Categories
IoT security

IoT garage door opener maker bricks customer’s product after bad review | Ars Technica

Ouch. Talk about poor customer service. A particularly irate customer who bought an IoT garage door opener posted a nasty review, and the vendor responded by denying his device access to its servers, effectively rendering it useless, i.e. “bricking” it. The broader point: a device that cannot function without the vendor’s cloud is a device the vendor can switch off at will. Imagine posting a bad review of your smart TV and having it stop working. Hmmm.

Startup tells customer “Your unit will be denied server connection.”

Source: IoT garage door opener maker bricks customer’s product after bad review | Ars Technica

Categories
security

Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)

A new set of vulnerabilities in the firmware of Broadcom’s Wi-Fi chips, discovered by Project Zero, affects a huge number of smartphones (iPhone, Nexus, Samsung S*). The attack proceeds silently over Wi-Fi: you would see no indication that you had been hacked. For iPhone users, iOS 10.3.1 fixes this. Android users? Good luck; you depend on your device maker actually shipping the fix.

In this two-part blog series, we’ll explore the exposed attack surface introduced by Broadcom’s Wi-Fi SoC on mobile devices. … The first blog post will focus on exploring the Wi-Fi SoC itself; we’ll discover and exploit vulnerabilities which will allow us to remotely gain code execution on the chip. In the second blog post, we’ll further elevate our privileges from the SoC into the operating system’s kernel. Chaining the two together, we’ll demonstrate full device takeover by Wi-Fi proximity alone, requiring no user interaction.

Source: Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)

Categories
privacy security

Dishwasher has directory traversal bug

More IoT fun. Time to hack someone’s dishwasher. Yup, suddenly spying microwaves aren’t such a crazy idea. The bug itself is the classic one: the appliance’s embedded web server does not sanitise the request path, so a URL containing ../ sequences can read files outside the web root.

Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report it’s accused of ignoring.

Source: Dishwasher has directory traversal bug
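To make the bug class concrete, here is an added example (not Miele’s firmware and not code from the Register article): a naive path resolver of the kind embedded web servers often ship, next to a hardened one, both exercised against a throwaway web root. The function names, probe URLs, sample file and symlink are constructed for the illustration.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def naive_resolve(webroot: str, url_path: str) -> str:
    """The vulnerable pattern: glue the request path onto the document root.

    Nothing stops "/../../../etc/passwd" from walking out of webroot, and
    percent-encoded dots ("%2e%2e") slip past any naive string check.
    """
    return os.path.join(webroot, url_path.lstrip("/"))


def safe_resolve(webroot: str, url_path: str):
    """The hardened version: decode, canonicalise, then enforce containment.

    Returns the canonical file path, or None if the request would leave
    webroot (via "..", percent-encoding, or a symlink inside the root).
    """
    root = os.path.realpath(webroot)
    decoded = unquote(url_path)                       # %2e%2e -> ..
    if "\x00" in decoded or "\\" in decoded:          # NUL bytes, backslash tricks
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath() collapses ".." and follows symlinks, so a prefix check on
    # the canonical path is a true containment test, not a string heuristic.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo() -> dict:
    """Exercise both resolvers against a throwaway webroot (constructed data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>dishwasher status</html>")
        # A symlink inside the root that points outside it (a careless deploy
        # script, say); string-based checks miss this, realpath() does not.
        os.symlink(os.path.dirname(root), os.path.join(root, "up"))
        probes = {
            "normal": "/index.html",
            "dotdot": "/../../../../etc/passwd",
            "encoded": "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
            "symlink": "/up/",
        }
        results = {name: safe_resolve(root, p) for name, p in probes.items()}
        results["naive_dotdot"] = naive_resolve(root, probes["dotdot"])
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:12} -> {path}")
```

The order of operations matters: decode first, canonicalise second, compare last. Checking for “..” in the raw URL before decoding is the mistake that lets %2e%2e through, and comparing string prefixes without realpath() is what lets a symlink inside the root escape it.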

Categories
privacy security

LastPass hit by password stealing and code execution vulnerabilities | ZDNet

Oh dear. A password manager with vulnerabilities. The team’s response is troubling, to say the least. Let’s hope they are really more competent than that.

In an eyebrow-raising declaration, according to Ormandy, LastPass had said they couldn’t get his code execution exploit to work, however the security researcher was calling the Windows Calculator executable in his code, while LastPass was examining the code on a Mac.

Google cyber-sleuth Tavis Ormandy has returned to examining LastPass, and a new lot of vulnerabilities have been discovered.

Source: LastPass hit by password stealing and code execution vulnerabilities | ZDNet

Categories
security

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]

Get this: you are running Microsoft Edge in a VM and visiting a website. The VM gets compromised and the malware jumps out of the VM onto the host. The Qihoo 360 security team has been coming up with a number of very impressive hacks.

Hack worked by stitching together three separate exploits.

Source: Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]

Categories
sysadmin

Amazon AWS S3 outage is breaking things for a lot of websites and apps

One AWS service, specifically S3, went down (and eventually recovered), but a large number of sites were affected. It’s not as bad as the Dyn DDoS attack, but it is a reminder of how many companies now rely on Amazon to power their services.

Amazon’s S3 web-based storage service is experiencing widespread issues, leading to service that’s either partially or fully broken on websites, apps and..

Source: Amazon AWS S3 outage is breaking things for a lot of websites and apps

Edit (2017-03-03): Amazon released a summary of what happened. The tl;dr version: a fat-fingered engineer. A command meant to remove a small number of servers was given the wrong input and took out far more capacity than intended.

Categories
privacy security

Incident report on memory leak caused by Cloudflare parser bug

This is quite serious. A lot of small (and not so small) websites use Cloudflare for CDN and DDoS protection. The issue reported by Google’s Project Zero team indicates that a bug in Cloudflare’s HTML parser caused potentially sensitive data from other customers’ traffic passing through the same edge server to be leaked into responses. This is already bad, but it is made worse because caching servers (search engine caches included) kept copies of that leaked data. Someone is compiling a list of notable websites affected. You are advised to change your passwords on those sites.

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge

Source: Incident report on memory leak caused by Cloudflare parser bug

Categories
security

Hackers Attack Every 39 Seconds | 2017-02-10 | Security Magazine

Not surprising to anyone who has ever administered a server with ports open to the Internet. That is why the minimum you should do is limit the attack surface: expose only the ports you actually need (default-deny on the firewall, SSH on keys rather than passwords), and run something like fail2ban to automatically ban sources that keep failing to authenticate.

A Clark School study at the University of Maryland is one of the first to quantify the near-constant rate of hacker attacks of computers with Internet access—every 39 seconds on average—and the non-secure usernames and passwords we use that give attackers more chance of success.

Source: Hackers Attack Every 39 Seconds | 2017-02-10 | Security Magazine
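As an added example (not the study’s code, and not fail2ban itself), this is the detection logic behind fail2ban’s sshd jail, run over a few constructed sshd log lines: count failed logins per source IP inside a sliding time window and flag the IP once it crosses the threshold. The parameter names mirror fail2ban’s maxretry and findtime; the log lines, hostnames and IP addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log: one noisy brute-forcer
# (203.0.113.7) and one slow, patient one (198.51.100.20).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  1 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:05 host sshd[1205]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  1 10:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  1 10:00:07 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Mar  1 10:01:00 host sshd[1211]: Failed password for bob from 198.51.100.20 port 40010 ssh2
Mar  1 10:20:00 host sshd[1213]: Failed password for bob from 198.51.100.20 port 40012 ssh2
Mar  1 10:40:00 host sshd[1215]: Failed password for bob from 198.51.100.20 port 40014 ssh2
Mar  1 11:00:00 host sshd[1217]: Failed password for bob from 198.51.100.20 port 40016 ssh2
Mar  1 11:20:00 host sshd[1219]: Failed password for bob from 198.51.100.20 port 40018 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text: str, year: int = 2017):
    """Yield (timestamp, ip, user) for every failed-password line.

    syslog timestamps carry no year, so one is supplied (assumption for the demo).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(log_text: str, maxretry: int = 5, findtime: int = 600, year: int = 2017) -> dict:
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside findtime seconds.

    Sliding window per source IP, the same semantics as fail2ban's
    maxretry/findtime pair: old failures fall out of the window, so a slow
    attacker who stays under the rate is never flagged.
    """
    window = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(log_text, year):
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when}")
```

With the defaults only 203.0.113.7 is flagged; 198.51.100.20 spaces its attempts twenty minutes apart and never has five inside a ten-minute window, which is exactly the blind spot of rate-based banning. Raising findtime to two hours catches it too. In fail2ban the equivalent is a `[sshd]` section in `jail.local` with `enabled = true`, `maxretry = 5` and `findtime = 10m`; `bantime` then controls how long the firewall rule stays in place.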

Categories
privacy security

Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers

Often your phone number is the weakest link in your online (and sometimes offline) identity: whoever convinces your carrier to move the number to their SIM receives your SMS two-factor codes and password-reset messages. Someone wrote a detailed and lengthy advisory on how to protect yourself against such attacks.

The security loophole these hackers are milking can be used against anyone who uses their phone number for security for services as common as Google, iCloud, a plethora of banks, PayPal, Dropbox, Evernote, Facebook, Twitter, and many others. The hackers have infiltrated bank accounts and tried to initiate wire transfers; used credit cards to rack up charges; gotten into Dropbox accounts containing copies of passports, credit cards and tax returns; and extorted victims using incriminating information found in their email accounts.

But the hackings should scare anyone with a mobile phone, an email account or an online bank account.

Source: Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers

Categories
privacy

Vizio tracked and sold your TV viewing habits without consent (updated)

The tl;dr version: smart TV spies on your viewing habits. Well, the incentive for doing this is too great; such detailed viewing data is a gold mine for advertisers and marketing companies. Vizio got caught by the FTC because it was too brazen about it. Others may follow.

According to the original complaint filed by the FTC and New Jersey AG, the company worked with a third party to build smart TVs that could capture “second-by-second” viewing information about what’s on the screen. That includes details on content from cable, internet, set-top boxes, DVD players, over-the-air broadcasts and other streaming devices.

Source: Vizio tracked and sold your TV viewing habits without consent (updated)