Privacy

Security Flaw In a Popular Smart Helmet Allowed Silent Location Tracking (techcrunch.com) 3

An anonymous reader quotes a report from TechCrunch: The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets. Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet's in-built speaker and microphone, and share their real-time location in a friend's group using Livall's smartphone apps. Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall's smartphone apps had a simple flaw allowing easy access to any group's audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall's apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group's six-digit numeric code. "That 6-digit group code simply isn't random enough," Munro said in a blog post describing the flaw. "We could brute force all group IDs in a matter of minutes." In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

"As soon as one entered a valid group code, one joined the group automatically," said Munro, adding that this happened without alerting other group members. "It was therefore trivial to silently join any group, giving us access to any users' location and the ability to listen in to any group audio communications," said Munro. "The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group." [...] In an email, Livall's R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.
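A worked illustration of the numbers behind the brute force, added here by the editor and not taken from Pen Test Partners or Livall: the size of a 6-digit numeric code space against the letters-and-digits space the fix introduced, how long full enumeration takes at an assumed unthrottled guess rate, and a hypothetical join endpoint showing what a per-client attempt budget plus a join alert does to the same attack. The guess rate, the budget figures and the GroupJoinGate class are assumptions made for the example.

```python
import math
import string
import time
from collections import defaultdict

DIGITS = string.digits                            # 10 symbols, as in the original 6-digit codes
ALNUM = string.digits + string.ascii_uppercase    # 36 symbols, letters added as in the fix


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random code, in bits."""
    return length * math.log2(alphabet_size)


def enumeration_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every code. The guess rate is an assumed figure
    for an unthrottled API, not a number from the report."""
    return keyspace(alphabet_size, length) / guesses_per_second


class GroupJoinGate:
    """Hypothetical join endpoint (not Livall's code) with the two behaviours
    the report says were missing: a per-client failure budget so the code
    space cannot be walked, and an alert on every successful join."""

    def __init__(self, valid_codes, max_failures=5, window_seconds=3600, clock=time.monotonic):
        self.valid_codes = set(valid_codes)
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(list)  # client_id -> timestamps of failed attempts
        self.alerts = []                   # (group_code, client_id) per successful join

    def _recent_failures(self, client_id, now):
        kept = [t for t in self.failures[client_id] if now - t < self.window]
        self.failures[client_id] = kept
        return len(kept)

    def join(self, client_id: str, code: str) -> str:
        now = self.clock()
        # Budget check comes first: a locked client cannot join even with a valid
        # code, otherwise the lock only delays the attacker until the right guess.
        if self._recent_failures(client_id, now) >= self.max_failures:
            return "locked"
        if code in self.valid_codes:
            self.alerts.append((code, client_id))  # existing members get notified
            return "joined"
        self.failures[client_id].append(now)
        return "rejected"


def coverage_fraction(gate: GroupJoinGate, clients: int, hours: float,
                      alphabet_size: int, length: int) -> float:
    """Fraction of the code space that `clients` distinct identities can test
    in `hours` under the gate's budget (whole windows only)."""
    windows = max(1, int(hours * 3600 // gate.window))
    guesses = clients * gate.max_failures * windows
    return min(1.0, guesses / keyspace(alphabet_size, length))


if __name__ == "__main__":
    print(f"6 digits: {keyspace(10, 6):,} codes, {entropy_bits(10, 6):.1f} bits, "
          f"{enumeration_seconds(10, 6, 1000) / 60:.1f} min at 1000 guesses/s")
    print(f"6 alnum : {keyspace(36, 6):,} codes, {entropy_bits(36, 6):.1f} bits, "
          f"{enumeration_seconds(36, 6, 1000) / 86400:.1f} days at 1000 guesses/s")
    gate = GroupJoinGate({"123456"}, max_failures=5)
    print(f"100 clients, 24 h, 5 tries/h each, 6 digits: "
          f"{coverage_fraction(gate, 100, 24, 10, 6):.2%} of the space")
```

At 1000 guesses per second the million numeric codes fall in about 17 minutes, which matches the "matter of minutes" in the report; the same rate against 36^6 codes takes weeks, and a modest per-client budget shrinks what an attacker can cover far more than the alphabet change does. Note that the longer code helps only if codes are generated uniformly at random; sequential or timestamp-derived codes stay guessable whatever the alphabet.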

The Almighty Buck

Ring Video Doorbell Customers Angry At 43% Price Hike (bbc.co.uk) 42

Longtime Slashdot reader Alain Williams shares a report from the BBC: Users of Ring video doorbells have reacted angrily to a huge price hike being introduced in March. After buying the devices, customers can pay a subscription to store footage on the cloud, download clips and get discounted products. That subscription is going up 43%, from $44 to $63 per device, per year, for basic plan customers. The firm, which is owned by Amazon, insisted it still provided "some of the best value in the industry." Its customers appear not to agree.
Communications

Canada Moves To Ban the Flipper Zero Over Car Hacking Fears 63

It appears that the government of Canada is going to ban the Flipper Zero, the tiny, modular hacking device that's become popular with techies for its deviant digital powers. From a report: On Thursday, following a summit that focused on "the growing challenge of auto theft in Canada," the country's Minister of Innovation, Science and Industry posted a statement on X, saying "Criminals have been using sophisticated tools to steal cars...Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes."

In a press release issued on Thursday, the Canadian government confirmed that it will be pursuing "all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero." The Flipper, which is technically a penetration testing device, has been controversial due to its ability to hack droves of smart products. Alex Kulagin, the COO of Flipper Devices, said in a statement shared with Gizmodo that the device couldn't be used to "hijack any car" and that certain circumstances would have to be met for it to happen:
Apple

Apple Is Lobbying Against Right To Repair Six Months After Supporting Right To Repair (404media.co) 27

An Apple executive lobbied against a strong right-to-repair bill in Oregon Thursday, which is the first time the company has had an employee actively outline its stance on right to repair at an open hearing. 404 Media: Apple's position in Oregon shows that despite supporting a weaker right to repair law in California, it still intends to control its own repair ecosystem. It also sets up a highly interesting fight in the state because Google has come out in favor of the same legislation Apple is opposing. "It is our belief that the bill's current language around parts pairing will undermine the security, safety, and privacy of Oregonians by forcing device manufacturers to allow the use of parts of unknown origin in consumer devices," John Perry, Apple's principal secure repair architect, told the legislature. This is a quick about-face for the company, which after years of lobbying against right to repair, began to lobby for it in California last fall. The difference now is that Oregon's bill includes a critical provision that Google says it can easily comply with but that is core for Apple to maintain its dominance over the repair market.
Security

The Viral Smart Toothbrush Botnet Story Is Not Real (404media.co) 52

On Tuesday, The Independent, Tom's Hardware, and many other tech outlets reported on a story about how three million smart toothbrushes were used in a DDoS attack. The only problem? It "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes." From the report: The original article, called "The toothbrushes are attacking," starts with the following passage: "She's at home in the bathroom, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become." [...]

The "3 million hacked smart toothbrushes" story has now been viral for more than 24 hours and literally no new information about it has emerged despite widespread skepticism from people in the security industry and its virality. The two Fortinet executives cited in the original report did not respond to an email and LinkedIn message seeking clarification, and neither did Fortinet's PR team. The author of the Aargauer Zeitung story also did not respond to a request for more information. I called Fortinet's headquarters, asked to speak to the PR contact listed on the press release about its earnings, which was published after the toothbrush news began to go viral, and was promptly disconnected. The company has continued to tweet about other, unrelated things. They have not responded to BleepingComputer either, nor the many security researchers who are asking for further proof that this actually happened. While we don't know how this happened, Fortinet has been talking specifically about the dangers of internet-connected toothbrushes for years, and has been using it as an example in researcher talks.
In a statement to 404 Media, Fortinet said "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."
IT

Fake LastPass Password Manager Spotted on Apple's App Store (bleepingcomputer.com) 42

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. From a report: The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design. However, the fake app's name is 'LassPass,' instead of 'LastPass,' and it has a publisher of 'Parvati Patel.' In addition, there's only a single rating (the real app has over 52 thousand), with only four reviews that warn about it being fake.
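To show how a listing like the one described could be flagged automatically, here is an added example (not LastPass's or Apple's tooling): each token of the app name is compared to a protected brand by edit distance, and the publisher and rating count are then used as corroborating signals. The genuine publisher string, the rating threshold and the Listing record are assumptions made for the example.

```python
from dataclasses import dataclass

# Brand names to protect: normalized form -> display form. Extend as needed.
PROTECTED = {"lastpass": "LastPass"}


@dataclass
class Listing:
    """Constructed view of an app-store entry; not an App Store API record."""
    name: str
    publisher: str
    ratings: int


def normalize(text: str) -> str:
    """Lowercase and drop everything but letters and digits."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def closest_brand(name: str):
    """Smallest edit distance between the whole normalized name or any of its
    tokens and any protected brand; returns (distance, brand_key)."""
    forms = {normalize(name)} | {normalize(tok) for tok in name.split()}
    return min((edit_distance(f, b), b) for f in forms for b in PROTECTED)


def assess(listing: Listing, genuine_publisher: str,
           max_distance: int = 2, min_ratings: int = 1000):
    """Classify a listing as 'genuine', 'lookalike' or 'unrelated', with reasons.
    genuine_publisher and min_ratings are policy inputs assumed for the example."""
    distance, brand = closest_brand(listing.name)
    if distance > max_distance:
        return "unrelated", []
    if distance == 0 and listing.publisher == genuine_publisher:
        return "genuine", []
    reasons = [f"name within {distance} edit(s) of {PROTECTED[brand]}"]
    if listing.publisher != genuine_publisher:
        reasons.append(f"publisher {listing.publisher!r} is not {genuine_publisher!r}")
    if listing.ratings < min_ratings:
        reasons.append(f"only {listing.ratings} rating(s)")
    return "lookalike", reasons


if __name__ == "__main__":
    # Sample listings constructed from the report's description.
    for entry in (Listing("LassPass", "Parvati Patel", 1),
                  Listing("LastPass Password Manager", "LastPass", 52_000),
                  Listing("Calculator", "Someone", 5)):
        print(entry.name, "->", assess(entry, genuine_publisher="LastPass"))
```

Because the name check is by edit distance over tokens, an exact brand name from the wrong publisher is also flagged, which is the case a distance threshold alone would miss.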
Apple

In Its Tantrum With Europe, Apple Broke Web Apps in iOS 17 Beta (theregister.com) 66

An anonymous reader shares a report: Apple has argued for years that developers who don't want to abide by its rules for native iOS apps can always write web apps. It has done so in its platform guidelines, in congressional testimony, and in court. Web developers, for their part, maintain that Safari and its underlying WebKit engine still lack the technical capabilities to allow web apps to compete with native apps on iOS hardware. To this day, it's argued, the fruit cart's laggardly implementation of Push Notifications remains subpar.

The enforcement of Europe's Digital Markets Act was expected to change that -- to promote competition held back by gatekeepers. But Apple, in a policy change critics have called "malicious compliance," appears to be putting web apps at an even greater disadvantage under the guise of compliance with European law. In the second beta release of iOS 17.4, which incorporates code to accommodate Europe's Digital Markets Act, Progressive Web Apps (PWAs) have been demoted from standalone apps that use the whole screen to shortcuts that open within the default browser. This appears to solely affect users in the European Union, though your mileage may vary. Concerns about this demotion of PWAs surfaced earlier this month, with the release of the initial iOS 17.4 beta. As noted by Open Web Advocacy -- a group that has lobbied to make the web platform more capable -- "sites installed to the home screen failed to launch in their own top-level activities, opening in Safari instead."

Encryption

Linux Foundation Forms Post-Quantum Cryptography Alliance (sdtimes.com) 14

Jakub Lewkowicz reports via SD Times: The Linux Foundation has recently launched the Post-Quantum Cryptography Alliance (PQCA), a collaborative effort aimed at advancing and facilitating the adoption of post-quantum cryptography in response to the emerging threats of quantum computing. This alliance assembles diverse stakeholders, including industry leaders, researchers, and developers, focusing on creating high-assurance software implementations of standardized algorithms. The initiative is also dedicated to supporting the development and standardization of new post-quantum cryptographic methods, aligning with the U.S. National Security Agency's guidelines to ensure cryptographic security against quantum computing threats.

The PQCA endeavors to serve as a pivotal resource for organizations and open-source projects in search of production-ready libraries and packages, fostering cryptographic agility in anticipation of future quantum computing capabilities. Founding members include AWS, Cisco, Google, IBM, IntellectEU, Keyfactor, Kudelski IoT, NVIDIA, QuSecure, SandboxAQ, and the University of Waterloo. [...] [T]he PQCA plans to launch the PQ Code Package Project aimed at creating high-assurance, production-ready software implementations of upcoming post-quantum cryptography standards, beginning with the ML-KEM algorithm. By inviting organizations and individuals to participate, the PQCA is poised to play a critical role in the transition to and standardization of post-quantum cryptography, ensuring enhanced security measures in the face of advancing quantum computing technology.
You can learn more about the PQCA on its website or GitHub.
Security

Critical Vulnerability Affecting Most Linux Distros Allows For Bootkits (arstechnica.com) 51

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they're hard to detect or remove. ArsTechnica: The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is what's known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the web is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from. "An attacker would need to be able to coerce a system into booting from HTTP if it's not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it," Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. "An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code)."
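shim is C code and the report quotes none of it, so the following is an added Python illustration of the bug class rather than shim's own logic: the validation a network-boot HTTP client needs on the server-supplied Content-Length before it copies the body into a fixed receive buffer. That check is what a hostile boot server, or a man-in-the-middle on the path to it, exploits when it is missing. The buffer size, the sample responses and every function name here are constructed for the example.

```python
BUFFER_SIZE = 4096          # assumed fixed receive buffer, as an embedded boot client would use
MAX_LENGTH_DIGITS = 10      # longer Content-Length strings are refused before conversion

# Constructed sample exchanges (not captured traffic).
SAMPLE_BODY = b"#!ipxe\nkernel /vmlinuz\nboot\n"
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)
OVERSIZED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 99999999\r\n\r\n" + SAMPLE_BODY
TRUNCATED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 200\r\n\r\n" + SAMPLE_BODY
BAD_LENGTH_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\n" + SAMPLE_BODY


class BootResponseError(ValueError):
    """Raised for anything a boot client must not act on."""


def parse_head(raw: bytes):
    """Split a response into status line, header dict and body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BootResponseError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_length(headers: dict) -> int:
    """Validate the server-supplied Content-Length before it is used for any
    copy. Skipping this and passing the raw value to a fixed-buffer copy is
    the pattern that becomes a buffer overflow."""
    raw = headers.get(b"content-length")
    if raw is None:
        raise BootResponseError("missing Content-Length")
    if not raw.isdigit() or len(raw) > MAX_LENGTH_DIGITS:
        raise BootResponseError(f"malformed Content-Length {raw!r}")   # rejects "-1", "+5", "1e9"
    n = int(raw)
    if n > BUFFER_SIZE:
        raise BootResponseError(f"declared length {n} exceeds buffer of {BUFFER_SIZE}")
    return n


def receive_body(raw: bytes, buf: bytearray) -> int:
    """Copy exactly the declared body into the caller's fixed buffer and return
    the byte count; raise instead of copying on any mismatch."""
    status, headers, body = parse_head(raw)
    if not status.startswith(b"HTTP/1.1 200"):
        raise BootResponseError(f"unexpected status {status!r}")
    n = declared_length(headers)
    if n > len(buf):
        raise BootResponseError("buffer smaller than declared length")
    if len(body) < n:
        raise BootResponseError("body shorter than declared length")
    memoryview(buf)[:n] = body[:n]   # bounds already proven; surplus bytes are ignored
    return n


def accepted_body(raw: bytes) -> bytes:
    """Bytes a fresh client buffer holds after a successful receive."""
    buf = bytearray(BUFFER_SIZE)
    n = receive_body(raw, buf)
    return bytes(buf[:n])


def rejects(raw: bytes) -> bool:
    """True if the response is refused; used to exercise the failure cases."""
    try:
        receive_body(raw, bytearray(BUFFER_SIZE))
    except BootResponseError:
        return True
    return False


if __name__ == "__main__":
    print("accepted:", accepted_body(GOOD_RESPONSE))
    for label, resp in (("oversized", OVERSIZED_RESPONSE), ("truncated", TRUNCATED_RESPONSE),
                        ("negative", BAD_LENGTH_RESPONSE)):
        print(f"{label}: rejected={rejects(resp)}")
```

The three rejected cases are the ones a fixed-buffer C copy gets wrong without the check: a declared length larger than the buffer, a length larger than the bytes actually received, and a length string that a naive parser turns into a huge unsigned value. Refusing the response is the only safe outcome at this stage of boot, since there is no user to ask.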

Television

Disney Plus' Restrictions on Password Sharing Are Now Rolling Out To US Subscribers (theverge.com) 54

Disney Plus has started to inform subscribers about new changes to its terms of service that will, among other things, make it harder for people to access the service using log-in credentials that aren't actually theirs. From a report: The updated terms come a few months after Disney Plus implemented similar measures for its Canadian subscribers and just days after Hulu sent out similar notices to users about changes to its own TOS and its plans to stop password sharing in the coming weeks. Like Hulu's terms of service, the changes to Disney Plus' agreement are dated January 25th and are already in effect for new customers. Per Disney Plus' emails, existing subscribers can expect the new restrictions to go into effect on March 14th.
Security

3 Million Malware-Infected Smart Toothbrushes Used In Swiss DDoS Attacks [UPDATE] (tomshardware.com) 56

An anonymous reader quotes a report from Tom's Hardware: According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company's website. The firm's site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business. In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Stefan Zuger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes -- or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on. "Every device that is connected to the Internet is a potential target -- or can be misused for an attack," Zuger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an 'unprotected' PC to the internet and found it took only 20 minutes before it became malware-ridden.
UPDATE 1/7/24: This attack "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes."

The cybersecurity firm Fortinet said in a statement: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred. FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices."
United States

US To Restrict Visas For Those Who Misuse Commercial Spyware (reuters.com) 23

The U.S. has announced new visa restrictions for individuals and companies misusing commercial spyware to surveil, harass or intimidate journalists, activists and other dissidents. Citing a senior Biden administration official, Reuters adds that the new policy will also apply to investors and operators of the commercial spyware believed to be misused. At least 50 U.S. officials have been targeted by private hacking tools in recent years.
AI

Inside the Underground Site Where 'Neural Networks' Churn Out Fake IDs (404media.co) 28

An anonymous reader shares a report: An underground website called OnlyFake is claiming to use "neural networks" to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds. In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is lying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals.

Rather than painstakingly crafting a fake ID by hand -- a highly skilled criminal profession that can take years to master -- or waiting for a purchased one to arrive in the mail with the risk of interception, OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. Or at least fool some people. "The era of rendering documents using Photoshop is coming to an end," an announcement posted to OnlyFake's Telegram account reads. As well as "neural networks," the service claims to use "generators" which create up to 20,000 documents a day. The service's owner, who goes by the moniker John Wick, told 404 Media that hundreds of documents can be generated at once using data from an Excel table.

Microsoft

How a Microsoft Update Broke VS Code Editor on Ubuntu (omgubuntu.co.uk) 149

Microsoft's Visual Studio Code editor now includes a voice command that launches GitHub Copilot Chat just by saying "Hey Code."

But one Linux blog notes that the editor has suddenly stopped supporting Ubuntu 18.04 LTS — "a move causing issues for scores of developers." VS Code 1.86 (aka the 'January 2024' update) saw Microsoft bump the minimum build requirements for the text editor's popular remote dev tools to ≥ glibc 2.28 — but Ubuntu 18.04 LTS uses glibc 2.27, ergo they no longer work.

While Ubuntu 18.04 is supported by Canonical until 2028 (through ESM) a major glibc upgrade is unlikely. Thus, this "breaking change" is truly breaking workflows...

It seems affected developers were caught off-guard as this (rather impactful) change was not signposted before, during, or after the VS Code update (which is installed automatically for most, and the update was pushed out to Ubuntu 18.04 machines). Indeed, most only discovered this issue after the update was installed, they tried to connect to a remote server, and discovered it failed. The resulting error message does mention deprecation and links to an FAQ on the VS Code website with workarounds (i.e. downgrade).

But as one developer politely put it.... "It could have checked the libc versions and refused the update. Now, many people are screwed in the middle of their work."
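As an added example of the preflight that developer is asking for (not Microsoft's or VS Code's code): read the running glibc version from the C library itself, compare it to the new floor, and decline the update when the floor is not met. The 2.28 minimum comes from the article; the version strings used in the tests are constructed, and the function names are assumptions for the example.

```python
import os


def parse_glibc_version(text: str):
    """Extract (major, minor) from strings such as 'glibc 2.27' or
    'ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27'; None if no version is present."""
    for tok in text.replace("(", " ").replace(")", " ").split():
        parts = tok.split(".")
        minor = parts[1].split("-")[0] if len(parts) >= 2 else ""
        if parts[0].isdigit() and minor.isdigit():
            return int(parts[0]), int(minor)
    return None


def meets_minimum(version, minimum=(2, 28)) -> bool:
    """Tuple comparison, so (2, 31) >= (2, 28) and (3, 0) >= (2, 28)."""
    return version is not None and tuple(version) >= tuple(minimum)


def current_glibc():
    """(major, minor) of the running glibc via the C library's own report,
    or None on a non-glibc system (musl, macOS, Windows)."""
    try:
        name, ver = os.confstr("CS_GNU_LIBC_VERSION").split()
    except (AttributeError, ValueError, OSError):
        return None
    return parse_glibc_version(ver) if name == "glibc" else None


def preflight(reported: str, minimum=(2, 28)) -> str:
    """Decision an updater should make before replacing the installed release."""
    version = parse_glibc_version(reported)
    if version is None:
        return "unknown libc, refuse to update"
    label = f"glibc {version[0]}.{version[1]}"
    if meets_minimum(version, minimum):
        return f"{label} ok"
    return f"{label} below {minimum[0]}.{minimum[1]}, stay on current release"


if __name__ == "__main__":
    live = current_glibc()
    print("this host:", preflight(f"glibc {live[0]}.{live[1]}") if live else "not glibc")
```

The `current_glibc` call is the only part that touches the live system; `os.confstr("CS_GNU_LIBC_VERSION")` is a standard-library call that returns the string glibc itself reports, so the check needs no shelling out to `ldd`.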

The article points out an upgrade to Ubuntu 20.04 LTS will address the problem. On GitHub a Microsoft engineer posted additional options from VS Code's documentation: If you are unable to upgrade your Linux distribution, the recommended alternative is to use our web client. If you would like to use the desktop version, then you can download the VS Code release 1.85. Depending on your platform, make sure to disable updates to stay on that version.
Microsoft then locked the thread on GitHub as "too heated" and limited conversation to just collaborators.

In a related thread someone suggested installing VS Code's Flatpak, which was still on version 1.85 — and then disabling updates. But soon Microsoft had locked that thread as well as "too heated," again limiting conversation to collaborators.
Mozilla

Microsoft Deploys 'Harmful Design' Tricks To Push Edge, Say Mozilla Researchers (pcmag.com) 64

Mozilla claims in a new 74-page research report that Microsoft "repeatedly uses harmful design" and "dark patterns" to push users toward Microsoft Edge and away from rival browsers like Mozilla's Firefox or Google's Chrome browser. PCMag: "Microsoft uses the harmful preselection, visual interference, trick wording, and disguised ads patterns to skew user choice," the report argues, adding that "Microsoft's harmful design practices mean users are unable to download, install, use, or set as default an alternative browser without interference." The researchers claim this harms consumers because they can experience "distortion of choice," lose trust in the broader tech industry, and even possibly experience "emotional distress" as a result of Microsoft's efforts.

For the study, user experiences were tested on Windows 10 Home and Windows 11 Pro as well as the Windows 11 Home Insider Preview Version. The UK-based testers did not attempt to use a VPN to change or hide their IP addresses during their investigation. While Microsoft recently said it will allow users in the European Union to uninstall Edge as part of its efforts to comply with the Digital Markets Act (DMA), it's unclear whether US, UK, or other users around the globe could ever get the same option. Some Windows 11 users can remove five other apps that come preinstalled, however.

Google

Google Search's Cache Links Are Officially Being Retired (theverge.com) 32

Google has removed links to page caches from its search results page, the company's search liaison Danny Sullivan has confirmed. From a report: "It was meant for helping people access pages when way back, you often couldn't depend on a page loading," Sullivan wrote on X. "These days, things have greatly improved. So, it was decided to retire it."

The cache feature historically let you view a webpage as Google sees it, which is useful for a variety of different reasons beyond just being able to see a page that's struggling to load. SEO professionals could use it to debug their sites or even keep tabs on competitors, and it can also be an enormously helpful news gathering tool, giving reporters the ability to see exactly what information a company has added (or removed) from a website, and a way to see details that people or companies might be trying to scrub from the web. Or, if a site is blocked in your region, Google's cache can work as a great alternative to a VPN.

IT

Panasonic Sells Off Its VR Subsidiary (roadtovr.com) 19

Shiftall, the Japan-based VR hardware creator, is no longer owned by Panasonic, as the company has been effectively sold off to the Tokyo-based company CREEK & RIVER. From a report: As first noted by tech analyst and YouTuber Brad Lynch, Panasonic today announced it has transferred all shares of Shiftall to the Tokyo-based company CREEK & RIVER Co., Ltd., which specializes in outsourcing, consulting, content management and distribution services. Acquired by Panasonic in 2018, Shiftall primarily focused on niche consumer devices, but shifted over the years to focusing on VR hardware, such as its MeganeX PC VR headset, HaritoraX wireless body trackers, FlipVR motion controllers, and mutalk soundproof microphones.
Security

Pig-Butchering Scam Kits Are for Sale in Underground Markets (bloomberg.com) 27

Cybercriminals are selling ready-made "pig-butchering" scam kits on the dark web to conduct "DeFi savings" cryptocurrency fraud, according to Sophos. The kits expedite scamming worldwide. In these scams, criminals build online relationships then persuade victims to invest in fake crypto schemes, manipulating them to drain digital wallets. The bundled kits contain websites enabling wallet access via Ethereum blockchain plus chat support posing as technical staff. Victims open legitimate crypto apps but enter malicious sites letting criminals steal funds. The report details the mass distribution of these DIY crypto fraud kits.
Security

Cloudflare Hacked By Suspected State-Sponsored Threat Actor (securityweek.com) 19

wiredmikey writes: Web security and CDN giant Cloudflare said it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold.

According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.
