Your Smart Home Appliances Are Not as Safe as You Think

Are you a proud owner of smart lock? How about motion sensors, temperature sensors, bulbs or other Internet of Things gadgets? Well, if they’re made by ZigBee, chances are your house is vulnerable to hacking, according to a paper revealed at the Black Hat conference in Las Vegas.

ZigBee, a company that specializes in IoT smart appliances that supplies big name companies such as Samsung, Philips, Motorola and Texas Instruments, is said to have implemented just enough security measures to pass the requirements to ship, which means that security measures are almost non-existent. Hackers are said to easily be able to sniff out exchange network keys, gaining access to the entire network and all smart appliances.

The security experts say that the main cause for the lack of security is due to the companies, who want to quickly ship out the latest tech, make it communicate and interact with everything, all while keeping prices down to a minimum. As a consumer, I get the bit to keep prices down, but if I have to pay a bit extra to prevent someone opening my door or fiddling with my lights, I think that would be an option all of us may opt for. In the end, security is more important than cheap product, don’t you think?

Thank you TechCrunch for providing us with this information

Image courtesy of Architect’s Toy Box

The Internet Could Become as Regulated as TV

“It’s not the level playing field that we once thought it would be,” Jennifer Granick lamented. She was talking about the internet, and how it is slowly shifting away from being the bastion of free speech, invention, and information, at the Black Hat computer security conference in Las Vegas. She fears that the web will become regulated into oblivion, much the same way as US network television.

“It’s going to be this slick, stiff, controlled, closed thing,” Granick, a lawyer and director of civil liberties at the Center for Internet and Society at Stanford University, said during her keynote speech in front of 10,000 security researchers in Vegas yesterday. She fears that laws such as Europe’s Right to be Forgotten could cripple the internet’s transparency, especially if the legislation becomes extraterritorial, as France is advocating.

“We’re losing the freedom to tinker,” she complained. “The message is clear—you need permission to operate in their world. If you step over the line, we’ll come for you.” To combat the creeping problem, Granick encouraged hackers and coders to keep jabbing at the establishment, and building decentralised internet systems, to keep ultimate control of the web out of the hands of “The Man”. Failing that, “we need to smash it apart and make something new and better,” she postured.

Thank you USA Today for providing us with this information.

Image courtesy of LiveScience.

See How Hackers Can Take Control of Your Chrysler Vehicles

I know that there have been a lot of movies where hackers can take control of vehicles and crash them, but can it really be done in real life? Well, a pair of hackers have just demonstrated this with a Chrysler using a zero-day exploit they found.

The hackers apparently demonstrated the hack having Wired’s Andy Greenberg in the actual vehicle. He was not told about the hack, but was warned not to panic. So, as he was travelling down a busy highway, the hackers started slowly taking control, first by turning on the air conditioning system, then the radio and finally the windshields.

As Greenberg drove on, the hackers moved to something more serious. They proceeded to cut the transmission, having Greenberg watch the RPM go up, but the car slowly losing speed. To demonstrate the hack even further, they found an empty car lot, where the hackers were able to show how they can kill the engine, apply brakes or even cut the brakes entirely. The latter apparently sent Greenberg into a ditch, as shown in the pic above.

The attack is really terrifying,since a lot of vehicles out there are vulnerable to the attack. However, the hackers stated that they plan on releasing the exploit on the Internet at the same time they are to give a talk at the Black Hat security conference in Las Vegas next month.

Thank you WIRED for providing us with this information

New Jailbreak for Apple’s iOS 7.1.2

It is just a matter of time before someone breaks the improved security in new mobile OS releases, and Georgia Tech researchers have now found a way to jailbreak the current version of iOS.

Georgia Tech Information Security Center has a long track record of jail breaking iOS, giving them a leading edge on every new release. Each time a new patch is introduced, a new way to circumvent it is found. This time the researchers used a multi-step attack after analysing the new patches, working out a sequence that would jailbreak any modern iPhone.

The team of researchers, Yeongjin Jang, Byoungyoung Lee, Tielei Wang and Billy Lau, stresses the importance of patching all of the threats and not just to close one vulnerability and assume that it renders others unusable as attack method.

“Patching all vulnerabilities for a modern, complex software system (i.e., Windows, iOS) is often difficult due to the volume of bugs and response time requirements. Instead, software vendors usually devise quick workarounds to mitigate the exploitation of a given vulnerability. However, those patches are sometimes incomplete, and attackers can utilize different attack vectors to re-exploit a patched vulnerability. iOS is no exception.”

As so many recent vulnerability discoveries, the findings will be presented at the upcoming Black Hat convention in Las Vegas. Weirdly enough, no one has yet claimed the $30.000 Device Freedom Prize for an open source iOS7 jailbreak.

It is highly unlikely that this jailbreak will remain operational for very long, as Apple certainly will try to patch it, iOS 8 is in beta and iPhone 6 is rumoured for an October launch.

Thank you I programmer for providing us with this information

Images courtesy of Apple

NSA Leader’s Black Hat 2013 Speech Revealed – Video

We already told you about the NSA Boss getting booed at his Black Hat 2013 conference keynote speech this week. Now the speech has been put online for people to see. In the speech the NSA’s General Keith Alexander took to the stage, in a somewhat defensive position, to try and place NSA surveillance programs in a more favourable light and argue that the NSA aims to balance civil liberties, privacy and security. You’ve got to really commend him for agreeing to go ahead and give the speech despite the hostile public attitude towards the NSA, he could easily have chosen to avoid giving the speech in favour of making up an excuse.

That said the audience still remained quite divided towards his speech with many booing the NSA boss and some even shouting out allegations that he is a liar and breaking the constitution. Of course the frustration towards the NSA is understandable but General Keith Alexander is not on his own solely responsible for everything that has been exposed, though he is in a rather priviledged position to make the radical changes many people want.

If you have the time we recommend watching the speech which you can see below. It is certainly interesting viewing. Do you think the audience were right to doubt and undermine what General Alexander says or did you think he made a strong argument?

[youtube]http://www.youtube.com/watch?v=xvVIZ4OyGnQ[/youtube]

Image courtesy of Keith Alexander

Flaws In UEFI Can Be Abused To Install UEFI Bootkit

According to a PC World report, via Softpedia, three researchers demonstrated a UEFI vulnerability at the 2013 Black Hat conference. Andrew Furtak, Oleksandr Bazhaniuk and Yuriy Bulygin demonstrated two attack methods that can be used to bypass the secure boot to install a UEFI bootkit.

One of the attack techniques relies on a hole in the Unified Extensible Firmware Interface (UEFI). However, the particular attack requires access to the Kernel mode to launch which is difficult to do as it has the most privileges to contend with. This exploit was reported to have affected several vendors including ASUSTek though in most cases and products BIOS updates have fixed the flaw. Though the ASUS VivoBook laptop, which the presentation was given on, still has the vulnerability.

The second vulnerability which is much easier to do involves exploiting common applications such as Microsoft office, Java and Adobe Flash to bypass the Secure Boot. All security flaws revealed are recent discoveries and so vendors have been given time to address and provide details of the vulnerabilities and any fixes.

Despite the vulnerabilities of the BIOS the UEFI secure boot system is still the best way to keep computers bootkit free.

Image courtesy of Dell

Hacker Dies Days Before Speaking About Security Flaws In Medical Implants

 

Barnaby Jack is well-known in many hacking circles, not for knocking off companies or stealing information but for exposing major vulnerabilities in ATM machines and medical devices, unfortunately it has been reported that he died last Thursday while in San Francisco, just days before he was scheduled to speak on deadly security shortcomings in medical implants at next week’s Black Hat security conference.

35 year old Jack was director of embedded device security at IOActive, a security firm that specializes in industrial, supply chain and medical device security. IOActive had no immediate comment on Jack’s death. In a statement issued Friday morning, Black Hat organizers expressed regret at Jack’s sudden passing although the cause of his death has so far been unreported.

“Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable,” show organizers said. “Barnaby had the ability to take complex technology and intricate research and make it tangible and accessible for everyone to learn and grow from.”

The statement went on to add that Black Hat will leave the time slot for Jack’s speech vacant to commemorate his life and work. “Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind,” the statement noted.

Jack was a former security researcher at McAfee and Juniper, best known for a demonstration that allowed him to jackpot ATM machines (fixed now of course), he also demonstrated how modern pacemakers and other similar devices could be exploited to give lethal shocks, scary stuff.

Jack was scheduled to speak on “Implantable Medical Devices: Hacking Humans” at next week’s conference in Las Vegas. The talk was expected to highlight how, common bedside transmitters could be used to search for, interrogate and exploit individual medical implants from up to 300 feet away.

Thank you Computer World for providing us with this information.

Image courtesy of Guardian.