21ST MAR 2024
21ST MAR 2024This week we cover the Unsaflok flaw, a phishing email that targeted fans at the Belgian Grand Prix, and a Firebase password leak that underscores how cybersecurity remains as essential as ever
Here’s what went down this week:
Researchers have unveiled critical vulnerabilities affecting 3 million Saflok electronic RFID locks utilized across 13,000 hotels and residences worldwide. These flaws, collectively dubbed "Unsaflok," were unearthed by a team comprising Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana back in September 2022.
Initially reported by Wired, the researchers participated in an exclusive hacking event held in Las Vegas, where they vied with other teams to identify vulnerabilities within a hotel room and its associated devices. Their focus honed in on dissecting the security of Saflok electronic locks, resulting in the discovery of exploitable flaws capable of granting unauthorized access to any door within the confines of a hotel.
The affected models are used in three million doors on 13,000 properties in 131 countries, and while the manufacturer is actively working to mitigate the flaw, the process is complicated and time-consuming.
The flaw affects multiple Saflok models, including the:
Saflok MT
Quantum Series
RT Series
Saffire Series
Confidant Series
All these locks are managed by the System 6000 or Ambiance software.
Promptly following their discovery, the researchers promptly communicated their findings to the lock's manufacturer, Dormakaba, in November 2022. This proactive measure allowed Dormakaba to initiate remedial actions and notify affected establishments of the security jeopardy, all while keeping the matter discreetly contained.
However, despite the preemptive efforts, the researchers caution that these vulnerabilities have been latent for over 36 years. While there's no documented evidence of exploitation in the wild, the prolonged exposure duration heightens the risk of potential breaches.
"Although there haven't been any documented instances of real-world exploits leveraging these vulnerabilities, we cannot rule out the possibility that malicious actors may have knowledge of and utilized them," elucidates the Unsaflok team.
Today marks the public disclosure of the Unsaflok vulnerabilities by the researchers, underscoring their widespread impact on nearly 3 million doors fortified with the Saflok system.
To check if the locks on their rooms are vulnerable, guests are encouraged to use the NFC Taginfo app (Android, iOS) to check their keycard type from their phone.
In an alarming development, hackers have seized control of the official contact email for the Belgian Grand Prix event, exploiting it to entice fans with a deceptive offer of a €50 gift voucher.
The Spa Gran Prix, a revered fixture in the Formula 1 World Championship, unfolds annually at the esteemed Circuit de Spa-Francorchamps in Stavelot, Belgium. Scheduled this year between July 26 and 28, the event draws legions of enthusiasts from across the globe, captivated by its storied legacy, formidable circuit layout, and unpredictable weather conditions.
According to the press release by the race organizer, on Sunday, March 17, 2024, malevolent actors commandeered the email account, subsequently dispatching phishing emails to an undisclosed number of recipients.
The fraudulent correspondence purported to offer recipients a €50 voucher redeemable for purchasing tickets to the F1 Grand Prix, enticing them to click on an embedded hyperlink.
Regrettably, the link redirected unsuspecting recipients to a counterfeit website mirroring the appearance of the authentic Spa Grand Prix portal, where they were duplicitously prompted to divulge personal information, including sensitive banking details.
Promptly upon detecting the breach, SPA GP sprang into action, swiftly issuing a series of cautionary emails to its clientele, unequivocally denouncing the prior communication as a phishing scheme and advising against interaction with any embedded links.
Not content with merely reactive measures, SPA GP has also taken proactive steps to address the breach, lodging a formal complaint with the Belgian cyber police on March 18, 2024, signaling its steadfast commitment to safeguarding the integrity of its operations and the security of its patrons.
The organizers also released this statement regarding the phishing attack:
Users who have tickets and feel worried about the possibility of their data having been exposed to cybercriminals have been informed to contact SPA GP’s secretariat.
Three cybersecurity researchers have unveiled a concerning revelation: nearly 19 million plaintext passwords have been laid bare on the public internet due to misconfigurations in instances of Firebase, a prominent Google platform utilized for database hosting, cloud computing, and application development.
Researchers Logykk, xyzeva/Eva, and MrBruh embarked on an extensive exploration, scanning over five million domains. Their investigation unearthed 916 websites belonging to various organizations, either devoid of security protocols altogether or configured incorrectly.
Within this trove of compromised data, over 125 million sensitive user records were exposed, encompassing a plethora of personal information such as emails, names, passwords, phone numbers, and even billing details, including bank information.
The researchers' inquiry led them to Firebase instances lacking any security parameters or improperly configured ones, granting unwarranted read access to databases. Eva, in conversation with BleepingComputer, underscored the prevalence of these security oversights, noting that a significant number of the identified websites also allowed write access, compounding the severity of the situation. Remarkably, among the exposed entities was a banking institution.
To provide a comprehensive assessment of the scope of the breach, Eva's script, Catalyst, systematically inspected each exposed database, extracting a sample of 100 records. These findings were then meticulously cataloged within a private database, painting a stark picture of the extent of sensitive user data left vulnerable due to inadequate security configurations:
Names: 84,221,169
Emails: 106,266,766
Phone Numbers: 33,559,863
Passwords: 20,185,831
Billing Info (including bank details, invoices, etc.): 27,487,924
The gravity of the situation is compounded by the alarming revelation that a staggering 98% of the exposed passwords, totaling 19,867,627, are stored in plaintext—an egregious lapse in security protocols.
Eva emphasized the perplexing nature of this oversight, noting that Firebase offers a robust end-to-end identity solution, Firebase Authentication, explicitly designed to ensure secure sign-in processes without exposing user passwords in plaintext within records. This underscores the need for organizations to prioritize robust security practices and adhere to industry-standard protocols to mitigate the risk of such breaches in the future.
Want to catch up on the latest security news? Check out:
