New Episode Alert EP131

The largest Chinese hacking campaign ever discovered?

July 27, 2020

In episode 131 for July 27th 2020: The FBI charges two Chinese hackers for one of the largest Chinese directed hacking campaigns ever discovered, how the BadPower fast charger attack could melt or set your devices on fire, and details on a massive leak of Instacart customer information.

A few days ago I was made aware of a video someone had posted on Instagram showing a car being stolen through a key fob relay attack. A relay attack is where a thief can take the signal from your key fob and boost it to break into your car or steal it. This attack is happening more and more so the easiest way to protect your car from this attack is by putting your key fob in a Silent Pocket Key Fob Guard which is a faraday bag that can block all wireless signal. Pick one up on for yourself today at

silentpocket.com

. And because you listen to the Shared Security Show, take 15% off during checkout by using discount code "sharedsecurity".

DOJ says Chinese hackers targeted coronavirus vaccine research

Last Tuesday the

FBI charged two Chinese nationals with hacking hundreds of US and foreign companies, human rights activists, and even attempting to hack three US based firms that have been researching the coronavirus

. Reports state that the two men stole "hundreds of millions of dollars" worth of trade secrets, intellectual property, and other high value business information. This was all detailed in a newly released inditement from a court in the Eastern District of Washington. Victims include, tech firms, manufacturing and pharmaceutical businesses, and even firms that make educational software and medical equipment. According to the inditement, in one instance one of the hackers even attempted to extort a victim into paying a ransom by threatening to publish their intellectual property. The FBI had stated that the hackers “worked with, were assisted by, and operated with the acquiescence of ”an officer in China’s Ministry of State Security. And in related news, the Trump administration ordered the Chinese consulate in Houston Texas to quote "cease all operations and events". Ironically, hours before the news of the consulate's closure was announced, neighbors noticed several small fires burning in the consulate's courtyard. And when Houston fire crews showed up, they were denied entry by the building's occupants due to the international agreements in place at the consulate. I don't think these guys were roasting marshmallows here, sounds to me like they were trying to burn some classified documents and other evidence. What's interesting is that this may be the most detailed inditement about Chinese hacking to date. And we really shouldn't be surprised by this. China has been hacking, well everyone, for years for intellectual property and other information to give them the advantage in this highly competitive worldwide market. It's just that now, they've been caught so let's now see what the US and other foreign governments will do about it.

BadPower attack corrupts fast chargers to melt or set your device on fire

And in other China news not related to Chinese hacking,

a group of Chinese researchers said that they can alter the firmware of fast chargers to cause enough damage to melt components or even catch them on fire

. The new technique called, BadPower, was detailed in a report last week from Chinese tech giant Tencent. Fast chargers, well charge your devices much faster than traditional power adapters by detecting the type of voltage required through the firmware which will determine the charging speed based on the capabilities discovered by the firmware. The BadPower attack works by altering the charging parameters supported to deliver more voltage than required, causing the device to heat up, melt, or catch on fire. Now what's concerning is that the attack is silent and pretty stealthy as the attacker only needs to connect their computer to the charger and upload the malicious firmware. There are even some models of these fast chargers that can load malicious code via a smartphone. Apparently, out of the 35 fast charging models that were tested, 18 models from 8 different vendors were vulnerable. And if this news wasn't bad enough, many of these devices cannot be updated so your only solution is to buy a new fast charger when and if this issue is fixed.

So does this mean we should all be more cautious when using a fast charger? Not really, unless you think your threat model may make you a target, or if you notice your device getting hotter than normal after you've used one of these fast chargers. Which should indicate that your fast charger may be defective anyway.

Instacart user data is reportedly being sold online, but the company denies there was a breach

BuzzFeed News reported late last week that the personal information of hundreds of thousands of Instacart customers are being sold on the dark web

. Supposed data includes names, email addresses, last four digits of credit card numbers, and order histories. As of last week, two dark web markets were offering around 278,000 Instacart accounts that appears to have been uploaded in late June and July and is being sold for $2 per record. BuzzFeed News also reports that Instacart has denied that there has been a data breach and rather they said "Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password." Something sounds fishy here as a few independent security researchers worked with Buzzfeed to confirm that at least some of the data is legit as there have already been several Instacart users that confirmed that their order history and personal information matched to what was being sold on the dark web. One user even contacted Instacart about the breach and was told that she probably was a victim of a password reuse attack, even after telling Instacart customer support that she did not reuse any passwords.

My take is that this is very concerning and I would hope that Instacart starts a serious investigation on their own to determine if they've been breached or not. This is the worst case scenario for most companies, and that's not knowing that you've got a massive leak of customer data on your hands and that you don't know where its coming from. Perhaps the better approach from a public relations perspective would be to state that "we're investigating reports of a data leak" instead of outright denying altogether.

Watch this episode on our YouTube Channel!

JulyMonthly ShowEpisode 102In episode 102 of our July monthly show Scott and Tom walk-through the recommended privacy settings for Amazon Echo and Google Home smart speakers. If you own one or several of these devices, this is one episode you don't want to miss!

Watch this episode on our YouTube Channel!

Please support our sponsors!

Take advantage of this exclusive offer and help support this podcast!

Visit

silent-pocket.com

to shop Silent Pocket's great line of privacy focused products.