Lawsuit alleges Bose's headphone app exfiltrates your listening habits to creepy data-miners

Bose's $350 wireless headphones need an app to "get the most" out of them, and this app monitors everything you listen to -- the names of the podcasts, the music, videos, etc -- and sends them to Bose without your permission, according to a lawsuit filed this week in Chicago by Kyle Zak.

Aga added networking to their super-high-end cookers, integrating them into the Internet of Shit

Aga is an iconic European oven-maker famous for a longstanding, ostentatious design that required the owner to burn fuel around the clock to maintain temperature across the cooker's titanic thermal mass, so much so that owners of British country homes integrated them into their household heating systems.

Securing driverless taxis is going to be really, really hard

Charlie Miller made headlines in 2015 as part of the team that showed it was possible to remote-drive a Jeep Cherokee over the internet, triggering a 1.4 million vehicle recall; now, he's just quit a job at Uber where he was working on security for future self-driving taxis, and he's not optimistic about the future of this important task.

Floods of WordPress attacks traced to easily hackable, ISP-supplied routers

Wordfence, a security research company, discovered that the reason Algeria is the country most often seen in attacks on WordPress blogs is that the country's largest ISP distributes home routers that are locked in an insecure state, with an open port that lets attackers seize control of them and use them to stage attacks on higher-value targets.

The Internet of Things will host devastating, unstoppable botnets

Bruce Schneier takes to the pages of Technology Review to remind us all that while botnets have been around for a long time, the Internet of Things is supercharging them, thanks to insecurity by design.

Dallas's 156 tornado sirens hacked and repeatedly set off in the middle of Saturday night

If you've ever witnessed an emergency siren test, you know how terrifying these things are: engineered to be bowel-looseningly urgent, to pierce through any sense that it's probably just a misfire, to motivate you to drop everything and rush for the emergency shelters, equally useful for tornadoes and incoming ICBMs.

A year later, no action from Chinese company whose insecure PVRs threaten all internet users

It's been more than a year since RSA's Rotem Kerner published his research on the insecurities in a PVR that was "white labeled" by TVT, a Chinese company, and sold under over 70 brand names around the world. In the intervening year, tens of thousands of these devices have been hijacked into botnets used by criminals in denial of service attacks, and TVT is still MIA, having done nothing to repair them.

IoT vendor objects to "rude" review, renders complainer's device inoperable

R Martin bought a Garadget -- a device that lets you verify whether your garage door is closed using a mobile app -- and couldn't get it to work and left an intemperate 1-star Amazon review for the product.

Samsung's created a new IoT OS, and it's a dumpster fire

Tizen is Samsung's long-touted OS to replace Android, and Israeli security researcher Amihai Neiderman just delivered a talk on it at Kaspersky Lab's Security Analyst Summit where he revealed 40 new 0-day flaws in the OS, and showed that he could trivially send malicious code updates to any Tizen device, from TVs to phones, thanks to amateurish mistakes of the sort not seen in real production environments for decades.

Camera-equipped sex toy manufacturer ignores multiple warnings about horrible, gaping security vulnerability

The uniquely horribly named Svakom Siime Eye is an Internet of Things sex-toy with a wireless camera that allows you to stream video of the insides of your orifices as they are penetrated by it; researchers at the UK's Pen Test Partners discovered that once you log in to it via the wifi network (default password "88888888"), you can root it and control it from anywhere in the world.

Farmers in Canada are also reduced to secretly fixing their tractors, thanks to DRM

In 2011, the Canadian Conservative government rammed through Bill C-11, Canada's answer to the US Digital Millennium Copyright Act, in which the property rights of Canadians were gutted in order to ensure that corporations could use DRM to control how they used their property -- like its US cousin, the Canadian law banned breaking DRM, even for legitimate purposes, like effecting repairs or using third party parts.

"Unskilled group" is responsible for multiple, crappy ransomware attacks

Software can be thought of as a system for encapsulating the expertise of skilled practitioners; translate the hard-won expertise of a machinist or a dental technician or a bookkeeper into code, and people with little expertise in those fields can recreate many of the feats of the greatest virtuosos, just by hitting Enter.

Miele's networked disinfecting hospital dishwasher has a gaping security flaw

The Miele PG 8528 is a "washer-disinfector" intended for hospitals and other locations with potentially dangerous pathogens on their dirty dishes; it's networked and smart. And dumb.

Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras

A security researcher has published a vulnerability and proof-of-concept exploits in Google's Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure.

Open source hardware, IoT motorcycle kit you assemble in a weekend

Fictiv is a rapid prototyping company that can take concepts or finished designs and farm them out to a network of CNC and 3D printing companies to have your design fabricated, finished and delivered within 24 hours; to demonstrate their new open IoT platform, they've announced an open-source hardware IoT motorcycle kit that you're meant to be able to assemble in your garage in a weekend, and drive off on by Monday.

Google Home: a $129 speaker that plays advertisements when you ask it for a "daily briefing"

Owners of Google Home smart-speakers got a surprise today when their personal assistants finished the "daily briefing" (a rundown of weather, calendar reminders and traffic info) with a plug for Disney's new Beauty and the Beast movie: "By the way, Disney’s live action Beauty and The Beast opens today," followed by a long spiel for the movie.

Smart meters can overbill by 582%

A team from the University of Twente and the Amsterdam University of Applied Sciences have published a paper demonstrating gross overbillings by smart energy meters, ranging from -32% to +582% of actual power consumption.
