Is your phone listening in? D-Link routers have severe vulnerabilities, and governments are gathering a lot of data on us from big tech companies.
Welcome to Cyber Security Today. I’m your host, Jim Love
D-Link has alerted users about several critical remote code execution (RCE) vulnerabilities in its discontinued DIR-846 router series, which have a CVSS score of 9.8, indicating high severity.
These vulnerabilities, identified as CVE-2024-44341 and CVE-2024-44342, involve OS command injection issues that could allow a remote attacker to execute arbitrary code on the affected devices.
Two additional vulnerabilities, CVE-2024-41622 and CVE-2024-44340, also present high security risks, with CVSS scores of 8.8. These flaws enable attackers to manipulate parameters within the routers, leading to unauthorized command execution.
Security researcher Yali-1002 discovered these vulnerabilities. The issues affect parameters like lan(0)_dhcps_staticlist, wl(0).(0)_ssid, and tomography_ping_address, which can be exploited via crafted POST requests or by an authenticated attacker.
Given that the DIR-846 routers are end-of-life (EOL) and no longer receive support, D-Link recommends users retire and replace these devices to prevent potential security breaches.
This situation underscores the importance of regular hardware updates and the risks associated with using outdated network equipment.
But the warning comes as part of a broader context where routers are increasingly targeted by cybercriminals and botnet operators.
Earlier in the year, another critical vulnerability (CVE-2024-0769) was discovered in the D-Link DIR-859 routers, which also reached EOL and were not updated to fix the flaw.
Reports we read indicate that most of these devices were sold overseas. But given the severity, it may be wise to check whether you have any in use anywhere in your organization. It's also a wider alert that routers are increasingly targeted: regular patching is a must, and so is the removal of any out-of-support devices.
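The D-Link flaws above are OS command injection through request parameters such as tomography_ping_address. The following is an added illustration, not D-Link's firmware code and not taken from the advisory: a hypothetical "ping target" handler written the unsafe way (parameter concatenated into a shell command line) next to a hardened version (allow-list validation plus an argv list that never passes through a shell). Function names and the sample inputs are constructed for the example; nothing here executes a command, both functions only return the command that would run.

```python
"""Added example: OS command injection via a router 'ping target' parameter.

Illustrative, hypothetical handler (not D-Link's code). Both functions return
the command that *would* be run, so the difference is visible and testable.
"""
import ipaddress
import re
from typing import List, Optional

# One DNS label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: the parameter must be an IP address or a DNS hostname.

    Anything else (shell metacharacters, $(...) substitutions, values starting
    with '-' that ping would read as an option) is rejected.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def unsafe_ping_command(target: str) -> str:
    """Unsafe pattern: untrusted parameter concatenated into a shell string.

    If this string were handed to os.system() / popen() / `sh -c`, shell
    metacharacters inside `target` would become part of the command line.
    """
    return "ping -c 1 " + target


def safe_ping_command(target: str) -> Optional[List[str]]:
    """Hardened pattern: validate, then build an argv list for subprocess.run().

    No shell is involved, so metacharacters are never interpreted, and the
    allow-list already excludes leading '-' so no ping options can be smuggled.
    Returns None when the value is rejected (the handler should answer 400).
    """
    if not is_valid_ping_target(target):
        return None
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one carrying a second command.
    for sample in ("192.0.2.10", "192.0.2.10; id"):
        print("unsafe:", unsafe_ping_command(sample))
        print("safe:  ", safe_ping_command(sample))
```

The point for defenders is that the fix is not escaping the string but refusing to build a shell string at all: validate against what the parameter is supposed to be, and pass it as a single argv element.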
Sources include: Security Affairs
We’ve done a number of stories between this and our sister podcast Cyber Security Today that focus on the amount of data that companies are collecting on us from our internet and social media usage. We assume that most of that data goes to companies that want to use it to sell us products and services. A lot is gathered by data brokers.
But it turns out that governments are also gathering data on us from these same companies. According to a recent study from Surfshark, a cybersecurity company, there is an increasing number of requests for user data from major tech companies.
That study shows the scale and scope of these requests over the past decade. From 2013 to 2022, government agencies worldwide requested data from nearly 9 million user accounts across Apple, Google, Meta (formerly Facebook), and Microsoft.
The United States leads the pack in data requests, with a staggering 3.3 million accounts requested over the decade. To make comparison easier, the report expresses the number in terms of requests per 100,000 people in each country's population.
And when we put it that way, the US government requests information on 989 accounts per 100,000 people. Or if you prefer, 1 in a hundred US residents.
That’s 9 times the global average.
Following the U.S. are Germany and the United Kingdom, with 850 and 453 accounts requested per 100,000 people, respectively.
The good news for Canadians is that we are number 27 on the list – with a mere 145 requests per 100,000 people, or about 6 times less likely to have information requested.
Still, the trend is clearly on the rise. In 2022 alone, the report notes a 38% increase in requests compared to the previous year. In fact, the number of accounts requested has increased to more than 8 times the number of requests in 2013.
Now, how are tech companies responding to these requests? On average, they’re complying with 72% of them.
Remember the idea that Apple guards your information? Not according to this report. In fact, Apple leads the pack with an 83% compliance rate in 2022, but the others aren't far behind. Google complies with 72.9% of requests, Meta about the same at 72.8%, and Microsoft is the lowest, complying with 67% of requests.
As our lives become increasingly digital, governments are clearly seeing our online data as a valuable source of information for investigations. As we’ve said before, why bother spying on your population when you can just buy the data from data brokers – or in this case, just demand it from tech companies.
And given how easy it is to get that data, it's a worthwhile question to ask – what are they doing with it, and how are they ensuring it's used only for the purposes they requested it for – you know, the same transparency that we demand – or should demand – of the companies who gather our data.
The report and many useful graphs can be downloaded from the link on the show notes at technewsday.com or .ca
Source: Surfshark Study
Many of you might have heard someone you know complain that they had just been talking about some product on their phone and then saw an ad for it a few moments later. Many of you may have taken the time to explain how cookies work in browsers and reassure them that Facebook and others had no way to listen in on their calls and leverage that for advertising purposes.
And you may have been wrong.
A news report from 404 Media says that documents leaked to it reveal that one of Facebook's advertising partners, Cox Media Group (CMG), has reportedly used what they term "Active Listening" software that leverages smartphone microphones to capture real-time audio data from people's conversations. This data is then used to deliver more targeted advertisements on Facebook and other platforms.
The leaked documents reportedly reveal that CMG has pitched this "Active Listening" technology to its clients, which their pitch deck says include tech giants like Amazon, Facebook, and Google. The ability to eavesdrop on people's private conversations and use that information for advertising purposes raises major privacy concerns.
Following the report, Google has removed CMG from its Partner Program, and Meta (Facebook’s parent company) is now reviewing the partnership to determine if any terms of service have been violated. This admission has understandably outraged many people and reignited the long-standing debate about the extent to which tech companies are willing to invade user privacy in the name of targeted advertising.
For those wondering if this is really possible, apparently it is technically possible on older Android phones, although a post on Apple Insider noted that it would not be possible on iPhones because Apple's OS requires explicit user permission to use the microphone. While that may be true, it was recently reported that Office365 programs used on a Mac were reportedly able to bypass some of these safeguards.
Given the material supplied by the company it would seem likely that they were able to make this work on enough devices to develop a working product.
One blogger from TweakTown raised another question: "is this even legal?" Presumably, the question is, "was this done without the user's knowledge?" The same post states that the blogger had read a now-deleted blog post from Cox Media which stated that, somewhere in the fine print of their multi-page use agreement, Active Listening was included.
Whether that constitutes “permission” will ultimately be the source of continuing debate.
Sources Include: TweakTown
That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick.
Cyber Security Today will have its week in review show available early Saturday morning and we’ll return to the Monday, Wednesday, Friday routine next week.
I’m your host Jim Love, thanks for listening.