RISKS-LIST: Risks-Forum Digest Saturday 1 July 2023 Volume 33 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.74>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Android 13 "Emergency SOS" Implementations Leading to Problems
Peter Bernard Ladkin)
UK police blame Android SOS feature for influx of false
emergency calls (The Verge)
FAA lifts ground stop at DC-area airports after pausing
departures for repairs at air traffic control facility (CNN)
Researchers Find Way to Recover Cryptographic Keys
by Analyzing LED Flickers (NIST)
The cleaner did it: an uncool act. (Times Union)
Single points of failure and the repercussions of
"silencing the alarm" (CNN)
How Do Kwon, a Crypto Fugitive, Upended the Politics
of Montenegro (*The New York Times*)
Petro-Canada payment problems continue, but company says it's 'making
progress' on fix (CBC)
$118K water bill has name of woman who died in 2007 on
it; water company wants new owner to pay it (WSBTV)
Cyberstalkers shielded by SCOTUS ruling on speech and
online threats (Ars Technica)
Barred from Grocery Stores by Facial Recognition (NYTimes)
Indigo lost $50M last year, in large part due to February 2023 cyberattack
(CBC)
Europe Opens AI 'Crash Test' Centers (ACM TechNews)
AI's Use in Elections Sets Off a Scramble for Guardrails (NYTimes)
How Secure Are Voice Authentication Systems? (U.Waterloo)
LastPass users furious after being locked out due to MFA resets
(BleepingComputer)
"The EU AI Act: A Critical Assessment" (Lauren Weinstein)
OpenAI, maker of ChatGPT, hit with proposed class-action
lawsuit alleging it stole people's data (CNN)
Re: Is America Ready For AI-Powered Politics? (Martin Ward)
Re: The people paid to train AI are outsourcing their work ... to
... to AI (Steve Bacher)
Re: Do chatbot avatars prompt bias in health care?
(Arthur Flatau)
Re: Is America Ready For AI-Powered Politics? (David Alexander)
Re: Tesla leak reportedly shows thousands of Full Self-Driving, safety
complaints (Martin Ward)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Jun 2023 09:35:34 +0200
From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@techfak.de>
Subject: Android 13 "Emergency SOS" Implementations Leading to Problems

Apparently an Android OS update from Autumn 2022, offers an "Emergency SOS"
function, whereby, when a particular key combination (one or more keys) is
pressed 5 times, the emergency-services telephone number is called.

Apparently not every manufacturer of Android-based phones has implemented
this function appropriately. There is an article in my local newspaper, the
Neue Westfalische Zeitung, today 2023-06-30, about "ghost calls" causing
problems for the emergency services. The problem is not uniform. In my
district of Bielefeld, with about 334,000 inhabitants, there are about 45
(more) such calls a day, and in May there were about 1,500 more calls than
usual. In the district of Paderborn, just south of us, with about 306,000
inhabitants, there are about 100 (more) such calls a day.

Each such call must be followed. First, the emergency responder calls the
number back. If someone answers, the matter is quickly settled but this
still takes time. If no one answers, the assumption is that the caller is
unable to respond, which can mean a medical emergency with the caller
unconscious; that entails that people and vehicles are sent. There aren't
the personnel to cope with this everywhere all the time.

The problem is apparently known, both by Google and by suppliers of Android
phones. And it can be sorted. The issue then is that not all Android phones
are automatically SW-updated; the users themselves in these cases must
initiate an update and most people don't know about the problem (and some
may not even care :-( ).

------------------------------

Date: Mon, 26 Jun 2023 15:32:19 -0400
From: Monty Solomon <monty@roscom.com>
Subject: UK police blame Android SOS feature for influx of false
emergency calls (The Verge)

https://www.theverge.com/2023/6/26/23773733/android-sos-emergency-call-uk-999-first-responder-google

------------------------------

Date: Mon, 26 Jun 2023 15:46:18 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: FAA lifts ground stop at DC-area airports after pausing
departures for repairs at air traffic control facility (CNN)

Flights to DC-area airports are able to resume after the Federal Aviation
Administration lifted a ground stop made earlier Sunday evening due to
equipment problems at an air traffic control facility in Virginia.

The agency had paused departures to Reagan National, Washington Dulles
International and Richmond International airports in Virginia as well as
Baltimore Washington International in Maryland while repairs were made at
the Potomac Terminal Radar Approach Control facility, according to the FAA’s
Twitter.

------------------------------

Date: Wed, 28 Jun 2023 19:03:03 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Researchers Find Way to Recover Cryptographic Keys
by Analyzing LED Flickers (NIST)

In what's an ingenious side-channel attack
<https://csrc.nist.gov/glossary/term/side_channel_attack>, a group of
academics has found that it's possible to recover secret keys from a device
by analyzing video footage of its power LED.

``Cryptographic computations performed by the CPU change the power
consumption of the device which affects the brightness of the device's power
LED,'' researchers from the Ben-Gurion University of the Negev and Cornell
University said <https://www.nassiben.com/video-based-crypta> in a study.

By taking advantage of this observation, it's possible for threat actors to
leverage video camera devices such as an iPhone 13 or an Internet-connected
surveillance camera to extract the cryptographic keys from a smart card
reader.

Specifically, video-based cryptanalysis is accomplished by obtaining video
footage of rapid changes in an LED's brightness and exploiting the video
camera's rolling shutter <https://en.wikipedia.org/wiki/Rolling_shutter>
effect to capture the physical emanations.

"This is caused by the fact that the power LED is connected directly to the
power line of the electrical circuit which lacks effective means (e.g.,
filters, voltage stabilizers) of decoupling the correlation with the power
consumption," the researchers said.

In a simulated test <https://eprint.iacr.org/2023/923>, it was found that
the method allowed for the recovery of a 256-bit ECDSA key from a smart
card by analyzing video footage of the power LED flickers via a hijacked
Internet-connected security camera.

------------------------------

Date: Wed, 28 Jun 2023 17:45:58 +0200
From: Peter Houppermans <peter@houppermans.net>
Subject: The cleaner did it: an uncool act. (Times Union)

https://www.timesunion.com/news/article/rpi-sues-cleaner-s-gaff-allegedly-=
destroyed-18164979.php

TROY -- A custodial worker switched off a super-cold freezer in = a
Rensselaer Polytechnic Institute lab -- destroying decades of = scientific
research and causing a least $1 million in damage, according = to a lawsuit
filed by the university against the outside firm that employed the cleaner.

------------------------------

Date: Tue, 27 Jun 2023 07:37:46 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: Single points of failure and the repercussions of
"silencing the alarm" (CNN)

Single points of failure are a risk. Alarms and error messages are a
nuisance. Having only a single set of samples and someone clearing the alarm
without resolving the underlying condition has consequences.

As reported in the CNN article, a lawsuit has been filed by Rensselaer
Polytechnic against a janitorial services contractor concerning a power down
event involving a laboratory freezer.

A laboratory freezer storing biological samples at Rensselaer Polytechnic
was in need of service. Service had been called. Notices were put on the
unit that it was awaiting service and that the unit should not be unplugged,
but the alarm could be temporarily cleared by pressing the TEST button. A
janitor heard the alarms and instead of following the instructions, flipped
the circuit breaker. The temperature went from the programmed -80 C to -32
C, irreparably damaging samples comprising 20 years of research.

https://www.cnn.com/2023/06/27/us/janitor-alarm-freezer-rensselaer-polytechnic-lawsuit-new-york/index.html

------------------------------

Date: Sun, 25 Jun 2023 20:22:53 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How Do Kwon, a Crypto Fugitive, Upended the Politics
of Montenegro (*The New York Times*)

Only days before an election in Montenegro, a letter from Do Kwon, the
fugitive founder of the Luna digital coin, claimed that crypto “friends” had
provided campaign funding to a leading candidate.