It is well known that Yahoo has provided both free and paid email services to millions of users since the infancy of the public internet. In addition, Yahoo has been providing email services to other companies such as AT&T for several years. Yahoo was recently merged with AOL by Verizon to create a multimedia giant with a mission to reach 2 billion users.
In August 2016, Yahoo disclosed to the public that it had recently become aware that its email systems' security had been breached in 2014, a breach that was not discovered until 2016. To remedy the exposure, Yahoo advised email account clients to change their account passwords.
“Simply changing a password is not a solution”
Bear in mind that two years of undetected and unmitigated intrusion is a large window of opportunity for criminal activity to have occurred. Exacerbating the situation is the fact that theft of potentially millions of email account credentials and clients’ personal information had occurred early on. Such an unfortunate event holds potential for disaster on a grand scale. Since the disclosure of the breach, Verizon has gone from being silent to asking for a 1 billion dollar price reduction and now threatening termination of the deal.
MORE THAN MEETS THE EYE
What is not well known is that Yahoo is not just a catalog search engine with news and email. What you may not know about Yahoo:
• Primary source of income is advertising impressions, not search engine results
• Owns more than 1,700 patents (some say as many as 6,000)
• Sells enterprise data management services including proprietary storage and retrieval solutions
• Research and development business unit:
  o Artificial intelligence
  o Open source code development
WHAT HAS NOT BEEN SAID
Yahoo!’s public disclosures to date concerning the email breach failed to mention that it had loss exposure to the IoT (Internet of Things). Unmentioned was the fact that it entered the SmartTV platform development market in 2006 and exited in 2015. Partnerships were developed with major TV manufacturers such as VIZIO, SAMSUNG, SONY, LG and others. It developed an open source operating system based on the free Debian operating system and made it available on GitHub, along with open source code that anyone can use to develop TV apps that work on its ConnectedTV platform.
In 2013 it claimed to have over 8 million TV operating systems connected. There is no accurate information available to determine how many more came online between then and now; however, to give some perspective, just one manufacturer, VIZIO, has been manufacturing more than half a million SmartTVs per quarter for years. I believe it is safe to say that there could be more than 50 million TVs on the street boasting a Yahoo operating system. Despite having abandoned the market, Yahoo maintains the ConnectedTV development business unit, including the free Debian connected TV operating system, open source development code and a ConnectedTV developer forum.
Chances are that all of those connected TVs continue to communicate with Yahoo systems on the back end. You see, in order to get TV manufacturer OS updates and content through branded apps such as Netflix, YouTube, YahooNews and many others, there has to be a Yahoo email account in place. In other words, the TV OS connects to Yahoo servers by having the owner create a Yahoo email account with credentials so the OS can log in to Yahoo after it has been connected to the owner’s home network.
In 2013, Yahoo purchased an artificial intelligence developer called LookFlow. The company created an artificial intelligence agent that uses computer vision to scan consumed content for advertising data and opportunity, and for NSFW (not suitable for watching) images and child pornography. As Yahoo faltered under Marissa Mayer, the AI company was going to be sold; however, Yahoo pulled LookFlow off the block for some unknown reason. This is now operated as the Yahoo Research business unit. The AI system is offered free of charge as open source code on GitHub.
There is no security system available for the Yahoo Debian OS.
Yahoo knew about the breach well in advance of telling email users, via email, to simply change their password, instead of shutting down all email accounts until each account had its password manually changed by the user or, better yet, creating a new account.
I own a VIZIO and was never contacted by VIZIO concerning the Yahoo breach.
Yahoo’s public announcements never mentioned the ConnectedTV clients.
Yahoo apparently integrated the LookFlow system into the Debian ConnectedTV platform, allowing the AI agent to preview the user’s consumed media via the Yahoo AI scanner. The scanner is also capable of watching the consumer’s facial expressions via an attached camera while content is being consumed, seeking facial cues to feed an advertising sales algorithm, or looking for NSFW images and child pornography consumption.
With a two-year window of opportunity and the availability of open source code for the TV OS and AI, all available on GitHub, one could have easily created a botnet with 50 million TVs that don’t even use email, using the plain text Yahoo email credentials to connect to a potentially infected Yahoo email server housing command and control of the TV bots.
RISKTEX INFORMATION RISK MANAGEMENT