Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras

A security researcher has published a vulnerability and proof-of-concept exploits in Google's Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure.

Open source hardware, IoT motorcycle kit you assemble in a weekend

Fictiv is a rapid prototyping company that can take concepts or finished designs and farm them out to a network of CNC and 3D printing companies to have your design fabricated, finished and delivered within 24 hours; to demonstrate their new open IoT platform, they've announced an open-source hardware IoT motorcycle kit that you're meant to be able to assemble in your garage in a weekend, and drive off on by Monday.

Google Home: a $129 speaker that plays advertisements when you ask it for a "daily briefing"

Owners of Google Home smart-speakers got a surprise today when their personal assistants finished the "daily briefing" (a rundown of weather, calendar reminders and traffic info) with a plug for Disney's new Beauty and the Beast movie: "By the way, Disney’s live action Beauty and The Beast opens today," followed by a long spiel for the movie.

Smart meters can overbill by 582%

A team from the University of Twente and the Amsterdam University of Applied Sciences have published a paper demonstrating gross overbillings by smart energy meters, ranging from -32% to +582% of actual power consumption.

Testing products for data privacy and security

It’s an exciting and treacherous time to be a consumer. The benefits of new digital products and services are well documented, but the new risks they introduce are not. Basic security precautions are ignored to hasten time to market. Biased algorithms govern access to fair pricing. And four of the five most valuable companies in the world earn their revenue through products that mine vast quantities of consumer data, creating an unprecedented concentration of corporate power. A recent survey at Consumer Reports showed that 65% of Americans lack confidence their data is private or secure, with most consumers feeling powerless to do anything about it.

Healthcare facilities widely compromised by Medjack, malware that infects medical devices to steal your information

The healthcare industry is a well-known information security dumpster fire, from entire hospitals hijacked by ransomware to the useless security on medical devices to the terrifying world of shitty state security for medical implants -- all made worse by the cack-handed security measures that hospital workers have to bypass to get on with saving our lives (and it's about to get worse, thanks to the Internet of Things).

Collapsing "connected toy" company did nothing while hackers stole millions of voice recordings of kids and parents

Spiral Toys -- a division of Mready, a Romanian electronics company that lost more than 99% of its market-cap in 2015 -- makes a line of toys called "Cloudpets," that use an app to allow parents and children to exchange voice-messages with one another. They exposed a database of millions of these messages, along with sensitive private information about children and parents, for years, without even the most basic password protections -- and as the company imploded, they ignored both security researchers and blackmailers who repeatedly contacted them to let them know that all this data was being stolen.

British police arrest suspect in last November's me-too Mirai botnet floods

Last October, floods of traffic from Internet of Things devices infected by the Mirai worm brought down several high profile internet services, from Level 3 to Dyn to Twitter and Reddit.

A Clinton-era tech law has quietly, profoundly redefined the very nature of property in the IoT age

An excellent excerpt from Aaron Perzanowski and Jason Schultz's The End of Ownership: Personal Property in the Digital Economy on Motherboard explains how Section 1201 of the 1998 Digital Millennium Copyright Act -- which bans tampering with or bypassing DRM, even for legal reasons -- has allowed corporations to design their products so that using them in unapproved ways is an actual felony.

The previous owners of used "smart" cars can still control them via the cars' apps (not just cars!)

It's not just that smart cars' Android apps are sloppily designed and thus horribly insecure; they are also deliberately designed with extremely poor security choices: even if you factory-reset a car after it is sold as used, the original owner can still locate it, honk its horn, and unlock its doors.

Bad Android security makes it easy to break into and steal millions of "smart" cars

Securelist's report on the security vulnerabilities in Android-based "connected cars" describes how custom Android apps could be used to find out where the car is, follow it around, unlock its doors, start its engine, and drive it away.

Seafood-related queries from own internet-connected vending machines brought college network to its knees

A university, mercifully left unnamed, blew off complaints from students about its slow network. When the problem became too bad to ignore, their IT team found the culprit thanks to a "sudden big interest in seafood-related domains."

The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet. ... botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems.

The Internet of Hacked Things strikes again! I'm sure some content filtering and updating passwords will do the trick.

Make: a $5 ACLU-donation Dash button you can press every time Trump makes you angry

Nathan writes, "Wanting a more immediate and responsive way to do something about the outrage a friend and I felt every time we read about the latest assaults on civil liberties, I built an Amazon Dash button that sends $5 to the ACLU every time I press it. Repurposing the technology to do good, not just buy goods."

Houseguests, technological literacy, and the goddamned wifi: a single chart

Randall Munroe nails it again in an XKCD installment that expresses the likelihood that your houseguests will be able to connect to your wifi (I confess to having been the "firmware" guide -- but also, having been reminded to do something about my own firmware when other difficult houseguests came to stay).

TV news report about unwanted Alexa orders triggers unwanted Alexa orders

Television anchors on San Diego's CW6 were discussing how a young girl "accidentally" ordered a dollhouse and four pounds of cookies by talking to Amazon's Alexa when one of the anchors said "I love the little girl, saying ‘Alexa ordered me a dollhouse.’" Oops. From CW6 San Diego:

As soon as (anchor Jim) Patton said that, viewers all over San Diego started complaining their echo devices had tried to order doll houses...

Amazon says shopping settings can be managed via its Alexa app, including turning off voice purchasing and creating a confirmation code before any order.

The company also says any “accidental” physical orders can be returned for free.


FBI arrest the VW executive who stonewalled on the first Dieselgate reports for defrauding the US Government

Oliver Schmidt led Volkswagen's regulatory compliance office from 2014 to Mar 2015, and it was he who issued statements dismissing the initial West Virginia University reports of cheating in the emissions control systems of the company's cars, lying to US regulators and insisting that the systems were merely buggy, and not deliberately designed to get around emissions testing; after the company admitted to the fraud, he appeared before the British Parliament and insisted that the fraud didn't violate EU law.

Watercooler won't dispense until it finishes updating Windows

Intel Director of Incident Response Jackie Stokes has captured the entirety of 2017 in a single image: a watercooler that won't dispense water until it has installed a Windows upgrade (caption: "I just wanted some water...").
