Paul Moore

Paul Moore


Security consultant, researcher & CISO at Icebook.

Share


Twitter


Kervball: The Kerv ring data breach...

Here's what happened the day my Kerv arrived...

Paul MoorePaul Moore

Notice: This article is a work-in-progress and serves only to address questions from media outlets & Kerv customers.

On the morning of June 21st 2017, I received an email from an "anonymous" Kerv user... coincidentally the same day I received my Kerv ring.

Nothing unusual there, apart from the fact it contained my name, home address, phone number and memorable information. Oh dear...

As regular readers will know, I use 1Password to generate both passwords & memorable information; meaning a breach of such information doesn't adversely affect other accounts I hold elsewhere. As each entry is entirely unique, it's trivially easy to determine the author of this email really does have access to my Kerv account. It quickly became clear that this wasn't a breach in the typical sense... this "anonymous" person had inside information which wouldn't otherwise be available. In an act of either lunacy or clarity, he subsequently forwarded admin credentials to me from a Tor address; obviously unaware of my work deanonymizing Tor users. Not a smart move!

After logging in to my Kerv account, I was greeted with the usual user interface. This time however, I clearly had access to features which were only intended for Kerv employees. After a brief investigation, it became obvious I had full admin access to the site, shop & customer database.

Time to contact Kerv!

I initially tried the Kerv "lost & stolen" number from the site, but there was nobody immediately available for comment. Cue Twitter...

After a matter of minutes, Mr Phil Campbell (Director @ Kerv Wearables) emailed to request further information. After a lengthy telephone conversation, I advised Phil to immediately take the site offline until a review could be performed. Almost immediately, my access was revoked and at 2:15PM, the site was taken offline completely.

In the hours which followed, Phil and his team worked to identify the root cause and restore service to their customers.

More information to follow...

FAQ

Q) What can I do to protect myself?
A) Change your passwords and memorable information, immediately. Use a password manager to generate them both. Register with Noddle for free credit alerts/reports.

Q) How did Kerv handle the disclosure?
A) Phil/Kerv's response is a perfect example of how companies should handle data/security breaches.

Q) Do you have any other concerns, should I still use my Kerv?
A) I haven't spent much time with Kerv, having only received it yesterday and it being offline ever since. However, I have a number of concerns which I've raised with Phil. It wouldn't be appropriate to list them here, however I've every confidence that Kerv will resolve any outstanding issues. Nonetheless, I see no reason to abandon Kerv. Insider threats affect everyone; Kerv have taken (what I'd consider to be) reasonable & appropriate steps to mitigate the risks involved and have been open & honest in their responses.

Q) What information did you have access to?
A) I was added to the "customer services admin" group, allowing access to virtually every piece of customer data, excluding financial info.

Q) Do you have any further comments?
A) If & when I do, I'll update the article. If you're a news/media outlet looking for comment, please use the comments form below.

Paul Moore
Author

Paul Moore

Comments