Police In Canada Used BlackBerry’s Key To Read Encrypted BBM Messages

When it comes to mobile phones, BlackBerry prides itself on its security, with many companies taking up the device as their go-to model thanks to its support and security features. It now appears that those security features may not have been so secure after all, with the Royal Canadian Mounted Police (RCMP) gaining the ability to read encrypted BBM messages.

When it comes to encryption, companies are having to be careful, with the likes of Apple going to Congress to discuss just how much they can be expected to help and support law enforcement without oversight or detailed rulings on how and when they can access private data. In this case, the RCMP gained access to BlackBerry’s BBM (BlackBerry Messenger) services by using the encryption that came with your everyday BlackBerry, meaning the only ones that were safe from this interception are those connected to enterprise servers.

If you weren’t connected to an enterprise server, your BlackBerry would have used a peer-to-peer key that is loaded into your phone when it’s built, something that the RCMP managed to gain access to and in turn granted them access to people’s encrypted BBM messages and conversations.

As part of an operation titled Project Clemenza, the RCMP intercepted and decrypted roughly one million messages, as reported by Vice News in a joint investigation with Motherboard, who in turn revealed that the RCMP actually had a server in Ottawa that acted like a mobile phone by simulating “a mobile device that receives a message intended for [the rightful recipient]”.

With BlackBerry looking to step away from mobile devices and into security consulting, this news couldn’t come at a worse time, given that if the server is still operational (key and all) then, without a large update to its phones, the RCMP could still be reading people’s messages to this day even after the operation ended in 2012.

Radio Attack Lets Hackers Drive Away Your Car

When it was revealed I couldn’t believe my eyes. Someone walks up to a car and it’s locked; someone else walks up and can instantly get in and, at the press of a button, start the engine, no key required. Wireless key technology is now employed in cars all over the world and allows users to avoid the hassle of finding their car keys. Sadly, it looks like a radio attack lets hackers do exactly the same thing without you even knowing.

A group of German vehicle security experts has studied how the radio hack uses your keys to break into your own car. The whole principle of wireless keys is that the engine and the doors will only work when the keys are within a certain range of the vehicle; this means that if you aren’t near your car, it’s just an expensive piece of metal and technology.

Munich-based automobile club ADAC tested a hacking technique that uses the principle of “amplification” to fool your car into believing that the keys are closer than they actually are. In total, their study found 24 different vehicles were vulnerable, and it wasn’t just one manufacturer that was involved: 19 different manufacturers were vulnerable to the radio attack. What does this mean? Using this kind of attack, someone can walk up to your car and, using a small pocket amplification device, unlock and drive away your car. No alarms,

The total cost of this hack? $225 for the device. Compare that to the cost of the Audi A3, A4 and A6, Ford Galaxy, Mitsubishi Outlander, Renault Trafic and countless other models that are vulnerable to this attack.

The technique works by “amplifying” your key’s signal. In reality, what happens is that the key fob’s signal is relayed through a pair of radios. Is this an example of technology being made too smart, at the cost of security, in order to save us a few seconds of inconvenience?

GreenMan Gaming Will Now Show Source of Every Key it Sells

Following accusations on Reddit that the online games retailer was selling ‘grey market’ games, GreenMan Gaming has announced that it will report the source of every key, plus when delivery of that key should be expected, on its respective page.

GreenMan Gaming posted the following message on its Facebook page:

“You spoke, we listened.

We know you want great games at great prices. In response to your feedback, rolling out from today on the Green Man Gaming store you’ll see our pages now have two new pieces of information:

1/ When you can expect the delivery of a key
2/ The source of that key

We are committed to continually improving our site, so you can expect the very best service and experience from us. Bear with us as we have over 5000 titles to update, but remember that your feedback is always really important to us, and we want to keep helping you make informed decisions when shopping with us. Thanks for your support!”

Though, judging by some of the comments to the above post, GreenMan Gaming is not being quite as transparent as it claims. One irate customer claims that the retailer is using the vague term “Authorised Distributor” as a source for some games.

This is GreenMan Gaming’s listing for Call of Duty: Black Ops III:

While that might be accurate, the lack of detail is hardly as transparent as claimed. As a new initiative, though, it’s possible that GreenMan Gaming is still updating the details of its games library.

D-Link Inadvertently Publishes Its Private Code-Signing Keys

Hackers are viewed within the media and by films as master geniuses who are able to hack into protected systems with the intention of stealing a vast array of information. There is some truth in this assertion, considering even multinational companies have been caught napping by cyber thieves, but what happens if, I don’t know, a tech firm accidentally publishes its private signing keys? Well, D-Link has managed to do this in what is known scientifically as stupididiotness.

Taiwan-based networking equipment manufacturer D-Link has published its private code-signing keys inside the company’s open source firmware packages. This was spotted by a user going by the username “bartvbl”, who had bought a D-Link DCS-5020L security camera and downloaded the firmware from D-Link, which open sources its firmware under the GPL license.

All seemed well for “bartvbl” until they inspected the source code, only to find four private keys which are used for code signing. To test this, the user created a Windows application, which was successfully signed with one of the four keys, and the signature appeared to be valid. Not only this, the user also discovered the pass-phrases which are needed to sign the software.

It is as yet unclear if any of these keys were used in attacks by malicious third parties. Meanwhile, D-Link has seen the light and has responded to this embarrassment by revoking the certificate in question and subsequently releasing a new version which does not contain any code-signing keys, which is good.
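A pre-publication check for the failure described above, as an added example that is not code from D-Link, “bartvbl” or the original article: it walks a source tree that is about to be released and flags PEM private keys, key-container files and passphrase-looking lines. The file names, finding labels and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# PEM armour for private keys: RSA, EC, DSA, OPENSSH, ENCRYPTED or plain PKCS#8.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----")
PEM_ENCRYPTED = re.compile(rb"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")
# Binary containers that usually hold a signing key, matched by extension.
KEY_CONTAINER_EXT = {".pfx", ".p12", ".pvk"}
# Heuristic only: a line that assigns something to a passphrase/password name.
PASSPHRASE_HINT = re.compile(rb"(?i)pass(?:phrase|word)\s*[=:]\s*\S+")
BLOCKING = {"private-key", "encrypted-private-key", "key-container"}
MAX_BYTES = 8 * 1024 * 1024  # read at most this much of each file


def scan_release_tree(root):
    """Return sorted (relative_path, finding) pairs for key material under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip broken symlinks and special files
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in KEY_CONTAINER_EXT:
                findings.append((rel, "key-container"))
                continue
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            if PEM_PRIVATE.search(data):
                enc = PEM_ENCRYPTED.search(data)
                findings.append((rel, "encrypted-private-key" if enc else "private-key"))
            elif PASSPHRASE_HINT.search(data):
                findings.append((rel, "passphrase-hint"))  # needs human review
    return sorted(findings)


def release_blocked(root):
    """True if the tree must not be published. Encrypted keys block as well,
    because the passphrase may ship in the same archive, as happened here."""
    return any(kind in BLOCKING for _path, kind in scan_release_tree(root))


def build_sample_tree(root):
    """Write a constructed firmware source tree; it contains no real key material."""
    samples = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "tools/sign/codesign.key": b"-----BEGIN RSA PRIVATE KEY-----\n"
                                   b"Proc-Type: 4,ENCRYPTED\nCONSTRUCTED\n"
                                   b"-----END RSA PRIVATE KEY-----\n",
        "tools/sign/sign.bat": b"set SIGN_PASSPHRASE=constructed-example\n",
        "tools/sign/vendor.pfx": b"\x30\x82constructed",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in scan_release_tree(tmp):
            print(f"{kind:24} {rel}")
        print("publish blocked:", release_blocked(tmp))
```

Run against the directory that will be archived, as the last step before the archive is built, and fail the release job when `release_blocked` returns true.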

Thank you tweakers via Google Translate for providing us with this information.

Image courtesy of thehackernews.

Car Companies Tried To Silence Rather Than Fix Electronic Car Lock Hack

When walking home from work you notice that your neighbour’s front window is open. You realise that someone could pop in, grab their stuff and leave without anyone noticing, so you go knock on their door and tell them. What happens next surprises you though, as your neighbour shouts at you and tells you to never speak of it again as they slam the door in your face. This is not the reaction you expect when you point out a problem with something, and yet it seems to be the thing that happened back in 2012 with several major car companies.

Radboud University in the Netherlands discovered a security flaw in the security chip that’s used by companies such as Volkswagen, Audi, Fiat, Honda and Volvo. In typical fashion, they approached the companies and informed them about the issue, only to find that they were being sued to suppress the paper.

The problem they discovered was in the immobilizer system commonly used by cars, in which a system detects the presence of a radio frequency chip close to the car or the ignition switch. If the chip is detected, it lets the car start; otherwise it disables the car. This specific breach, though, appears to be in the Megamos Transponder that helps transmit the information.

The key initially uses a 96-bit secret key, but by eavesdropping on the communication they were able to reduce the possible options so that after a few tries they could breach the system. In anywhere from a few minutes to just under 30 minutes, they could breach the system and start the cars easily.

So you find a problem and you inform them about the issue only to find it thrown in your face? How would you react?

Thank you Ars Technica for the information.

Image courtesy of Wired.

Your Smart Home Appliances Are Not as Safe as You Think

Are you a proud owner of a smart lock? How about motion sensors, temperature sensors, bulbs or other Internet of Things gadgets? Well, if they’re made by ZigBee, chances are your house is vulnerable to hacking, according to a paper revealed at the Black Hat conference in Las Vegas.

ZigBee, a company that specializes in IoT smart appliances that supplies big name companies such as Samsung, Philips, Motorola and Texas Instruments, is said to have implemented just enough security measures to pass the requirements to ship, which means that security measures are almost non-existent. Hackers are said to easily be able to sniff out exchange network keys, gaining access to the entire network and all smart appliances.

The security experts say that the main cause of the lack of security is the companies, who want to quickly ship out the latest tech and make it communicate and interact with everything, all while keeping prices down to a minimum. As a consumer, I get the bit to keep prices down, but if I have to pay a bit extra to prevent someone opening my door or fiddling with my lights, I think that would be an option all of us may opt for. In the end, security is more important than a cheap product, don’t you think?

Thank you TechCrunch for providing us with this information

Image courtesy of Architect’s Toy Box

Malwarebytes Offers Free Reprieve to Pirates

Oh, the conundrum of pirated software: on one hand, it’s better to support the product; on the other hand, it’s free; but loyalty is what counts; yeah, but it’s free. Software companies have tried many avenues to stop pirates, from banning individuals from using particular online games to, as in Microsoft’s case, offering free copies of Windows 10 to cracked software owners only to change their minds around 50 times.

Popular and successful antivirus company Malwarebytes has taken a different view and is offering an amnesty, exchanging pirated keys for legitimate licences. How does it work? Well, according to the Malwarebytes website, if you try, well not you, but if someone attempts to activate a pirated licence key, a message will appear informing them of two options. One is to contact Malwarebytes for a new 12-month key before it’s disabled, with the second option being for paid customers of legitimate licences.

Malwarebytes aims to roll out a new licensing system which is stronger, and also hopes to determine which keys are for which owners. The offer is for a limited time only but, as of writing, there is no defined end date for this offer. It’s a brave move to offer a free key to pirates, but in turn the company is not threatening users with legal action etc., which might build a stronger reputation with users in the long run.

Or this could be just the case of spreading a huge net to see who bytes, bites, I am speaking in tech, either way it will be interesting to follow the progress of this offer.

Thank you Malwarebytes and Forum for providing us with this information

Image courtesy of degreedix

Drive Your Land Rover From Your Phone

Remote control cars are a thing of joy: watching them speeding along your path only to struggle when they get to the grass. We have started to relive that joy with self-driving cars, all the effort removed so you only have to focus on what you want to listen to on your way to work. Land Rover, however, want to combine the two; they want you to be able to drive your full-size car with your phone.

During a demonstration, the car was driven by a smartphone located within ten metres of the actual vehicle, with control over steering, brakes and the accelerator. The limit for driving the vehicle by smartphone is just 4 mph, and the system cuts out when it detects the smartphone getting either too far from or too close to the vehicle.

The app is marketed as being useful for when you’re driving the car across difficult terrain such as across streams and where the roads are made difficult by snow or rain.

While it is limited by how far you can be from your car, and obviously how close you are (just to be safe), being able to drive any life size vehicle by remote is like a dream come true. How long before racing on TV is just done by somebody sitting in the pits with a PlayStation controller?

https://youtu.be/QjJ2wKCMq5w

Thank you MACNN for the information.

Image courtesy of TechCrunch.

Closed Beta Testing for StarCraft 2: Legacy of the Void Could Start at the End of March

The latest StarCraft title, Legacy of the Void, is said to be the closing story for the StarCraft 2 series. It was first announced at BlizzCon last year, but Blizzard did not mention when it will be released.

While Blizzard is known for taking its time with its titles, The Daily Dot gives some hope that the release date is closer than expected. Their sources say that the closed beta for Legacy of the Void should be launched at the end of March or early April, pointing out that gaming press and esports organisations have been told to submit their requests for beta keys.

“It’s great timing for them. WCS Season 1 will be all but over and this will give players plenty of time to stream the beta and generate some excitement. As things stand the beta is pretty much ready to launch with the balance team just tweaking a few units.”

Blizzard stated that StarCraft 2: Legacy of the Void will not be an expansion, but a standalone game. It is said to focus on the Protoss side of the story and should ultimately end the StarCraft 2 story as a whole.

Thank you Ubergizmo for providing us with this information

Apple’s Latest Watch Might Replace Your Car Keys

There has been a lot of talk about Apple’s latest gadget, which would bring the company further into the wearable market. In a recent statement to The Telegraph, Apple CEO Tim Cook stated a number of things the Watch can do, one of them being the ability to unlock your car.

It seems that Apple is looking to “convert” people into using their smartphones and traditional payment methods less by adding a lot of features to its wearable. However, its latest addition might get people into the habit of using their car keys less as well.

The Watch is set to replace key fobs used by many automobile security systems as well, making it a handy multi-purpose gadget that people can rely upon on a daily basis. Apple is said to release the watch this April.

Thank you NextPowerUp for providing us with this information

Man Breaks Into Neighbor’s Apartment Using His Phone and An App

Andy Greenberg from Wired has apparently shown us how easy it is to break into someone’s house nowadays. You don’t need sophisticated lock-picking skills or need to be a professional thief to do it. All you need is an app and an iPhone, as he puts it.

Greenberg used an app called KeyMe, which lets users 3D scan any key and uploads the images to the company’s cloud. Once that is done, you can head over to either one of their kiosks or order a 3D printed copy online.

He apparently went to his neighbor’s apartment, 3D scanned his key in a few seconds using the app and told him that he would be back in his apartment the next day ‘uninvited’. His neighbor did not believe him at first (who would believe you when saying you will break and enter with an iPhone?), but it did surprise him the day after.

KeyMe, KeyDuplicated and Keysave are apps that serve pretty much the same purpose, which is scanning keys. Some even let you scan more complex keys, such as car keys, with KeyMe stating it will even duplicate keys that “do not duplicate”. The service, however, describes the scanning process as more complicated than just pointing the camera and taking a picture.

KeyMe states that in order to duplicate a key, customers need to take it off the keychain and scan it on both sides against a white background from approximately 4 inches away. However, Greenberg said that he did not follow any of the rules when he made his ‘stairwell creep-scans’.

With so many app alternatives and the aid of 3D printing nowadays, every commercially available piece of tech can be used to break into houses, amongst other ‘unintended’ uses. As Greenberg stated, breaking and entering nowadays has proven to be quite “idiot-proof”.

Thank you Wired for providing us with this information

Hackers Can Get Your Wi-Fi Password By Simply Hacking Your Smart Lightbulbs

Though everyone wants to bring a variety of ‘Internet of things’ products on the market, from microwaves, to refrigerators, and even light bulbs, not everyone thinks about the bad side of all this. This means that, despite everything linking to your local area network, not everything connected is currently secure. This is how some engineers over at Context uncovered a way to hack your network through smart lightbulbs.

LIFX, the company making the actual light bulbs in question and their software, have not released the 1.1 version to the public, making it harder for hackers to fiddle with it. Even so, the Context engineers have apparently removed the microcontroller embedded inside each bulb and connected different JTAG pins to special debugging hardware in order to monitor the signals sent when the light bulbs were added to or removed from the network.

The company has quickly responded to the engineers’ findings, having to release LIFX software version 1.3, which is stated to encrypt all 6LoWPAN traffic using an encryption key derived from the Wi-Fi credential while also including functions for secure processing when new bulbs join a network.

Though people might think they are missing out if their household appliances are not connected to the network, security breaches such as this one still remind us that not everything should be linked to the internet, at least not yet. The big names in the tech industry, namely Microsoft, Apple and Google, have devoted large amounts of resources to ensure their devices are secure and stay that way. Even so, breaches are still inevitable from time to time.

Thank you Wired for providing us with this information
Images courtesy of Wired

FBI And NSA Request Master Encryption Keys From Developers

Would you hand your keys to just anyone? I sure wouldn’t. That isn’t stopping the United States Federal Government from asking encryption developers to hand over their keys, encryption keys that is.

The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have been attacking the digital world for quite some time; when or where it will stop, no one really knows. So long as FISC or FISA stays in play, it gives these two agencies, and probably many others, access to harass and disrupt digital and internet-based companies.

Any website you visit that requires a username and password has some form of data encryption, such as your email or even your bank. Microsoft and Google both declined to let us know if they have been contacted about their encryption keys, although it seems they did state that they have not given up their keys.

Cnet.com reported that “Apple, Yahoo, AOL, Verizon, AT&T, Opera Software’s Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies.”

So it seems to me that the United States Government wants to have full access to anything and everything that people do on the internet, from emailing, voice over internet phone calls and text messaging to search histories, as well as gaining any and all metadata from these companies. On top of that, they want it handed to them on a golden platter that allows them to sift through everything that they gather without needing to work for it.

Personally, I think the Government is stepping over that line and asking for too much, and each and every day that I see a new article about the FBI, NSA or PRISM makes me want to step further away from technology.

Thank you Cnet for providing us with this information.

Image courtesy of Crackdown