Money Reimagined: Fixing the Internet’s Big Flaw

The Money Reimagined Podcast

After reading this newsletter, make sure you check out the latest edition of our podcast. 

This week, Sheila Warren and I talk to Hyperledger Executive Director Brian Behlendorf about self-sovereign identity, the topic of the column below. A developer whose three-decade career has seen him deeply involved in efforts to foster a more open internet, Brian grasps, like few others, the nuances of how human beings should live within a rapidly changing digital economy.

Getting internet identity right, 30 years on

We tend to think of governments, with the data they collect on births, drivers licenses, tax returns and passports, as humanity’s primary identity managers. 

Arguably, internet platforms have usurped that role. Some store more identifying records than China – Facebook has 2.7 billion active users; Google manages 1.5 billion email accounts. Just as important, they can tie those records to our online behavior and gather immense predictive power. Facebook’s algorithm even knows if you are going to break up with your partner – before you do.

This isn’t another Facebook-bashing column. It’s just that its all-knowing power highlights how the fundamental human question of identity has changed in the internet age. 

It also illustrates why we need a new “self-sovereign” model of identity to match our digital existence and why the latest moves toward that deserve widespread support.

Flawed from the start

An original sin was committed at the internet’s conception: its underlying, decentralized architecture was built without an identity layer.

The internet’s founders had good intentions. To ensure universal availability, the system controlled access by assigning addresses to computers but was agnostic about the identities of the people, companies and devices using them. As a famous New Yorker cartoon quipped in 1993, “On the internet, nobody knows you’re a dog.”

This became a problem

Security firm: WarezTheRemote flaw could turn a Comcast remote into a listening device

Could your cable TV device spy on you? Vulnerability found and patched in Comcast TV remote.

guardiacore.jpg

Security researchers at Guardicore reverse-engineered the firmware update process for a popular Comcast remote to turn the device into a spying tool.

Image: Guardicore

Security firm Guardicore reverse-engineered the firmware update process for Comcast’s XR11 remote to take control of the device. Researchers interrupted the process to turn the voice-control element of the remote into a listening device.

Once the malicious firmware update was in place, researchers used a 16dBi antenna and were able to listen to conversations inside a house from about 65 feet away.

The WarezTheRemote attack could have affected the 18 million remotes in use around the US. After Guardicore disclosed the vulnerability to Comcast, the company developed a fix that was deployed to all units by the end of September. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

The XR11 has a microphone button to allow users to operate the set-top box with voice commands. The remote communicates with the set-top box over a radio frequency (RF) as opposed to an infra-red connection. As the researchers wrote in the research paper on the vulnerability, “RF enables contact with the remote from afar, which makes for a larger attack surface than a remote control would otherwise have, and the recording capability makes it a high-value target.”

Guardicore described the vulnerability in a new paper published Wednesday, “WarezTheRemote: Turning remotes into listening devices.” Guardicore used a man-in-the-middle attack to exploit remote’s RF communication with the set-top box and over-the-air firmware upgrades. By pushing a malicious firmware image back through the remote, attackers could have used the remote to continuously record audio without requiring any user interaction.

Guardicore researchers put the security threat in context:

“… with so many

Grindr flaw allowed hijacking accounts with just an email address

A Grindr vulnerability allowed anyone who knows a user’s email address to easily reset their password and hijack their account. All a bad actor needed to do was type in a user’s email address in the password reset page and then pop open the dev tools to get the reset token. By adding that token to the end of the password reset URL, they won’t even need to access the victim’s inbox — that’s the exact link sent to the user’s email anyway. It loads the page where they can input a new password, giving them a way to ultimately take over the victim’s account.



BERLIN, GERMANY - APRIL 22: The logo of the dating app for gay and bisexual men Grindr is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany. (Photo by Thomas Trutschel/Photothek via Getty Images)


BERLIN, GERMANY – APRIL 22: The logo of the dating app for gay and bisexual men Grindr is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany. (Photo by Thomas Trutschel/Photothek via Getty Images)

A French security researcher named Wassime Bouimadaghene discovered the flaw and tried to report it to the dating service. When support closed his ticket and he didn’t hear back, he asked help from security expert Troy Hunt who worked with another security expert (Scott Helme) to set up a test account and confirm that the vulnerability does exist. Hunt, who called the issue “one of the most basic account takeover techniques” he’s ever seen, managed to get in touch with Grindr’s security team directly by posting a call for their contact details on Twitter.

Loading...

Load Error

While Grindr quickly fixed the issue after hearing from Hunt, the incident underscored the platform’s shortcomings when it comes to security. And that’s a huge problem when the dating app caters to individuals whose sexual orientations and identities could make them a target for harassment and violence. This isn’t the first security issue Grindr has had to deal with. Back