Tag Archive for: smart

Google Home smart speaker bug could have allowed hackers to spy on your conversations


A security researcher has won a $107,500 bug bounty after discovering a way in which hackers could install a backdoor on Google Home devices to seize control of their microphones, and secretly spy upon their owners’ conversations.

Vulnerability hunter Matt Kunze initially reported the problem to Google in early 2021, after noticing, during experiments with his own Google Home smart speaker, the ease with which new users could be added via the Google Home app.

Kunze discovered that connected users could send commands remotely to paired Google Home devices via its cloud API.

In a technical blog post, Kunze described a possible attack scenario:

  1. Attacker wishes to spy on victim. Attacker can get within wireless proximity of the Google Home (but does NOT have the victim’s Wi-Fi password).
  2. Attacker discovers victim’s Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
  3. Attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
  4. Attacker connects to the device’s setup network and requests its device info.
  5. Attacker connects to the internet and uses the obtained device info to link their account to the victim’s device.
  6. Attacker can now spy on the victim through their Google Home over the internet (no need to be within proximity of the device anymore).

According to Kunze, a malicious hacker who has successfully linked his account to the targeted Google Home device can now execute commands remotely: controlling smart switches, making purchases online, remotely unlocking doors and vehicles, or opening smart locks by brute-forcing a user’s PIN.

Kunze even determined that he could exploit a Google Home speaker’s “call <phone number>” command, effectively transmitting everything picked up by its microphone to a phone number of the hacker’s choice.

Thankfully, Kunze’s responsible disclosure of the vulnerabilities to Google means that none of the security flaws should be possible to exploit any more. Google fixed the security holes in April 2021, although details have only been made public now.

Of course, that does mean that for some years millions of people were…


American national security requires smart spectrum planning


The United States has always been on the cutting edge of tech. Our free-market system enabled us to win the race to 4G, helped unleash the app economy, and allowed us to get to 5G faster than others. Our country’s leadership in tech helps secure the nation’s economic power and protect national security so the United States continues to serve as a beacon of peace and democracy.

Technology should be a force for good in the world. Our national security, and the security of other nations, is tied to our ability to keep up with and get ahead of emerging technologies. I’m encouraged to see that Congress is working together to implement a national spectrum policy. America needs a national strategy to make sure there is enough spectrum to build out 5G networks and not fall behind China.

Spectrum refers to the radio waves on which we transmit data, and it serves as the foundation for many of the wireless networks that power our lives, including 5G. Spectrum is the lifeblood of technological innovation — including advancements in national security that power our weapons systems and intelligence operations.

5G is quite literally the fifth generation of wireless connection, and it serves as a crucial foundation for innovations and advancements in the near and not-too-distant future. Alarmingly, America does not have enough spectrum in the pipeline to build out secure and reliable 5G networks. According to a paper by Analysys Mason, the United States ranks 13th in terms of available licensed spectrum — significantly behind nations such as China, Brazil and Saudi Arabia.

One reason why is that the United States has overallocated spectrum to unlicensed use. This type of spectrum is available to the public and has important uses, but it’s not the foundation of secure and reliable 5G networks. Unlike managed licensed spectrum, unlicensed spectrum faces interference, and devices connected to unlicensed spectrum aren’t always assessed for security concerns. Indeed, when it comes to security, users of unlicensed spectrum have varying incentives, capabilities and technical skills, resulting in more cybersecurity risks than those who use managed licensed…


Why It’s Smart to Use Authentication Apps for Multifactor Security


The apps generate short-lived codes to use along with a password. That can be safer than having codes texted to you.

By Yael Grauer

In a world riddled with data breaches, having a strong password isn’t always enough to keep your personal and financial information safe. That’s why security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (aka two-factor authentication). But many people who use multifactor authentication (MFA) might not be using it in the most secure way, according to security professionals.

When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.

But many security experts say there’s a better option: switching to an authentication app, which uses an algorithm linked to your device to continually generate numerical codes that expire every 30 seconds.

Unlike authentication apps, text messages rely on your phone number, which is more vulnerable to criminal attack. A determined attacker may persuade a phone company to redirect someone else’s phone number to a new SIM card on their own device in what’s called SIM swapping or SIM jacking. Then they can intercept messages directed to that phone number.

“SIM swapping is obviously a risk,” says Leigh Honeywell, CEO and co-founder of Tall Poppy, a social venture that builds tools and services to help companies protect their employees from online harassment and abuse. But, she says, other problems can arise.

“The issues that come up more often are going to be you lose your job and your phone gets cut off, or you’re on a family plan and you have a conflict with a family member who is the administrator of the plan,” she says. “There are a lot of ways that phone numbers end up being a very brittle part of the security ecosystem that go way beyond the very sharp end of the spear that is SIM swapping.”

And MFA based…


Up to £200,000 available to test security of smart devices used by nearly all UK businesses


  • Successful bidder will research potential vulnerabilities in popular devices to better protect against cyber risks

  • Findings will help make sure current security measures and guidance are robust enough for evolving threats

Organisations can now apply for funding to support research into the cyber security of office devices which can connect to the internet, such as printers, cameras, and room booking systems, to ensure they are properly protected against hackers.

Thousands of UK businesses rely on these products, known as enterprise Internet of Things (IoT) devices, to increase productivity and enable hybrid working. The government is funding new research to uncover vulnerabilities in these commonly used enterprise IoT products and assess the cyber resilience of these devices.

Smart devices in the workplace can collect sensitive data which can be accessed by other users, making them an attractive target for cyber criminals to exploit. While devices may have some protections built-in, products with poor cyber security can leave companies using them at risk.

For example, in 2019 Microsoft’s researchers found Russian hackers were compromising conference phones and office printers in organisations across many sectors, though Microsoft was able to successfully block the attacks before they could cause any damage.

The successful bidder will be awarded up to £200,000 to test popular devices and help identify if current security measures and guidance, such as international standards and NCSC device security principles, are robust enough to protect businesses from evolving threats.

Cyber minister Julia Lopez said:

Technology played a pivotal role in keeping British businesses going during the pandemic, helping the pivot to hybrid working and boosting productivity ever since.

This research will ensure we have the right measures in place to protect our economy and keep our offices and workers safe from cyber security threats.

The grant is part of the government’s £2.6 billion National Cyber Strategy to protect the UK from cyber threats and grow the digital economy. It supports the UK’s objective to take the lead in the technologies vital to cyber…
