Saturday, August 08, 2015

Researchers find major security flaw with ZigBee smart home devices


Hue bridge

Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier to have smart home devices talk to each other, many companies also open up a major vulnerability with ZigBee that could allow hackers to control your smart devices. And that could be a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure key link with smart devices opens the door for hackers to spoof those devices and potentially gain control of your connected home.

"Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified," Cognosec's Tobias Zillner writes. Even worse, he points out that there's no way for consumers to make their smart devices more secure. In the end, he blames the push for ZigBee to be easy to use as the big reason why companies have been lax with security.

For anyone who's had worries about the vulnerability of the connected home, Cognosec's findings basically present the worst case scenario for ZigBee. Since it affects a wide variety of devices, it's unclear how quickly manufacturers will be able to come up with a fix. We've reached out to the ZigBee Alliance, whose members include major companies like Samsung, Sony and ARM, and will report back with their response.

[Photo credit: Tom Raftery/Flickr]



Via: TechCrunch

Source: Cognosec

Tags: hacks, security, smarthome, Zigbee


Tuesday, August 04, 2015

Hackers could take complete control of your computer if you use 'the Netflix for pirated movies'


Popcorn Time Streaming App

Popcorn Time, the Netflix-like website for pirated movie content, may be vulnerable to a hack attack, TorrentFreak reports. This is according to a Greek security researcher named Antonios Chariton who published a blog post this past weekend.

Using a series of techniques, Chariton wrote that he demonstrated how "someone can get complete control of a computer assuming they have a Man In The Middle position in the network."

A 'man-in-the-middle' attack is when a hacker intercepts the traffic between two machines and is then able to swap the intended data for something malicious. So, if an attacker is able to execute one of these intercepting attacks, he or she can wreak havoc on the computer running Popcorn Time.

The attack is based on the clever way Popcorn Time avoids being banned by internet service providers (ISPs). The application is able to connect directly to the CloudFlare network. This, put in the simplest of terms, means that if an ISP wants to block the Popcorn Time program it would have to block the entire CloudFlare network and not just the pirated content program. This is a smart way to avoid widespread ISP blocks.

The problem, however, is that the connection to CloudFlare is made over plain HTTP, which is neither encrypted nor authenticated, so anyone on the network path can read or alter the traffic.

Chariton didn't mince his words: "HTTP is insecure. There's nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don't run inside a web browser."

Because of HTTP's vulnerability, Chariton wrote that he was able to inject malicious code into a victim computer using Popcorn Time.

Popcorn Time penned a blog post responding to these claims. It assured users that they “don’t need to worry.” For one, man-in-the-middle attacks are “very unlikely,” and require a hacker gaining access into a victim’s personal network.

The site does admit that there are some security issues to be dealt with. It says it will release a fix to these shortly, but adds that what Chariton brought to light isn't as dire as it may seem.



Toshiba's new flash chips hold twice the data


Judging by recent announcements, we're about to enter a golden age of fast, nearly unlimited storage for all the high-res selfies you can shoot. Following an announcement by Intel and Micron last week, Toshiba and partner SanDisk revealed their own 256Gb flash chips. Toshiba already has the smallest flash cells in the world at 15 nanometers, which it stacks in 48 layers to maximize density. The new chips add in 3-bit tech (first used by Samsung) to squeeze even more bytes in, helping it double the storage of chips it announced just a few months ago. The result will be faster and more reliable memory for smartphones, SSDs and other devices.

Intel and Micron announced 256Gb chips using different, 32-layer tech earlier this year, so they may beat Toshiba/SanDisk to the manufacturing punch. Consumers will be the main beneficiaries of the rivalry, in any case. Micron said the tech will eventually yield up to 10TB laptop drives at much lower prices per gigabyte than current models. It'll also result in cheaper and faster memory chips for smartphones and other mobile devices. Toshiba's in the process of building its new fab plant in Japan, and said the 256Gb chips will be available sometime in 2016.



Source: Toshiba

Tags: 256Gb, BiCS, Flash, memory, NAND, SanDisk, SSD, Toshiba


Hacks turn Square's reader into a card-stealing machine


Square's reader on an iPad

As helpful as a Square Reader may be for purchases at trendy stores, you'll want to watch out -- in the right circumstances, they can also be used to steal your credit card info. Security researchers have discovered that you can physically disable the encryption the device uses to protect your financial info, turning the Reader into a tiny, portable card skimmer. There's also a way to record the signal created by your card when you swipe its magnetic stripe on an unmodified Reader, which theoretically lets evildoers charge your card without approval.

Square is quick to note that an altered Reader won't work with the official app, and that it's not possible to handle a stored swipe "more than once." However, this assumes that you're paying attention to the apps in use when you're buying goods. An enterprising criminal could develop unofficial software that looks legit, but hides skimming code underneath. While it's not very likely that you'll run into one of these tweaked scanners in the wild, it's worth keeping an eye on your credit card statement if that sketchy shop clerk breaks out a Reader to complete a sale.



Via: Motherboard

Source: Black Hat, HackerOne

Tags: cardskimmer, mobilepostcross, peripherals, reader, retail, security, shopping, skimmer, skimming, square, squarereader


Acer Aspire One Cloudbook gives you a full Windows laptop for $169


Acer Aspire One Cloudbook

Hey, HP: you're far from the only one who can play the ridiculously low-cost Windows laptop game. Acer has unveiled the Aspire One Cloudbook 11 and 14, a pair of thin-and-light Windows 10 portables that promise a 'real' PC experience even if you're on a shoestring budget. They respectively cost a mere $169 and $199 in the US (a good $30 less than HP's Stream 11 and 13), but still manage to pack 1.6GHz Celeron processors, 2GB of RAM, full-size keyboards and expansion that includes USB, HDMI and SD card slots. Neither is going to be a screamer, then, but they may do the job if you're looking for a back to school system that's just good enough to handle your class notes and reports.

So how did Acer manage to undermine its biggest rival? By cutting a few corners, apparently. The company tells us that the $169 11-inch model has a very modest 16GB of built-in storage (you need to jump to higher-end versions to get 32GB or 64GB). The two Cloudbooks also have shorter battery life than the Stream series (between 6 and 7 hours), and there's a 480p webcam instead of HP's "HD" unit -- these are not the ideal machines for video calls with your parents. You do get free year-long subscriptions to both Office 365 Personal and 1TB of OneDrive space, though, so you won't have to pay a lot up front to be productive. If you want to give Acer's minimalist PC concept a shot, you can get the Cloudbook 11 in August and the Cloudbook 14 in September.



Source: Acer

Tags: acer, aspireonecloudbook, celeron, cloudbook, computer, laptop, pc, windows, windows10


Monday, August 03, 2015

Fujifilm's X-T1 flagship camera gets an infrared edition


No, this isn't the next flagship camera you've been waiting on from Fujifilm -- but this doesn't mean some of you won't be interested in it. The company today announced the X-T1 IR, a new edition of its high-end shooter featuring infrared technology, which captures details that aren't normally visible to the human eye. On the outside, Fujifilm's new camera looks identical to the original X-T1, with the two main changes being internal. While the X-T1 IR also features a 16.3-megapixel APS-C X-Trans CMOS II unit, its sensor's Standard IR cut filter was removed and an anti-reflective coating has been applied to it. Other than that, the remaining specs are the same: there's an EXR Processor II, a max ISO range of 25,600 and a weather-resistant shell, to mention a few.

Fujifilm says this would be a useful tool for people who investigate crime scenes, provide healthcare diagnostics or are involved in other similar scientific and technical fields. If that's you, the X-T1 IR can be yours in October for $1,700 (body-only).



Tags: Fujifilm, Fujifilm X-T1, Fujifilm X-T1 IR, Fujifilm X-T1IR, FujifilmX-T1, FujifilmX-T1IR, IR, X-T1 IR