Google releases Android 9 Pie, US Homeland Security finds flaws in millions of smartphones, and Atlanta taxpayers look at an expensive ransomware recovery.
Grabbing headlines this week was the release of Google’s Android 9 Pie software, which started rolling out on Tuesday to Google Pixel phones. Standard whiz-bang OS enhancements aside, from a security perspective, here’s what we found noteworthy: The software update “restricts access to mic, camera, and all SensorManager sensors from apps that are idle.” That means that when you stop using an app, that app will no longer have permission to access your phone’s mic, camera, etc. As app permissions have become increasingly invasive, this is a very welcome update.
Furthermore, if an idle app tries to access your camera, you’ll get an error message. Other privacy features include a separate permission category called Call_Log, which requires developers to ask explicit permission to access a user’s call logs (whereas previously, they may have lumped it all into one permissions group called “Phone,” for example). Developers now also have to ask for permission before running a Wi-Fi scan (read: gather location data). Finally, following Google’s decision to have its Chrome browser call out unencrypted connections as “NOT SECURE”, Android Pie, by default, also blocks HTTP connections and requests that apps use HTTPS connections instead.
On Tuesday, a team of researchers called Project Insecurity disclosed 22 vulnerabilities in OpenEMR, a popular medical practice management software program that supports over 100 million patients’ digital medical records. The vulnerabilities include a portal authentication bypass flaw that could have allowed users to access random patient records. The information potentially compromised includes patient profiles, patient demographics, medical records, prescription info, medical billing details, appointment schedules, and more. The good news is that patches have already been released to cloud customers and users. OpenEMR released the update on August 7.
Avast security evangelist Luis Corrons comments, “It is critical that organizations using OpenEMR update their systems immediately. Attackers won’t wait and are probably already scanning the internet looking for new targets. In the Equifax breach, attackers broke into the company via a vulnerability that had been made public a few days earlier.”
In the wake of flaws being found in Blu cell phones last year, the US Department of Homeland Security funded researchers to do a deep dive into all smartphones to search for similar flaws. Surprisingly, major security vulnerabilities were discovered that the researchers say could affect millions of US smartphones. The Department has not yet released make and model details, nor has it specified whether these are Android or Apple devices, but it has commented that the problem phones are sold by Verizon, AT&T, T-Mobile, Sprint, and other carriers. The manufacturers of the flawed phones have already been notified, however, and further news on the study is expected to be made public in the next week or so.
The latest figures are in and here’s the unfortunate fact: the ransomware attack on the city of Atlanta this March has proven to be one of the most expensive “cyber incidents” suffered by local US governments in 2018. A seven-page confidential audit report prepared by The Atlanta Journal-Constitution says the attack could cost taxpayers $17 million, with a reported $6 million of that already spent on data and system recovery. The ransomware attack brought down all local government digital services including police and utilities. It should be noted that the SamSam hacker group continues this cybercriminal activity.