
Security Week 15: Spy Speakers and Hacking Hotel Keys

Okay, Google, testing, testing, do you read me, over? On April 12, the video blogger Mitchollow ran a live experiment on YouTube to answer a simple question: if you have some Google software installed on your computer (for example, the Chrome browser), does this mean that Google, like the Motherland, is always listening to you through the microphone? The author of the video first shows a sign with the name of a product (dog toys), which he then talks about out loud for a couple of minutes. After that, opening a couple of popular sites, he instantly stumbles upon pet store advertising in large quantities.

From this beautiful experiment you can draw a lot of far-reaching conclusions. For example, that in terms of the unbridled surveillance of users on the network we now live in a kind of Wild West, where we are profiled by every parameter - from what we say to our selfies and the patterns of the acceleration sensor built into the phone. Perhaps that is so, but on April 24 the same blogger posted not so much a refutation as an attempt to show that everything is not so simple. As usually happens on the Internet, the first, attention-grabbing video was watched more than two million times, while the second has gathered only 160 thousand views.



Indeed, the experiment was not the most scientific. First, the author of the video, on seeing the first relevant link, immediately clicked on it. After that, the rest of the dog toy advertising proves nothing: obviously, once you click, targeting will keep showing you similar advertisements to the bitter end. Second, the live broadcast itself may have been the mistake: if a person speaks into a microphone, consciously transmitting sound to Google's servers, it is clear that the other side will listen. You gave permission yourself!

Slightly more scientific research was conducted by Checkmarx (news; the full study is available after registering on their site). They found a vulnerability in the Alexa voice control system, which is used, in particular, in Amazon Echo wireless speakers. Echo allows you to install third-party applications - more precisely, in the new terminology of the wondrous microphone world, they are called skills. The researchers managed to write a moderately malicious application that exploits a typical scenario: the user addresses the speaker, the speaker recognizes the request (in a smart cloud with intelligent intelligence) and provides an answer. But a way was found to listen to the user just like that. Not for long, since the time to "listen to the request" is limited: the standard API implements the "I do not understand" script and asks the owner again what they meant.



This restriction was also circumvented, by replacing the follow-up question with silence. That is, it turns out something like this: the owner of the speaker asks it to turn on the toaster, the speaker stays silent, the owner spits and turns on the toaster by hand, and the speaker continues to listen. And with the help of standard voice recognition methods, it transmits a transcript of everything said to the attacker. The only thing the researchers could not do was turn off the speaker's light, which is activated only while it is listening: so the spying still gives itself away to some extent.

This is an error in the logic of the system, which the researchers were able to exploit. The hole, according to Amazon, has been closed, and the plan is to keep detecting and eradicating "empty" requests to the user, as well as identifying suspiciously long listening sessions. In other words, Alexa and Amazon Echo still have default mechanisms that sometimes allow the microphone to be turned off.
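The two checks Amazon mentions ("empty" requests to the user and overly long listening sessions) can be sketched as an audit over a skill's responses. This is an added example, not Amazon's or Checkmarx's code: the field names follow the Alexa skill response JSON, while the threshold, the finding labels and the sample sessions are constructed, and a missing shouldEndSession is assumed to end the session.

```python
import re

MAX_OPEN_TURNS = 3  # assumed threshold for a "suspiciously long" session


def spoken_text(speech):
    """Return the audible words of an outputSpeech object, '' if none."""
    if not speech:
        return ""
    raw = speech.get("text") or speech.get("ssml") or ""
    raw = re.sub(r"<[^>]+>", " ", raw)  # drop SSML markup, keep the words
    return " ".join(raw.split())


def audit_session(responses):
    """Return (turn_index, finding) pairs for one session's responses."""
    findings = []
    open_turns = 0  # consecutive turns that left the microphone open
    for i, envelope in enumerate(responses):
        resp = envelope.get("response", {})
        if resp.get("shouldEndSession", True):  # assumption: absent = ends
            open_turns = 0
            continue
        open_turns += 1
        reprompt = resp.get("reprompt")
        if reprompt is not None and not spoken_text(reprompt.get("outputSpeech")):
            findings.append((i, "silent-reprompt"))
        if not spoken_text(resp.get("outputSpeech")):
            findings.append((i, "silent-answer-mic-open"))
        if open_turns > MAX_OPEN_TURNS:
            findings.append((i, "long-listening-session"))
    return findings


def turn(answer, reprompt, end):
    """Build a constructed response envelope for the samples below."""
    resp = {"outputSpeech": {"type": "SSML", "ssml": answer},
            "shouldEndSession": end}
    if reprompt is not None:
        resp["reprompt"] = {"outputSpeech": {"type": "PlainText", "text": reprompt}}
    return {"version": "1.0", "response": resp}


# Constructed sample sessions (not captured traffic).
BENIGN = [turn("<speak>Which city?</speak>", "Please name a city.", False),
          turn("<speak>It is sunny in Paris.</speak>", None, True)]
SUSPECT = [turn("<speak> </speak>", " ", False) for _ in range(4)]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_session(session))
```

The speaker's light stays on for every turn that keeps the session open, so a finding here corresponds to the visible giveaway the researchers could not remove.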

In this story, as in the unscientific YouTube experiment, you can see a threat that differs from the expected "bad" scenario, in which a big vendor eavesdrops and spies on you. Most people should assume that a big vendor does not care about them personally. Each of us is just one of billions of user IDs, a couple of megabytes on a server rack. Here the potential problem is different: the infrastructure of a large vendor may be vulnerable to the actions of third parties who use standard tools to divert the flow of private information to themselves. In the huge infrastructure of Google or Amazon, even catching such activity will not be easy. And ahead of us lies the proliferation of machine-learning systems, where it is generally unclear how they work - will there be safety at the level of the three laws of robotics, or what? As I say, a brave new world.

F-Secure experts have learned how to clone hotel electronic keys
News

It all started when researchers from the company F-Secure had a laptop stolen from a hotel room. There were no signs of forced entry on the door, so the hotel, after an investigation, refused to compensate for anything - what if they had lost it themselves? The researchers took offense and, having spent a couple of years (or a dozen years) studying typical hotel keys, found a way to get into any hotel room without leaving a trace.

From a technical point of view, the F-Secure report on the work done is extremely unspecific. It names the developer of the lock management software, Vision VingCard, and the manufacturer of the locks themselves, Assa Abloy. The problem was allegedly discovered (and closed) at the software level, and the locks did not have to be changed, but the amount of fog in the original blog post hints at the possibility of alternative scenarios. If so, then it is understandable why the technical details of the study are disclosed a little less than not at all.


A generally uninformative video, in which a Russian hotel suddenly turns up.

Nevertheless, the attack scenario is quite simple (provided that you have a properly tweaked RFID reader and know how everything works). You need any key card from the particular hotel; even an expired one, even one lost five years ago, will do. Information is read from the card, magic happens, and a master code is written back onto the card, which can open almost any door in the same hotel. A useful story to remind us of a simple truth: do not leave valuable things in a hotel room. Even if it is a pompous five-star one.

One line
Microsoft has released a new patch to combat the Spectre type II vulnerability. Let me remind you, the old one caused systems to crash, and the new one, it seems, is offered for manual installation only.

An update of the Firefox browser introduced the same-site attribute, aimed at combating CSRF attacks.

A zero-day vulnerability was discovered and closed in MikroTik routers.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/354842/

