1 00:00:00,415 --> 00:00:04,105 Cybersecurity today, we'd like to thank Meter for their support in bringing you. 2 00:00:04,105 --> 00:00:08,875 This podcast Meter delivers a complete networking stack, wired, wireless and 3 00:00:08,875 --> 00:00:13,945 cellular in one integrated solution that's built for performance and scale. 4 00:00:14,155 --> 00:00:17,785 You can find them at meter.com/cst. 5 00:00:19,330 --> 00:00:24,850 An info Steeler grabs open claws, soul tokens, keys, 6 00:00:25,030 --> 00:00:27,430 and your entire digital life. 7 00:00:27,790 --> 00:00:31,300 A hobby coder accidentally builds a robot vacuum. 8 00:00:31,300 --> 00:00:31,720 Army. 9 00:00:32,290 --> 00:00:34,510 Best Buy cases show why Zero. 10 00:00:34,510 --> 00:00:37,330 Trust is about behavior, not just rules. 11 00:00:37,510 --> 00:00:38,950 And Canada Goose breach. 12 00:00:38,950 --> 00:00:42,490 That wasn't when your supplier gets hacked instead. 13 00:00:44,270 --> 00:00:46,340 This is Cybersecurity today. 14 00:00:46,730 --> 00:00:48,410 I'm your host, Jim Love. 15 00:00:50,000 --> 00:00:54,710 We've warned before about OpenClaw's security weaknesses, but Hudson Rock, 16 00:00:54,770 --> 00:00:59,840 a cybersecurity firm that tracks info stealer malware, now has documented 17 00:00:59,840 --> 00:01:05,150 exactly what one of those attacks looks like in the real world, and it builds 18 00:01:05,150 --> 00:01:07,350 layer by layer into something that is. 19 00:01:07,835 --> 00:01:09,425 Actually quite frightening. 20 00:01:10,115 --> 00:01:14,705 An info stealer is a malware that quietly vacuums up sensitive data 21 00:01:14,825 --> 00:01:18,815 from your computer and sends it to attackers, and you probably never 22 00:01:18,815 --> 00:01:24,215 know it happened, but in this case, a standard file grabbing routine swept up. 23 00:01:24,445 --> 00:01:28,015 Everything in the victim's OpenClaw directory. 24 00:01:28,405 --> 00:01:33,115 First, it grabbed tokens, authentication credentials that give whoever 25 00:01:33,115 --> 00:01:35,245 holds them access to everything. 26 00:01:35,245 --> 00:01:38,755 The user can access a master key that's bad enough on its own. 27 00:01:40,500 --> 00:01:44,700 Then it grabbed the device's, private cryptographic keys. 28 00:01:44,970 --> 00:01:48,390 The keys used to sign and verify that communications are 29 00:01:48,390 --> 00:01:50,850 genuinely coming from your device. 30 00:01:50,910 --> 00:01:55,230 With those, an attacker can obviously impersonate your device, completely 31 00:01:55,440 --> 00:02:00,750 bypassing security checks and potentially accessing encrypted logs and even paired 32 00:02:00,750 --> 00:02:05,220 cloud services, the digital equivalent of stealing your identity at the hardware 33 00:02:05,220 --> 00:02:08,040 level, but then came the Cuda gra. 34 00:02:09,055 --> 00:02:14,395 Open claw agents are built around files called soul.md. 35 00:02:14,395 --> 00:02:14,785 Yeah. 36 00:02:15,085 --> 00:02:18,865 That's the actual name which defines the agent's personality. 37 00:02:18,985 --> 00:02:23,395 Its behavioral rules, what access it has in your life and 38 00:02:23,395 --> 00:02:24,775 to the events in your life. 39 00:02:25,015 --> 00:02:28,855 Calendar events, private messages, daily activity logs. 40 00:02:29,065 --> 00:02:33,385 The attacker doesn't just get your credentials as Hudson Rock put it. 41 00:02:33,775 --> 00:02:35,725 They get a mirror of your life. 42 00:02:36,325 --> 00:02:39,565 And here's what should concern everyone in security. 43 00:02:40,075 --> 00:02:46,165 This wasn't even a targeted attack, just a broad malware sweeping for anything 44 00:02:46,165 --> 00:02:51,595 sensitive that happened to hit the jackpot with a poorly designed piece of software. 45 00:02:52,165 --> 00:02:56,125 Hudson Rock is now warning that dedicated open claw modules malware 46 00:02:56,125 --> 00:02:58,045 built specifically to hunt and parse. 47 00:02:58,045 --> 00:03:02,905 These files are almost certainly on their way, just as we already 48 00:03:02,905 --> 00:03:06,055 have specialized Steelers for Chrome and Telegram and others. 49 00:03:07,330 --> 00:03:10,870 If you're running open claw, this is another reason to take a hard look at 50 00:03:10,870 --> 00:03:15,970 what you've given your agent access to because apparently so are the criminals. 51 00:03:17,575 --> 00:03:23,275 A hobbyist coder wanted to drive his robot vacuum with a PlayStation controller. 52 00:03:23,575 --> 00:03:24,115 Why? 53 00:03:24,520 --> 00:03:32,080 Who knows, but what he accidentally did was build an army of robot vacuums. 54 00:03:32,470 --> 00:03:38,170 Sammy Azdoufal, had just bought a DJI Romo and thought it would 55 00:03:38,170 --> 00:03:40,150 be fun to control it manually. 56 00:03:40,450 --> 00:03:44,680 So he used an AI coding tool to reverse engineer the devices communication 57 00:03:44,680 --> 00:03:46,780 protocols, and he built his own app. 58 00:03:47,210 --> 00:03:54,080 And when he connected to DJI servers, roughly 7,000 robot vacuums across 59 00:03:54,080 --> 00:03:57,320 24 countries started answering. 60 00:03:57,890 --> 00:04:02,660 He found he could watch live camera feeds inside stranger's homes listed 61 00:04:02,660 --> 00:04:07,655 through onboard microphones, generate accurate floor plans using just a fort. 62 00:04:07,980 --> 00:04:09,570 14 digit serial number. 63 00:04:09,630 --> 00:04:14,370 He pinpointed a journalist's robot vacuum, confirmed it was cleaning the living 64 00:04:14,370 --> 00:04:19,380 room at 80% battery and produced a map of their house from another country. 65 00:04:20,890 --> 00:04:24,310 The technical failure was almost embarrassingly basic. 66 00:04:24,760 --> 00:04:28,900 DJI systems had no access controls at the messaging level. 67 00:04:29,170 --> 00:04:32,230 Authenticate with one device token, and you could see traffic from 68 00:04:32,230 --> 00:04:35,500 every other device in plain text. 69 00:04:35,620 --> 00:04:40,420 It wasn't just vacuums, DJ's, portable home battery stations run on the same 70 00:04:40,420 --> 00:04:43,000 infrastructure and they showed up too. 71 00:04:43,990 --> 00:04:47,440 DJI initially told journalists the flaw had been fixed. 72 00:04:47,740 --> 00:04:51,760 That statement arrived about 30 minutes before  Azdoufal, demonstrated. 73 00:04:51,760 --> 00:04:54,670 Thousands of robots including the journalists' own device, 74 00:04:54,670 --> 00:04:56,665 still reporting in live. 75 00:04:58,135 --> 00:05:01,165 Now, this isn't the first vacuum hack. 76 00:05:01,165 --> 00:05:07,045 In 2024, hackers took over ecova vacuums across US cities, shouting slurs 77 00:05:07,045 --> 00:05:09,145 through the speakers, and chasing pets. 78 00:05:09,355 --> 00:05:13,465 Security testing of six vacuum brands last year found serious 79 00:05:13,465 --> 00:05:15,505 flaws in three Chinese models. 80 00:05:16,105 --> 00:05:20,995 More and more connected devices show little evidence of security 81 00:05:20,995 --> 00:05:24,715 being considered until somebody out there discovers the weakness, 82 00:05:24,815 --> 00:05:28,295 and with the number of devices we have, cameras, doorbells, home 83 00:05:28,295 --> 00:05:30,485 battery systems, and now vacuums. 84 00:05:30,635 --> 00:05:33,245 Well, that just sucks. 85 00:05:34,714 --> 00:05:37,534 There's a story coming out of Florida where police say, A Best Buy employee 86 00:05:37,534 --> 00:05:39,094 used a manager's override code. 87 00:05:39,379 --> 00:05:44,899 Which he was entitled to do, but he did it 149 times to buy high-end 88 00:05:44,899 --> 00:05:50,779 electronics, including MacBook Pros at discounts as steep as 99%. 89 00:05:51,559 --> 00:05:55,939 The alleged scheme ran from March to December, 2024 and cost the 90 00:05:55,939 --> 00:06:02,029 store roughly $120,000 before it was uncovered, and investigators traced 91 00:06:02,029 --> 00:06:06,289 the fraud not because of a security breach warning, but after discounted 92 00:06:06,289 --> 00:06:09,319 merchandise began appearing in pawn shops. 93 00:06:09,649 --> 00:06:10,189 Think about it. 94 00:06:10,729 --> 00:06:14,539 One employee using high privileged override credentials nearly 95 00:06:14,539 --> 00:06:17,149 150 times over nine months. 96 00:06:17,449 --> 00:06:19,549 That's not damaged box discounts. 97 00:06:19,549 --> 00:06:25,249 That's a pattern, and the fact that it went unnoticed for so long just simply 98 00:06:25,249 --> 00:06:26,904 encouraged more of that behavior. 99 00:06:28,339 --> 00:06:32,779 There's another case that we found as well in the same story, a Georgia case, another 100 00:06:32,779 --> 00:06:38,089 Best Buy employee was arrested after more than $40,000 in merchandise, allegedly 101 00:06:38,089 --> 00:06:40,639 walked out of the store over two weeks. 102 00:06:40,969 --> 00:06:45,289 Police reports say that he initially told investigators he was being blackmailed 103 00:06:45,439 --> 00:06:49,549 by a hacker group, threatening to release intimate images unless he 104 00:06:49,549 --> 00:06:53,869 cooperated, though he later disputed parts of that account in interviews. 105 00:06:54,379 --> 00:06:54,709 But. 106 00:06:55,104 --> 00:07:00,024 Two different stories, same underlying lesson, and we all know it. 107 00:07:00,144 --> 00:07:03,744 Security isn't just about whether credentials work. 108 00:07:04,044 --> 00:07:08,124 It's about whether the behavior makes sense in context. 109 00:07:08,874 --> 00:07:12,504 Just because the device or the login is validated. 110 00:07:12,714 --> 00:07:16,764 We should still be asking should this action be happening. 111 00:07:16,914 --> 00:07:20,694 This often under these circumstances by this person. 112 00:07:21,534 --> 00:07:23,484 In both cases, the systems allowed it. 113 00:07:23,934 --> 00:07:26,994 What failed though, was the contextual oversight. 114 00:07:28,000 --> 00:07:32,680 As we put our controls together and we tend to focus outward or on absolute 115 00:07:32,680 --> 00:07:34,855 controls, it's something to think about. 116 00:07:36,690 --> 00:07:40,920 Shiny hunters is back with another data dump, and this time it's Canada Goose, 117 00:07:40,920 --> 00:07:46,350 a Canadian clothing company that had 600,000 customer records, including 118 00:07:46,350 --> 00:07:51,450 names, addresses, order histories, and partial payment card information leaked. 119 00:07:52,260 --> 00:07:53,730 But here's where it gets interesting. 120 00:07:54,330 --> 00:07:57,990 Canada Goose was investigating and said they could find no evidence 121 00:07:57,990 --> 00:08:00,120 of a breach on their own systems. 122 00:08:00,480 --> 00:08:05,190 And then according to bleeping computer, when they were asked directly 123 00:08:05,280 --> 00:08:09,300 shiny hunters told them the data didn't come from Canada Goose at all. 124 00:08:09,570 --> 00:08:12,960 It came from a third party payment processor and a breach 125 00:08:12,960 --> 00:08:15,390 dating back to August, 2025. 126 00:08:16,290 --> 00:08:19,560 When you look at it, the structure of the leaked records backs that up. 127 00:08:19,620 --> 00:08:23,610 Security researchers noted that the dataset, schema, field names like 128 00:08:23,610 --> 00:08:30,210 checkout id, shipping lines, cart token, closely resemble e-commerce 129 00:08:30,210 --> 00:08:35,220 checkout exports from hosted storefront and payment processing platforms. 130 00:08:35,670 --> 00:08:39,330 So if you're Canada Goose, you just found out your customer data was leaked, 131 00:08:39,510 --> 00:08:41,100 but you had nothing to do with it. 132 00:08:41,100 --> 00:08:45,030 You weren't breached, your security held, but your customer's information 133 00:08:45,030 --> 00:08:49,410 is out there anyway because somebody in your supply chain didn't measure up. 134 00:08:50,805 --> 00:08:55,425 And if you're in payment processing or e-commerce platform operations, 135 00:08:55,845 --> 00:08:59,085 this should get your attention because you might be using one of the same 136 00:08:59,085 --> 00:09:02,985 suppliers or service providers as Canada Goose, and you may wanna find 137 00:09:02,985 --> 00:09:07,080 out where that breach actually happened and whether you were part of it. 138 00:09:08,190 --> 00:09:09,930 The data, thankfully, is old. 139 00:09:09,930 --> 00:09:16,080 Most of it dates back to 2021 to 2023, but old data still enables phishing, fraud 140 00:09:16,080 --> 00:09:20,880 and identity theft just with a little less urgency than fresh information. 141 00:09:22,530 --> 00:09:25,170 once again, third party breaches are becoming part of 142 00:09:25,170 --> 00:09:27,120 a pattern, not the exception. 143 00:09:28,215 --> 00:09:29,265 And that's our show. 144 00:09:29,595 --> 00:09:31,785 We'd like to thank Meter for their support in bringing you. 145 00:09:31,785 --> 00:09:35,355 The podcast Meter delivers full stack networking infrastructure, 146 00:09:35,355 --> 00:09:38,925 wired, wireless, and cellular to leading enterprises. 147 00:09:39,255 --> 00:09:42,405 Working with their partners meter designs, deploys and manages 148 00:09:42,675 --> 00:09:47,595 everything required to get performant, reliable and secure connectivity in 149 00:09:47,595 --> 00:09:49,755 a space they design the hardware. 150 00:09:49,760 --> 00:09:51,950 The firmware, they build the software. 151 00:09:51,950 --> 00:09:54,260 They manage deployments, they run support. 152 00:09:54,500 --> 00:09:55,340 They do it all. 153 00:09:55,430 --> 00:09:58,970 It's a single integrated solution that scales from branch offices, 154 00:09:59,180 --> 00:10:03,110 warehouses, and large campuses, all the way to data centers. 155 00:10:03,620 --> 00:10:06,950 Book a demo at meter.com/cst. 156 00:10:07,160 --> 00:10:11,090 That's METE r.com/cst. 157 00:10:12,470 --> 00:10:13,490 I'm your host, Jim Love. 158 00:10:14,300 --> 00:10:15,200 Thanks for listening.