Top Security & Crypto Fails of 2017

Cossack Labs
Dec 31, 2017

A Very Subjective List of the notable security and, specifically, cryptographic fails of the year

While half of the world is still busy getting over the seasonal festivities and the other half is only getting ready to celebrate, we decided to share the list of our favourite (and extremely subjective) security/crypto fails of the year that’s ending.

For starters, Burger King “hacking” Google

In April, Burger King sneaked out a TV ad that triggered Google Home assistants with the voice command “OK, Google, what is the Whopper burger”, sending the users’ devices to a Wikipedia page pre-edited by no one else than Burger King, which for a short while contained an ad for the Whopper rather than factual information.

Google dealt with the issue by swiftly disabling the culprit phrase, but this incident is a worrisome spoiler of what may await us in the future as the not-so-smart-after-all devices spread. By the way, instead of getting a lawsuit, the ad proceeded to receive a Cannes Lions award.

Apple fails — root access, password stealing, Face ID fails

This was either a hard or a fruitful (pun intended) year for Apple, as there is not one but three reasons why we feature the company in our fail-parade.

First, it turned out that Face ID is too loyal to close siblings (or sometimes just to people of the same race), enabling non-authorised people to unlock the devices. Secondly, it also turned out that one can access a user’s Apple ID details simply by asking politely.

To crown it all, the new version of OS X, “High Sierra”, let users access root without entering a password. The funniest part? The update re-introduced an old, known bug, negating the previous fix, rather than adding a new, unknown vulnerability.

WannaCry/WannaCrypt

The infamous WannaCry ransomware attack hit in May, exploited the EternalBlue vulnerability, and was stopped short in its tracks by an accidentally activated online kill-switch. It used a bit of social engineering, spreading through emails and targeting older versions of the Windows operating system (namely Windows 7).

This is a kind of double-sided fail: the attack could have had worse and more widespread consequences, but its “untimely” deactivation largely mitigated the potential damage. At the same time, it affected enough user machines and encrypted enough sensitive user data for us to count this fail on the users’ side of the field (although our Tech Writer smirks that going from “WannaCrypt” to “WannaCry” in the title due to a mistake is a kind of fail in itself).

Petya/NotPetya

The first wave of attacks by the Petya ransomware (which got its name from an old James Bond film) in 2016 was put out pretty easily, but in 2017 Petya (or rather its new and “improved” variant, dubbed NotPetya) made a return, spreading through Eastern Europe like wildfire.

According to F-Secure, the initial attack was carried out through a backdoor in the update mechanism of M.E.Doc, a Ukrainian documentation/tax preparation software widely used by various businesses.

Mayhem in the Kyiv Metro, paralysed postal and delivery services, frozen information screens at an international airport? Check! Our Ukraine-based R&D office in Kyiv had the dubious pleasure of witnessing the crypto-induced local Apocalypse first-hand.

ESET representatives later called the incident a well-planned operation, since the backdoor had been lying dormant in the infected systems for at least 6 weeks prior to the attack. As it turned out, the new, rewritten Petya was a wiper, not actual ransomware. After the initial strike through M.E.Doc, the malware kept spreading thanks to good old user carelessness.

CCleaner comes clean

The next data security fail that caught our attention was caused by CCleaner. This popular system cleanup tool used to be a trusted and commonly used application. That is, until Cisco Talos discovered that its new version, v5.33, included an unwanted malware surprise.

The threat, which collected users’ system information, was neutralised by the update to the newer version 5.34, and no actual harm was done, but the consequences could have been catastrophic.

HPs with keyloggers

For a long time it seemed like Hewlett-Packard took the security and encryption of their laptops very seriously. That is, until November 2017, when a keylogger was discovered in the keyboard/touchpad drivers of roughly 460 models of HP laptops.

Although the spyware was not enabled by default, HP proceeded to release a security patch for all the affected devices and marked the update as information that “should be acted upon as soon as possible”.

This is a very puzzling situation, as it is the second keylogger found in HP hardware drivers this year alone (the first one was hiding in a Conexant audio driver). Is it time to get cautious around HPs?

ROBOT attack (Because who learns from their mistakes?)

Paranoically safeguarding against a 19-year-old vulnerability that allows RSA decryption and signing operations with the private key of a TLS server could have looked like a vaccination against the Black Plague in modern times. That is, until the ROBOT attack caught up with Facebook, PayPal, and numerous other top-100 domains.

The bug has been known since 1998, and instead of fixing the problem once and for all with the countermeasure recommended by Bleichenbacher, various workarounds were used, until gradually they became so cumbersome that they simply got overlooked and ignored by many developers, including those working for big-name companies. Chances are, you’re vulnerable, too. So, pox and Black Death vaccinations, anyone? ;)
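What “fixing it once and for all” looks like in code, as an added example that is not from the original post or from Cossack Labs: the server-side PKCS#1 v1.5 handling of a TLS RSA key exchange, with the 1998-style leaky version next to the countermeasure Bleichenbacher proposed and that TLS 1.2 (RFC 5246, section 7.4.7.1) requires. The RSA operation itself is left out; only the padding handling, which is where the oracle lives, is shown. `build_pkcs1_v15_block` and the `fallback` parameter are constructed for the example so it can be tested deterministically.

```python
import secrets
from typing import Optional

PREMASTER_LEN = 48  # TLS premaster secret: 2-byte client version + 46 random bytes


def build_pkcs1_v15_block(message: bytes, k: int) -> bytes:
    """Constructed helper: EM = 0x00 || 0x02 || PS || 0x00 || M, PS all non-zero.

    k is the RSA modulus length in bytes. This is the block the client would
    RSA-encrypt; the RSA step itself is not part of this example.
    """
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_leaky(em: bytes) -> bytes:
    """The 1998-style server: every check fails differently and exits early.

    Anyone who can tell these outcomes apart (alert type, timing, connection
    behaviour) has exactly the padding oracle Bleichenbacher's attack needs.
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid PKCS#1 v1.5 header")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("separator byte not found")
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return em[sep + 1:]


def recover_premaster_secret(em: bytes, client_version: bytes,
                             fallback: Optional[bytes] = None) -> bytes:
    """Bleichenbacher's countermeasure as specified for TLS 1.2.

    A random premaster secret is drawn *before* the message is inspected, all
    padding and version checks are folded into one flag without early exits,
    and on any failure the random secret is used so the handshake simply fails
    later at Finished. The server therefore never distinguishes valid from
    invalid padding. Python cannot guarantee constant time; the structure is
    the point.
    """
    if fallback is None:
        fallback = secrets.token_bytes(PREMASTER_LEN)
    # The length is public (it is the modulus size), so this early return leaks nothing.
    if len(em) < 3 + 8 + PREMASTER_LEN:
        return fallback
    sep = len(em) - PREMASTER_LEN - 1  # where 0x00 must sit for a 48-byte secret
    bad = 0
    bad |= int(em[0] != 0x00)
    bad |= int(em[1] != 0x02)
    for i in range(2, sep):             # whole padding string scanned, no break
        bad |= int(em[i] == 0x00)
    bad |= int(em[sep] != 0x00)
    candidate = em[sep + 1:]
    bad |= int(candidate[0] != client_version[0])
    bad |= int(candidate[1] != client_version[1])
    # Select with a mask instead of branching on the secret-dependent flag.
    mask = (-bad) & 0xFF                # 0x00 if everything was fine, 0xFF if not
    keep = (~mask) & 0xFF
    return bytes((c & keep) | (f & mask) for c, f in zip(candidate, fallback))
```

With the countermeasure, a malformed block and a well-formed one with the wrong version byte both produce a 48-byte secret and no error, which is what removes the oracle; the workarounds the post mentions typically tried to hide the distinction at the alert or timing level instead, and that is far easier to get wrong.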

Yahoo…

This entry is an ugly (but predictable) consequence of an old 2013 breach, which became a leak in 2017 when Yahoo hesitantly confirmed that the personal data of every single Yahoo client (3 billion users!) had been compromised.

This means that basically everyone in the world was somehow affected by this security fail, since not only email accounts but also accounts connected through Yahoo to other social networking sites (e.g. Flickr or Tumblr) had their data leaked in 2013. Although Yahoo sent out leak-related security emails asking users to change passwords and take other safety measures, the damage is done: everyone is affected.

Equifax

Although not a match for Yahoo and its billions of compromised users, the consumer credit score company Equifax leaked around 143 million account details in 2017. This is not just an old obscene Tumblr profile made public: the data stored by Equifax consists of credit card details, social security numbers, driver licences, and similar highly sensitive personal information.

This happened due to a website vulnerability exploited by hackers. The problem? The website vulnerability was known but remained unpatched for months, which led to the massive data leak. The majority of the affected users were from the U.S.A.; in fact, almost half of the country’s population was somehow affected, causing the Equifax CEO to step down. An investigation has also been opened, and the outcome is not looking good for Equifax.

KRACK

This feat is hard to accomplish in the modern world, but maybe, just maybe, you weren’t affected by any of the aforementioned crypto fails: no Yahoo account, no data on you at Equifax, nothing… But you’ve most definitely used Wi-Fi at some point in your life. Well, bang-bang: with the KRACK vulnerability unpatched, you can be hacked.

For many years WPA2 was considered the most advanced and secure way of protecting wireless communication. Its 4-way handshake even had a security proof. But the freshly discovered Key Reinstallation Attack (hence “KRACK”), a method of exploiting a previously unknown weakness in the protocol, made virtually every Wi-Fi device in the world vulnerable. In KRACK, an adversary is able to break the encryption between the device and the router and listen in on or interfere with the network traffic without even being on the network.
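Why reinstalling a key breaks the encryption, as an added simulation that is not part of the original post or of any Wi-Fi implementation: in the published description of KRACK, a replayed handshake message 3 makes an unpatched client reinstall the already-in-use session key and reset its packet number to zero, so the next frame is encrypted with a keystream that was already used once, and the XOR of the two ciphertexts equals the XOR of the two plaintexts. The vendor fix is to refuse to reinstall a key that is already installed. The keystream below is a constructed SHA-256 counter-mode stand-in, not CCMP or GCMP; `ClientSession` and its fields are assumptions made for the example.

```python
import hashlib


def toy_keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Constructed stand-in for the per-packet keystream (NOT the real cipher):
    SHA-256 over key || packet number || block counter, used in counter mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ClientSession:
    """Minimal model of the client after the 4-way handshake (assumed structure)."""

    def __init__(self, refuse_reinstall: bool):
        self.refuse_reinstall = refuse_reinstall
        self.ptk = None
        self.packet_number = 0

    def install_ptk(self, ptk: bytes) -> bool:
        """Runs when handshake message 3 is received, including a retransmission."""
        if self.refuse_reinstall and self.ptk == ptk:
            # Patched behaviour: a key that is already in use is not reinstalled,
            # so the packet number keeps counting and no nonce is ever reused.
            return False
        self.ptk = ptk
        self.packet_number = 0  # unpatched behaviour: reinstall resets the nonce
        return True

    def encrypt(self, plaintext: bytes) -> bytes:
        ks = toy_keystream(self.ptk, self.packet_number, len(plaintext))
        self.packet_number += 1
        return xor_bytes(plaintext, ks)


def replayed_message3_reuses_keystream(refuse_reinstall: bool,
                                       p1: bytes, p2: bytes) -> bool:
    """Simulate: client installs the PTK, sends p1, receives a replayed
    message 3, sends p2. Returns True when c1 XOR c2 == p1 XOR p2, i.e. the
    keystream was reused and a passive eavesdropper learns p1 XOR p2."""
    ptk = b"constructed-ptk!"  # constructed 16-byte key, not a real PTK
    s = ClientSession(refuse_reinstall)
    s.install_ptk(ptk)
    c1 = s.encrypt(p1)
    s.install_ptk(ptk)  # the replayed handshake message 3
    c2 = s.encrypt(p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    a, b = b"GET /index.html", b"POST /login.php"
    print("unpatched client reuses keystream:", replayed_message3_reuses_keystream(False, a, b))
    print("patched client reuses keystream:  ", replayed_message3_reuses_keystream(True, a, b))
```

The detection angle follows from the same model: a client that accepts a duplicate message 3 and restarts its packet counter at zero is the thing to look for, which is why the fix lives in the client (or access point) firmware rather than in the password or the cipher.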

This is already out of the “fail” category and more of a crypto-end-of-the-world scenario. The worst part: it’s a safe bet that most regular users never updated their routers. So if you’re currently preparing your list of New Year’s resolutions, please do yourself a favour and put “patch my router against KRACK” at the top of the list.

A Bonus Fail — The CRYPTO crypto and the non-CRYPTO crypto

Not that much of a fail (although, it depends), but a huge pet peeve of ours and, as we suspect, of anyone working in old-school crypto: the fact that we now have to add “crypto, but not THAT kind of crypto, the data SECURITY kind of crypto”, aaargh.

Summary

Any system will be broken eventually, and fails will continue to happen. Let’s just hope that in the new year the list of top fails will be less catastrophic, or at least smarter, so that we’d be able to marvel at the evil geniuses while trying to preserve what little security and privacy is left.

Happy New Year!

If you think we’ve missed some spectacular security or crypto fail, we’d love to hear from you! Please reach out to us via info@cossacklabs.com or @cossacklabs.
