Infosec Round-Up Oct 1st

Payment Flaw, Crypto Crackdown & NK Arrest

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Contactless Payment Flaw

Researchers have discovered an iPhone flaw which could allow payments of £1,000 to be made from a locked device.

Discovered by researchers from the Computer Science departments of Birmingham and Surrey Universities, the flaw pertains to Visa cards setup in ‘Express Transit’ mode within Apple Pay; Express Transit being a feature which enables commuters to make quick contactless payments without unlocking their phones.

Despite the exploit being demonstrated to BBC journalists, there is currently no evidence the flaw has been exploited by criminals.

With Visa responding that this type of attack was “impractical” outside of a lab, Dr Andreea Radu, of the University of Birmingham stated: “It has some technical complexity - but I feel the rewards from doing the attack are quite high”. Adding that if unaddressed "in a few years these [flaws] might become a real issue”.

China’s Crypto Crackdown

Continuing its crackdown on cryptocurrency, China’s central bank has announced that all transactions of crypto are illegal and that “virtual currency-related business activities are illegal”.

Warning that such transactions “seriously endanger the safety of people’s assets”, the trading of virtual currencies has been officially banned since 2019, though this announcement marks an escalation in the Chinese government’s crackdown.

In June of this year, the government told banks and other payment platforms to stop facilitating transactions, and banned the mining of such currencies, though this new announcement makes it clear that those involved are committing a crime and will be prosecuted.

Luisa Kinzius, a director at China-focussed consultancy Sinolytics, noted on the matter: “The announcement is also targeting any Chinese citizen working for crypto-related companies abroad, declaring their work as illegal and putting them at risk of being legally investigated.”

Adding, “China is very hesitant towards pure financial speculation due to financial stability concerns – and of course, cryptocurrency is very much driven by speculation.”

Ethereum Researcher Pleads Guilty

Virgil Griffin, a former special projects developer and researcher for the Ethereum Foundation, has this week pled guilty to charges of assisting North Korea in evading U.S sanctions.

Having travelled to North Korea in 2019 to attend the Pyongyang Blockchain and Cryptocurrency Conference, the crypto expert was arrested seven months later when re-entering the US for, what prosecutors describe as “[participating in] discussions regarding using cryptocurrency technologies to evade sanctions and launder money”.

Facing a maximum sentence of 20 years in prison, Griffin had been denied permission to travel to North Korea by the US Department of State and according to court documents, sought to obscure his activities from authorities.

U.S. Attorney Audrey Strauss stated on the case: “Griffin worked with others to provide cryptocurrency services to North Korea.” Adding, “In the process, Griffin jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.