DAVEY WINDER
Davey has a light bulb moment, before explaining why the demise of Adobe Flash could bring new dangers to people who still use it.
Anyone who has followed my written ramblings over the decades will know that I’m a cybersecurity nerd. My idea of a relaxing evening read is a research paper covering an ingenious method of either implementing or breaking something security or privacy-related. So it was that I found myself mesmerised by the idea of using a light bulb to eavesdrop on private conversations with little chance of getting caught. As you do. What grabbed my attention most about this paper from a bunch of rather clever researchers based at the Ben-Gurion University of the Negev (BGU) and the Weizmann Institute of Science in Israel was that this privacy hacking didn’t involve a smart bulb.
Well, it could do, but old-fashioned light bulbs work just as well. We’ve become so used to reading of exploits that need a vulnerability in a smart device or the network it’s connected to, or for the bad guys to have compromised one or the other with malware, that it’s easy to forget that “dumb” stuff can still pose a threat.
The researchers achieved the eavesdropping exploit using hardware costing around £800. This covers a telescope and electro-optical sensor, meaning you can spy on speech and music audio from up to 24m away. The researchers reckon that if you spend more on a larger telescope and a 24/32-bit analogue-to-digital converter, the effective range ramps up. This kit allows the fluctuations of air pressure on the surface of a hanging light bulb – fluctuations caused by conversation, for example, which make that surface vibrate – to be measured. The Lamphone algorithm (nassiben.com/lamphone) developed by the team then recovers the audio from those optical measurements.
Many people have told me that this is nothing new, that the military and secret squirrel types have been using lasers to do the same thing with vibrations off windows for decades. Many people are often wrong, and they are in this case. Not about the use of laser microphones to detect sound vibrations on a distant object such as a windowpane, but rather that this is totally analogous to the light bulb eavesdropping methodology. It isn’t.
I’m not disputing that lasers have been used to eavesdrop on people. What I’m disputing is that this methodology brings nothing new to the spying table. It does and that’s summed up in two words: totally passive. Ben Nassi, a PhD student at BGU and one of the authors of the Lamphone: Real-Time Passive Sound Recovery from Light Bulb Vibrations research paper (pcpro.link/312lamp), says that a laser beam “can be detected using a dedicated optical sensor that analyses the directed laser beams reflected off the objects”. So, the laser method can be detected using an optical sensor, but the light bulb technique cannot. It doesn’t use lasers at all, instead employing an electro-optical sensor attached to a telescope. It’s this that observes the vibrations within the glass surface of the light bulb itself, and the fact that it’s a passive method makes it much harder to detect. Although not any harder to prevent, I should point out.
For an attacker to effectively pull off this light bulb exploit, a few conditions need to be met. The most important: a clear line of sight between the spy telescope and the bulb itself. I’m tempted to say that lowering the blinds would be “curtains” for the spies… and have now done so. Even a lampshade would be enough if it prevented a view of the bulb. A standing lamp should also prevent success as the “hanging” part is what allows for the right level of vibration, as I understand it. Even the thickness of the bulb glass could impede measurement, as could the distance from it that the conversation was taking place and the loudness of that chat. Nonetheless, it’s a fine piece of research and one that shines light onto how hi-tech, privacy-busting exploits don’t have to be based around smart speakers or malware.
This kind of exploit is known as a “side-channel attack”, and I expect we’ll be hearing about more and more of them as conventional cybersecurity protections continue to evolve. Wikipedia defines a side-channel attack as being any attack “based on the implementation of a computer system rather than weaknesses in the implemented algorithm itself”, which is almost perfect. Almost, but not quite, as I’d be inclined to replace “weakness” with “vulnerability” and “algorithm” with “hardware and software”. The Lamphone exploit is a great example. Say we’re talking about a smart light bulb here and not an old-fashioned one. A traditional attack vector would be a vulnerability within the firmware of the device, and when talking Internet of Things (IoT) devices that usually means firmware that isn’t user-updatable, or within the network it’s connected to. As far as the latter is concerned, that could mean a firmware vulnerability in the router or even malware that has infected the network somewhere along the line.
The side-channel exploit doesn’t need any of these things: it just needs the smart device to be installed so an attacker can measure the vibrations I mentioned before. It could just as easily be electromagnetic leakage, power consumption fluctuation or timing information. Well, perhaps not quite “easily” because most side-channel attacks make for great lab-based research papers but don’t translate into real-world threats. Using motion sensors in a smartwatch to monitor your typing on a keyboard sounds great, but when I investigated this a few years ago it required not just a specific smartwatch (that the attacker was also wearing), but one that was worn on the left wrist. I could go on about how it also needed the victim to be typing painfully slowly, hunt and peck style, and in English for good measure. Oh, and it still required malware to be installed, so I’m calling this one out as not being in the true spirit of a side-channel attack anyway.
Lamphone is much more real-world in its adoption of exploiting the physics of computing rather than just algorithms. There’s no escaping the physical outputs of computing and computation, although as with pulling the curtains for Lamphone there are ways to evade them being exploited. Which isn’t to say they aren’t problematic: ask Intel about Spectre and Meltdown and I’m quite sure it will tell you it’s fairly miffed about those side-channel inclusive microchip architecture exploits.
Goodbye and good riddance to Adobe Flash
I have been writing about, predicting and encouraging the death of Adobe Flash and Flash Player for more than a decade. And deservedly so: Adobe Flash is nothing less than a security nightmare. Even now, when you’d hope that most people would get that simple fact, each month brings new critical flaws and vulnerabilities that can enable the arbitrary execution of code. Sure, I know, the same could be said about Windows, but there’s a big difference between the two. Namely, and I agree that Linux and macOS fans will likely disagree, that Windows is essential for hundreds of millions of people but Flash most certainly isn’t.
This hasn’t stopped thousands of folks from still using Flash, despite it being both outdated and a known risk. Indeed, I’d say the only reason that Adobe hasn’t kicked Flash into the dumpster yet is the sheer number of websites that still insist on pushing content using it. According to some analytics, at least a quarter of a million of the busiest sites still use Flash. And that’s just the cream off the top of the web bottle: the true number is likely a multiple of ten greater.
The bad news for them, and the good news for everyone else, is that’s about to change. Adobe Flash will reach end of life (EOL) status on 31 December 2020. “Adobe will continue issuing regular Flash Player security patches, maintain OS and browser compatibility and add features and capabilities as determined by Adobe through the end of 2020,” stated Adobe (pcpro.link/312flash), adding that it will stop distributing and updating Flash Player after then.
That means no more security updates as of 2021, and no more browser compatibility updates either. Importantly, all Flash-based content will be “blocked from running in Adobe Flash Player after the EOL date”. Apple has said that the Safari 14 web browser won’t support Flash Player content and Google Chrome will follow, as will the other major browser clients.
None of this should come as any great surprise, not least because Adobe itself announced the EOL date back in 2017. What I’m about to suggest, however, may well do. While I’m mighty chuffed at being able to say good riddance to Flash at last, I doubt that will be the end of Flash-related security problems.
Wait, don’t send help for me just yet – there’s reason to this apparent madness. With no official support, and no more official downloads from Adobe, the curse of phishing scams and malware-ridden third-party downloads looms. Malicious support sites with malicious Flash “updates” will definitely be a thing in 2021.
If you’re one of those people or businesses that rely on creaky old software that requires Flash, you should start making alternate plans and quickly. There isn’t much time left and, frankly, three years down the line from Adobe’s original EOL announcement you only have yourselves to blame.
How incognito is Chrome’s Incognito mode?
An interesting lawsuit popped up across the pond recently, concerning the Incognito privacy browsing mode of Google Chrome. Now, you need not concern yourself too much with the chances of this proposed class-action filing that could be worth at least $5,000 (£4,000) per claimant as it’s a US thing. As I understand it, the class action wouldn’t be open to thee or me.
That’s not the point of me writing about this, though. The point is that the claim states it’s due to Google’s unlawful and intentional interception and collection of confidential communications without the consent of the individuals concerned, including when users follow Google’s recommendations to prevent the tracking or collection of their personal information and communications.
Which is pretty serious stuff from the privacy perspective, don’t you think? Or at least it would be were it not for the fact that Google does display a message that states quite clearly that websites visited might be able to collect information about browsing activity during that session. Not to mention employer, school, and internet service provider. What Chrome’s Incognito mode promises is that other people using the same device won’t see your activity (other than downloads and bookmarks that are saved) while browsing history, cookies, site data and form inputs won’t be saved.
Click on the “learn more” link in the Incognito message that appears whenever you start a session and you are clearly told that it doesn’t block third parties from using cookies. It also says that Incognito mode won’t stop sites serving you ads based on activity during a session.
A Google spokesperson told me that the company would defend itself vigorously against any lawsuit. I suspect it will win as well, despite the claimant arguing that there’s “surreptitious tracking” by way of Google Analytics and the Google Ad Manager. For most people, most of the time, Incognito mode in Google Chrome offers enough safeguards to meet their expectations of privacy. As always, you need to read the small print before being able to make that call. If it’s not private enough then consider browsing via a VPN to add another layer of obfuscation or use a Tor browser.