Daily Archives: January 10, 2023

Microsoft’s new AI can simulate anyone’s voice with 3 seconds of audi

Posted on by

On Thursday, Microsoft researchers announced a new text-to-speech AI model called VALL-E that can closely simulate a person’s voice when given a three-second audio sample. Once it learns a specific voice, VALL-E can synthesize audio of that person saying anything—and do it in a way that attempts to preserve the speaker’s emotional tone.

Further Reading

Meta’s AI-powered audio codec promises 10x compression over MP3

Its creators speculate that VALL-E could be used for high-quality text-to-speech applications, speech editing where a recording of a person could be edited and changed from a text transcript (making them say something they originally didn’t), and audio content creation when combined with other generative AI models like GPT-3.

Microsoft calls VALL-E a “neural codec language model,” and it builds off of a technology called EnCodec, which Meta announced in October 2022. Unlike other text-to-speech methods that typically synthesize speech by manipulating waveforms, VALL-E generates discrete audio codec codes from text and acoustic prompts. It basically analyzes how a person sounds, breaks that information into discrete components (called “tokens”) thanks to EnCodec, and uses training data to match what it “knows” about how that voice would sound if it spoke other phrases outside of the three-second sample. Or, as Microsoft puts it in the VALL-E paper:

To synthesize personalized speech (e.g., zero-shot TTS), VALL-E generates the corresponding acoustic tokens conditioned on the acoustic tokens of the 3-second enrolled recording and the phoneme prompt, which constrain the speaker and content information respectively. Finally, the generated acoustic tokens are used to synthesize the final waveform with the corresponding neural codec decoder.

Microsoft trained VALL-E’s speech-synthesis capabilities on an audio library, assembled by Meta, called LibriLight. It contains 60,000 hours of English language speech from more than 7,000 speakers, mostly pulled from LibriVox public domain audiobooks. For VALL-E to generate a good result, the voice in the three-second sample must closely match a voice in the training data.

On the VALL-E example website, Microsoft provides dozens of audio examples of the AI model in action. Among the samples, the “Speaker Prompt” is the three-second audio provided to VALL-E that it must imitate.

Source: Microsoft’s new AI can simulate anyone’s voice with 3 seconds of audio | Ars Technica

It’s fun, but it’s not quite there yet though

Astronomers Find the Edge of Our Galaxy, 1.04m light years away

Posted on by

(Andromeda Galaxy)

In the quest to find the outer limits of our galaxy, astronomers have discovered over 200 stars that form the Milky Way’s edge, the most distant of which is over one million light-years away—nearly halfway to the Andromeda galaxy.

The 208 stars the researchers identified are known as RR Lyrae stars, which are stars with a brightness that can change as viewed from Earth. These stars are typically old and brighten and dim at regular intervals, which is a mechanism that allows scientists to calculate how far away they are. By calculating the distance to these RR Lyrae stars, the team found that the farthest of the bunch was located about halfway between the Milky Way and the Andromeda galaxy, one of our cosmic next-door neighbors.

“This study is redefining what constitutes the outer limits of our galaxy,” said Raja GuhaThakurta in a press release. GuhaThakurta is professor and chair of astronomy and astrophysics at the University of California Santa Cruz. “Our galaxy and Andromeda are both so big, there’s hardly any space between the two galaxies.”

Image for article titled Astronomers Find the Edge of Our Galaxy
Illustration: NASA, ESA, AND A. FEILD (STSCI)

The Milky Way galaxy consists of a few different parts, the primary of which is a thin, spiral disk about 100,000 light-years across. Our home solar system sits on one of the arms of this disk. An inner and outer halo surround the disk, and these halos contain some of the oldest stars in our galaxy.

Previous studies have placed the edge of the outer halo at 1 million light-years from the Milky Way’s center, but based on the new work, the edge of this halo should be about 1.04 million light-years from the galactic center. Yuting Feng, a doctoral student at the university working with GuhaThakurta, led the study and is presenting the findings this week at the American Astronomical Society meeting in Seattle.

[…]

Source: Astronomers Find the Edge of Our Galaxy

Hydrogen masers (jets at 500 km/s) reveal new secrets of a massive star

Posted on by

While using the Atacama Large Millimeter/submillimeter Array (ALMA) to study the masers around oddball star MWC 349A scientists discovered something unexpected: a previously unseen jet of material launching from the star’s gas disk at impossibly high speeds. What’s more, they believe the jet is caused by strong magnetic forces surrounding the star.

The discovery could help researchers to understand the nature and evolution of massive stars and how hydrogen are formed in space. The new observations were presented today (January 9) in a press conference at the 241st meeting of the American Astronomical Society (AAS) in Seattle, Washington.

Located roughly 3,900 light-years away from Earth in the constellation Cygnus, MWC 349A’s unique features make it a hot spot for in optical, infrared, and radio wavelengths. The massive star—roughly 30 times the mass of the sun—is one of the brightest radio sources in the sky, and one of only a handful of objects known to have hydrogen masers. These masers amplify microwave radio emissions, making it easier to study processes that are typically too small to see. It is this unique feature that allowed scientists to map MWC 349A’s disk in detail for the first time.

“A maser is like a naturally occurring laser,” said Sirina Prasad, an undergraduate research assistant at the Center for Astrophysics | Harvard & Smithsonian (CfA), and the primary author of the paper. “It’s an area in that emits a really bright kind of light. We can see this light and trace it back to where it came from, bringing us one step closer to figuring out what’s really going on.”

The massive star MWC 349A is one of the brightest radio sources in the sky. But, at 3,900 light-years away from Earth, scientists needed help to see what’s really going on, and in this case, to discover a jet of material blasting out from the star’s gas disk at 500 km/s. Previously hidden amongst the winds flowing out from the star, the jet was discovered using the combined resolving power of ALMA’s Band 6 (right) and Band 7 (left), and hydrogen masers— naturally occurring lasers that amplify microwave radio emissions, shown here in this ALMA science image. The revelation may help scientists to better understand the nature and evolution of massive stars. Credit: ALMA (ESO/NAOJ/NRAO), S. Prasad/CfA

Leveraging the resolving power of ALMA’s Band 6, developed by the U.S. National Science Foundation’s National Radio Astronomy Observatory (NRAO), the team was able to use the masers to uncover the previously unseen structures in the star’s immediate environment. Qizhou Zhang, a senior astrophysicist at CfA, and the project’s principal investigator added, “We used masers generated by hydrogen to probe the physical and dynamic structures in the gas surrounding MWC 349A and revealed a flattened gas disk with a diameter of 50 au, approximately the size of the Solar System, confirming the near-horizontal disk structure of the star. We also found a fast-moving jet component hidden within the winds flowing away from the star.”

The observed jet is ejecting material away from the star at a blistering 500 km per second. That’s akin to traveling the distance between San Diego, California, and Phoenix, Arizona, in the literal blink of an eye. According to researchers, it is probable that a jet moving this fast is being launched by a magnetic force. In the case of MWC 349A, that force could be a magnetohydrodynamic wind—a type of wind whose movement is dictated by the interplay between the star’s magnetic field and gases present in its surrounding disk.

“Our previous understanding of MWC 349A was that the star was surrounded by a rotating disk and photo-evaporating wind. Strong evidence for an additional collimated jet had not yet been seen in this system. Although we don’t yet know for certain where it comes from or how it is made, it could be that a magnetohydrodynamic wind is producing the jet, in which case the magnetic field is responsible for launching rotating material from the system,” said Prasad. “This could help us to better understand the disk- dynamics of MWC 349A, and the interplay between circumstellar disks, winds, and jets in other star systems.”

More information: These results will be presented during a press conference at the 241st proceedings of the American Astronomical Society on Monday, January 9th at 2:15pm Pacific Standard Time (PST).

Source: Hydrogen masers reveal new secrets of a massive star

Citizen’s volunteer ‘safety’ app accidentally doxxes singer Billie Eilish

Posted on by

Citizen, the provocative crime-reporting app formerly known as Vigilante, is in the news again for all the wrong reasons. On Thursday evening, it doxxed singer Billie Eilish, publishing her address to thousands of people after an alleged burglary at her home.

Shortly after the break-in, the app notified users of a break-in in Los Angeles’ Highland Park neighborhood — including the home’s address. As reported by Vice, Citizen’s message was updated at 9:41 PM to state that the house belonged to Eilish. According to Citizen’s metrics, the alert was sent to 178,000 people and viewed by nearly 78,000. On Friday morning, Citizen updated the app’s description of the incident, replacing the precise address with a nearby cross-street.

Although celebrity home addresses are often publicly available (usually on seedy websites specializing in such invasive nonsense), a popular app pushing the home address of one of pop music’s biggest stars to thousands of users is… new. Unfortunately, it’s also just the latest potentially destructive move from Citizen.

 

When Citizen launched as Vigilante in 2016, Apple quickly pulled the title from the App Store based on concerns about its encouraging users to thrust themselves into dangerous situations. So it rebranded as Citizen with a new focus on safety, and Apple re-opened its gates. The app began advising users to avoid incidents in progress while providing tools to help those caught in a dangerous situation. Although that sounds reasonable, at least one episode reveals an overzealousness company prioritizing attention and profit over social responsibility.

Visual of three phones showing screenshots from the Citizen app
Citizen

In May 2021, CEO Andrew Frame ordered the launch of a live stream, encouraging the app’s users to hunt down a suspected wildfire arsonist (based on a tip from an LAPD sergeant and emails from residents questioned by police). He offered a $10,000 bounty for finding the suspect, which grew to $30,000 later in the evening. As the hunt continued, the CEO reportedly grew more frantic, with one of his internal Slack conversations encouraging the team to “get this guy before midnight” in an ecstatic, all-caps message.

[…]

Source: Citizen’s volunteer ‘safety’ app accidentally doxxes singer Billie Eilish | Engadget

Google will pay $9.5 million to settle Washington DC AG’s location-tracking lawsuit

Posted on by

Google has agreed to pay $9.5 million to settle a lawsuit brought by Washington DC Attorney General Karl Racine, who accused the company earlier this year of “deceiving users and invading their privacy.” Google has also agreed to change some of its practices, primarily concerning how it informs users about collecting, storing and using their location data.

“Google leads consumers to believe that consumers are in control of whether Google collects and retains information about their location and how that information is used,” the complaint, which Racine filed in January, read. “In reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location.”

Racine’s office also accused Google of employing “dark patterns,” which are design choices intended to deceive users into carrying out actions that don’t benefit them. Specifically, the AG’s office claimed that Google repeatedly prompted users to switch in location tracking in certain apps and informed them that certain features wouldn’t work properly if location tracking wasn’t on. Racine and his team found that location data wasn’t even needed for the app in question. They asserted that Google made it “impossible for users to opt out of having their location tracked.”

 

The $9.5 million payment is a paltry one for Google. Last quarter, it took parent company Alphabet under 20 minutes to make that much in revenue. The changes that the company will make to its practices as part of the settlement may have a bigger impact.

Folks who currently have certain location settings on will receive notifications telling them how they can disable each setting, delete the associated data and limit how long Google can keep that information. Users who set up a new Google account will be informed which location-related account settings are on by default and offered the chance to opt out.

Google will need to maintain a webpage that details its location data practices and policies. This will include ways for users to access their location settings and details about how each setting impacts Google’s collection, retention or use of location data.

Moreover, Google will be prevented from sharing a person’s precise location data with a third-party advertiser without the user’s explicit consent. The company will need to delete location data “that came from a device or from an IP address in web and app activity within 30 days” of obtaining the information

[…]

Source: Google will pay $9.5 million to settle Washington DC AG’s location-tracking lawsuit | Engadget

Spy Tech Palantir’s Covid-era UK health contract extended without public consultation or competition

Posted on by

NHS England has extended its contract with US spy-tech biz Palantir for the system built at the height of the pandemic to give it time to resolve the twice-delayed procurement of a data platform to support health service reorganization and tackle the massive care backlog.

The contract has already been subject to the threat of a judicial review, after which NHS England – a non-departmental government body – agreed to three concessions, including the promise of public consultation before extending the contract.

Campaigners and legal groups are set to mount legal challenges around separate, but related, NHS dealing with Palantir.

In a notice published yesterday, the NHS England said the contract would be extended until September 2023 in a deal worth £11.5 million ($13.8 million).

NHS England has been conducting a £360 million ($435 million) procurement of a separate, but linked, Federated Data Platform (FDP), a deal said to be a “must-win” for Palantir, a US data management company which cut its teeth working for the CIA and controversial US immigration agency ICE.

The contract notice for FDP, which kicks off the official competition, was originally expected in June 2022 but was delayed until September 2022, when NHS England told The Register it would be published. The notice has yet to appear

[…]

Source: Palantir’s Covid-era UK health contract extended • The Register

LG allows you to choose picture mode by comparing pictures

Posted on by

An image showing LG’s new personalized picture wizard software feature on its 2023 TVs.

Setting up a new TV? Ask any videophile or home theater nerd and they’ll probably tell you to set your picture mode to the movie/cinema option (or whatever’s closest on your particular TV) and leave it there. Traditionally, this has been the most color accurate option and leans toward a pleasant, warm white balance instead of the cooler temperature that usually accompanies “standard” modes. But there are inevitably those people who prefer the standard or vivid settings — much to the chagrin of enthusiasts.

With its new 2023 TV lineup, LG is throwing these conventional choices out the window — if you’re willing to try — and has come up with a new way of personalizing your picture preferences. Instead of giving you a few labeled options to switch between, a new “Personalized Picture Wizard” will present you with a series of images. On each screen, you choose one or two that look best to you.

A photo showing the process of LG’s personalized picture wizard TV software feature.
Of course AI deep learning is involved. It’s 2023.
Photo by Chris Welch / The Verge

After you do this six times, the TV will formulate a preset that’s based on your selections. It considers the brightness, color, and contrast levels that you indicated a preference for. LG says a ton of AI deep learning is involved throughout this process; it sampled millions of images in creating the Picture Wizard. If you’re ready to see how your picture mode looks while watching real content, you can hit “apply.”

Obviously LG will still be offering the tried and true picture settings along with deeper calibration options; your personalized picture mode will appear right alongside those in the settings menu on 2023 LG TVs. So you can easily switch between all of them and see the differences. For now, you can only create one personalized picture mode that applies to everyone using the same TV, but LG told me that it eventually wants to let each user profile make their own.

[…]

Source: LG wants to reinvent how you think of TV picture modes – The Verge

Apple Faces French $8.5M Fine For Illegal Data Harvesting

Posted on by

France’s data protection authority, CNIL, fined Apple €8 million (about $8.5 million) Wednesday for illegally harvesting iPhone owners’ data for targeted ads without proper consent.

[…]

The French fine, though, is the latest addition to a growing body of evidence that Apple may not be the privacy guardian angel it makes itself out to be.

[…]

Apple failed to “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals,” the CNIL said in a statement. The CNIL’s fine calls out the search ads in Apple’s App Store, specifically. A French court fined the company over $1 million in December over its commercial practices related to the App Store.

[…]

Eight million euros is peanuts for a company that makes billions a year on advertising alone and is so inconceivably wealthy that it had enough money to lose $1 trillion in market value last year—making Apple the second company in history to do so. The fine could have been higher but for the fact that Apple’s European headquarters are in Ireland, not France, giving the CNIL a smaller target to go after.

Still, its a signal that Apple may face a less friendly regulatory future in Europe. Commercial authorities are investigating Apple for anti-competitive business practices, and are even forcing the company to abandon its proprietary charging cable in favor of USB-C ports.

Source: Apple Faces Rare $8.5M Fine For Illegal Data Harvesting

Asus brings glasses-free 3D to OLED laptops | Ars Technica

Posted on by

Asus announced an upcoming feature that allows users to view and work with content in 3D without wearing 3D glasses. Similar technology has been used in a small number of laptops and displays before, but Asus is incorporating the feature for the first time in OLED laptop screens. Combined with high refresh rates, unique input methods like an integrated dial, and the latest CPUs and laptop GPUs, the company is touting the laptops with the Asus Spatial Vision feature as powerful niche options for creative professionals looking for new ways to work.

Asus’ Spatial Vision 3D tech is debuting on two laptops in Q2 this year: the ProArt Studiobook 16 3D OLED (H7604) and Vivobook Pro 16 3D OLED (K6604).

Asus' ProArt Studiobook 16 3D OLED (H7604) is one of the two PCs announced with Asus Spatial Vision.
Asus’ ProArt Studiobook 16 3D OLED (H7604) is one of the two PCs announced with Asus Spatial Vision.
Asus

The laptops each feature a 16-inch, 3200×2000 OLED panel with a 120 Hz refresh rate. The OLED panel is topped with a layer of optical resin, a glass panel, and a lenticular lens layer. The lenticular lens works with a pair of eye-tracking cameras to render real-time images for each eye that adjust with your physical movements.

In a press briefing, an Asus spokesperson said that because the OLED screens claim a low gray-to-gray response time of 0.2 ms, as well as the extremely high contrast that comes with OLED, there’s no crosstalk between the left and right eye’s image, ensuring more realistic-looking content. However, Asus’ product pages for the laptops acknowledge that  experiences may vary, and some may still suffer from “dizziness or crosstalk due to other reasons, and this varies according to the individual.” Asus said it’s aiming to offer demos to users, which would be worth trying out before committing to this unique feature.

The ProArt Studiobook 16 3D OLED weighs 5.29 lbs and is 0.94-inches thick.
The ProArt Studiobook 16 3D OLED weighs 5.29 lbs and is 0.94-inches thick.
Asus

On top of the lenticular lens is a 2D/3D liquid-crystal switching layer, which is topped with a glass front panel with an anti-reflective coating. According to Asus, it’ll be easy to switch from 2D mode to 3D and back again. When the laptops aren’t in 3D mode, their display will appear as a highly specced OLED screen, Asus claimed.

The laptops can apply a 3D effect to any game, movie, or content that supports 3D. However, content not designed for 3D display may appear more “stuttery,” per a demo The Verge saw. The laptops are primarily for people working with and creating 3D models and content, such as designers and architects.

The Vivobook Pro 16X 3D OLED weighs 4.41 lbs and is 0.9-inches thick.
Enlarge / The Vivobook Pro 16X 3D OLED weighs 4.41 lbs and is 0.9-inches thick.
Asus

The two laptops will ship with Spatial Vision Hub software. It includes a Model Viewer, Player for movies and videos, Photo Viewer for transforming side-by-side photos shot with a 180-degree camera into one stereoscopic 3D image, and Connector, a plug-in that Asus’ product page says is compatible with “various apps and tools, so you can easily view any project in 3D.”

Asus’ Spatial Vision laptops have glasses-free 3D that’s similar to some Acer products already released. In May, Acer announced the SpatialLabs View and SpatialLabs View Pro portable monitors that can convert 2D content into stereoscopic 3D by rendering images for the left and right eye and projecting them through an optical lens. The monitors require an Intel Core i7 CPU and RTX 3070 Ti for laptops or RTX 2080 for desktops, however. Asus’ laptops give you everything you need to try the emerging technology.

Acer has also released its laptops with glasses-free 3D: the ConceptD SpatialLabs Edition workstation-esque clamshell and the Acer Predator Helios 300 Spatial Edition gaming laptop.

[…]

Source: Asus brings glasses-free 3D to OLED laptops | Ars Technica

US Moves To Bar Noncompete Agreements in Labor Contracts

Posted on by

In a far-reaching move that could raise wages and increase competition among businesses, the Federal Trade Commission on Thursday unveiled a rule that would block companies from limiting their employees’ ability to work for a rival. From a report: The proposed rule would ban provisions of labor contracts known as noncompete agreements, which prevent workers from leaving for a competitor or starting a competing business for months or years after their employment, often within a certain geographic area. The agreements have applied to workers as varied as sandwich makers, hair stylists, doctors and software engineers.

Studies show that noncompetes, which appear to directly affect roughly 20 percent to 45 percent of private-sector U.S. workers, hold down pay because job switching is one of the more reliable ways of securing a raise. Many economists believe they help explain why pay for middle-income workers has stagnated in recent decades. Other studies show that noncompetes protect established companies from start-ups, reducing competition within industries. The arrangements may also harm productivity by making it hard for companies to hire workers who best fit their needs.

The F.T.C. proposal is the latest in a series of aggressive and sometimes unorthodox moves to rein in the power of large companies under the agency’s chair, Lina Khan. “Noncompetes block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand,” Ms. Khan said in a statement announcing the proposal. “By ending this practice, the F.T.C.’s proposed rule would promote greater dynamism, innovation and healthy competition.”

Source: US Moves To Bar Noncompete Agreements in Labor Contracts – Slashdot

200 Million Twitter Users’ Data for Sale on the Dark Web for $2

Posted on by

[…]

The short version of the latest drama is this: data stolen from Twitter more than a year ago found its way onto a major dark web marketplace this week. The asking price? The crypto equivalent of $2. In other words, it’s basically being given away for free. The hacker who posted the data haul, a user who goes by the moniker “StayMad,” shared the data on the market “Breached,” where anyone can now purchase and peruse it. The cache is estimated to cover at least 235 million people’s information.

[…]

According to multiple reports, the breach material includes the email addresses and/or phone numbers of some 235 million people, the credentials that users used to set up their accounts. This information has been paired with details publicly scraped from users’ profiles, thus allowing the cybercriminals to create more complete data dossiers on potential victims. Bleeping Computer reports that the information for each user includes not only email addresses and phone numbers but also names, screen names/user handles, follower count, and account creation date.

[…]

The data that appeared on “Breached” this week was actually stolen during 2021. Per the Washington Post, cybercriminals exploited an API vulnerability in Twitter’s platform to call up user information connected to hundreds of millions of user accounts. This bug created a bizarre “lookup” function, allowing any person to plug in a phone number or email to Twitter’s systems, which would then verify whether the credential was connected to an active account. The bug would also reveal which specific account was tied to the credential in question.

The vulnerability was originally discovered by Twitter’s bug bounty program in January of 2022 and was first publicly acknowledged last August.

[…]

 

Source: 200 Million Twitter Users’ Data for Sale on the Dark Web for $2

Californian law forces salary disclosure for companies > 15 people – fair and inclusive

Posted on by

The law affects every company with more than 15 employees looking to fill a job that could be performed from the state of California. It covers hourly and temporary work, all the way up to openings for highly paid technology executives.

That means it’s now possible to know the salaries top tech companies pay their workers. For example:

  • A program manager in Apple
  • ’s augmented reality group will receive base pay between $121,000 and $230,000 per year, according to an Apple posting Wednesday.
  • A midcareer software engineer at Google
  • Health can expect to make between $126,000 and $190,000 per year.
  • A director of software engineering at Meta

Notably, these salary listings do not include any bonuses or equity grants, which many tech companies use to attract and retain employees.

[…]

In the U.S., there are now 13 cities and states that require employers to share salary information, covering about 1 in 4 workers, according to Payscale, a software firm focusing on salary comparison.

California’s pay transparency law is intended to reduce gender and race pay gaps and help minorities and women better compete in the labor market. For example, people can compare their current pay with job listings with the same job title and see if they’re being underpaid.

Women earn about 83 cents for every dollar a man earns, according to the U.S. Census.

[…]

There are two primary components to California Senate Bill No. 1162, which was passed in September and went into effect Jan. 1.

First is the pay transparency component on job listings, which applies to any company with more than 15 employees if the job could be done in California.

The second part requires companies with more than 100 employees to submit a pay data report to the state of California with detailed salary information broken down by race, sex and job category. Companies have to provide a similar report on the federal level, but California now requires more details.

Employers are required to maintain detailed records of each job title and its wage history, and California’s labor commissioner can inspect those records. California can enforce the law through fines and can investigate violations. The reports won’t be published publicly under the new law.

[…]

The new law doesn’t require employers to post total compensation, meaning that companies can leave out information about stock grants and bonuses, offering an incomplete picture for some highly paid jobs.

For high-paying jobs in the technology industry, equity compensation in the form of restricted stock units can make up a large percentage of an employee’s take-home pay. In industries such as finance, bonuses make up a big portion of annual pay.

[…]

The new law also allows companies to provide wide ranges for pay, sometimes ranging over $100,000 or more between the lowest salary and the highest salary for a position. That seemingly violates the spirit of the law, but companies say the ranges are realistic because base pay can vary widely depending on skills, qualifications, experience and location.

[…]

Some California companies are not listing salaries for jobs clearly intended to be performed in other states, but advocates hope California’s new law could spark more salary disclosures around the country. After all, a job listing with an explicit starting salary or range is likely to attract more candidates than one with unclear pay.

[…]

Source: Here’s how much top tech jobs in California pay, according to job ads

Connected car security is very poor – fortunately they do actually take it seriously, fix bugs quickly

Posted on by

Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers —  by exploiting vulnerabilities in the vehicles’ telematic systems, automotive APIs and supporting infrastructure, according to security researchers.

Specifically, the vulnerabilities affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar and Land Rover, plus fleet management company Spireon and digital license plate company Reviver.

The research builds on Yuga Labs’ Sam Curry’s earlier car hacking expeditions that uncovered flaws affecting Hyundai and Genesis vehicles, as well as Hondas, Nissans, Infinitis and Acuras via an authorization flaw in Sirius XM’s Connected Vehicle Services.

All of the bugs have since been fixed.

“The affected companies all fixed the issues within one or two days of reporting,” Curry told The Register. ” We worked with all of them to validate them and make sure there weren’t any bypasses.”

[…]

Curry and the team discovered multiple vulnerabilities in SQL injection and authorization bypass to perform remote code execution across all of Spireon and fully take over any fleet vehicle.

“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” the researchers wrote.

The bugs also gave them full administrator access to Spireon and a company-wide administration panel from which an attacker could send arbitrary commands to all 15 million vehicles, thus remotely unlocking doors, honking horns, starting engines […]

[…]

With Ferrari, the researchers found overly permissive access controls that allowed them to access JavaScript code for several internal applications. The code contained API keys and credentials that could have allowed attackers to access customer records and take over (or delete) customer accounts.

[…]

a misconfigured single-sign on (SSO) portal for all employees and contractors of BMW, which owns Rolls-Royce, would have allowed access to any application behind the portal.

[…]

misconfigured SSO for Mercedes-Benz allowed the researchers to create a user account on a website intended for vehicle repair shops to request specific tools. They then used this account to sign in to the Mercedes-Benz Github, which held internal documentation and source code for various Mercedes-Benz projects including its Me Connect app used by customers to remotely connect to their vehicles.

The researchers reported this vulnerability to the automaker, and they noted that Mercedes-Benz “seemed to misunderstand the impact” and wanted further details about why this was a problem.

So the team used their newly created account credentials to login to several applications containing sensitive data. Then they “achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees.”

One of these was the carmaker’s version of Slack. “We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure,” the researchers explained.

A Mercedes-Benz spokesperson confirmed that Curry contacted the company about the vulnerability and that it had been fixed.

[…]

vulnerabilities affecting Porsche’s telematics service that allowed them to remotely retrieve vehicle location and send vehicle commands.

Plus, they found an access-control vulnerability on the Toyota Financial app that disclosed the name, phone number, email address, and loan status of any customers. Toyota Motor Credit told The Register that it fixed the issue

[…]

Source: Here’s how to remotely takeover a Ferrari…account, that is • The Register