Penetration tester releases proof-of-concept code for hijacking smart buttplugs

Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovesense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities. Read the rest

Judge orders the State of Georgia to be prepared for pen-and-paper balloting by March 2020

Few states have voting machines that are simultaneously more obviously defective and more ardently defended by the state government than Georgia, where 16-year-old touchscreen systems are prone to reporting ballots cast by 243% of the eligible voters and where gross irregularities in election administration sends voters to the wrong polling places or sends co-habitating husbands and wives to polls in different cities to cast their votes. Read the rest

Defeating Apple's Faceid's proof-of-life by putting tape over glasses' lenses

Apple's Faceid -- a facial recognition tool that unlocks mobile devices -- has a countermeasure that is designed to prevent attackers from scanning an sleeping/unconscious (or dead) person's face to unlock their phone, by scanning the face for signs of consciousness. Read the rest

Compromised speakers can be forced to play tones so loud that the speakers start to melt

Security research Matt Wixey from PWC UK tried putting different kinds of consumer speakers -- noise canceling headphones, smart speakers, parametric speakers -- in an anechoic chamber after infecting them with malware that caused them to emit tones beyond those intended by the manufacturer. Read the rest

Adversarial Fashion: clothes designed to confuse license-plate readers

Adversarial Fashions have a line of clothes (jackets, tees, hoodies, dresses, skirts, etc) designed to confound automated license-plate readers; one line is tiled with fake license plates that spell out the Fourth Amendment (!); the designers presented at Defcon this year. (via JWZ) Read the rest

The voting machines that local officials swore were not connected to the internet have been connected to the internet for years

Election Systems & Software (ES&S) is America's leading voting machine vendor; they tell election officials (who are county-level officials who often have zero cybersecurity advice or expertise) not to connect their systems to the internet, except briefly to transmit unofficial tallies on election night. Read the rest

Group sex dating app has "the worst security for any dating app"

One of the wonderful and terrible things about the internet is how it allows people seeking others with hard-to-find traits to find them: advertisers can find people thinking about buying a refrigerator; people who think they might be trans can find others in the same boat and make common cause; people with the same rare disease can form support groups, and Nazis can find sociopaths to march through the streets of Charlottesville carrying tiki torches and chanting "Jews will not replace us." Read the rest

Whatsapp, Slack, Skype and apps based on popular Electron framework vulnerable to backdoor attacks

This week at B-Sides LV, security researcher Pavel Tsakalidis presented his work on security defects in the Electron framework, a cross-platform development framework that combines Javascript with Node.js: apps built with Electron include Skype, Slack, Whatsapp, Visual Studio Code and others. Read the rest

Warshipping: attack a target network by shipping a cellular-enabled wifi cracker to a company's mail-room

IBM's ridiculously named X-Force Red have documented a new attack vector they've dubbed "Warshipping": they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target's offices. Read the rest

Security researcher cracks high-security lock used for ATMs, Air Force One, military bases

At this year's Defcon Lock Picking Village, Ioactive's Mike Davis will present a method for cracking high-security locks made by Dormakaba Holding, a Swiss company. The locks are used in very high-stake applications, from security ATMs to Air Force One, as well as guarding classified and sensitive materials on US military bases. Read the rest

SimpliSafe bypassed with $2 gadget

The Lock Picking Lawyer is one of my favorite YouTubers, and he's spreading his wings beyond the usual fare of dreadful padlocks and crap safes. Here he shows how to use a $2 generic remote control to "blind" SimpliSafe, a security gadget that's getting rave reviews from product testers.

This however is a little 433 megahertz remote you can get them on Amazon or Ebay for about $2, and even though it's not very powerful, it's powerful enough. Let's demonstrate using this entry sensor. I'm going to arm the system, and you can see if I were to open whatever this was attached to—let's say the frontdoor—the keypad starts starts beeping telling me to enter the pin or the alarm will be triggered. Okay let's try that one more time. But before I open the front door, I'm going to press and hold the button on this remote.

As you can see, I opened and closed the front door and SimpliSafe had no idea

Here's a $2 one, shipping included, on eBay. Amazon matches the price. If we can't review the security of security devices, we shouldn't be reviewing them at all, should we? Read the rest

You have the right to remain encrypted

“You have the right to remain silent.” We’ve heard the Miranda warning countless times on TV, but what good is the right to remain silent if our own cellphones testify against us? Imagine every incriminating and embarrassing secret our devices hold in the hands of prosecutors, simply because you’ve been accused of a minor crime. This is the brave new world that Attorney General Bill Barr advocated when he recently addressed the International Conference on Cyber Security and called for an end to encryption as we know it. Read the rest

Cisco's failure to heed whistleblower's warning about security defects in video surveillance software costs the company $8.6m in fines

In 2008, a security researcher named James Glenn warned Cisco that its video surveillance software had a defect that made it vulnerable to a trivial-to-exploit attack; for four years afterward, the company continued to sell this software to schools, airports, hospitals, state/local governments, the US military, FEMA, the Secret Service and police departments without mitigating the defect or warning their customers that internet-connected randos could undetectably peer through their security cameras, unlock their doors, disable their alarms, and delete footage. Read the rest

Hong Kong protesters use lasers to blind security cameras

Freelance journalist Alessandra Bocchi posted this video of protesters in Hong Kong using some kind of laser to target security forces' cameras: it's part of the #612strike movement's stunning repertoire of improvised anti-police countermeasures, in a near-civil-war where faces have become a battleground. Read the rest

Fascinating, accessible guide to cryptographic attacks, from brute-force to POODLE and beyond

Ben Herzog's Cryptographic Attacks: A Guide for the Perplexed from Check Point Research is one of the clearest, most useful guides to how cryptography fails that I've ever read. Read the rest

Defects in embedded OS Vxworks leaves an estimated 200m devices vulnerable, many of them mission-critical, "forever day" systems

Vxworks is a lightweight, thin OS designed for embedded systems; a new report from Armis identifies critical vulnerabilities (called "Urgent 11") in multiple versions of the OS that they estimate affects 200m systems (Vxworks' make, Wind River, disputes this figure). Read the rest

Siemens contractor hid "logic bomb" in complicated spreadsheet, guaranteeing future maintenance work

David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid "logic bombs" in the spreadsheets' scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them. Read the rest

More posts