USB-C

Google has revealed its latest Titan security key — and it’s now compatible with USB-C devices.

The latest Titan key arrives just weeks after its closest market rival Yubico — which also manufactures the Titan security key for Google — released its own USB-C and Lightning-compatible key, but almost two years after Yubico released its dedicated USB-C key.

These security keys offer near-unbeatable security against a variety of threats to your online accounts, from phishing to nation-state attackers. When you want to log in to one of your accounts, you plug in the key to your device and it authenticates you. Most people don’t need a security key, but they are available for particularly high-risk users, like journalists, politicians and activists, who are frequently targeted by hostile nation states.

By Google’s own data, security keys are far stronger than other options, like a text message sent to your phone.

Many companies, like Coinbase, Dropbox, Facebook, Twitter and Google, support the use of security keys. But although the list of supported companies is not vast, it continues to grow as security key usage increases.

Google said its newest key will be available from October 15 for $40.

Thoma Bravo makes $3.9 billion offer to acquire security firm Sophos

Sophos announced this morning that private equity firm Thoma Bravo has agreed to buy the British company for £3.1 billion ($3.9 billion USD). The price is based on $7.40 USD per share, and the company indicated that the board of directors will recommend that shareholders accept the offer.

Sophos CEO Kris Hagerman, as you would expect, put the deal in the brightest possible light. “Sophos is actively driving the transition in next-generation cybersecurity solutions, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more. We continue to execute a highly-effective and differentiated strategy, and we see this offer as a compelling validation of Sophos, its position in the industry and its progress,” he said in a statement.

But private equity firms typically look for undervalued firms that they can purchase and either combine with other properties or find ways to build up their value. Thoma Bravo said in a public filing that it saw a firm it called “a global leader in next-generation cybersecurity solutions spanning endpoint, next-generation firewall, cloud security, server security, managed threat response, and more.”

The company has 400,000 customers in 150 countries, 47,000 channel partners and more than 100 million users, according to the filing. The stock price was up this morning on the news, according to reports.

It’s worth noting that just last week, TechCrunch’s Zack Whittaker reported on “a vulnerability in [Sophos’] Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.” The company issued an advisory last week on the problem, indicating it had issued a patch on September 30th.

California’s Privacy Act: What you need to know now

This week California’s attorney general, Xavier Becerra, published draft guidance for enforcing the state’s landmark privacy legislation.

The draft text of the regulations under the California Consumer Privacy Act (CCPA) will undergo a public consultation period, including a number of public hearings, with submissions open until December 6 this year.

The CCPA itself will take effect in the state on January 1, with a further six months’ grace period before enforcement of the law begins.

“The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law,” writes the State of California’s Department of Justice in a press release announcing the draft text. “The regulations would address some of the open issues raised by the CCPA and would be subject to enforcement by the Department of Justice with remedies provided under the law.”

Translation: Here’s the extra detail we think is needed to make the law work.

The CCPA was signed into law in June 2018 — enshrining protections for a sub-set of US citizens against their data being collected and sold without their knowledge.

The law requires businesses over a certain user and/or revenue threshold to disclose what personal data they collect, the purposes they intend to use the data for, and any third parties they will share it with, as well as requiring that they provide a discrimination-free opt-out from personal data being sold or shared.

Businesses must also comply with consumer requests for their data to be deleted.

Flaw in Cyberoam firewalls exposed corporate networks to hackers

Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.

The vulnerability allows an attacker to remotely gain “root” permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet. The attack takes advantage of the web-based operating system that sits on top of the Cyberoam firewall.

Once a vulnerable device is accessed, an attacker can jump onto a company’s network, according to the researcher who shared their findings exclusively with TechCrunch.

Cyberoam devices are typically used in large enterprises, sitting on the edge of a network and acting as a gateway to allow employees in while keeping hackers out. These devices filter out bad traffic, and prevent denial-of-service attacks and other network-based attacks. They also include virtual private networking (VPN), allowing remote employees to log on to their company’s network when they are not in the office.

It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password. Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.

Sophos, which bought Cyberoam in 2014, issued a short advisory this week, noting that the company rolled out fixes on September 30.

The researcher, who asked to remain anonymous, said an attacker would only need the IP address of a vulnerable device. Finding vulnerable devices was easy, they said, by using search engines like Shodan, which lists around 96,000 devices accessible to the internet. Other search engines put the figure far higher.

A Sophos spokesperson disputed the number of devices affected, but would not provide a clearer figure.

“Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched,” said the spokesperson. “There are a small number of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.”

Customers still affected can update their devices manually, the spokesperson said. Sophos said the fix will be included in the next update of its CyberoamOS operating system, but the spokesperson did not say when that software would be released.

The researcher said they expect to release the proof-of-concept code in the coming months.