10 Spooky Security Threats To Watch This Halloween

Spooky Security Season

With Halloween fast approaching, security professionals have to be on the lookout for vulnerabilities, or risk being spooked by attackers. The past month has already been more trick than treat when it comes to security, with reports of spooky vulnerabilities emerging around Android, iOS, Windows, popular software applications, networking gear and more. Whether they believe in superstitions or not, security professionals don't want to be left looking like they've seen a ghost this Halloween when it comes to these threats.

Take a look at 10 security scares that might be lurking around.

Android LTE Vulnerability

A vulnerability in Android operating systems on LTE networks, used by Verizon and AT&T, could allow for incorrect over- or under-billing of phone usage, spoofing of phone numbers, direct retrieval of data from other phones, calls made without a user's knowledge, and denial-of-service attacks on the network. The vulnerability was revealed in an advisory posted by Carnegie Mellon University's public vulnerability database (CERT) on Oct. 16. The vulnerability is due to a lack of the appropriate permissions on the Android operating system for the packet switching method used by LTE networks. It does not appear to affect iOS devices on the same network, the report said.

To remediate the vulnerability, the advisory recommended that each provider update its network to resolve the issues.

Adobe Flash Vulnerabilities

In October, Adobe released an emergency update for a vulnerability in its Flash Player. Not part of its regular monthly update cycle, which had been rolled out only days before, the update fixed a vulnerability discovered by Trend Micro that affected versions of Adobe Flash running on Windows, Macintosh and Linux. The vulnerability was in the software's plug-in capabilities and, if the program crashed, could allow attackers to take control of the system. The patch was issued after phishing attacks were found to be exploiting the vulnerability, particularly attacks led by a group called Pawn Storm against government entities. Shortly after the vulnerability was announced, Apple moved to block some out-of-date versions of the software from its computers.

Netgear SOHO Router Vulnerability

A security vulnerability in some Netgear Small Office Home Office (SOHO) routers that was discovered in the summer was publicly exploited in late September by hackers. The security flaw, discovered by Shell Shock Labs and Compass Security, potentially allowed hackers to redirect traffic to their servers by reaching the Web management interface through the internal network. The researchers estimated that more than 10,000 routers had been hacked by a single hacker. Netgear has released a patch for the vulnerability.

Self-Encrypting External Hard Drives

If you think you're being more secure by using a self-encrypting external hard drive, think again. An academic paper by Gunnar Alendal, Christian Kison and modg published in late September analyzed six drives from Western Digital manufactured mostly between 2007 and 2013, finding that they had multiple vulnerabilities, including complete backdoors and multiple encryption key leaks.

SYNful Knock On Cisco Routers

At the end of September, researchers discovered that nearly 200 IP addresses of Cisco routers in more than 30 countries had been attacked by malicious firmware known as SYNful Knock. The research came on the heels of a FireEye report that found 14 infected routers. By physically implanting the malware, attackers were able to gain back-door access that can persist across reboots, a Cisco spokesperson told CRN at the time. The three models of routers known to be affected are 1841, 2811 and 3825. Partners at the time said they didn't expect the malware to have any effect on their Cisco router sales.

Stagefright 2.0

With a very appropriate name for the holiday, Stagefright made a repeat appearance this October with the emergence of the Stagefright 2.0 vulnerability that affected an estimated 1 billion Android phones. Following up on the July announcement of Stagefright by security firm Zimperium, Stagefright 2.0 is a vulnerability tied to specially crafted MP3 or MP4 files that allow hackers to execute code. The vulnerability affects Android devices running Android 5.0 or later, though a separate vulnerability affects previous device systems. Google has already created a patch for the issue.

Fitbit Flex Vulnerability

Working out after eating all of your Halloween candy might have a downside. At the Hack.Lu conference in October, researcher Axelle Apvrille of Fortinet revealed a vulnerability in popular fitness tracking device Fitbit Flex. The sensor vulnerability allows the device to be hacked through its Bluetooth radio feature, allowing attackers to potentially deliver code or malware to a computer. Fitbit said at the time that it doesn't believe the security flaw to be accurate, but welcomed input from security researchers.

WinRAR Vulnerability

Popular file compressor WinRAR has a critical security vulnerability, researchers at Vulnerability Lab announced this month. The vulnerability, which affects version 5.21, could allow hackers to generate their own compressed archives with malicious code, ultimately allowing them to compromise a system. The vulnerability is enhanced by the executable files used by WinRAR, which do not allow a user to verify the file before it is opened.

iOS 9 Vulnerability

Android wasn't the only mobile operating system with a vulnerability recently. iOS 9 also had a vulnerability discovered this month, posted by Jose Rodriguez on YouTube, that showed how a user could bypass a lock screen and gain full access to a phone's photos and contacts. Users can disable the vulnerability on their own by disabling Siri when the phone is locked or by creating an alphanumeric passcode.

Windows Vulnerabilities

As part of its regular Patch Tuesday releases, Microsoft issued, among others, a critical patch that affected all versions of Windows. The flaw was found in the Internet Explorer browser (Microsoft Edge was unaffected) and allowed a hacker to potentially gain access to a machine through a compromised website that exploits a vulnerability in how the browser handles objects in memory. The vulnerability is fixed by patch MS15-106.