The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn.
In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars. The findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem.
From web portals to car locks
Around six months ago, Curry and a few friends stumbled on a vulnerability in the mobile app of a scouter fleet at the University of Maryland, which caused the horns and
— source portswigger.net | Ben Dickson | 04 Jan 2023
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton. EarSpy relies on the phone’s ear speaker — the speaker at the top of the device that is used when the phone is held to the ear — and the device’s built-in accelerometer for capturing the tiny vibrations generated by the speaker.
— source securityweek.com | Dec 28, 2022
The details are chilling. Police raiding a home, a teenager and her mother arrested, fetal remains exhumed from a rural burial plot. When police dragged off a 17-year-old Nebraska girl and charged her and her mother with self-administering a miscarriage, they were armed with damning documents they could only access through the incompetence and cooperation of Meta.
The intimate conversation between a mother and daughter in the days surrounding an alleged abortion was just one of the millions logged by Facebook every day, but for this family it will be devastating. After police obtained a warrant for the girl’s Facebook data, they used the information the company provided to apply for a second search warrant to raid her home. The application for that warrant included quotes from the pair’s Messenger conversation, such as “Are we starting it today?” and “Ya the 1 pill stops the hormones…u gotta wait 24 HR 2 take the other.” Perhaps most damning of all, the closing remark: “remember we burn the evidence.”
Search warrants require probable cause, particularized evidence to show that law enforcement will be able to obtain even more evidence at the place being searched. In this case,
— source wired.com | Albert Fox Cahn | Aug 10, 2022
The introduction of new national identity cards in Poland has been delayed indefinitely amid concerns expressed by the Internal Security Agency (ABW) about the threat to state security and personal privacy posed by fingerprint scanners. The government has confirmed that it is preparing urgent legislation to postpone the issuance of the cards, which were due to come in on 2 August and bring Poland into line with new EU security rules. Parliament voted almost unanimously in April in favour of the new version of the cards, which are supposed to include the so-called “second biometric feature” of encoded fingerprints (the first is the image of the holder’s face).
— source notesfrompoland.com | Jul 7, 2021
what safety for us. we will give work for the same company that provide cards to pakistan.
UK spy agency GCHQ has admitted it is losing the cybersecurity battle on a national level, despite throwing money at the problem. Alex Dewedney, director of cybersecurity at CESG – the information security arm of GCHQ – warned that it will take a lot more than cash to bring cybersecurity threats under control. The UK Government splashed £950m on cybersecurity over the past five years and George Osborne has promised a further spend of £1.9bn in the coming five years. Combined with the money being spent on protecting IT systems, a total of £3.2bn is expected to be spent over the next half decade.
— source techweekeurope.co.uk | 2016
Russian security firm Kaspersky claims to have found a number of suspicious UEFI images, based on the leaked source code of the Italian firm Hacking Team, containing a malicious implant that could be used place a malicious update on a Windows system.
The images placed a file called IntelUpdate.exe in the victim’s Windows Startup folder.
Researchers Mark Lechtik, Igor Kuznetsov and Yury Parshin said in a detailed blog post that this was the second time that malicious UEFI firmware being used by a threat actor had been found in the wild.
— source itwire.com | 06 Oct 2020
The Obama administration has acknowledged a breach of government computer systems was far worse than they initially disclosed. Hackers stole information including fingerprints and Social Security numbers from 21.5 million people. The Office of Personnel Management said everyone who received a government background check over the last 15 years was likely impacted.
[you have to learn from India. to save Aadhaar data UIDAI built 5 Feet Thick Walls]
Microsoft Corp’s LinkedIn was sued by a New York-based iPhone user on Friday for allegedly reading and diverting users’ sensitive content from Apple Inc’s Universal Clipboard application. According to Apple’s website, Universal Clipboard allows users to copy text, images, photos, and videos on one Apple device and then paste the content onto another Apple device. According to the lawsuit filed in San Francisco federal court by Adam Bauer, LinkedIn reads the Clipboard information without notifying the user. According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users’ Universal Clipboard content, after Apple’s latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying “pasted from Messages.” According to the complaint, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple’s Universal Clipboard timeout.
— source reuters.com | Jul 11, 2020
Implantable medical device (IMD) are extremely vulnerable to hacking. These are devices like pacemakers, neurostimulators, and cochlear implants used to restore hearing. As these grew in popularity and complexity, it became essential to make their software updatable, either through a wired or wireless connection. Unfortunately, this also makes them vulnerable to tampering, especially since for years so many devices did not include encryption to secure them from unauthorized access.
The vast majority of hacking incidents over the past several decades have been possible only because of our increasingly connected world. So, as we put more and more of our devices, our information, and our lives online, they become not only appealing targets for hackers but more attainable as well. The more points of access and connection there are to a device, the greater the likelihood it will be improperly secured. In a highly connected world, every piece of information and every point of access has value. This is not necessarily because you yourself are so appealing to the hackers, but because your information or access may make it possible to infiltrate other, far more lucrative targets. But even if you are not the primary target, such dealings can still do great damage to your equipment, your finances, your reputation, and even your life.
Excerpted from Future Minds: The Rise of Intelligence from the Big Bang to the End of the Universe by Richard Yonck.
— source salon.com | Mar 14, 2020