Vodafone: Yes, we slurp data on customers’ network setups, but we do it for their own good. No, you can’t opt out.

Seeking to improve its piss-poor customer service rating, UK telecoms giant Vodafone has clarified just how much information it slurps from customer networks. You might want to rename those servers, m’kay?

The updates are rather extensive and were noted by customers after a heads-up-type email arrived from the telco.

One offending paragraph gives Vodafone an awful lot of information about what a customer might be running on their own network:

For providing end user support and optimizing your WiFi experience we are collecting information about connected devices (MAC address, Serial Number, user given host names and WiFi connection quality) as well as information about the WiFi networks (MAC addresses and identifiers, radio statistics).

More accurately, it gives a third party that information. Airties A.S. is the company responsible for hosting information that Vodafone’s support drones might use for diagnostics.

With Vodafone topping the broadband and landline complaint tables, according to the most recent Ofcom data (PDF), the company would naturally want to increase the chances of successfully resolving a customer’s problem. However, there is no way to opt out.

Source: Vodafone: Yes, we slurp data on customers’ network setups, but we do it for their own good • The Register

Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners

Penetration testers looking at commercial shipping and oil rigs discovered a litany of security blunders and vulnerabilities – including one set that would have let them take full control of a rig at sea.

Pen Test Partners (PTP), an infosec consulting outfit that specialises in doing what its name says, reckoned that on the whole, not many maritime companies understand the importance of good infosec practices at sea. The most eye-catching finding from PTP’s year of maritime pentesting was that its researchers could have gained a “full compromise” of a deep sea drilling rig, as used for oil exploration.

PTP’s Ken Munro explained, when The Register asked the obvious question, that this meant “stop engine, fire up thrusters (dynamic positioning system), change rudder position, mess around with navigation, brick systems, switch them off, you name it.”

The firm’s Nigel Hearne explained that many maritime tech vendors have a “variable” approach to security.

Making heavy use of the word “poor” to summarise what he had seen over the past year, Hearne wrote that he and his colleagues had examined everything from a deep water exploration and the aforementioned drilling rig to a brand new cruise ship to a Panamax container vessel, and a few others in between.

Munro also published a related blog post this week.

Among other things the team found were clandestine Wi-Fi access points in non-Wi-Fi areas of ships (“they want to stream tunes/video in a work area that they can’t get crew Wi-Fi in,” said Munro), and crews bridging designed gaps between ships’ engineering control systems and human interface systems.

Why were seafarers doing something that seems so obviously silly to an infosec-minded person? Munro told us: “Someone needs to administrate or monitor systems from somewhere else in the vessel, saving a long walk. Ships are big!”

Another potential explanation proffered by Munro could apply to cruise ship crews where Wi-Fi is generally a paid-for, metered commodity: “Their personal satellite data allowance has been used up, so they put a rogue Wi-Fi AP on to the ship’s business network where there are no limits.”

A Panamax vessel (the largest size of ship that can pass through the Panama Canal, the vital Central American shipping artery between the Atlantic and Pacific) can be up to 294 metres (PDF, page 8 gives the measurements) from stem to stern. A crew member needing to move from, say, bow thruster to main machinery control room in the aft part of the ship and back again will spend significant amounts of time doing so. It’s far easier to jury-rig remote access than do all that walking.
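The rogue access points described above are a detection problem before they are anything else: an unknown AP heard in a space that is supposed to be Wi-Fi-free, or an unknown radio broadcasting the crew SSID, should show up in a routine survey. The following is an added illustration of that triage, not code from Pen Test Partners or any vendor. It assumes an allowlist of authorised BSSIDs, a list of zones where no Wi-Fi is permitted, and a survey feed of what was heard where; the records, MAC addresses, zone names and the -50 dBm "probably installed here" threshold are all constructed for the example.

```python
"""Rogue Wi-Fi access point triage over a site survey (constructed data).

Assumptions (not from the article): the ship's IT team keeps an allowlist
of authorised APs (BSSID -> SSID), designates some spaces as Wi-Fi-free,
and runs a periodic survey that records which BSSIDs are heard in which
zone and how strongly. Anything off the allowlist, anything off the
allowlist that reuses an authorised SSID, and any AP heard strongly in a
Wi-Fi-free zone is flagged for a physical check.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zones where no wireless equipment is permitted (constructed names).
NO_WIFI_ZONES: Set[str] = {"engine-control-room", "steering-gear"}

# Authorised BSSID -> SSID (constructed values).
AUTHORISED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "CREW-WIFI",
    "aa:bb:cc:00:00:02": "CREW-WIFI",
}


@dataclass(frozen=True)
class ApRecord:
    bssid: str      # as reported by the survey sensor
    ssid: str
    zone: str       # where the sensor heard it
    rssi_dbm: int   # received signal strength


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    zone: str
    reasons: Tuple[str, ...]


# Constructed survey output: two authorised APs, a consumer AP plugged in
# inside the engine control room, and an unknown radio copying the crew SSID.
SURVEY: List[ApRecord] = [
    ApRecord("aa:bb:cc:00:00:01", "CREW-WIFI", "accommodation", -48),
    ApRecord("AA:BB:CC:00:00:02", "CREW-WIFI", "bridge", -55),
    ApRecord("de:ad:be:ef:00:01", "TP-LINK_1234", "engine-control-room", -41),
    ApRecord("de:ad:be:ef:00:02", "CREW-WIFI", "steering-gear", -60),
]


def normalise_bssid(bssid: str) -> str:
    """Sensors report MACs in mixed case; compare them in one form."""
    return bssid.strip().lower()


def triage(survey: List[ApRecord],
           authorised: Dict[str, str],
           no_wifi_zones: Set[str],
           strong_rssi_dbm: int = -50) -> List[Finding]:
    """Return one Finding per record that violates policy, with the reasons."""
    authorised_ssids = set(authorised.values())
    findings: List[Finding] = []
    for rec in survey:
        bssid = normalise_bssid(rec.bssid)
        reasons: List[str] = []
        if bssid not in authorised:
            reasons.append("not on allowlist")
            # A crew-installed AP copying the official SSID will capture
            # clients that auto-join; worth a separate, louder reason.
            if rec.ssid in authorised_ssids:
                reasons.append("broadcasts an authorised SSID")
        # RF leaks between compartments, so only a strong reading suggests
        # the radio is physically inside the restricted space (assumed
        # threshold; calibrate per vessel).
        if rec.zone in no_wifi_zones and rec.rssi_dbm >= strong_rssi_dbm:
            reasons.append("strong signal in Wi-Fi-free zone")
        if reasons:
            findings.append(Finding(bssid, rec.ssid, rec.zone, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SURVEY, AUTHORISED, NO_WIFI_ZONES):
        print(f"{f.bssid}  {f.ssid:<14} {f.zone:<20} {'; '.join(f.reasons)}")
```

The survey itself is whatever your wireless controller or a walk-around scanner exports; the point of the zone rule is that an allowlist alone does not catch an authorised-looking AP that has been physically moved into a control space.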

PTP also found that old infosec chestnut, default and easy-to-guess passwords – along with a smattering of stickers on PCs with passwords in plaintext.

Default passwords aboard ships. Pic: Pen Test Partners


“One of the biggest surprises (not that I should have been at all surprised in hindsight) is the number of installations we still find running default credentials – think admin/admin or blank/blank – even on public facing systems,” sighed Hearne, detailing all the systems he found that were using default creds – including an onboard CCTV system.

The pentesters also found “hard coded credentials” embedded in critical items including a ship’s satcom (satellite comms mast) unit, potentially allowing anyone aboard the ship to log in and piggyback off the owners’ paid-for internet connection – or to cut it off.

Source: Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners • The Register

The Paywalled Garden: iOS is Adware

Over the years, Apple has built up a portfolio of services and add-ons that you pay for. Starting with AppleCare extended warranties and iCloud data subscriptions, they expanded to Apple Music a few years ago, only to dramatically ramp up their offerings last year with TV+, News+, Arcade, and Card. Their services business, taken as a whole, is quickly becoming massive; Apple reported $12.7 billion in Q1 2020 alone, nearly a sixth of its already gigantic quarterly revenue.

All that money comes from the wallets of 480 million subscribers, and their goal is to grow that number to 600 million this year. But to do that, Apple has resorted to insidious tactics to get those people: ads. Lots and lots of ads, on devices that you pay for. iOS 13 has an abundance of ads from Apple marketing Apple services, from the moment you set it up and all throughout the experience. These ads cannot be hidden through the iOS content blocker extension system. Some can be dismissed or hidden, but most cannot, and are purposefully designed into core apps like Music and the App Store. There’s a term to describe software that has lots of unremovable ads: adware, which is what iOS has sadly become.

If you don’t subscribe to these services, you’ll be forced to look at these ads constantly, either in the apps you use or the push notifications they have turned on by default. The pervasiveness of ads in iOS is a topic largely unexplored, perhaps due to these services having a lot of adoption among the early adopter crowd that tends to discuss Apple and their design. This isn’t a value call on the services themselves, but a look at how aggressively Apple pushes you to pay for them, and how that growth-hack-style design comes at the expense of the user experience. In this post, I’ll break down all of the places in iOS that I’ve found that have Apple-manufactured ads. You can replicate these results yourself by doing a factory reset of an iPhone (backup first!), installing iOS 13, and signing up for a new iCloud account.

Source: The Paywalled Garden: iOS is Adware – Steve Streza

This Bracelet Prevents Smart Speakers From Spying on You

You probably don’t realize just how many devices in your home or workplace are not only capable of eavesdropping on all your conversations but are specifically designed to. Smartphones, tablets, computers, smartwatches, smart speakers, even voice-activated appliances that have access to smart assistants like Amazon’s Alexa or Google Assistant feature built-in microphones that are constantly monitoring conversations for specific activation words to bring them to life. But accurate voice recognition often requires processing recordings in the cloud on faraway servers, and despite what giant companies keep assuring us, there are obvious and warranted concerns about privacy.

You could simply find yourself a lovely cave deep in the woods and hide out the rest of your days away from technology if you don’t want to be the victim of endless eavesdropping, but this wearable jammer, created by researchers from the University of Chicago, is a (slightly) less drastic alternative. It’s chunky, there’s no denying it, but surrounding an inner core of electronics and batteries are a series of ultrasonic transducers blasting sound waves in all directions. While inaudible to human ears, the ultrasonic signals take advantage of a flaw found in sensitive microphone hardware that results in these signals being captured and interfering with the recordings of lower parts of the audio spectrum where the frequencies of human voices fall.

The results are recordings that are nearly incomprehensible to both human ears and the artificial intelligence-powered voice recognition software that smart assistants and other voice-activated devices rely on.

But why pack the technology into a wearable bracelet instead of creating a stationary device you could set up in the middle of a room for complete privacy? An array of transducers pointing in all directions are needed to properly blanket a room in ultrasonic sound waves, but thanks to science, wherever the signals from two neighboring transducers overlap, they cancel each other out, creating dead zones where microphones could continue to effectively operate.

By incorporating the jamming hardware into a wearable device, the natural and subconscious movements of the wearer’s arms and hands while they speak keep the transducers in motion. This effectively eliminates the risk of dead zones being created long enough to allow entire words or sentences to be detected by a smart device’s microphone. For those who are truly worried about their privacy, the research team has shared their source code for the signal generator as well as 3D models for the bracelet on GitHub for anyone to download and build themselves. You’ll need to supply your own electronics, and if you’re going to all the trouble, you might as well build one for each wrist, all but ensuring there’s never a dead zone in your silencing shield.
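The dead-zone argument above is an interference question: two transducers driven with the same tone cancel only where the difference in path length to the listening microphone is an odd multiple of half a wavelength, so a stationary pair leaves fixed lines of silence, while rotating the pair moves those lines. The following is an added illustration of that geometry, not the University of Chicago team's signal generator. It assumes two equal-amplitude point sources in free field, ignores amplitude falloff with distance (far-field approximation), and measures everything in wavelengths, so the two sources sit half a wavelength apart; the grid, threshold and orientations are chosen for the example.

```python
"""Two-transducer interference model: where dead zones form and why motion
removes them.

Added illustration (not the research team's code). Assumptions: two
equal-amplitude point sources, same frequency and phase, free field,
no amplitude falloff with distance, distances in units of wavelengths.
"""
import cmath
import math
from typing import Iterable, List, Set, Tuple

Point = Tuple[float, float]

WAVELENGTH = 1.0      # all distances are in wavelengths
SEPARATION = 0.5      # transducer spacing, half a wavelength
QUARTER_TURN = math.pi / 2


def sources(angle_rad: float, separation: float = SEPARATION) -> List[Point]:
    """Positions of the two transducers, pair rotated by angle_rad about the origin."""
    half = separation / 2
    dx, dy = half * math.cos(angle_rad), half * math.sin(angle_rad)
    return [(-dx, -dy), (dx, dy)]


def amplitude(srcs: Iterable[Point], point: Point,
              wavelength: float = WAVELENGTH) -> float:
    """Magnitude of the summed field at `point`: 0 = full cancellation, 2 = reinforcement."""
    k = 2 * math.pi / wavelength
    total = 0j
    for sx, sy in srcs:
        r = math.hypot(point[0] - sx, point[1] - sy)
        total += cmath.exp(1j * k * r)   # unit amplitude, phase set by path length
    return abs(total)


def is_dead(srcs: Iterable[Point], point: Point, threshold: float = 0.2) -> bool:
    """A microphone here would get almost nothing from the jammer."""
    return amplitude(srcs, point) < threshold


def grid(extent: float = 3.0, step: float = 0.5, exclude_radius: float = 0.3) -> List[Point]:
    """Sample points around the wrist, skipping the immediate vicinity of the sources."""
    n = int(round(extent / step))
    pts = []
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            p = (i * step, j * step)
            if math.hypot(*p) > exclude_radius:
                pts.append(p)
    return pts


def dead_points(angle_rad: float, pts: Iterable[Point]) -> Set[Point]:
    """Dead zones for one fixed orientation of the pair (the stationary-device case)."""
    srcs = sources(angle_rad)
    return {p for p in pts if is_dead(srcs, p)}


def persistent_dead_points(angles: Iterable[float], pts: Iterable[Point]) -> Set[Point]:
    """Points that stay dead through every orientation the wearer's arm passes through."""
    pts = list(pts)
    result = set(pts)
    for a in angles:
        result &= dead_points(a, pts)
    return result


if __name__ == "__main__":
    pts = grid()
    print("dead points, pair fixed along x:", len(dead_points(0.0, pts)))
    print("dead points, pair fixed along y:", len(dead_points(QUARTER_TURN, pts)))
    print("points dead in both orientations:", len(persistent_dead_points([0.0, QUARTER_TURN], pts)))
```

Along the pair's own axis the path difference equals the spacing, half a wavelength, so every point on that line is silent for a fixed pair; a quarter turn makes the two paths equal there and the field doubles instead. That is the whole case for putting the transducers on a moving wrist rather than on a table.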

Source: This Punk Bracelet Prevents Smart Speakers From Hearing You

This is nice because Project Alias / Parasite is aimed at a very specific machine, whereas this will protect you wherever you go. It’s just a bit clunky.

Generating electricity ‘out of thin air’ using a protein and moisture in the air

Scientists at the University of Massachusetts Amherst have developed a device that uses a natural protein to create electricity from moisture in the air, a new technology they say could have significant implications for the future of renewable energy, climate change and in the future of medicine.

As reported today in Nature, the laboratories of electrical engineer Jun Yao and microbiologist Derek Lovley at UMass Amherst have created a device they call an “Air-gen,” or air-powered generator, with electrically conductive nanowires produced by the microbe Geobacter. The Air-gen connects electrodes to the protein nanowires in such a way that electrical current is generated from the water vapor naturally present in the atmosphere.

“We are literally making electricity out of thin air,” says Yao. “The Air-gen generates 24/7.” Lovley, who has advanced sustainable biology-based electronic materials over three decades, adds, “It’s the most amazing and exciting application of protein nanowires yet.”

The new technology developed in Yao’s lab is non-polluting, renewable and low-cost. It can generate power even in areas with extremely low humidity such as the Sahara Desert. It has significant advantages over other forms of renewable energy including solar and wind, Lovley says, because unlike these other renewable energy sources, the Air-gen does not require sunlight or wind, and “it even works indoors.”

The Air-gen device requires only a thin film of protein nanowires less than 10 microns thick, the researchers explain. The bottom of the film rests on an electrode, while a smaller electrode that covers only part of the nanowire film sits on top. The film adsorbs water vapor from the atmosphere. A combination of the electrical conductivity and surface chemistry of the protein nanowires, coupled with the fine pores between the nanowires within the film, establishes the conditions that generate an electrical current between the two electrodes.

The researchers say that the current generation of Air-gen devices are able to power small electronics, and they expect to bring the invention to commercial scale soon. Next steps they plan include developing a small Air-gen “patch” that can power electronic wearables such as health and fitness monitors and smart watches, which would eliminate the requirement for traditional batteries. They also hope to develop Air-gens to apply to cell phones to eliminate periodic charging.

[…]

Source: New green technology generates electricity ‘out of thin air’

Internet Society told to halt .org sale to dodgy companies… by its own advisory council

The Internet Society’s own members are now opposing its sale of the .org internet registry to an unknown private equity firm.

The Chapters Advisory Council, the official voice of Internet Society (ISOC) members, will vote this month on whether to approve a formal recommendation that the society “not proceed [with the sale] unless a number of conditions are met.”

Those conditions largely comprise the publication of additional details and transparency regarding ISOC’s controversial sell-off of .org. Despite months of requests, neither the society nor the proposed purchaser, Ethos Capital, have disclosed critical elements of the deal, including who would actually own the registry if the sale went through.

Meanwhile, word has reached us that Ethos Capital attempted to broker a secret peace treaty this coming weekend in Washington DC by inviting key individuals to a closed-door meeting with the goal of thrashing out an agreement all sides would be happy with. After Ethos insisted the meeting be kept brief, and a number of those opposed to the sale declined to attend, Ethos’s funding for attendees’ flights and accommodation was suddenly withdrawn, and the plan to hold a confab fell apart, we understand.

ISOC – and .org’s current operator, the ISOC-controlled Public Interest Registry (PIR) – are still hoping to push DNS overseer ICANN to make a decision on the .org sale before the end of the month. But that looks increasingly unlikely following an aggressive letter from ICANN’s external lawyers last week insisting ICANN will take as much time as it feels necessary to review the deal.

The overall lack of transparency around the $1.13bn deal has led California’s Attorney General to demand documents relating to the sale – and ISOC’s chapters are demanding the same information as a pre-condition to any sale in their proposed advice to the ISOC board.

That information includes: full details of the transaction; a financial breakdown of what Ethos Capital intends to do with .org’s 10 million internet addresses; binding commitments on limiting price increases and free speech protections; and publication of the bylaws and related corporate documents for both the replacement to the current registry operator, PIR, and the proposed “Stewardship Council” which Ethos claims will give .org users a say in future decisions.

Disregarded

“There is a feeling amongst chapters that ISOC seems to have disregarded community participation, failed to properly account for the potential community impact, and misread the community mindset around the .ORG TLD,” the Chapters Advisory Council’s proposed advice to the ISOC board – a copy of which The Register has seen – states.

Although the advisory council has no legal ability to stop ISOC, if the proposed advice is approved by vote, and the CEO and board of trustees push ahead with the sale regardless, it could have severe repercussions for the organization’s non-profit status, and would further undermine ISOC’s position that the sale will “support the Internet Society’s vision that the Internet is for everyone.”

[…]

That lack of transparency was never more clear than when the ISOC board claimed to have met for two weeks in November to discuss the Ethos Capital offer to buy .org, but made no mention of the proposal and only made ISOC members and chapters aware of the decision after it had been made.

With a spotlight on ISOC’s secretive deliberations – and with board members now claiming they are subject to a non-disclosure agreement over the sale – the organization has added skeleton minutes that provide little or no insight into deliberations. It is not clear when those minutes were added – no update date is provided.

“The primary purpose of the Chapters Advisory Council shall be to channel and facilitate advice and recommendations to and from the President and Board of Trustees of the Internet Society in a bottom up manner, on any matters of concern or interest to the Chapter AC and ISOC Chapters,” reads the official description of the council on ISOC’s website.

With Ethos having failed to broker a secret deal, and ICANN indicating that it will consider the public interest in deciding whether to approve the sale, if ISOC’s advisory council does vote to advise the board not to move forward with the sale, the Internet Society will face a stark choice: stick by the secretive billionaires funding the purchase of .org with the added risk of blowing up the entire organization; or walk away from the deal.

Source: Revolution, comrades: Internet Society told to halt .org sale… by its own advisory council • The Register