Security

Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com) 60

An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.

The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.

Bug

Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.

Advertising

Should T-Mobile Stop Claiming It Has 'Best Unlimited Network'? (arstechnica.com) 54

An anonymous reader writes: Speed isn't everything, or is it? According to a report from Ars Technica, the National Advertising Division (NAD) says T-Mobile should stop claiming that it has "America's Best Unlimited Network" because it needs to prove it also has the widest geographic coverage and best reliability. T-Mobile is saying that speed outweighs all other factors.

"T-Mobile's claim is based on data from Ookla and OpenSignal, which offer speed-testing apps that let consumers test their wireless data speeds," reports Ars Technica. "Both Ookla and OpenSignal have issued reports saying that T-Mobile's speeds were higher than Verizon's, AT&T's, and Sprint's. The OpenSignal tests also gave T-Mobile an edge over rivals in latency and 4G signal availability." T-Mobile "did not provide evidence that its network is superior in providing talk and text mobile services or in providing high-speed data more reliably or to a greater coverage area," the industry group's announcement said.

Canada

People Hate Canada's New 'Amber Alert' System (www.cbc.ca) 324

The CBC reports: When the siren-like sounds from an Amber Alert rang out on cellular phones across Ontario on Monday, it sparked a bit of a backlash against Canada's new mobile emergency alert system. The Ontario Provincial Police had issued the alert for a missing eight-year-old boy in the Thunder Bay region. (The boy has since been found safe)... On social media, people startled by the alerts complained about the number of alerts they received and that they had received separate alerts in English and French... Meanwhile, others who were located far from the incident felt that receiving the alert was pointless. "I've received two Amber Alerts today for Thunder Bay, which is 15 hours away from Toronto by car," tweeted Molly Sauter. "Congrats, you have trained me to ignore Emergency Alerts...."

The CRTC ordered wireless providers to implement the system to distribute warnings of imminent safety threats such as tornadoes, floods, Amber Alerts or terrorist threats. Telecom companies had favoured an opt-out option or the ability to disable the alarm for some types of alerts. But this was rejected by the broadcasting and telecommunications regulator. Individuals concerned about receiving these alerts are left with a couple of options: they can turn off their phone -- it will not be forced on by the alert -- or mute their phone so they won't hear it.

Long-time Slashdot reader knorthern knight complains that the first two alerts -- one in English, followed by one in French -- were then followed by a third (bi-lingual) alert advising recipients to ignore the previous two alerts, since the missing child had been found.

United States

40 Cellphone-Tracking Devices Discovered Throughout Washington (nbcwashington.com) 62

The investigative news "I-Team" of a local TV station in Washington D.C. drove around with "a leading mobile security expert" -- and discovered dozens of StingRay devices mimicking cellphone towers to track phones and intercept calls in Maryland, Northern Virginia, and Washington, D.C. An anonymous reader quotes their report: The I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City... The I-Team's test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours. "I suppose if you spent more time you'd find even more," said D.C. Councilwoman Mary Cheh. "I have bad news for the public: Our privacy isn't what it once was..."

The good news is about half the devices the I-Team found were likely law enforcement investigating crimes or our government using the devices defensively to identify certain cellphone numbers as they approach important locations, said Aaron Turner, a leading mobile security expert... The I-Team got picked up [by StingRay devices] twice off of International Drive, right near the Chinese and Israeli embassies, then got another two hits along Massachusetts Avenue near Romania and Turkey... The phones appeared to remain connected to a fake tower the longest, right near the Russian Embassy.

StingRay devices are also being used in at least 25 states by police departments, according to the ACLU. The devices were authorized by the FCC back in 2011 for "federal, state, local public safety and law enforcement officials only" (and requiring coordination with the FBI).

But back in April the Associated Press reported that "For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages... More sophisticated versions can eavesdrop on calls by forcing phones to step down to older, unencrypted 2G wireless technology. Some attempt to plant malware."

United Kingdom

FM Radio Faces UK Government Switch-Off As Digital Listening Passes 50 Percent Milestone (inews.co.uk) 99

The Amazon Echo and other smart speakers have helped push the audience for digital radio past that of FM and AM in the UK for the first time. According to Radio Joint Audience Research (RAJAR), digital listening has reached a new record share of 50.9%, up from 47.2% a year ago. This milestone will trigger a government review into whether the analog FM radio signal should be switched off altogether. iNews reports: The BBC said it would be "premature" to switch off the FM signal. It could cut off drivers with analogue car radios and disenfranchise older wireless listeners. Margot James, Digital minister, welcomed "an important milestone for radio." She confirmed that the Government will "work closely with all partners -- the BBC, commercial radio, (transmitter business) Arqiva, car manufacturers and listeners" before committing to a timetable for analogue switch-off.

James Purnell, BBC Director of Radio and Education, said: "We're fully committed to digital, and growing its audiences, but, along with other broadcasters, we've already said that it would be premature to switch off FM." Mr Purnell said that BBC podcast listening was up a third across all audiences since the same time last year, accounting now for 40,000 hours a week. But younger audiences have not inherited the habit of listening to "live" radio, even on digital.

Privacy

FCC Investigating LocationSmart Over Phone-Tracking Flaw (cnet.com) 19

The FCC has opened an investigation into LocationSmart, a company that is buying your real-time location data from four of the largest carriers in the United States. The investigation comes a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart's website. CNET reports: The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart's case was being handled by its Enforcement Bureau. Since The New York Times revealed that Securus, an inmate call tracking service, had offered the same tracking service last week, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies. On Friday, Wyden praised the investigation, but requested the FCC to expand its look beyond LocationSmart.

"The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk," Wyden said. "I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans." He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.

Android

With Steam Link App, Your Smartphone Can Be An Imperfect Gaming Monitor (arstechnica.com) 47

Ars Technica's Kyle Orland shares his experience with Valve's recently announced Steam Link app, which lets users play games running on a PC via a tablet, mobile phone, or Apple TV on the same network. The app launches today for Android 5.0+ devices; iOS support is "pending further review from Apple." From the report: Valve isn't kidding when it says a Wi-Fi router in the 5GHz band is required for wireless streaming. I first tested iPad streaming on the low-end 2.4GHz router provided with my Verizon FiOS subscription (an Actiontec MI424WR), with a wired Ethernet connection to my Windows gaming rig on the other end. The Steam Link network test warned me that "your network may not work well with Steam Link," thanks to 1- to 2-percent frame loss and about 15ms of "network variance," depending on when I tested. Even graphically simple games like The Binding of Isaac ran at an unplayably slowed-down rate on this connection, with frequent dropped inputs to boot.

Switching over to a 5GHz tri-band router (The Netgear Nighthawk X6, to be precise), the same network test reported a "fantastic" connection that "look[s] like it will work well with Steam." On this router, remotely played games ran incredibly smoothly at the iPad's full 1080p resolution, with total round-trip display latency ranging anywhere from 50 to 150ms, according to Steam Link's reports (and one-way "input lag" of less than 1ms). At that level of delay, playing felt practically indistinguishable from playing directly on the computer, with no noticeable gameplay impact even on quick-response titles like Cuphead.

Wireless Networking

Ask Slashdot: Which Is the Safest Router? 385

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

Android

OnePlus 6 Launched With 6.28-inch Display, Snapdragon 845 CPU, and Headphone Jack (phonedog.com) 109

OnePlus has launched their newest flagship smartphone today at an event in London. The OnePlus 6, as it is called, features a 6.28-inch 2280x1080 display with 19:9 aspect ratio and notch, Snapdragon 845 octa-core processor with up to 8GB of RAM, 16- and 20-megapixel rear-facing cameras, 3,330mAh battery, 3.5mm headphone jack, and Android 8.1 Oreo running out of the box with support for Android P coming soon. Strangely, the phone features a glass build construction but no support for wireless charging. OnePlus claims the glass back will be better for transmitting radio waves, but it's likely included in preparation for the OnePlus 6T, which will likely launch several months later and include wireless charging. PhoneDog reports: Around on the back of the OnePlus 6 is a vertically stacked dual rear camera setup that's now in the center of the phone for symmetry. There's a 16MP camera with Sony IMX 519 sensor, f/1.7 aperture, and support for optical image stabilization and electronic image stabilization, as well as a 20MP camera with Sony IMD 376K sensor and f/1.7 aperture. Also included are portrait mode and slow-motion 480fps video capture features.

The body of the OnePlus 6 is made of Gorilla Glass 5, which OnePlus says will be better for transmitting radio waves. Rounding out the OP6's spec list is a 16MP front-facing camera, NFC, Bluetooth 5.0, USB-C, an alert slider, and a 3.5mm headphone jack. On the security side of things, there's a rear fingerprint reader and face unlock, and when it comes to wireless capabilities, the OnePlus 6 supports 40 global LTE bands as well as 4x4 MIMO for speeds up to 1Gbps.

The OnePlus 6 will be available on May 22 with the following prices: 6GB/64GB: $529; 8GB/128GB: $579; 8GB/256GB: $629.

Robotics

Researchers Create First Flying Wireless Robotic Insect (newatlas.com) 64

An anonymous reader quotes a report from New Atlas: You might remember RoboBee, an insect-sized robot that flies by flapping its wings. Unfortunately, though, it has to be hard-wired to a power source. Well, one of RoboBee's creators has now helped develop RoboFly, which flies without a tether. Slightly heavier than a toothpick, RoboFly was designed by a team at the University of Washington -- one member of that team, assistant professor Sawyer Fuller, was also part of the Harvard University team that first created RoboBee. That flying robot receives its power via a wire attached to an external power source, as an onboard battery would simply be too heavy to allow the tiny craft to fly. Instead of a wire or a battery, RoboFly is powered by a laser. That laser shines on a photovoltaic cell, which is mounted on top of the robot. On its own, that cell converts the laser light to just seven volts of electricity, so a built-in circuit boosts that to the 240 volts needed to flap the wings. That circuit also contains a microcontroller, which tells the robot when and how to flap its wings -- on RoboBee, that sort of "thinking" is handled via a tether-linked external controller. The robot can be seen in action here.

Communications

Wi-Fi Alliance's Wi-Fi EasyMesh Certification Aims To Standardize Mesh Networks (pcworld.com) 39

The Wi-Fi Certified EasyMesh program that the Wi-Fi Alliance announced today promises to do for mesh networks what the Alliance has long done for wireless networking gear in general: Assure consumers that they can build out wireless home networks without worrying if one brand of device will be compatible with another. From a report: The emergence of mesh networking somewhat undermined that effort, because every manufacturer pursued its own path. Wi-Fi is still Wi-Fi, so you don't need to worry that your smartphone, or media streamer, or home security camera will connect to your wireless router, regardless of brand. But if you buy a Linksys Velop router today, for example, you can buy only Linksys Velop access points if you want to expand your network to cover more areas of your home later. EasyMesh promises to bring to mesh networks the same interoperability assurances that conventional routers have long offered.

Privacy

Connected Cars Don't Necessarily Disconnect Previous Owners When Resold (thedrive.com) 111

A modern car should be treated like a personal computer. Before you sell it, you should make sure all connections are severed and personal information is wiped before handing the keys to the buyer. The Drive reports on a former Volkswagen owner who recently discovered that her connection to her car lingered even after her old car was sold to a new owner. In what may seem like a public service announcement, The Drive writes: "It's up to you to wipe out your data and connections, not the dealer or manufacturer." From the report: Ashley Sehatti sold her 2015 Jetta back to her local VW dealer back in December. Like most car owners, she figured that was the end of it. So she was baffled when she continued to get monthly reports about her car's health. After receiving April's report, she attempted to log into her account for Car-Net, Volkswagen's connected car service. Much to Sehatti's surprise, she found that not only was her account still active, she still had access to her old car. She could see its current mileage, the status of its locks and lights, and, most disturbingly, its current location on a map. Sehatti was not aware that she, not Volkswagen or her dealer, was responsible for disabling access to Car-Net when she sold the car. Its new owner likely didn't sign up for the Car-Net service, which meant that Sehatti's access remained available, even though she didn't even want it. "Our Car-Net Terms of Service explicitly outlines that as a subscriber, the customer has the responsibility to terminate the contract when selling their vehicle," writes Catharina Mette, the head of technology communications for Volkswagen Group's North Americas region. "This is a practice common in the industry." The takeaway here is to read the Terms of Service because most car owners don't do so in any great detail.

Wireless Networking

Researchers Want To Turn Your Entire House Into a Co-Processor Using the Local Wi-Fi Signal (arstechnica.com) 102

An anonymous reader shares an excerpt from a report via Ars Technica: Researchers are proposing an idea to make your computer bigger. They are suggesting an extreme and awesome form of co-processing. They want to turn your entire house into a co-processor using the local Wi-Fi signal. Why, you may be asking, do we even want to do this in the first place? The real answer is to see if we can. But the answer given to funding agencies is thermal management. In a modern processor, if all the transistors were working all the time, it would be impossible to keep the chip cool. Instead, portions of the chip are put to sleep, even if that might mean slowing up a computation. But if, like we do with video cards, we farm out a large portion of certain calculations to a separate device, we might be able to make better use of the available silicon.

So, how do you compute with Wi-Fi in your bedroom? The basic premise is that waves already perform computations as they mix with each other, it's just that those computations are random unless we make some effort to control them. When two waves overlap, we measure the combination of the two: the amplitude of one wave is added to the amplitude of the other. Depending on the history of the two waves, one may have a negative amplitude, while the other may have a positive amplitude, allowing for simple computation. The idea here is to control the path that each wave takes so that, when they're added together, they perform the exact computation that we want them to. The classic example is the Fourier transform. A Fourier transform takes an object and breaks it down into a set of waves. If these waves are added together, the object is rebuilt. You can see an example of this in the animation here.

Cellphones

Facebook's Phone-Free, Wireless 'Oculus Go' VR Headset Is Released Today 34

UnknownSoldier writes: The Oculus Go is finally available for purchase. Amazon is selling the 32GB model for $199, while the 64GB model is selling for $249. As a standalone virtual reality unit, it doesn't require a computer or phone to use. Ironically, you must use a phone for the initial setup. Reviews are out on The Verge and Ars Technica. The TL;DR -- Pros: Inexpensive; Cons: LCD, fixed 72 Hz rate, limited motion tracking. Will 2018 finally be the year of cheap VR?

Security

Volkswagen, Audi Cars Vulnerable To Remote Hacking (bleepingcomputer.com) 75

An anonymous reader writes: "A Dutch cyber-security firm has discovered that in-vehicle infotainment (IVI) systems deployed with some car models from the Volkswagen Group are vulnerable to remote hacking," reports Bleeping Computer. The vulnerabilities have been successfully tested and verified on Volkswagen Golf GTE and Audi A3 Sportback e-tron models. Researchers say they were able to hack the cars via both WiFi (remote vector) and USB (local vector) connections. Researchers hinted they could have also gone after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history," Computest researchers said in their paper. "Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time," researchers added. VW deployed patches.

Businesses

Will the T-Mobile, Sprint Merger Be Bad For Consumers? (vice.com) 130

On Sunday, T-Mobile and Sprint said that they have agreed to a $26.5 billion merger, creating a wireless giant to compete against industry leaders AT&T and Verizon. While a new website has been set up by the companies to help quell consumers' and regulators' fears by promising new jobs, improved broadband service, and increased competition, Motherboard's Karl Bode cites previous telecommunications mergers and Wall Street analysts to argue against the merger. From the report: The two companies attempted to merge in 2014 but had their efforts blocked by regulators who were justly worried about the deal's impact on overall competition. As Canadian wireless users can attest, the reduction of major wireless competitors from four to three only reduces the overall incentive for wireless carriers to engage in real price competition. That was the central point repeatedly made by regulators when they prohibited AT&T from gobbling up T-Mobile back in 2011. Even with four competitors, the industry frequently does its best to avoid genuine price competition, and industry watchers have noted that the overall volume of quality promotions for wireless consumers had been dropping so far in 2018. After regulators blocked the AT&T merger, T-Mobile wound up being a largely positive impact on the sector, forcing its competitors to adopt more consumer-friendly policies like eliminating long-term contracts and early termination fees. However, even with T-Mobile intact, price competition in the sector tends to be theatrical in nature.

Wall Street analysts are on record predicting that a Sprint, T-Mobile merger could result in the loss of up to 30,000 jobs -- potentially more than Sprint even currently employs. From retail operations to middle managers, there's an endless roster of human beings who, sooner or later, will be viewed as redundant. "If approved, this deal would especially hurt consumers seeking lower-cost wireless plans, as the combined company's plans would likely increase while competitors AT&T and Verizon would have even less incentive to lower prices," said Phillip Berenbroick, lawyer for the consumer advocacy group Public Knowledge. "Unless the merging parties can demonstrate clear competitive benefits we have yet to see, we will urge the Department of Justice and the FCC to reject this deal."

China

China is Now Monitoring Employees' Brainwaves and Emotions (fastcompany.com) 123

From a report: The Orwellian-as-all-get-out practice is being conducted using "emotional surveillance technology" by both businesses in China and the country's military, reports the South China Morning Post. The tech uses small wireless sensors embedded in employees' hats that can monitor brainwaves. That brainwave data is then analyzed by AI to tell when an employee is tired, anxious, or even full of rage. One company using the brain-monitoring tech says profits have increased by $315 million since rolling it out way back in 2014. Other uses of the tech include monitoring drivers of trains to tell if they've fallen asleep or are at risk of doing so. It's important to note the technology cannot read people's thoughts.

Communications

Sprint, T-Mobile Agree To Combine in a $26.5 Billion Merger (bloomberg.com) 105

T-Mobile and Sprint said on Sunday that they have agreed to combine in a $26.5 billion merger, creating a wireless giant to compete against industry leaders AT&T and Verizon. From a report: Deutsche Telekom AG, the Bonn, Germany-based company that controls T-Mobile, and SoftBank Group, the Tokyo-based owner of Sprint, agreed to a combination that values each Sprint share at 0.10256 of a T-Mobile share, the companies said in a statement Sunday. That ratio values Sprint at $6.62 a share based on T-Mobile's Friday closing price of $64.52. The new company will use the T-Mobile name, with T-Mobile's John Legere as chief executive officer and Mike Sievert as chief operating officer. The German company's chairman, Tim Hoettges, will serve in that role at the combined company, and the board will include SoftBank Chief Executive Officer Masayoshi Son. The companies said they expect synergies of about $43 billion, with more than $6.5 billion on a run-rate basis.

Businesses

Apple's Working on a Powerful, Wireless Headset for Both AR, VR (cnet.com) 65

Apple CEO Tim Cook has nothing but praise for augmented reality, saying it's a technology that's potentially as important as the iPhone. It turns out he may have big plans for virtual reality too. From a report: The company is working on a headset capable of running both AR and VR technology, according to a person familiar with Apple's plans. Plans so far call for an 8K display for each eye -- higher resolution than today's best TVs -- that would be untethered from a computer or smartphone, the person said. The project, codenamed T288, is still in its early stages but is slated for release in 2020. Apple still could change or scrap its plans. It's notable that Apple is working on a headset that combines both AR and VR given its intense focus over the past year on pushing augmented reality in iPhones and iPads. Cook has said he sees bigger possibilities in AR than VR, partly because augmented reality allows you to be more present. Either way, it's vital for Apple to expand beyond its iPhones, currently its top moneymaker, and the slowing mobile market.
