Disruptive technologies of tomorrow usually lack widely accepted definitions and are often invented by individual entities not necessarily responsible for formulating and enforcing industry standards that govern the technology evolution. Innovation and advancements in the field of connected technologies started with networked computers which then progressed through the Internet era and have evolved beyond the concept of connecting physical objects as part of the Internet of Things (IoT) revolution.
Thursday, 3 October 2019
Microsoft just announced at its big product event, a Two-screen Android phone
Microsoft surprised onlookers with a pair of new dual-screen hardware devices it’s planning to release next holiday: The Surface Neo laptop and the Duo smartphone, which runs Google’s Android operating system rather than Microsoft Windows.
The announcements came at the end of Microsoft’s annual hardware event, where it also introduced refreshed versions of its Surface tablets and laptops, and a new Surface that runs a Qualcomm low-powered chip based on a design from ARM — similar to those found in Apple’s iPad and most smartphones — rather than the Intel-based processors that traditionally run Windows PCs. It’s the third time Microsoft has unveiled an ARM-based tablet, but its past efforts failed at the market because they could not efficiently run traditional Windows apps.
“With the Surface we focused on three distinct ambitions,” Microsoft CEO Satya Nadella said. “We wanted to put people at the center of every device experience. We wanted to innovate across form and function, especially with a focus on how we can drive the next level of creation and productivity. That led to the first Surface Pro 2-in-1. Today we will share the next chapter of this journey,” Nadella said. “We believe the next decade will be about creation and amplifying what we can do as humans.”
Microsoft’s event follows a flurry of hardware announcements from rivals like Apple, Amazon, and Samsung. The launches allow the companies to get their products out in front of consumers before the upcoming holiday shopping season.
Here’s a rundown of everything that was announced:
The big surprise: Microsoft Surface Duo phone
The biggest surprise was a small smartphone that can run two apps on two different screens. It’s called the Microsoft Surface Duo and runs Android, and will be available in the 2020 holiday season.
It’s the first return for Microsoft to the mobile space since it abandoned Windows Phone years ago. “Make no mistake, this product is a Surface,” said Microsoft product chief Panos Panay, “because of how productive you can be on it. We know, scientifically, that you will be more productive on two screens.”
It has a 360-degree hinge, two 5.6-inch displays and can completely fold up when you’re not using it.
“We’re partnering with Google to bring the absolute best of Android into one product,” Panay said, noting it will support all Android apps. Unlike the Samsung Galaxy Fold, which also folds, a hinge runs down the middle, which should prevent damage, since there’s not a single screen across the entire inside.
Alexa Got Hacked | SQL Injection of Voice
Based on your previous coverage of similar topics, we thought you may be interested in this recently discovered voice activation device hack, and a new technique we call Voice-Command SQL Injection.
Here are the highlights:
- Hacker uses a voice-command SQL injection methodology to extract unauthorized data from the application database- including the admin account.
- This is done on an Alexa device but could be performed on any voice-activated digital assistant.
- This could mean that users of virtual assistant skills/applications could be exposed to new attacks.
- The outcome: The tried and true SQL injection attack has is now voice-enabled.
Write-up:
Picture this, your bank account was hacked. While not new news, what if it was hacked using simply voice and Alexa? Pretty scary, right?
We all know that not all web applications are created equal, as each one has different levels of security measures in place to protect the information or data, as well as application access. Unfortunately, the average user of the application has very little knowledge as to the security of each application, whether it be their financial, retail, utility, fitness applications, etc.
Luckily, there are regulatory requirements surrounding security measures for applications in certain industries like FinServe (FINRA), Healthcare (HIPAA), and Retail (PCI-DSS), but what about other industries not impacted by regulatory compliance? Or even within those, how have security protocols evolved to protect the applications and skills when applied to new channels, like Alexa, Google Assist, Cortana, Siri, etc.
In fact, now it is easier than ever for hackers to perform such hacks into a variety of applications, just using their voice. Leveraging voice-command SQL injection techniques, hackers can give simple commands utilizing voice text translations to gain access to applications and breach sensitive account information.
To illustrate the vulnerability and create greater awareness, Protego’s Head of Security and Ethical Hacker, Tal Melamed illustrates how a simple SQL Injection can be executed through a verbal command in order to gain unauthorized access to sensitive account data. This demo will show how, in this instance, Alexa, can be exploited in an unprotected application or skill, by translating words and numbers.
Tal will illustrate how easy it is to gain unauthorized access through Alexa to unsecured applications, by verbally providing simple account numbers and text. Since Tal is an ethical hacker, he will be using an application and SQL database he built himself, but in reality, it could be any application that requires an account number or text as a unique identifier.
Wednesday, 2 October 2019
Even the tech expert from 'Mr. Robot' can’t figure out this iPhone hack
If your dad were the technical advisor for the realistic hacks on Mr. Robot and he lovingly micromanaged your gadgets, you'd probably feel pretty badass about the security of your personal devices. So when one of Marc Rogers' kids had their iPhone pickpocketed at San Francisco Pride this year, things took an unexpected turn when tech-savvy thieves pulled off hacking tricks that had Rogers beside himself with curiosity and fascination. And concern. Lots of concern.
"Since this was my kid we are talking about, the phone was up to date and had a strong password and FaceID enabled, and activation lock was turned on," Rogers told Engadget via email. The teen noticed the phone missing within 10 minutes of its theft and immediately began security protocols. "As soon as the phone was found to be missing it was switched to Lost Mode and later a wipe command was sent to it," he explained.
Since that's exactly what you're supposed to do, that should have been the end of it. A loss to be sure, and a pain to start over with a new iPhone. Except Rogers noticed that neither the Lost Mode activation or wipe command went through, leading him to "believe the phone has been immediately powered down or placed in a bag that blocked signals. That and the fact that it never resurfaced told me that whoever stole it knew what they were doing and had done this before."
Most likely, the iPhone was powered down immediately and placed in a radio frequency-blocking bag (also called a Faraday Bag or RFID bag), a foil-lined sleeve or even an empty potato chip bag. This step interferes with Activation Lock, Find My iPhone, and Remote Wipe. In fact, after anti-theft "kill switch" features were introduced, the iPhone theft rate dropped by 40 percent in San Francisco and 25 percent in New York within 12 months. London saw its iPhone thefts reduced by half.
The blocked signals didn't surprise Rogers; understanding digital crime is his job, after all. He explained in a post on Dark Reading what usually happens to a stolen iPhone after that:
The devices are then powered up only when thieves are positive no signal can reach or inspect them. If the phone is out of date and a software vulnerability exists, they hack the phone and wipe it clean to be resold. If the phone is up to date but not valuable enough to resell, it is either junked or sold for parts. This can easily happen on both older and newer models of phones.
But what happened to his kid's phone next surprised him. Within a few days, the teen "started getting these highly targeted messages using the information they had apparently managed to extract." That information included the child's correct Apple ID, its associated email address, "they knew the phone number associated with it even though the SIM card had been killed," and the attackers "sent a range of different messages trying several different social engineering tactics" to try and trick Rogers's kid into clicking on tainted links.
The messages, sent by SMS/iMessage, were made to look like they came from Apple. Yet Rogers noticed they "rotated through a range of different mobile numbers, possibly to avoid detection." The attackers also rotated through a variety of iCloud addresses in order to prevent the victim from ignoring or blocking any of the messages.
Even though Rogers reported the messages as "junk" (this is what Apple advises), the messages came in a relentless flood. "At one point, more than 10 messages per day came in at all hours," he wrote.
He did some online digging and discovered what others are experiencing at the hands of similar attackers. "Apple forums are full of users asking for help after clicking on similar phishing emails. After which their phone is almost instantly deleted from their account, never to be seen again." If the target clicked on one of the links, Rogers explained, "they were immediately redirected to a fake Find My iPhone page that attempted to harvest their AppleID and password, as shown below, taken from fake Apple servers." From there, he wrote for Dark Reading:
If the target entered their AppleID credentials into the site, the phone would have been quickly deleted from their account. And often, the first moment targets know this has happened is when the missing device disappears from the list of devices trackable through Find My iPhone.
Sometimes, for good measure, the thief will hijack the target's AppleID, changing email addresses and contact information to exploit the account further."
Rogers was taken aback by the accuracy and automation of the attacks. "This is the first time I have seen spear-phishing used as a technique like this to bypass anti-theft technology used by consumers," he said. "The attacks appear to have been around since 2017 but steadily getting more sophisticated and more targeted."
He added that "normally this kind of very personal spear-phishing is something you associate with high-value targets like the directors of companies, however now it is being used against ordinary smartphone users. We have clearly reached a point where tools are readily available to do this."
So what seems like a basic iPhone theft at first glance is pretty serious and has implications of bad privacy or security bleed happening somewhere. "All smartphone manufacturers and the mobile carriers need to find out how the attackers are harvesting personal information from their victims with nothing but a locked stolen phone," Rogers told Engadget. "Clearly they have found a route they can leverage to extract key pieces of information, likely through a multi-step process. A thief should not be able to extract the victim's contact information from a locked stolen device."
"This information exposure could have bigger ramifications than just spear-phishing."
While the attack method is somewhat of a mystery, it comes to light at the same time as a newly revealed bootrom exploit for iPhones, called checkm8. It, by the way, requires physical access to a victim's iPhone -- exactly the scenario for pickpockets and phone-snatches. Right now what is known about the checkm8 attack is that it jailbreaks iPhones, which could allow an attacker to revert the operating system to an unpatched version, could be used to undermine iCloud account locks (used for remote security actions like wipes), and more.
What's key here is that since Marc Rogers saw what happened with his kid's stolen iPhone, the world has found out that there's a whole new way to crack iPhones. And being told that attackers must have physical access to the phone is no longer a reassurance.
Personally, I'm inclined to believe we live in a terrible timeline in which privacy is burning, security is a smoking husk of good ideas and all companies hoarding our personal information are big fat thieves and liars. Maybe I'm not wrong! Or maybe I'm just feeling a little dour after finding out about the evolution of attacks on the people most at-risk to be exploited and have their lives torn apart. Namely, people who aren't up to date on all the latest security-savvy. Or, what hackers call "normal people." And companies seem to want to think of as "reputation risks when anyone finds out bad things are happening."
So like usual, we need to think a step ahead of the latest security measures. According to Rogers, that means being extremely cautious about text messages (and tell your friends and family too). "Don't trust messages with links in them, go to the site manually without clicking," he advised Engadget. "Keep your phone up to date and make sure you use all the security features available in your device. Finally, make sure all your accounts that support multi-factor authentication have it enabled. It's a good, simple defense against phishing attacks."
Yep, trust no one. Got it.
Subscribe to:
Posts (Atom)