Friday Five: 6/22 Edition
Stealing data from laptop batteries, Android's new anti-spoofing feature, and how something like GDPR could hit the U.S. soon -- catch up on the week's new with this roundup!
1. Exfiltrating data from the browser using battery discharge information by Lukasz Olejnik
File this under far-fetched but feasible: Researchers found a way to leak data from a battery if it's been "poisoned." The attack, broken down by Princeton’s Center for Information Technology Policy blog Freedom to Tinker on Wednesday, relies on tricking an API used by major web browsers called the W3C Battery Status API. Academics from Technicon, Hebrew University, and UT Austin recently published the paper the research is on, “Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices (.PDF)" Assuming an attacker could swap in a malicious battery or poison hardware at a factory, perhaps in a supply chain attack, they could determine information about that user, including what kind of sites they visited, characters typed, when a camera shot was made, and when an incoming call was made. It's hard to imagine actually seeing this pulled off in real life but the fact that it's possible in the first place is fascinating enough for me to include it here.
2. Cybersecurity: Why this Spanish region has just created a new research center by Anna Solana
Spain is bulking up its cyber research capabilities and one new center has an excellent name: Cybercat. The center, which recently opened in the Catalonia region, was partially spurred after attacks against the area government increased by 200 percent last year. According to ZDNet's Anna Solana going forward the center will consult with organizations on how to comply with the EU's General Data Protection Regulation (GDPR) and solve issues revolving around IoT and engaging smart cities. The group is comprised of seven research groups from the region, located in northeastern Spain, 100 researchers, with over €6M ($6.9M) revenue.
3. Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure by Mohit Kumar
Google unveiled a new model – part of its Android mobile operating system – this week designed to enhance biometric security and keep users' data safer. The new model doesn't have a nifty name but it will tamp down its biometric authenticatiion mechanism. Currently the system uses two metrics to verify biometrics. While those techniques are well and good - Google isn't doing away with them - it is deploying two new metrics that "account for an attacker in the threat model," according to Mohit Kumar over at The Hacker News. Kumar cites an even more in depth blog on the subject via Vishwath Mohan, a security engineer with Android, for those seeking more information on Google’s recent fortifications.
4. GDPR-Style Privacy Regulations May Be On the Way in U.S. by Dennis Fisher
It may not be long until we here in the U.S. see a law similar to GDPR, the all-encompassing regulation that went into effect last month, enacted. According to Decipher's Dennis Fisher, Sen. Richard Blumenthal (D-Conn.) will soon introduce a bill similar to GDPR that includes a data breach notification framework. Fisher has some fine quotes in the story by way of Ashkan Soltani that are worth a read if you haven’t yet. Soltani, for the unengaged, has previously served as the Chief Technologist of the Federal Trade Comission. He's worked as an independent researcher and technologist since for the last several years. The U.S. Senate Committee on Commerce, Science, and Transportation archived the hearing on their site for those looking to dive deeper. Soltani also made a point to share his testimony on a publicly accessible Dropbox link earlier this week.
5. Bithumb $31 Million Crypto Exchange Hack: What We Know (And Don't) by Wolfie Zhao
The number is almost incomprehensible: $31 million. But that's apparently how much attackers were able to pry from Bithumb, a South Korean cryptocurrency exchange on Wednesday when it was hacked for the second time in the last year. It's unclear exactly what led to the breach or exactly how many additional assets may have been taken. What we do know is that attackers targeted XRP, a decentralized native digital asset that is thought of as much faster than Bitcoin. According to Coindesk - which cited a report from Yonhap, a South Korean news agency – on Wednesday about eight percent of the exchange's annual spending budget was used for data protection activities.