Day: February 20, 2020

Boston’s plans to harden its waterfront against the perils of climate change—storm surge, flooding, and sea level rise—seem like an all-around win. The only way to keep a higher, more turbulent Atlantic out of South Boston and Charlestown is to build parks, bike paths, gardens, and landscaped berms with waterfront views. These are all things that make a greener, more walkable, more livable city. If this is adaptation to a warmer world, bring it on.

Except geographers and community activists are getting more and more worried about how cities choose which improvements to build, and where. They’re noticing that when poorer neighborhoods get water-absorbing green space, storm-surge-proof seawalls, and elevated buildings, all of a sudden they aren’t so poor anymore. The people who lived there—who would’ve borne the brunt of whatever disasters a changing climate will bring—get pushed out in favor of new housing built to sell at or above market rates to people with enough money to buy not just safety but a beautiful new waterfront. In real estate lingo, “adaptations” are also “amenities,” and the pursuit of those amenities ends up displacing poor people and people of color. The phenomenon has a name: green gentrification.

Fighting climate disasters is a good idea for the planet, but can have unintended consequences for neighborhoods. “In order to construct a green, resilient park or shoreline, we get rid of lower-income housing … and behind it or next to it, you’ll have higher-income housing being built,” says Isabelle Anguelovski, an urban geographer at the Autonomous University of Barcelona who co-wrote an article about green gentrification in December’s PNAS. It can get even worse, she says. Hardening one neighborhood so that water can’t flow inland there means the water goes somewhere else. “The flooding and storm events go into the basements of the public housing next door,” she says.

That’s double jeopardy. And it turns into triple jeopardy, thanks to economics. New amenities plus new luxury housing drive up local housing prices, which drive out working-class and poorer residents. “The question is not only what Boston is facing, which is middle-class gentrifiers with a slightly higher income and education. It’s über-rich people who end up taking over cities until they are unable to fulfill their direct functions,” Anguelovski says. The gentrification wave is its own kind of economic apocalypse. If it hits, none of the people who make a city work—teachers, police officers, health care workers, bus drivers—can afford to live there. “Or it becomes so important from an economic standpoint, so desirable and hardened with infrastructure that entire buildings are empty—purchased by real estate funds or individuals from the Middle East or Russia,” Anguelovski says.

The problem that cities face is the difference between physics and real estate. Climate change happens on the scale of decades or centuries; real estate development and politics happen on fiscal and electoral timescales. “I get it. Green space is great, and while it may not be much of an improvement in terms of climate adaptation, it’s good for people’s well-being and quality of life,” says Ken Gould, an environmental sociologist at Brooklyn College and coauthor of Green Gentrification: Urban Sustainability and the Struggle for Environmental Justice. “Does it sequester much carbon? Not really. It’s fine. But you have to manage the real estate markets, because markets left to themselves, when you put in an amenity, are going to generate development.”

It’s not just Boston. In Philadelphia, Anguelovski and her team studied a program to build flood-fighting infrastructure like parkland, green roofs, and curbside swales to absorb rainwater before it hit sewers. This, too, was an engine of gentrification. “What you see on the maps is that the areas that gained the greatest amount of green resilient infrastructure are also those that became the most gentrified,” Anguelovski says. “And the areas that blacks and Latinos have had to move to between 2000 and 2016 have been the areas that got the least infrastructure.” In Brooklyn’s diverse Sunset Park neighborhood, residents and interest groups are arguing over a rezoning proposal that’d be favorable to green businesses and harden the waterfront. They fear it’d also force out the ethnically diverse, working-class group of people who live there.

Bluetooth is used in everything from speakers to implanted pacemakers, which means that Bluetooth-related vulnerabilities can affect a dizzying array of devices. In the latest instance, a newly discovered round of 12 Bluetooth bugs potentially exposes more than 480 devices to attack, including fitness trackers, smart locks, and dozens of medical tools and implants.

Researchers from Singapore University of Technology and Design began developing techniques for analyzing Wi-Fi security in January 2019, and later realized they could apply those same methods to assess Bluetooth as well. By September they had found their first bug in certain implementations of Bluetooth Low Energy, the version of the protocol designed for devices with limited resources and power. Within weeks, they had found 11 more.

Collectively dubbed “SweynTooth,” the flaws exist not in BLE itself, but in the BLE software development kits that come with seven “system on a chip” products—microchips that integrate all of a computer’s components in one place. IoT manufacturers often turn to off-the-shelf SoCs to develop new products quickly. That also means, though, that SoC implementation flaws can propagate across a wide variety of devices.

The SweynTooth bugs can’t be exploited over the internet, but a hacker within radio range could launch attacks to crash targeted devices entirely, disable their BLE connection until a restart, or in some cases even bypass BLE’s secure pairing mode to take them over. In addition to all manner of smart home and enterprise devices, the list includes pacemakers, blood glucose monitors, and more.

As problematic as the vulnerabilities could be in smart home devices or office equipment, the stakes are clearly higher in the medical context. The researchers did not develop proof of concept attacks against any of the potentially vulnerable medical devices, but the relevant SoCs contain bugs that could be used to crash the communication functions or the whole device. Manufacturers will need to individually test each of their products that rely on a vulnerable SoC to determine which attacks would be feasible in practice and what patches are necessary. And the researchers note that it’s important for manufacturers to consider how an attacker could chain the SweynTooth vulnerabilities with other possible remote access attacks to cause even greater harm.

Any device that wants to advertise Bluetooth as a feature and use the Bluetooth logo goes through a certification process to ensure interoperability across devices. In this case, though, the SoC manufacturers missed some basic security red flags.

“We were quite surprised to find these kinds of really bad issues in prominent vendors,” says Sudipta Chattopadhyay, an embedded systems researcher who oversaw the work. “We developed a system that found these bugs automatically. With a little bit more security testing they could have found it as well.”

The Bluetooth Special Interest Group, which oversees development of the Bluetooth and BLE standards, did not a return a request from WIRED for comment about the findings. Bluetooth and BLE implementation issues are common, though, partly because the Bluetooth and BLE standards are massive and complex.

“Some of the vendors we contacted originally the engineers said, ‘well, the reason you’re getting these issues is that you’re putting in values that are not expected, not within the specification,” Chattopadhyay says. “But you can’t only be testing for a benign environment. We’re talking about an attacker here. He doesn’t care about what’s expected.”

The researchers notified seven SoC makers about the vulnerabilities. Texas Instruments, NXP, Cypress, and Telink Semiconductor have all released patches already. Dialog Semiconductors has released updates for one of its SoC models, but has more coming for other models in a few weeks. STMicroelectronics recently confirmed the researchers’ findings but has not developed patches yet, and Microchip does not currently seem to have patches in the works. Even when the SoCs release updates to their BLE software development kits to plug the holes, though, the challenge is that each individual manufacturer that uses any of the seven affected SoCs still needs to take those patches, adapt them to their particular products, and convince customers to install them.

The nation’s largest financial data broker, Yodlee, holds extensive and supposedly anonymized banking and credit card transaction histories on millions of Americans. Internal documents obtained by Motherboard, however, appear to indicate that Yodlee clients could potentially de-anonymize those records by simply downloading a giant text file and poking around in it for a while.

According to Motherboard, the 2019 document explains how Yodlee obtains transaction data from partners like banks and credit card companies and what data is collected. That includes a unique identifier associated with the bank or credit card holder, amounts of transactions, dates of sale, which business the transaction was processed at, and bits of metadata, Motherboard wrote; it also includes data relating to purchases involving multiple retailers, such as a restaurant order through a delivery app. The document states that Yodlee is giving clients access to this data in the form of a large text file rather than a Yodlee-run interface.

The document also shows how Yodlee performs “data cleaning” on that text file, which means obfuscating patterns like “account numbers, phone numbers, and SSNs by redacting them with the letters “XXX,” Motherboard wrote. It also scrubs some payroll and financial transfer data, as well as the names of the banking and credit card companies involved.

But this process leaves the unique identifiers, which are shared across each entry associated with a particular account, intact. Research has repeatedly shown that taking supposedly anonymized data and reverse-engineering it to identify individuals within can be a trivial undertaking, even when no information is shared across records.

Experts told Motherboard that anyone with malicious intent would just need to verify a purchase was made by a specific individual and they might gain access to all other transactions using the same identifier.

With location and time data on just three to four purchases, an “attacker can unmask the person with a very high probability,” Rutgers University associate professor Vivek Singh told the site. “With this unmasking, the attacker would have access to all the other transactions made by that individual.”

Imperial College of London assistant professor Yves-Alexandre de Montjoye, who worked with Singh on a 2015 study that identified shoppers from metadata, wrote to Motherboard this process appeared to leave the data only “pseudonymized” and that “someone with access to the dataset and some information about you, e.g. shops you’ve been buying from and when, might be able to identify you.”

Yodlee and its owner, Envestnet, is facing serious heat from Congress. Democratic Senators Ron Wyden and Sherrod Brown, as well as Representative Anna Eshoo, recently sent a letter to the Federal Trade Commission asking for it to investigate whether the sale of this kind of financial data violates federal law.

“Envestnet claims that consumers’ privacy is protected because it anonymizes their personal financial data,” the congresspeople wrote. “But for years researchers have been able to re-identify the individuals to whom the purportedly anonymized data belongs with just three or four pieces of information.”

“Consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them,” they added, telling the FTC that their concerns include that Envestnet doesn’t appear to enforce any policies requiring banks and credit card companies inform customers this is happening. (As Motherboard noted, Yodlee admitted it doesn’t audit client use of data in Securities and Exchange Commission filings in 2015.

In a lengthy statement to Motherboard, Yodlee defended its practices, said it complied with the all applicable laws, and wrote it “imposes technical, administrative, and contractual measures to protect consumers’ identities, such as prohibiting analytics and insights users from attempting to re-identify any consumer from the data.” It also cited “leading privacy experts” as agreeing “Envestnet | Yodlee data analytics meet or exceed leading industry standards of de-identification processing.”