AI of Things (II): Water, a sea of data

Francisco Ibáñez González    16 March, 2022

Water management companies have been adapting the way they manage their processes according to the evolution, costs and availability of technology in each part of their value chain. It is important to highlight that not all technologies that are applicable to a productive sector evolve at the same time, and the water sector has been no different. However, it is safe to say that there are now affordable mass sensing, data storage and exploitation capabilities available that allow water managers to make the best decisions at the right time, enabling them to offer the best possible service to consumers. In the first article of the AI of Things series, we discussed the two main pillars of transforming the physical world: sensorisation and data mining. In this article we will look at the technology that allows us to sensorise the world of water and how to take advantage of all the information gathered from these assets.

Data, data and more data!

In Spain we have more than 20 million water meters, which could provide data 24 hours a day, 7 days a week, resulting in more than 500 million signals per day, only in terms of water consumption.

If we use the most advanced smart water meters such as those from our partner Contazara, they are able to generate much more information both metrologically and from a communications point of view.

This sensing capability is possible thanks to different LPWA (Low Power Wide Area) communication technologies, each of them differing in terms of factors such as quality of service, battery life, latency, scalability, message size, coverage, range, deployment and cost.

Among the different options, Telefónica IoT&BD is committed to NB-IoT as the best LPWA communication technology that can help water utilities in the next evolution of the integrated water cycle, enabling the successful implementation of a wide range of mass IoT solutions, including the deployment of a smart metering solution. Its main features are:

  • Open 3GPP communication standard with global reach enabling a powerful ecosystem of manufacturers.
  • Radio network deployment is conducted over licensed bands to avoid scalability issues, security and regulatory constraints.
  • Simple and cost-effective implementation making the cost of IoT devices support the business case
  • Improved network coverage and signal penetration to reach all deployed IoT devices
  • Managed quality of service through efficient allocation of network resources, as well as interference and congestion management and mitigation
  • Ensuring power autonomy of devices for more than 10 years
  • End-to-end security.

We can get great value from the data generated from IoT sensors deployed in the full water cycle

Once we have that massive amount of data available from IoT sensors, mainly from smart water meters, we can apply artificial intelligence and analytics technologies to take advantage of every “drop” of information we have obtained from that sensor asset.

  • Control over deployed assets
    • Performance monitoring of the LPWA technology used: success rate, retry rate, network and data availability.
    • Performance monitoring of deployed hardware manufacturers, by analysing information from the device itself or by detecting anomalies (predictive maintenance), as we will see in depth in another article of the series: faulty or tampered device, excessive battery consumption, variability of sent and received packets, etc.
  • Unregistered water reduction
    • Reduction of water losses in distribution networks by analysing high average flow values and high minimum night-time flow values. In Spain, leakage rates in distribution networks can currently reach more than 25%
    • Reduction of household losses
    • Identify potential fraudulent services
  • Added value services for the consumer
    • Mobile applications that allow the reception of alerts for leaks (2nd house), the monitoring of consumption and the comparison of consumption with other consumers with a similar profile
    • Social care for dependent people by monitoring water consumption outside the usual pattern
    • Identification of the appropriate water meter calibre according to the consumption profile made
    • Detection of anomalies in the invoicing process
    • Water quality monitoring in “sensitive” consumers
  • Process improvement
    • Intelligent prioritisation of work orders according to the criticality of the incident (main pipe burst, leaks in a residential environment, fraud, etc…)
    • Demand forecasting through consumption pattern analysis
      • Improve the demand management strategy by adapting the infrastructure investment plans to cover the expected demand for different scenarios (seasonality, major events, crisis, etc.)
      • Reduction of energy consumption in the water management value chain through water demand forecasting
    • Monitoring of water quality along the value chain ensuring a secure supply in real time

IoT technologies and advanced analytics enable water utilities to tackle a complete digital transformation of the entire water cycle, ensuring the success of massive sensor deployments, like smart meters, that will enable them to address the challenges of managing demand, reducing losses, ensuring the efficient and reliable supply of water to consumers and making smart water resource management the basis for sustainable development.


Are airline companies as safe as they seem?

Lucía López Sánchez    15 March, 2022

Recently, the number of news stories reporting cybersecurity incidents involving airline companies worldwide has increased; cybercriminals are targeting airlines more and more often. Some examples of these incidents are the DDoS attack suffered by the Iranian airline Mahan, or the theft of hundreds of thousands of Star Alliance passengers’ details.

Cyberattacks may cost airline companies a large sum of money, not only because of the interruption of their services, but also because of non-compliance fines related to different data protection laws. This situation can be observed in a news story published in 2018, when British Airlines had to face a fine of $229 million after suffering a cyberattack.

The Telefónica Tech team carried out a study to determine to what extent airlines are unprotected and how much data could be gathered just by performing general reconnaissance that collects only public information (both on the Clearnet and on the Dark web), without any intrusion tests being performed. To achieve this goal, and to allow comparisons between territories, all kinds of data were collected from the ten most important airlines in five different regions of the world. These regions were America, Europe, APAC, Africa and the Middle East.

The detailed methodology and full study can be read in this full report. The study analyzed risks and potential CVEs, SSL/TLS servers’ security, data breaches and even dark web findings.

The amount of data found for the different regions is very similar, and the same mistakes seem to be repeated in all regions, such as subdomains with descriptive names that can provide helpful information for an attacker to map out a company’s attack surface. While all regions have a similar amount of leaked credentials, African airlines seem to struggle the most when it comes to the security of their websites and SSL/TLS servers. Even so, surprising as it may seem, all the active offers on common dark markets belong to American airlines, and many of them only cover the USA.

After analyzing all the collected information, airline companies in all regions seem to have potential security issues. This study shows that anyone could gather valuable information about them in a few clicks and searches to perform a more sophisticated targeted attack, and that it is necessary to implement control and safety measures such as a DRP (Digital Risk Protection) service to minimize the exposure.

Updated data such as SSL/TLS servers’ quality and cipher versions, open ports and potential CVEs could be a starting point in search of security holes and vulnerable applications. On the other hand, leaked credentials could be the entry point. It is not necessary to have very extensive knowledge in the field to find useful and sensitive information. A large amount of data can be obtained in the process of information gathering by using off-the-shelf tools and methods.

It is necessary to spread awareness about the scope of cybersecurity in these kinds of services, and it is strongly recommended to adopt DRP measures or services that help monitor these threats. Telefónica Tech’s DRP service has tools and qualified analysts helping to protect valuable and private data and reputation, preventing, identifying, and mitigating a wide variety of threats.

Comprehensive solutions against cyberthreats that cover the whole process from early detection to final response are needed nowadays more and more.


Telefónica Tech at Mobile World Congress 2022

Telefónica Tech    14 March, 2022

MWC 2022 was undoubtedly one of the busiest in recent years. With the post-pandemic halt and the rescheduling of MWC 2021, even though it was only 6 months since the last edition, everyone there was really looking forward to meeting each other, talking about technology and having a coffee.

In addition, this year Telefónica Tech brought to the physical stand in Barcelona and the virtual stand in the Telefónica Metaverse, a very complete proposal of all the digital transformation solutions for companies: IoT, Big Data, Blockchain, Cybersecurity and Cloud solutions.

Throughout the conference, the visitors in Barcelona also focused on the face-to-face demos at the Telefónica stand, which was visited by more than 2,560 people. First of all, the Smart Industry demo, where visitors could discover the different use cases of:

  • Automation: a key element that increases efficiency, reduces costs and, above all, allows operators to perform higher value-added tasks while technology performs more repetitive tasks.
  • Sustainability: through the application of IoT, Big Data, 5G, Cybersecurity, Blockchain and Cloud technology, it is possible to extend the useful life of resources and respond to energy anomalies, contributing to protecting the environment.
  • Remote assistance: through the robotic arm we have seen how, thanks to the low latency provided by 5G and virtual reality, we can respond to incidents remotely and in real time, allowing industries to reduce response times and minimise costs.

And the Smart Buildings demo showed how the creation of smart buildings allows us to have integrated, automated, more efficient, healthier and safer management and control for people. We also saw how, through our integration platform, we obtain a centralised view of the data, which we collect, analyse and process.

We brought all of this to the keynote sessions organised by the GSMA and to those held in the Agora itself at the Telefónica stand:

  • ‘Innovating across business; moving now to next’ with Elena Gil Lizasoain taking part in a round table on the importance of diversity and inclusion as an essential commitment to enhance the value of companies.
  • ‘Digital rights and SDGs: sustainable business facing the digital rights challenge’. Once again, Elena Gil Lizasoain defended the conviction of companies regarding the need for digitalisation and the enormous role played by talent, especially people, in carrying out this transformation process. “Customers, employees and investors are increasingly demanding to work with companies that are sustainable.”
  • ‘Kickstarting 5G for Manufacturing’ with Andres Escribano Riesco talking about smart industry and how 5G and digital technologies are enabling us to develop real-world use cases.

Cyber Security Weekly Briefing 5-11 March

Telefónica Tech    11 March, 2022

Mozilla patches two 0-day vulnerabilities

Mozilla has issued a security advisory patching two 0-day vulnerabilities that are reportedly being actively exploited and affect Firefox, Focus and Thunderbird. Both vulnerabilities were reported by the company 360 ATA security team.  The first one, classified as CVE-2022-26485, is a use-after-free vulnerability in XSLT parameter processing, which allows document conversion. The second one, classified as CVE-2022-26486, is a use-after-free vulnerability in the WebGPU IPC framework. If exploited, a threat actor could execute code remotely, bypassing security, and could even compromise the device by downloading malicious code. Both vulnerabilities are fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0 and Focus 97.3.0. Mozilla recommends updating as soon as possible.

Discover more: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/#CVE-2022-26485

Dirty Pipe: new vulnerability in the Linux kernel

Security researcher Max Kellermann has published details of a new vulnerability in the Linux kernel from version 5.8 that would allow local users to gain root privileges through exploits that are already publicly available. Identified as CVE-2022-0847 and with a CVSSv3 of 7.8, the bug would allow an unprivileged local user to inject and overwrite arbitrary data in read-only files, including SUID processes running as root, leading to privilege escalation on the affected system. It even makes it possible to manipulate sensitive files such as /etc/passwd, which would allow the root user’s password to be removed. In his publication, the researcher shares a proof of concept (PoC) and points out the similarity of this vulnerability with “Dirty Cow” (CVE-2016-5195), which came to light in October 2016, although on this occasion exploitation would be less complex, and groups such as Anonymous have already spoken out about it. The vulnerability has already been fixed in Linux versions 5.16.11, 5.15.25 and 5.10.102, so patching as soon as possible is recommended given its potential impact if successfully exploited.

All the details: https://dirtypipe.cm4all.com/

Microsoft update bulletin

Microsoft has published its security bulletin for the month of March in which it reports the correction of a total of 74 flaws, including three critical vulnerabilities according to the firm and three 0-days that are reportedly not being actively exploited.

  • Critical vulnerabilities according to Microsoft: The most critical of the three flaws (CVE-2022-23277 CVSSv3 8.8) affects Microsoft Exchange Server and allows an authenticated attacker to target server accounts with the goal of executing remote code with ADMIN privileges, due to a flaw in memory management by the server. The other two flaws also classified as critical by Microsoft, CVE-2022-22006 and CVE-2022-24501, both with CVSSv3 7.8, affect the HEVC and VP9 video extensions but their exploitation requires social engineering as it requires the victim to download and open a specially modified file.
  • 0-days: The most serious flaw of this type, CVE-2022-21990 CVSSv3 8.8, allows remote code execution in RDP. Some researchers point out that this flaw should be considered critical and stress that, although it is not actively exploited yet, it may be exploited soon since a proof-of-concept is already available. The other two 0-day fixes are identified as CVE-2022-23285 CVSSv3 8.8 and CVE-2022-24503 CVSSv3 5.4.

More: https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar

UEFI firmware vulnerabilities

HP, in conjunction with the Binarly team, have discovered multiple high-impact vulnerabilities related to UEFI firmware, which are reportedly affecting different HP products such as laptops and desktops, or perimeter nodes and point-of-sale (PoS) systems. These have been classified as CVE-2021-39298 with CVSSv3 8.8, CVE-2021-39297, CVE-2021-39299, CVE-2021-39300 and CVE-2021-39301, all with CVSSv3 of 7.5. When exploited, a threat agent could inject malicious code, escalate privileges, as well as remain on devices after operating system updates. HP has provided firmware updates and instructions on how to update the BIOS.

All the information: https://support.hp.com/us-en/document/ish_5661066-5661090-16

Analysis of the resurgence of Emotet

Researchers at Black Lotus Labs have published an analysis of evidence of the resurgence of the Emotet botnet since November 2021. The researchers indicate that since then, the botnet has shown a sharp increase in activity through approximately 130,000 unique bots spread across 179 countries, accumulating more than 1.6 million infected devices. The malware resurfaced using Trickbot as a delivery method, and although its Command&Control (C2) structure was reportedly reinstated in November, the addition of bots was not announced until January. The technical details of the report reveal that Emotet has made notable changes to its operation, such as the algorithm used to encrypt network traffic, which is now based on elliptic curve cryptography (ECC), and the change in the tiering model, marked by the absence of Bot C2, although it is not known whether this is a temporary or permanent change. As Emotet is distributed via compromised emails with malicious attachments, the researchers recommend intensifying anti-phishing preventive measures and monitoring network resources to prevent possible downstream incidents.

More info: https://blog.lumen.com/emotet-redux/

42 Madrid students solve Telefónica Tech’s challenges

Telefónica Tech    10 March, 2022

In recent years, cybersecurity has become a major cornerstone for businesses. Data is today’s gold and protecting it is an essential part of a project. In 2021, there were an average of 40,000 attacks per day in Spain alone.

Let us introduce ourselves. We are David Puente, Juan Rodríguez, Antonio Costal and David Rodríguez, students at 42 Madrid and the organisers of the cyber security association on campus. We have spent the last year promoting activities and events related to computer security.

As a result of the proposal set up by Telefónica Tech’s cybersecurity experts, David García, Álvaro Núñez-Romero and Sergio de Los Santos, the CTF “Stairway to hell” was held. This was a 48-hour event in which students from the campuses in Malaga, Barcelona, Urduliz (Vizcaya) and Madrid competed to solve the greatest number of challenges in order to reach the podium.

A CTF (Capture The Flag) is a computer challenge in which, individually or in teams, students try to solve a series of tests, each with a certain difficulty and requiring different knowledge.

The origins

Once we finished deciding on the structure and testing, we started with the implementation. This has been the longest phase of the project and the one where we took on almost all the weight ourselves from the campus. The infrastructure behind the event was based on Cloud Computing, with a dedicated server capable of virtualising the dozens of machines that made up the challenge. We also put a great deal of work into the setting: the CTF told a story with each challenge, and all of them were combined with a certain aesthetic, nods to hacker culture and geek references.

Making it happen

We called it “Stairway to Hell”, inspired by the theme of Dante’s underworld. There were different tests, covering many of the branches of cybersecurity. There were tests on reverse engineering, steganography, exploitation, cryptography, web and defence. These were set around the deadly sins and other mythological references.

As the date approached, the students’ interest was clear. Cybersecurity events tend to generate a high level of interest among students at 42, and this one in particular was overwhelmingly well received.

More than 48 hours

It was carnival time, and the campus had a very festive atmosphere. Many people had also prepared well and had already brought supplies to spend the whole weekend. Everything was ready to start.

The starting signal was given by Sergio de los Santos at 18:00. We explained the dynamics, the rules of the campus and finally introduced the theme with a small performance. There was no turning back and we were hoping that all the hard work of the previous months would lead to an exciting challenge.

Our fellow students were hard at work throughout the event. To be honest, although they had a solid background in computer science, most of them had no experience in cybersecurity. However, the interest and eagerness to learn drove the participants to work tirelessly to advance in the tests, in a fierce battle that lasted until the very last minute.

Looking towards the future

After several months of work, this project has become a fundamental part of our training at 42 and, above all, a way of giving back to the campus part of everything it has given us.

In the short term, we are creating various workshops related to what we have learnt at the CTF, together with other content for the 42 course. In addition, we have the ambition to create a larger association that will encompass all the campuses in Spain, expanding the methodology to the five campuses that will make up 42 in our country.

Telefónica Tech AI of Things made real

Telefónica Tech    9 March, 2022

In a previous post on our blog, we already told you how the combination of technologies based on Artificial Intelligence, IoT and Big Data, the “Artificial Intelligence of Things”, helps us to have a safer, more efficient, sustainable and human life.

AI of Things, the Artificial Intelligence of Things

What is the real meaning of Artificial Intelligence of Things? It may look like something new, but if we get to know its meaning, we will realize that it is already present in our daily lives. And it is not a fleeting thing, it is here to stay.

Discover the full potential of AI of Things on the new website

The new AI of Things website is the perfect place to learn about our wide portfolio of solutions for mobility management, industry 5.0, smart spaces, companies looking for energy monitoring and management or advertising solutions. In addition, our capabilities in connectivity, professional services in strategic consulting and advanced analytics and training, AI & Business Insights platforms and technological enablers such as Blockchain, allow us to offer all the potential derived from the union of IoT, Big Data, Artificial Intelligence and Blockchain technologies.

This union allows us to accompany organisations of all types of industries in their digital transformation. Thanks to the sectoral value proposition, designed for more than 12 sectors and resolved in 140 use cases, we help transform organisations in sectors such as mobility, transport, tourism, logistics and distribution, utilities and many others.

All this is reflected in the extensive gallery of success stories of customers who have already relied on the solutions and capabilities that we offer from Telefónica Tech AI of Things and that show how solutions based on IoT, Big Data, Artificial Intelligence and Blockchain technologies are already a reality in society.

We have unified our social media channels

We have unified our social media channels to offer you clearer, more accessible, and accurate information. If you don’t want to miss any of our posts, video posts, webinars, infographics, events, live events, etc, take note of our new channels.

Twitter:
All our news in English: https://twitter.com/TefTechAIoT_EN (English account).
LinkedIn:
https://www.linkedin.com/company/telefonica-tech-aiofthings

Blog:
Our articles in English: https://business.blogthinkbig.com/telefonica-tech-aiofthings
Youtube:
https://www.youtube.com/c/telefonicatechaiofthings

We look forward to seeing you on all our social channels!

-AI of Things. Join the magic-

Understanding the concept of “rollup” for blockchain scalability

María Teresa Nieto Galán    8 March, 2022

In previous articles we have already discussed how important scalability is in Blockchain technology and how this ecosystem is starting to create solutions to achieve faster and more computationally and energy efficient public networks.

(If you have come this far without reading the previous article, I suggest you take five minutes and read it. :) )

Of all the solutions analysed, one of the most promising is what are known as “rollups”. This new paradigm is expected to be the cornerstone of scalability in Ethereum and is classified as a layer 2 solution.

However, before we get down to the nitty-gritty of what this idea is all about, let’s take a look at the mathematical trickery behind the blockchain technology, also known as cryptography.

Let’s start with the basics: the hash

The most basic concept we will start with is the so-called hash or summary function. This mathematical algorithm allows us to transform any data (words, phrases, documents, etc.) into a new series of characters with a fixed length. For example, if we hash “Hello world!” we would obtain the following: “239bdfaad79afdf9220349ddccd67b1e801aa275d757ac90c3977ac2f0a1f9e4”.

One of the characteristics of hashes is that if we modify any character of the content we transform, the hash changes completely. For example, if we remove an exclamation mark from the previous sentence and hash “Hello world” the result would be: “48666287270d81108ea41339aa48316f92c52995690b6da6b4f86242b408f779”. Therefore, one of the many use cases of this type of cryptographic functions is to be able to guarantee the integrity of documents.

Finally, it should be noted that a hash, unlike encryption, cannot be reversed once it has been generated. In other words, if we have a hash, we cannot recover what was there prior to the execution of the algorithm.

Let’s complicate the theory and add a bit of botany: Merkle Trees

On the other hand, another concept to review is what is known as Merkle trees. This is a data structure in the form of a binary tree, binary because each node has only two children.

If we look at the figure below, the tree is built from the bottom up, so that at level 0 we would have the raw data, at level 1 the hashed data, at level 2 we would hash the two child nodes together, and so on until we get to the last level, the root node of the tree.

Graphic illustration of a Merkle tree, David Göthberg

This type of data structure provides a secure and efficient method of verifying information, since, if we were to change a piece of data in one of the leaves at level 0, when performing the hashes towards the higher levels, the result would change drastically at the root node.

The biggest use case for Merkle trees today is the secure storage of transactions in a blockchain network.

Now, you may ask, why spend so much time on a cryptographic concept that is already applied in this technology? The answer is simple: rollups are also based on the concept of Merkle trees to be able to group transactions.

We already have all the components ready… what do the rollups consist of?

A rollup is a set of protocols that combines Merkle trees, plus cryptography which we will not go into in depth in this article, and a smart contract deployed on a blockchain network.

This smart contract maintains the root of the rollup state, or, in other words, it stores the contents of the root node of the Merkle tree that contains the information that has been compressed. This compressed information is a set of transactions, so, instead of performing all transactions on the network, these can be done outside and only a summary of all transactions would be uploaded to perform only one transaction instead.

Illustration of how rollups work, Vitalik Buterin.

This mechanism is not restricted: anyone can publish a batch of transactions, as long as they take into account the root of the previous state in the calculation (very similar to the way blocks are chained in blockchain).

At the time of recording the result of a new batch of transactions, the smart contract checks that the state root of the previous batch of transactions matches the root of its current state, because it has not yet been updated. If it matches, it would be updated by changing the state to the new root as shown in the following image:

Illustration of how rollups work, Vitalik Buterin.

What would happen, however, if someone batches transactions that have not actually occurred? In the end we are relying on the state of the previous root being the same, but at no point do we check that the transactions being batched are valid.

There are two types of rollups for this necessary validation:

  • Optimistic Rollup: Transactions that are batched are assumed to be valid by default. The smart contract keeps a record of the entire history of the roots and hash of each batch. If someone discovers that the batch had an erroneous state root, a proof of fraud is published on the chain. The contract then verifies this proof by reconstructing the tree and in case of fraud, the batch and subsequent batches are reverted. If there is no evidence of fraud, this method is very efficient. However, if there is a lot of evidence, all the information has to be processed to analyse its validity and, therefore, efficiency is lost.
  • ZK-Rollup: A proof of validity is stored in the contract, following the Zero Knowledge Proof protocol and using ZK-SNARK proofs. This would prove that the result of the root of the new state is correct without having to process all transactions in the batch. To this end, the contract would perform a validity check of the root before storing it.
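The Merkle tree construction and the optimistic rollup flow described above can be put together in a short simulation. This is an added example, not code from the article or from any rollup project: the `OptimisticRollupContract` class, the account names, the SHA-256 leaf/node prefixes and the simplified fraud proof (full re-execution of one batch) are all assumptions made for illustration.

```python
import hashlib
import json


def sha256(data):
    return hashlib.sha256(data).digest()


def merkle_root(leaves):
    """Root of a binary Merkle tree built bottom-up over byte-string leaves."""
    if not leaves:
        return sha256(b"")
    # Level 1: hash the raw data. The 0x00/0x01 prefixes keep leaves and
    # inner nodes from ever hashing to the same value.
    level = [sha256(b"\x00" + leaf) for leaf in leaves]
    while len(level) > 1:
        parents = [sha256(b"\x01" + level[i] + level[i + 1])
                   for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:              # an unpaired node is promoted unchanged
            parents.append(level[-1])
        level = parents
    return level[0]


def state_root(balances):
    """State root: Merkle root over sorted "account:balance" leaves."""
    return merkle_root([f"{a}:{b}".encode() for a, b in sorted(balances.items())])


def batch_hash(txs):
    """Commitment to the batch contents that is stored on-chain."""
    return sha256(json.dumps(txs).encode())


def apply_batch(balances, txs):
    """Off-chain execution of (sender, receiver, amount) transfers."""
    new = dict(balances)
    for sender, receiver, amount in txs:
        if amount <= 0 or new.get(sender, 0) < amount:
            raise ValueError(f"invalid transfer {sender}->{receiver}: {amount}")
        new[sender] -= amount
        new[receiver] = new.get(receiver, 0) + amount
    return new


class OptimisticRollupContract:
    """Toy stand-in for the smart contract: it stores roots and hashes only."""

    def __init__(self, genesis_root):
        self.state_root = genesis_root
        self.history = []               # (pre_root, batch_hash, post_root)

    def submit_batch(self, pre_root, txs_hash, post_root):
        # Chaining check: the batch must build on the contract's current root.
        if pre_root != self.state_root:
            return False
        self.history.append((pre_root, txs_hash, post_root))
        self.state_root = post_root     # accepted without executing the batch
        return True

    def prove_fraud(self, index, pre_balances, txs):
        """Re-execute batch `index`; revert it and later batches if it lied."""
        pre_root, txs_hash, claimed = self.history[index]
        # The challenger's data must match what was committed on-chain.
        if state_root(pre_balances) != pre_root or batch_hash(txs) != txs_hash:
            return False
        try:
            honest = state_root(apply_batch(pre_balances, txs))
        except ValueError:
            honest = None               # batch contains an invalid transfer
        if honest == claimed:
            return False                # claimed root is correct: no fraud
        del self.history[index:]
        self.state_root = pre_root
        return True


def demo():
    genesis = {"alice": 50, "bob": 20}  # constructed sample state
    contract = OptimisticRollupContract(state_root(genesis))

    txs1 = [("alice", "bob", 10)]       # honest batch
    s1 = apply_batch(genesis, txs1)
    ok1 = contract.submit_batch(state_root(genesis), batch_hash(txs1), state_root(s1))
    # The same batch again now builds on a stale root and is rejected.
    stale = contract.submit_batch(state_root(genesis), batch_hash(txs1), state_root(s1))

    # Correctly chained batch whose claimed post-state was never produced by txs2.
    txs2 = [("bob", "alice", 5)]
    forged = dict(s1, mallory=1000)
    ok2 = contract.submit_batch(state_root(s1), batch_hash(txs2), state_root(forged))

    reverted = contract.prove_fraud(1, s1, txs2)
    return ok1, stale, ok2, reverted, contract.state_root == state_root(s1)


if __name__ == "__main__":
    print(demo())
```

The forged batch passes `submit_batch` because only the previous root is checked there, which is the gap the article points out; the fraud proof is what restores the last honest root.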

It is also worth noting that rollups are sometimes closely related to the use of sidechains or alternative chains. In this way, transactions would be carried out on an alternative chain and from time-to-time rollups of sets of transactions that have taken place would be generated with the aim of being dumped on another network.

In other words, if we wanted to make transactions on Ethereum, but this network did not give us the necessary performance, they could be made on an alternative network and every so often rollups could be dumped onto the main network.

Rollup solutions in the market

There are currently companies that are already starting to use this mechanism to benefit from this improved scalability in public blockchain networks.

Among them is Polygon with Hermez, which has created an open-source zk-rollups solution, with the aim of being able to transfer tokens securely and at a lower cost.

There is also zkSync, a scaling and privacy engine for Ethereum. This implementation allows low-cost transfers of ETH and ERC20 tokens on the Ethereum network or even atomic swaps.

And finally, Consensys’ zk-rollups solution, which will be validated through a consensus test together with one of the world’s payment giants, Mastercard.

References: https://vitalik.ca/general/2021/01/05/rollup.html

Are SMS for sending verification codes secure?

Alexandre Maravilla    7 March, 2022

I recently forgot the password to access the personal area of my current bank’s online banking app. Here is the process of resetting the password, carried out from the browser of my smartphone:

  1. Enter my ID number.
  2. Enter the number of one of my debit cards and its pin code.
  3. Request an SMS to be sent to receive a verification/confirmation code.
  4. Receive the verification code via SMS to be able to access the app and create a new definitive access code.

Image 1: Process of sending the verification code via SMS to reset the access code to the online banking app.

The problem with sending verification codes via SMS

As can be seen in the diagram above (image 1), which shows the flow of the process, step 4, where the verification code is received, happens with the screen locked, i.e. the confirmation code can be seen by anyone who has the mobile device nearby, without needing to know how to unlock it.

This fact translates into a security breach, since any impostor who has possession of our device, or who has possession of our SIM, can access the verification code, and take control of our bank account. From this point on, we can only “pray” that the bank has implemented an anti-fraud engine based on behavioural analytics, and that it is able to identify that the person using the banking app is an impostor, and not the legitimate user.

It is true that to get to this point, a fraudster will have had to do some work beforehand, such as collecting our ID, and knowing our debit card number and PIN code. However, the theft of these credentials is the order of the day, and this type of fraud is known as phishing, vishing or smishing.

Why do we still use SMS?

According to this Twitter report on the security of its user accounts, 80% of users who use two-factor authentication (2FA) to access their account do so by sending an SMS. Twitter allows the use of other methods to implement 2FA, such as the use of an external app that you have to install and from which this verification code is generated each time, or the use of a security key, a hardware device that is connected to the USB port of a PC, which replaces the verification code because it is assumed that only the legitimate user is the one who possesses it.

Image 2: Alternative methods to SMS for user authentication

Given the simplicity of SMS compared to these other alternatives, it may seem reasonable to think that most Twitter users might prefer SMS as a method of receiving the verification code, because among other things it does not involve having to install an external app, nor does it require the purchase of an additional hardware device. Moreover, all users know how SMS works, we don’t need to learn how to use it as might be the case with external authenticators and/or security keys.

Could we increase security when sending SMS?

As we have shown, SMS is a widely accepted method among users when it comes to receiving confirmation codes. Its usability and user experience (as much as we may regret it) make it the preferred option. However, we know that this method is exposed to phishing attacks, so finding a solution and securing SMS can be of great value to users.

From Telefónica Tech’s Identity Innovation Lab at the Marina de Valencia, together with our colleagues who are experts in identity verification solutions from Mobbeel, we have developed a solution based on the FIDO2 Identity standard that allows user transactions to be confirmed by sending SMS in a secure way, by introducing biometrics in the middle of the process.

Image 3: Process of sending verification code via secure SMS to reset the access code to online banking app.

As can be seen in step 4 of the diagram shown above (image 3), we replace the reception of a verification code sent via SMS with the sending of an SMS requesting our authentication through the biometrics that the user already uses on their own mobile device: TouchID, FaceID, or a pattern or unlock code. Once the user has verified their identity through the biometrics in the SMS received, they can continue with the reset of their password to access the app.
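The server-side check behind a flow like this, as an added example (not Telefónica's or Mobbeel's code): it verifies a FIDO2/WebAuthn assertion and rejects it unless the user-verified flag is set, which is what separates "has the phone" from "unlocked it with biometrics". The relying-party ID, origin and the simulated authenticator are assumptions constructed for the example.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

const RP_ID = "bank.example";            // assumed relying-party ID
const ORIGIN = "https://bank.example";   // assumed origin of the page the SMS link opens
const sha256 = (data) => createHash("sha256").update(data).digest();

// Server side: accept the transaction only if the assertion is bound to our
// challenge and origin, carries the user-verified flag, and is correctly signed.
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, challenge, publicKey) {
  let client;
  try { client = JSON.parse(clientDataJSON.toString("utf8")); } catch { return "bad-client-data"; }
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== challenge.toString("base64url")) return "challenge-mismatch";
  if (client.origin !== ORIGIN) return "origin-mismatch";
  if (authenticatorData.length < 37) return "bad-authenticator-data";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rp-id-mismatch";
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) return "user-not-present";
  if (!(flags & 0x04)) return "user-not-verified"; // no biometric or unlock code was used
  // WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed stand-in for the phone's authenticator, used only to build sample input.
function sampleAssertion(privateKey, challenge, { userVerified, origin = ORIGIN }) {
  const flags = 0x01 | (userVerified ? 0x04 : 0x00);
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), signCount]);
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: sign("sha256", signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = randomBytes(32); // issued by the server when the SMS is sent
  const check = (opts, expected = challenge) =>
    verifyAssertion(sampleAssertion(privateKey, challenge, opts), expected, publicKey);
  return {
    verified: check({ userVerified: true }),
    noUserVerification: check({ userVerified: false }),
    staleChallenge: check({ userVerified: true }, randomBytes(32)),
    wrongOrigin: check({ userVerified: true, origin: "https://bank-example.test" }),
  };
}

console.log(demo());
```

Unlike a numeric code shown on a locked screen, nothing in the SMS itself is a secret here: the assertion is only valid for one challenge, one origin and one registered key.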

Secure SMS verification via biometrics

Telefónica and Mobbeel have pioneered the implementation of the FIDO2 standard to solve a real problem that affects most users of digital services and products. Sending secure SMS using biometrics helps to prevent online fraud through identity theft. In this way, the use of SMS to verify user transactions does not run the risk of someone with bad intentions being able to “get in the middle” and gain access to our accounts.

Cyber Security Weekly Briefing 28 February – 4 March

Telefónica Tech    4 March, 2022

Daxin: highly sophisticated backdoor

Researchers at Symantec have published a paper reporting a new backdoor they have called Daxin, which they attribute to actors linked to China. According to Symantec, it is the most advanced malware they have seen from Chinese threat actors. Daxin can read and write files and start processes, but is particularly notable for its stealth and the way it communicates with its Command & Control. The malware is able to hijack legitimate TCP/IP connections in order to achieve a key exchange with its remote peer, thus opening an encrypted communication channel to receive commands and send responses by hiding among legitimate traffic and bypassing security solutions. Another notable functionality is its ability to create a new communication channel across multiple infected computers on the same network using a single command for a set of nodes. This allows it to quickly re-establish connections and encrypted communication channels. Symantec has identified Daxin in government organisations, as well as entities in the telecommunications, transportation and industry sectors that are of strategic interest to China. The attacks observed date back to November 2021, although the oldest sample identified dates back to 2013.

More info: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Critical vulnerability in GitLab

GitLab has released a security update that fixes a total of 7 vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE). Among the security flaws, the most notable is the one identified as CVE-2022-0735, which has a CVSS score of 9.6. Exploitation of this vulnerability could allow an unauthenticated attacker to obtain a registration token from a runner, enabling remote code execution. Although the technical details of the vulnerability have not been published, exploitation would be of low complexity and would not require privileges or user interaction. This vulnerability affects all versions from 12.10 to 14.6.4, 14.7 to 14.7.3, and all versions from 14.8 to 14.8.1. As a result, GitLab has recommended upgrading to versions 14.8.2, 14.7.4, and 14.6.5 of GitLab Community Edition (CE) and Enterprise Edition (EE).

All the details: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
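A triage check for the version ranges quoted above, as an added example rather than anything published by GitLab: it maps each instance's reported version to "affected" and the fixed release on its branch. The hostnames and versions in the inventory are constructed for the example.

```javascript
// Affected ranges and fixed releases exactly as listed in the summary above.
const BRANCHES = [
  { from: [12, 10, 0], last: [14, 6, 4], fixed: "14.6.5" },
  { from: [14, 7, 0], last: [14, 7, 3], fixed: "14.7.4" },
  { from: [14, 8, 0], last: [14, 8, 1], fixed: "14.8.2" },
];

// Accepts "14.7.3", "14.7.3-ee", "v14.8.1" or "12.10"; returns null for anything else.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$/.exec(String(text).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function triage(versionText) {
  const v = parseVersion(versionText);
  if (!v) return { status: "unparsed", upgradeTo: null }; // needs a manual look
  const hit = BRANCHES.find((b) => compare(v, b.from) >= 0 && compare(v, b.last) <= 0);
  return hit
    ? { status: "affected", upgradeTo: hit.fixed }
    : { status: "not-in-range", upgradeTo: null };
}

// Constructed inventory (hypothetical hosts), e.g. collected from each instance's admin page.
const INVENTORY = [
  { host: "gitlab-a.internal.example", version: "14.7.3-ee" },
  { host: "gitlab-b.internal.example", version: "14.8.2" },
  { host: "gitlab-c.internal.example", version: "13.12.15" },
  { host: "gitlab-d.internal.example", version: "unknown" },
];

function report(inventory) {
  return inventory.map(({ host, version }) => ({ host, version, ...triage(version) }));
}

console.table(report(INVENTORY));
```

"not-in-range" only means the version is outside the ranges quoted in this briefing; "unparsed" entries should be checked by hand rather than assumed safe.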

Distribution of TeaBot via the Google Play Store

Researchers at Cleafy have published a new article on the TeaBot banking trojan, also known as Anatsa, which has reportedly started to be distributed via rogue apps hosted on the Google Play Store. This banking trojan emerged in early 2021 and was primarily distributed via smishing campaigns. The new samples, however, have switched to using Google Play as a means of distribution, with a TeaBot dropper hiding behind a QR code scanner app (QR Code & Barcode – Scanner). Once the app has been downloaded, the dropper asks the user to update it via a pop-up message. This supposed update is not actually an update: a second application (‘QR Code Scanner: Add-On’) is downloaded from an untrusted source. This second application is the one already identified as TeaBot, which asks the user for permission to use accessibility services in order to obtain privileges such as viewing and controlling the screen and viewing and performing actions. Recent TeaBot campaigns have gone on to support languages such as Russian, Slovakian and Mandarin Chinese, so the malware could be expanding its targets geographically.

More: https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe

AI of Things (I): Multiplying the value of connected things

Telefónica Tech    28 February, 2022

Written by Álvaro Capell and David Bonomo

The recent media explosion of the metaverse concept has overshadowed another technological trend, augmented or mixed reality, which is transforming the way we relate to the physical world, and which, as it is expected to evolve in the coming years, will bring about a revolution in many areas at both the individual and social levels.

This mixed reality, in addition to the technologies that are currently under rapid development to integrate the visual interface in overlap with the physical world, is based on two fundamental pillars for the digitisation of the physical: on one hand, it is necessary 1) to sensor the environment and objects to enable interaction with them, and on the other, it is necessary 2) to deploy a layer of intelligence to ensure that this interaction is relevant and adds value. This is where the combination of Internet of Things (IoT) and Artificial Intelligence (AI) is critical to make this vision a reality.

In this digitised world, vertical solutions are not isolated, but leverage the data generated by other solutions to improve the accuracy of their algorithms and deliver more valuable business outcomes. It is this combination of sources that makes the tandem of IoT and AI, AI of Things, so powerful and potentially applicable to a multitude of verticals and sectors:

One of these is smart buildings, where the proper exploitation of data from a multitude of solutions used in building management (room booking, access and capacity control, energy efficiency management, dynamic digital marketing, space sanitisation…) provides the possibility of integrating and unifying this information in dashboards that allow a building manager to quickly understand what is happening and act accordingly. Likewise, the use of Machine Learning or Deep Learning algorithms in these scenarios can contribute to more efficient and sustainable management, through use cases such as predicting the building’s energy consumption based on visitor patterns and other external factors such as weather forecasts, or adjusting environmental parameters according to the levels of traffic at any given time.

Another example, within the world of retail analytics and smart spaces, is the combination of data from outdoor location analytics tools with data generated inside the shop through video or wifi analytics and digital signage solutions, which provides a wide range of new AI functionalities for retailers to exploit. These include the possibility of guaranteeing end-to-end traceability of the sales funnel within the establishment or the recommendation of the most appropriate marketing content to display on screens according to the type of audience that is visiting them at any given time.

It is also worth noting the natural fit of the AI of Things concept in areas as relevant as smart metering and Industry 4.0. In the former, the information captured through smart meters in real time provides utilities (water, gas or electricity) with various options to enhance the use of Big Data to reduce losses, such as the detection of anomalies that lead to the early detection of potential fraudulent behavior. In the second, new technologies such as 5G or Edge Computing have enabled the huge and rapid capture of large volumes of data that allow, among other things, the development of predictive maintenance algorithms for industrial machinery (through information from sensors) or the identification of flaws in certain spaces (through data provided by a drone, for example) to facilitate maintenance work on electricity grids or solar panels in a building.

Finally, it would be important not to overlook the wide range of applications that AI of Things brings to the field of connected mobility, where data such as mileage, speed, consumption or driving habits, generated through a device connected to a vehicle’s OBD port, can feed different analytical models that enable transport companies to manage their fleets more efficiently. Likewise, within this field, the role played by the data provided by different asset tracking technologies (BLE, RFiD, WiFi…) is also decisive for, on the one hand, ensuring end-to-end visibility of the logistics value chain, and on the other, making certain predictive and prescriptive applications feasible, aimed at optimising inventory or maintaining the cold chain, among other options.

At Telefónica Tech IoT & Big Data we continue to deepen the concept of AI of Things by developing innovative solutions such as those briefly described in this article. The following articles in this series will provide a detailed description of each of these solutions at both a business and technical level.