You are here

Android value-chain FAIL: Samsung leaks Sprint customer data

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings, Industry analyst and editor, RJAssociates

Another week, another leak. Sprint—the carrier, not the agile concept—warns its customers that some of their data has gone walkabout (but it’s not sure how many customers).

And it’s blaming Samsung. Supposedly, the South Korean handset maker had a vulnerability in its website.

But Samsung denies it. Perhaps this sort of failure is inevitable with Android’s complex value chain. In this week’s Security Blogwatch, we wish a plague on both their houses.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Apollo.

[ Understand what's driving the next-generation SOC with TechBeacon's guide. Plus: Download ESG's report on the state of cloud-based security analytics and operations ]

PII leak rains on parade

What’s the craic? Shaun Nichols quips Just in case we've not made ourselves clear, Samsung screwed you over, adds Sprint:

Sprint has told some of its subscribers that a piss-poor Samsung website exposed their personal details. [The] account and device details were leaked … thanks to, apparently, dodgy Samsung coding.

Fraudsters somehow obtained and used some Sprint customers' account information to log into the Samsung add-a-line website and, from there, gathered additional personal details. … Sprint did say it was resetting customer PINs [but] the carrier did not say how many of its customers were affected.

Samsung, for its part, admits its site was the source of the leak, but said the credentials used by the attackers were gathered elsewhere.

Curious. Catalin Cimpanu castigates the carrier—Hackers had access to customer info:

US mobile network operator Sprint said hackers broke into an unknown number of customer accounts. … The company said it re-secured all compromised accounts by resetting PIN codes.

Sprint said the information hackers had access to did not pose "a substantial risk of fraud or identity theft," although, many might disagree with its assessment. [The] notification lacks a few important details.

From which, fahrbot-bot teases out the irony:

So they re-secured all the compromised accounts, from an unknown number of customer accounts?

And this Anonymous Coward hammers it home:

How do they not know how many people were affected if they reset PINs and emailed the affected people?

Sprint, there's usually a count function somewhere in there. Ask engineering.

But doublelayer sees both sides:

[It] leaves a few options open. I'm sure this is because Sprint and Samsung are not all that happy to give out information and have contradicted one another, but here are a few things this could be:
 
  1. Samsung has Sprint credentials (why?), and they left them unsecured. …
  2. Sprint left Sprint credentials unsecured, and criminals stole them. …
  3. Sprint credentials were found by criminals from somewhere. …
Neither company seems to have bothered trying to explain exactly where the credentials came from. Logically, Sprint should be the only people with them, but who adheres to logic?

Are you feeling any déjà vu? Zack Whittaker finds it Interesting:

Bizarre that a similar thing happened a few months ago involving Boost, which Sprint owns. Seems entirely separate and not connected but very unfortunate for Sprint customers.

Wait. Pause. Why does a Samsung website have access to Sprint customers’ accounts? This Anonymous Coward has had it:

Marketing, branding, partnerships: To me this is what is fundamentally broken with Android. … By the time you get it, it's had all sorts of **** injected into it to help companies collect data, monetize your experience, and track [you].

The problem is you don't know what is there, and you are somehow implicitly agreeing to someone's terms of service you've never been told about. … You have no way of knowing just how many ways your security and privacy have been compromised to let the manufacturer monetize you.

I'll not buy anything Android again.

But Kim Christiansen—@imkimc—doesn’t sound so surprised:

Samsung, the paragon of security and privacy: Lest we forget that their smart TVs were originally designed to listen in on you at home at offer up advertising based on private conversations.

And notyetanotherid, neither:

"Samsung takes security very seriously." Would this be the same Samsung that let the ssuggest.com domain lapse, thus potentially exposing to miscreants millions of Galaxy mobile users with the non-removable SSuggest app.

Meanwhile, BlueTARDIS has a “helpful” suggestion:

Here’s how we get companies to beef up security: Take whatever is leaked in a data breach, and make that same data that belongs to the board and officers public.

If customers aren't at "substantial risk" from this breach then the CEO should be just fine releasing his phone number, device type, device ID, account number, billing address, etc.

The moral of the story?

Audit and red-team your partners too—not just your own architecture.

[ Explore TechBeacon's guide to SecOps challenges and opportunities. Plus: Download the 2019 State of Security Operations report. ]

And finally

Apollo bluffers’ guide


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Victoria White (cc:by)

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]