Hardware Security Keys: A Seatbelt for the Internet?—Cyber Saturday
Stina Ehrensvärd is creating “a seatbelt for the Internet.”
The CEO and founder of Yubico, a startup that designs online account-securing fobs, says as much as she enthusiastically slaps a package on a table at Fortune’s offices. Inside the plastic container: her latest product. It’s the first Lightning-port compatible hardware security key. Translation: the first security fob that plugs directly into Apple’s iPhones, the iPhone 5 and later.
Hardware security keys come highly recommended by security experts. They add a layer of protection, a second factor in the parlance, on top of the password alone. They’re generally more secure than a one-time code texted to your phone or produced by an authenticator app: a code can be typed into a convincing fake login page and relayed to the real site within seconds, whereas the key signs a challenge that is bound to the web address the browser is actually on, so a look-alike site gets nothing it can reuse. Services such as Twitter, Facebook, and Dropbox support the keys.
Before one dismisses the notion (why am I going to stick this dongle into my phone every time I want to log into one of my accounts?), Ehrensvärd anticipates the objection. You only have to stick in the key every so often. Google lets you have a 30-day grace period. Other services give you more leniency. Besides: what’s a minor inconvenience for so much peace of mind?
In calling her invention a seatbelt, Ehrensvärd is hearkening back to a decades-old innovation at Volvo. In 1959, Nils Bohlin, an engineer at the carmaker, created the three-point seatbelt, which became the standard for safety across the auto industry. Rather than keep the patented, life-saving design to itself, Volvo chose to make it freely available to other manufacturers and evangelize it. Ehrensvärd, who is, coincidentally, also Swedish, aims to do the same with her invention.
“Even if you don’t write about Yubico, you should promote this standard,” Ehrensvärd implores. She refers to WebAuthn, an open authentication standard that enables all this technology to work. She wants to raise awareness about the protocol so that more big tech companies roll it out. Apple only recently began adding compatibility after the World Wide Web Consortium, or W3C, an Internet standards body, gave its blessing to the tech. (You can test the keys out on the beta, or experimental, version of Apple’s web browser Safari.)
Some security keys work without physical touch—no sticking keys in any ports. Instead, they use “near-field communication” or Bluetooth, two wireless telecom standards, to exchange authentication data. But Yubico won’t touch Bluetooth, for fear of security issues, and Apple has so far refused to let outsiders tap into its NFC capability. So, no contactless YubiKeys for iPhone.
In considering this (hopefully temporary) impasse between Yubico and Apple, one might do well to remember that it wasn’t the invention of the seatbelt that saved so many lives, but the convenience of the three-point strap design that Volvo’s Bohlin pioneered. If and when Apple buckles up and lets companies like Yubico tap into NFC, as Google has long enabled on Android, we’ll see real progress.
Robert Hackett | @rhhackett | firstname.lastname@example.org
Poison in the well. Last week Google's elite Project Zero hacking team revealed details on 14 alarming iPhone vulnerabilities it discovered hackers to be exploiting in the wild for as long as two years. At the time they were discovered, the bugs affected iOS versions 10 through 12, Apple's latest phone software. Apple released patches; to protect yourself, make sure your iPhone software is up to date.
The contagion spreads. Following Google's iPhone vulnerability disclosure, TechCrunch reported that the referenced hackers were (likely) Chinese state sponsored actors targeting Uyghurs, an ethnic minority group. Forbes then reported that the hackers were also targeting Google Android and Microsoft Windows. Apple acknowledged that Uyghurs were targeted, but it has also disputed some of Google's claims. This is a convoluted story that continues to develop...
"Man-in-the-Middle" Kingdom. Beijing-linked agents broke into Asian telecom companies to track the movement of Uyghur travelers, Reuters reports, citing unnamed sources. And an online forum for organizing Hong Kong protests got knocked offline by a distributed denial of service attack.
Sharif don't like it. A U.S. cyber operation wiped a database used by Iranian militants to target oil tankers in the Persian Gulf, the New York Times reports. The June 20th strike followed Iran's shooting down of an American drone. The alleged data destruction demonstrates how U.S. Cyber Command is upping its retaliatory tactics in cyberspace.
Si vis pacem, para bellum. NATO is opening a new cyber operations center in Mons, Belgium. In a statement about the news, Secretary General Jens Stoltenberg reaffirmed the group's commitment to collective defense, specifically relating to cyberwar. "A serious cyberattack could trigger Article 5 of our founding treaty," Stoltenberg writes, meaning "an attack against one ally is treated as an attack against all."
iPhone? More like "iPwn." Zerodium, a broker that buys phone-busting software tools from hackers and resells them to government and law enforcement agencies, is for the first time paying more for Android exploits than iPhone ones. Some security experts think Apple is having a bad year security-wise.
Hacks, leaks, and breaches. A server containing 419 million Facebook records, including people's phone numbers, was found to be exposed to the Internet. Hostinger, a website hosting company, forced a password reset for customers after someone gained access to a database containing information on 14 million customers. The forums of XKCD, the humorous web comics site, were breached, exposing information on more than 560,000 people. Actress Chloë Moretz's Twitter account apparently got hacked.
Share today’s Cyber Saturday with a friend: http://fortune.com/newsletter/cybersaturday/
Cliff-hanging chad. The following excerpt is from a piece of speculative fiction penned by Alex Stamos, the former chief security officer of Facebook. In it, he imagines what horrors could befall the 2020 U.S. presidential election as a result of cybersecurity vulnerabilities, social media disinformation, and other systemic issues. To reiterate, the story, published on the national security blog Lawfare, is fictional...but it reads all too real.
Jan. 1, 2021. New Year’s Day is traditionally spent recovering from the previous night’s revelry. This year, the United States awakens to the greatest New Year’s hangover in the country’s almost 245-year history: a crisis of constitutional legitimacy as all three branches of government continue to battle over who will take the presidential oath of office later this month. This coming Wednesday, Jan. 6, a joint session of Congress will meet for what is a traditionally perfunctory counting of the Electoral College votes. With lawsuits still pending in seven states, both major-party candidates claiming victory via massive advertising campaigns and the president hinting that he might not accept the outcome of the vote, it’s time to reflect on how everything went so very wrong.
Most Americans Distrust Companies Using Facial Recognition Technology by Jonathan Vanian
The Best Way to Thwart Hackers and Cyber Crooks by Adam Lashinsky
ONE MORE THING
Listen all y'all, it's a sabotage. It remained an open mystery how western spies snuck centrifuge-destroying malware into an Iranian nuclear facility more than a decade ago. Now Yahoo Finance reports, citing anonymous intelligence sources, that U.S. and Israeli agents collaborated with Germany, the Netherlands, and France to pull off the operation. Key to their success: a Dutch mole posing as a mechanic who allegedly loaded the virus, Stuxnet, onto an internal computer.