{"id":1599,"date":"2018-05-26T22:34:10","date_gmt":"2018-05-26T22:34:10","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/starbucks-site-slurped-z-wave-locks-clocked-mad-mac-monero-mining-malware-and-much-more\/"},"modified":"2018-05-26T22:34:10","modified_gmt":"2018-05-26T22:34:10","slug":"starbucks-site-slurped-z-wave-locks-clocked-mad-mac-monero-mining-malware-and-much-more","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/starbucks-site-slurped-z-wave-locks-clocked-mad-mac-monero-mining-malware-and-much-more\/","title":{"rendered":"Starbucks site slurped, Z-Wave locks clocked, mad Mac Monero mining malware and much more"},"content":{"rendered":"
<\/div>\n

Roundup<\/strong> While this week was dominated by news of a new Spectre variant<\/a>, the VPNFilter botnet<\/a>, and TalkTalk’s badbad routersrouters<\/a>, plenty of other stories popped up.<\/p>\n

Here are a handful of security happenings that you may have missed.<\/p>\n

Wireless Z-Wave smart-locks, home IoT devices menaced<\/span><\/h3>\n

Wireless gadgets, such as home smart locks, using Z-Wave to communicate via radio can be potentially hijacked over the air by nearby miscreants, according to<\/a> infosec biz Pen Test Partners.<\/p>\n

Once upon a time, Z-Wave had a pairing mode called S0 that was used to connect a device, such as a lightbulb or lock, to a controller, such as a home IoT hub. In 2013, that mode<\/a> was found to be insecure<\/a>, so today Z-Wave-compatible devices use a stronger pairing method called S2.<\/p>\n

However, Pen Test Partners said this week it has found a way to downgrade communications between gizmos to S0 mode from S2 during pairing, thus opening up more than 100 million Z-Wave-compatible things to potential attack. If you can get near a gizmo while it is in pairing mode, such as during its initial setup, you can potentially push it down to S0 and attempt to commandeer it.<\/p>\n

Here’s a video demonstrating the flaw:<\/p>\n

Youtube Video<\/a><\/p>\n

Z-Wave overseers Silicon Labs said<\/a> devices already paired cannot be forced down to S0 from S2, adding: “We are updating the specification to ensure that any user will not only get a warning during a downgrade to S0 but will have to acknowledge the warning and accept it to continue inclusion.”<\/p>\n

Starbucks brews double-whip grande mocha pwnage<\/span><\/h3>\n

Researcher Martin Bajanik discovered a cross site scripting bug<\/a> that was present on the Starbucks UK website. The now-patched bug would have allowed an attacker to inject malicious JavaScript into the browsers of people visiting the cafe chain’s online store, though Bajanik says an actual exploit would have been hard to pull off.<\/p>\n

“The underlying issue was a simple HTML injection with extremely low, even none, security impact. Due to existing code, however, I was able to achieve arbitrary JavaScript execution under certain, fairly obscure, circumstances,” Bajanik told The Register<\/em>.<\/p>\n

“Exploitation would have been rather unlikely as the attack could only work if the potential victims would had followed a malicious link created by the attacker (it was reflected XSS).”<\/p>\n

Speaking of bug bounties, researcher Ryan Stevenson banked $1,000 after discovering<\/a> in April a T-Mobile US server used by staff to look up customers’ names, addresses and account numbers using their cellphone numbers, which was not secured and open to all who could find it. It’s since been fixed.<\/p>\n

If you’ve found any security vulnerabilities, and want to share details, please do let us know<\/a> or chat to us anonymously on Ricochet<\/a> at ricochet:qk724lftsymjcwlq<\/code><\/p>\n

\n

Quick links<\/span><\/h3>\n