On January 21st, just two days before the primary election, numerous New Hampshire voters received robocalls containing a recording of an AI-generated clone of President Biden’s voice.
“This coming Tuesday is the New Hampshire Presidential Preference Primary. Republicans have been trying to push nonpartisan and Democratic voters to participate in their primary. What a bunch of malarkey. We know the value of voting Democratic when our votes count. It’s important that you save your vote for the November election. We’ll need your help in electing Democrats up and down the ticket. Voting this Tuesday only enables the Republicans in their quest to elect Donald Trump again. Your vote makes a difference in November, not this Tuesday.”
This marked the first known widespread case of voter suppression using sophisticated text-to-speech technology. The pressing question now is: How do we catch the next AI-generated, nefarious robocall in real time before it reaches the public? Today, we are excited to announce a partnership with YouMail and the creation of the Election Communication Defense Grid (ECDG).
Understanding the Election Robocall Threat
This year, a total of 468 seats in the U.S. Congress (33 Senate seats and all 435 House seats) along with the Presidency are up for election. Politicians are employing a variety of tactics to reach their constituents, including door-to-door campaigning, social media, traditional media ads, and email campaigns. With the recent launch of Pindrop® Pulse™ Inspect, we’ve made available a forensic tool for media organizations, nonprofits, and governments to analyze and detect synthetically generated audio in digital media. The platform has already been used to identify and analyze several high-profile deepfakes, including a recent parody of Kamala Harris.
However, one critical area remained unaddressed: political robocalls. As we approach the November elections, voters’ voicemails are filled with these automated messages, where recordings of candidates discuss their platforms and encourage voter turnout. The challenge was clear: How do we get our technology into the hands of organizations that can flag political voicemails in real time to help protect consumers from AI-generated speech?
State-of-the-art detection meets carrier-grade distribution
Enter YouMail, the industry’s only call-sensor network that accurately detects robocalls in real time, enabling carriers to stop fraud, spam, and other malicious attacks from reaching consumers. YouMail’s sensor network monitors billions of real consumer calls across all major US carriers to detect threats accurately and immediately.
We began collaborating with YouMail’s engineering teams the day after detecting the TTS engine behind the Biden robocall. After seven months of collaboration and analyzing robocalls from over a thousand political candidates in 2024 (the incumbents and their key challengers), we are proud to officially announce our partnership with YouMail and the creation of the Election Communication Defense Grid (ECDG).
Now that YouMail has Pindrop® Pulse™ Inspect, our latest deepfake detection APIs, integrated into their robocall mitigation service, carriers who are using the YouMail Sensor Network can, in real time, block deepfaked political robocalls from originating or traversing their networks.
Learn more about our partnership at YouMail.com and ECDG.org.
Cloudflare, one of the larger content-delivery networks and DNS providers on the Internet, had a critical bug in one of its services that resulted in sensitive customer data such as cookies, authentication tokens, and encryption keys being leaked and cached by servers around the world.
The vulnerability was in an HTML parser that Cloudflare engineers had written several years ago but had recently replaced with a newer one. The company was migrating various services from the old parser, written using Ragel, to the new one, and a change made during that process is what caused the bug to activate and begin leaking memory with private information in it. The bug was active for several days, and Cloudflare said the most critical period was Feb. 13 to Feb. 18.
“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself,” John Graham-Cumming of Cloudflare said in a post-mortem on the response to the vulnerability.
Cloudflare has a massive and diverse customer base that includes companies such as Uber, Yelp, OkCupid, Medium, and 1Password. There is a running list being maintained of all of the known customers, including some that are known not to have been affected by the vulnerability. 1Password is among those who have said their data was unaffected.
The bug had a broad potential effect for Cloudflare’s customers, as well as for the company itself. Because of the way the company’s infrastructure is set up, a request to one Cloudflare site affected by the vulnerability could end up revealing private information from a separate site. Also, search engines routinely cache web content for faster serving, and some of the leaked private data from Cloudflare sites had been cached by Google and other engines.
“The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines,” Graham-Cumming said.
“We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”
Some of the sensitive data leaked by the vulnerability belonged to Cloudflare itself rather than its customers. Although no customer encryption keys were leaked, an SSL key Cloudflare used to encrypt connections between its own machines was, as were some other internal authentication secrets.
A researcher with Google’s Project Zero discovered the memory leak last week while doing unrelated research, and after confirming what he had found, reached out to Cloudflare’s security team immediately.
“It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output. My working theory was that this was related to their ‘ScrapeShield’ feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers,” researcher Tavis Ormandy of Google said in his initial analysis of the flaw.
“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users.”
Cloudflare implemented a partial fix for the memory leak within a few hours of Ormandy’s initial report and fully fixed it earlier this week.
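To illustrate the bug class described above (a parser cursor that runs past the end of its input on unbalanced markup, and a flaw that stays latent until the buffer layout changes), here is an added C example that is not Cloudflare's code. The toy scanner, its equality-based end test, the arena layout and all sample data are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* All data below is constructed. Each arena holds one request's page with
   unrelated data packed directly behind it, as in a shared proxy buffer. */
#define NEIGHBOUR "Cookie: sid=CONSTRUCTED"
#define UNBALANCED "<b>hi</b><a href="          /* input ends mid-tag */
#define BALANCED   "<a href=\"x\">ok</a>"
static const char ARENA_UNBALANCED[] = UNBALANCED NEIGHBOUR;
static const char ARENA_BALANCED[]   = BALANCED NEIGHBOUR;

/* Toy scanner: copies input to out and, after each '=', skips the quote it
   assumes follows. Returns how many emitted bytes came from beyond pe.
   `limit` only bounds this simulation; real code would keep reading. */
static size_t scan(const char *p, const char *pe, const char *limit,
                   char *out, int hardened)
{
    size_t n = 0, leaked = 0;
    while (p < limit) {
        /* Weak test: equality misses a cursor that jumped over pe. */
        if (hardened ? p >= pe : p == pe)
            break;
        if (p > pe)
            leaked++;
        out[n++] = *p;
        p += (*p == '=') ? 2 : 1;
    }
    out[n] = '\0';
    return leaked;
}

/* Scan only the first page_len bytes of an arena (the request's own page). */
static size_t leak_count(const char *arena, size_t page_len, int hardened,
                         char *out)
{
    return scan(arena, arena + page_len, arena + strlen(arena), out, hardened);
}

int main(void)
{
    char out[64];
    size_t n = leak_count(ARENA_UNBALANCED, sizeof(UNBALANCED) - 1, 0, out);
    printf("equality test, unbalanced page: %zu leaked -> %s\n", n, out);
    n = leak_count(ARENA_BALANCED, sizeof(BALANCED) - 1, 0, out);
    printf("equality test, balanced page:   %zu leaked -> %s\n", n, out);
    n = leak_count(ARENA_UNBALANCED, sizeof(UNBALANCED) - 1, 1, out);
    printf(">= test, unbalanced page:       %zu leaked -> %s\n", n, out);
    return 0;
}
```

The balanced-page run shows why such a flaw can sit unnoticed: the weak end test only fails when the input ends exactly where the scanner takes its two-byte step, so a change in how input is buffered can expose a bug that was always there.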
Image: Maarten Van Damme, CC By license.
Researchers have found that a vulnerability in Android that allows attackers to trick users into granting apps elevated privileges affects more devices than had originally been thought–nearly 96 percent of all Android devices.
The vulnerability is not a typical bug. It relies on some user interaction and lies in the way that Android allows apps to draw over one another. Using that ability, an attacker can overlay an app on top of the Accessibility Services app in Android and trick the user into making a series of clicks that grants the app a broad range of advanced permissions. The attack is a variety of the old clickjacking technique used in desktop browsers, and researchers at Skycure discovered that 95.4 percent of Android devices are vulnerable to a mobile clickjacking technique.
The researchers disclosed the original problem in March during the RSA Conference, but said Tuesday that they’ve now confirmed that it works on devices running Marshmallow, as well as older devices. The target of the attack is the Accessibility Services portion of Android, a feature of the OS that is designed to help users with disabilities interact with a device. Many of those services have very powerful permissions, and can take a variety of actions on behalf of the user.
https://youtu.be/4cSRq7_Z26s
“Recognizing this potential, starting with Lollipop (5.x), Google added additional protection to the final ‘OK’ button that would grant these accessibility permissions. In other words, Android programmers wanted to make sure that if a user was going to turn on Accessibility Services, the OK button could not be covered by an overlay, and the user would be sure to know what they are allowing,” Yair Amit, CTO of Skycure wrote in a post explaining the issue.
However, Skycure found that by overlaying another app on top of the Accessibility Services screen–a behavior that is part of Android’s design–an attacker could guide a victim through the process of granting the malicious app high privileges by clicking on various parts of the app. Those clicks go through the overlaid app and press the OK button in the Accessibility Services app.
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more,” Amit said in the original post on the issue.
Skycure disclosed the vulnerability to Google, which controls the Android code base, before its initial public discussion of it in March, but the company is not going to fix it.
“Skycure takes pride in abiding by vendor’s responsible disclosure policy. Per that policy, we notified Google of this issue in March 2016. Following our correspondence with the Google Android Security team, they have decided not to fix this issue and accept this risk as a consequence of its current design,” Amit said.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a small business owner running a website through a popular hosting site. You have purchased the unique URL that fits your company, and you set up your website. You muddle your way through figure out SEO, m
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?
- Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location through Caller ID spoofing
- Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, to initiate account takeovers
- Impersonation – By falsely implying that they are associated with Google, scammers gain your trust and/or intimidate you with their importance
Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams affecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.