IoT standard Matter 1.2 released

[…] Matter, version 1.2, is now available for device makers and platforms to build into their products. It is packed with nine new device types, revisions, and additions to existing categories, core improvements to the specification and SDK, and certification and testing tools. The Matter 1.2 certification program is now open and members expect to bring these enhancements and new device types to market later this year and into 2024 and beyond.

[…]

The new device types supported in Matter 1.2 include:

  1. Refrigerators – Beyond basic temperature control and monitoring, this device type is also applicable to other related devices like deep freezers and even wine and kimchi fridges.
  2. Room Air Conditioners – While HVAC and thermostats were already part of Matter 1.0, standalone Room Air Conditioners with temperature and fan mode control are now supported.
  3. Dishwashers – Basic functionality is included, like remote start and progress notifications. Dishwasher alarms are also supported, covering operational errors such as water supply and drain, temperature, and door lock errors.
  4. Laundry Washers – Progress notifications, such as cycle completion, can be sent via Matter. Dryers will be supported in a future Matter release.
  5. Robotic Vacuums – Beyond the basic features like remote start and progress notifications, there is support for key features like cleaning modes (dry vacuum vs wet mopping) and additional status details (brush status, error reporting, charging status).
  6. Smoke & Carbon Monoxide Alarms – These alarms will support notifications and audio and visual alarm signaling. Additionally, there is support for alerts about battery status and end-of-life notifications. These alarms also support self-testing. Carbon monoxide alarms support concentration sensing, as an additional data point.
  7. Air Quality Sensors – Supported sensors can capture and report on: PM1, PM 2.5, PM 10, CO2, NO2, VOC, CO, Ozone, Radon, and Formaldehyde. Furthermore, the addition of the Air Quality Cluster enables Matter devices to provide AQI information based on the device’s location.
  8. Air Purifiers – Purifiers utilize the Air Quality Sensor device type to provide sensing information and also include functionality from other device types like Fans (required) and Thermostats (optional). Air purifiers also include consumable resource monitoring, enabling notifications on filter status (both HEPA and activated carbon filters are supported in 1.2).
  9. Fans – Matter 1.2 includes support for fans as a separate, certifiable device type. Fans now support movements like rock/oscillation and new modes like natural wind and sleep wind. Additional enhancements include the ability to change the airflow direction (forward and reverse) and step commands to change the speed of airflow. […]

Core improvements to the Matter 1.2 specification include:

  • Latch & Bolt Door Locks – Enhancements for European markets that capture the common configuration of a combined latch and bolt lock unit.
  • Device Appearance – Added description of device appearance, so that devices can describe their color and finish. This will enable helpful representations of devices across clients.
  • Device & Endpoint Composition – Devices can now be hierarchically composed from complex endpoints allowing for accurate modeling of appliances, multi-unit switches, and multi-light fixtures.
  • Semantic Tags – Provide an interoperable way to describe the location and semantic functions of generic Matter clusters and endpoints to enable consistent rendering and application across the different clients. For example, semantic tags can be used to represent the location and function of each button on a multi-button remote control.
  • Generic Descriptions of Device Operational States – Expressing the different operational modes of a device in a generic way will make it easier to generate new device types in future revisions of Matter and ensure their basic support across various clients.

Under-the-Hood Enhancements: Matter SDK & Test Harness

Matter 1.2 brings important enhancements in the testing and certification program which helps companies bring products – hardware, software, chipsets and apps – to market faster. These improvements will benefit the wider developer community and ecosystem around Matter.

  • New Platform Support in SDK – Matter 1.2 SDK is now available for new platforms providing more ways for developers to build new products for Matter.
  • Enhancements to the Matter Test Harness – The Test Harness is a critical piece for ensuring the specification and its features are being implemented correctly. The Test Harness is now available via open source, making it easier for Matter developers to contribute to the tools (to make them better), and to ensure they are working with the latest version (with all features and bug fixes).

[…]

Developers interested in learning more about these enhancements can access the following resources:

[…]

Source: Matter 1.2 Arrives with Nine New Device Types & – CSA-IOT

iLeakage hack can force iOS and macOS browsers to divulge passwords and much more

Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.

iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers—primarily Intel and, to a lesser extent, AMD—scrambling to devise mitigations.

Exploiting WebKit on Apple silicon

The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker’s choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

Top: An email displayed in Gmail’s web view. Bottom: Recovered sender address, subject, and content.
Kim, et al.

“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”

[…]

For the attack to work, a vulnerable computer must first visit the iLeakage website. For attacks involving YouTube, Gmail, or any other specific Web property, a user should be logged into their account at the same time the attack site is open. And as noted earlier, the attacker website needs to spend about five minutes probing the visiting device. Then, using the window.open JavaScript method, iLeakage can cause the browser to open any other site and begin siphoning certain data at anywhere from 24 to 34 bits per second.

[…]

iLeakage is a practical attack that requires only minimal physical resources to carry out. The biggest challenge—and it’s considerable—is the high caliber of technical expertise required. An attacker needs to not only have years of experience exploiting speculative execution vulnerabilities in general but also have fully reverse-engineered A- and M-series chips to gain insights into the side channel they contain. There’s no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild.

That means the chances of this vulnerability being used in real-world attacks anytime soon are slim, if not next to zero. It’s likely that Apple’s scheduled fix will be in place long before an iLeakage-style attack site does become viable.

Source: Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica

Hackers Target European Government With Roundcube Webmail Bug

Winter Vivern, believed to be a Belarus-aligned hacker, attacked European government entities and a think tank starting on Oct. 11, according to an Ars Technica report Wednesday. ESET Research discovered the hack that exploited a zero-day vulnerability in Roundcube, a webmail server with millions of users, and allowed the pro-Russian group to exfiltrate sensitive emails.

Roundcube patched the XSS vulnerability on Oct. 14, two days after ESET Research reported it. Winter Vivern sent malicious code to users disguised in an innocent-looking email from team.management@outlook.com. Users simply viewed the message in a web browser, and the hacker could access all their emails. Winter Vivern is a cyberespionage group that has been active since at least 2020 targeting governments in Europe and Central Asia.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns,” said Matthieu Faou, a malware researcher at ESET, in a post.

Roundcube released an update for multiple versions of its software on Oct. 16 fixing the cross-site scripting vulnerabilities. Despite the patch and known vulnerabilities in older versions, many applications don’t get updated by users, says Faou.

[…]

Source: Hackers Target European Government With Roundcube Webmail Bug

Privacy advocate challenges YouTube’s ad blocking detection (which isn’t spyware)

Last week, privacy advocate (and very occasional Reg columnist) Alexander Hanff filed a complaint with the Irish Data Protection Commission (DPC) decrying YouTube’s deployment of JavaScript code to detect the use of ad blocking extensions by website visitors.

On October 16, according to the Internet Archive’s Wayback Machine, Google published a support page declaring that “When you block YouTube ads, you violate YouTube’s Terms of Service.”

“If you use ad blockers,” it continues, “we’ll ask you to allow ads on YouTube or sign up for YouTube Premium. If you continue to use ad blockers, we may block your video playback.”

YouTube’s Terms of Service do not explicitly disallow ad blocking extensions, which remain legal in the US, in Germany, and elsewhere. But the language says users may not “circumvent, disable, fraudulently engage with, or otherwise interfere with any part of the Service” – which probably includes the ads.

Image of 'Ad blockers are not allowed' popup

YouTube’s open hostility to ad blockers coincides with the recent trial deployment of a popup notice presented to web users who visit the site with an ad-blocking extension in their browser – messaging tested on a limited audience at least as far back as May.

In order to present that popup YouTube needs to run a script, changed at least twice a day, to detect blocking efforts. And that script, Hanff believes, violates the EU’s ePrivacy Directive – because YouTube did not first ask for explicit consent to conduct such browser interrogation.

[…]

Asked how he hopes the Irish DPC will respond, Hanff replied via email, “I would expect the DPC to investigate and issue an enforcement notice to YouTube requiring them to cease and desist these activities without first obtaining consent (as per [Europe’s General Data Protection Regulation (GDPR)] standard) for the deployment of their spyware detection scripts; and further to order YouTube to unban any accounts which have been banned as a result of these detections and to delete any personal data processed unlawfully (see Article 5(1) of GDPR) since they first started to deploy their spyware detection scripts.”

Hanff’s use of strikethrough formatting acknowledges the legal difficulty of using the term “spyware” to refer to YouTube’s ad block detection code. The security industry’s standard defamation defense terminology for such stuff is PUPs, or potentially unwanted programs.

[…]

Hanff’s contention that ad-blocker detection without consent is unlawful in the EU was challenged back in 2016 by the maker of a detection tool called BlockAdblock. The software maker’s argument is that JavaScript code is not stored in the way considered in Article 5(3), which the firm suggests was intended for cookies.

Hanff disagrees, and maintains that “The Commission and the legislators have been very clear that any access to a user’s terminal equipment which is not strictly necessary for the provision of a requested service, requires consent.

“This is also bound by CJEU Case C-673/17 (Planet49) from October 2019 which *all* Member States are legally obligated to comply with, under the [Treaty on the Functioning of the European Union] – there is no room for deviation on this issue,” he elaborated.

“If a script or other digital technology is strictly necessary (technically required to deliver the requested service) then it is exempt from the consent requirements and as such would pose no issue to publishers engaging in legitimate activities which respect fundamental rights under the Charter.

“It is long past time that companies meet their legal obligations for their online services,” insisted Hanff. “This has been law since 2002 and was further clarified in 2009, 2012, and again in 2019 – enough is enough.”

Google did not respond to a request for comment.

Source: Privacy advocate challenges YouTube’s ad blocking detection • The Register

Airbus commissions three wind-powered ships

The plane-maker on Thursday revealed it has “commissioned shipowner Louis Dreyfus Armateurs to build, own and operate these new, highly efficient vessels that will enter into service from 2026.”

The ships will have conventional engines that run on maritime diesel oil and e-methanol, the latter fuel made with a process that produces less CO2 than other efforts. Many ships run on heavy fuel oil, the gloopiest, dirtiest, and cheapest of the fuel oils. Airbus has therefore gone out of its way with the choice of diesel and e-methanol.

The ships will also feature half a dozen Flettner rotors, rotating cylinders that produce the Magnus effect – a phenomenon that produces lift thanks to pressure differences on either side of a rotating object. The rotors were invented over a century ago and are generating renewed interest as they reduce ships’ fuel requirements.

Here’s what they’ll look like on Airbus’s boats.

Airbus's future ocean transports

Airbus expects its three vessels to enter service from 2026 and has calculated they will reduce its average annual transatlantic CO2 emissions from 68,000 to 33,000 tonnes by 2030. […]

The craft will have capacity to move around seventy 40-foot containers and six single-aisle aircraft sub assembly sets – wings, fuselage, engine pylons, horizontal and vertical tail planes. Airbus’s current ships can only move three or four of those sets.

The ships will most often travel from Saint-Nazaire, France, to an A320 assembly line in Mobile, Alabama. […]

Source: Airbus commissions three wind-powered ships • The Register

Apple’s MAC Address Privacy Feature Has Never Worked

Ever since Apple re-branded as the “Privacy” company several years back, it’s been rolling out features designed to show its commitment to protecting users. Yet while customers might feel safer using an iPhone, there’s already plenty of evidence that Apple’s branding efforts don’t always match the reality of its products. In fact, a lot of its privacy features don’t actually seem to work.

Case in point: new research shows that one of Apple’s proffered privacy tools—a feature that was supposed to anonymize mobile users’ connections to Wifi—is effectively “useless.” In 2020, Apple debuted a feature that, when switched on, was supposed to hide an iPhone user’s media access control—or MAC—address. When a device connects to a WiFi network, it must first send out its MAC address so the network can identify it; when the same MAC address pops up in network after network, it can be used by network observers to identify and track a specific mobile user’s movements.

Apple’s feature was supposed to provide randomized MAC addresses for users as a way of stopping this kind of tracking from happening. But, apparently, a bug in the feature persisted for years that made the feature effectively useless.

According to a new report from Ars Technica, researchers recently tested the feature to see if it actually concealed their MAC addresses, only to find that it didn’t do that at all. Ars writes:

Despite promises that this never-changing address would be hidden and replaced with a private one that was unique to each SSID, Apple devices have continued to display the real one, which in turn got broadcast to every other connected device on the network.

One of the researchers behind the discovery of the vulnerability, Tommy Mysk, told Ars that, from the jump, “this feature was useless because of this bug,” and that, try as they might, he “couldn’t stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode.”

What Apple’s justification for advertising a feature that just plainly does not work is, I’m not sure. Gizmodo reached out to the company for comment and will update this story if they respond. A recent update, iOS 17.1, apparently patches the problem and ensures that the feature actually works.

Source: Apple’s MAC Address Privacy Feature Has Never Worked

Android 14 Storage Bug: Users with multiple profiles Locked Out of Devices

Android 14, the latest operating system from Google, is facing a major storage bug that is causing users to be locked out of their devices. This issue is particularly affecting users who utilize the “multiple profiles” feature. Reports suggest that the bug is comparable to being hit with “ransomware,” as users are unable to access their device storage.

Initially, it was believed that this bug was limited to the Pixel 6, but it has since been discovered that it impacts a wider range of devices upgrading to Android 14. This includes the Pixel 6, 6a, 7, 7a, Pixel Fold, and Pixel Tablet. The Google issue tracker for this bug has garnered over 350 replies, but there has been no response from Google so far. The bug has been assigned the medium priority level of “P2” and remains unassigned, indicating that no one is actively investigating it.

Users who have encountered this storage bug have shared log files containing concerning messages such as “Failed to open directory /data/media/0: Structure needs cleaning.” This issue leads to various problematic situations, with some users experiencing boot loops, others stuck on a “Pixel is starting…” message, and some unable to take screenshots or access their camera app due to the lack of storage. Users are also unable to view files on their devices from a PC over USB, and the System UI and Settings repeatedly crash. Essentially, without storage, the device becomes practically unusable.

Android’s user-profile system, designed to accommodate multiple users and separate work and personal profiles, appears to be the cause of this rarely encountered bug. Users have reported that the primary profile, which is typically the most important one, becomes locked out.

Source: Android 14 Storage Bug: Users Locked Out of Devices

Google turned ANC earbuds into heart rate sensor

Google today detailed its research into audioplethysmography (APG) that adds heart rate sensing capabilities to active noise canceling (ANC) headphones and earbuds “with a simple software upgrade.”

Google says the “ear canal [is] an ideal location for health sensing” given that the deep ear artery “forms an intricate network of smaller vessels that extensively permeate the auditory canal.”

This audioplethysmography approach works by “sending a low intensity ultrasound probing signal through an ANC headphone’s speakers.”

This signal triggers echoes, which are received via on-board feedback microphones. We observe that the tiny ear canal skin displacement and heartbeat vibrations modulate these ultrasound echoes.

A model that Google created works to process that feedback into a heart rate reading, as well as heart rate variability (HRV) measurement. This technique works even with music playing and “bad earbuds seals.” However, it was impacted by body motion, and Google countered with a multi-tone approach that serves as a calibration tool to “find the best frequency that measures heart rate, and use only the best frequency to get high-quality pulse waveform.”

Google performed two sets of studies with 153 people that found APG “achieves consistently accurate heart rate (3.21% median error across participants in all activity scenarios) and heart rate variability (2.70% median error in inter-beat interval) measurements.”

Compared to existing HR sensors, it’s not impacted by skin tones. Ear canal size and “sub-optimal seal conditions” also do not impact accuracy. Google believes this is a better approach than putting traditional photoplethysmogram (PPG) and electrocardiogram (ECG) sensors, as well as a microcontroller, in headphones/earbuds:

…this sensor mounting paradigm inevitably adds cost, weight, power consumption, acoustic design complexity, and form factor challenges to hearables, constituting a strong barrier to its wide adoption.

Google closes on:

APG transforms any TWS ANC headphones into smart sensing headphones with a simple software upgrade, and works robustly across various user activities. The sensing carrier signal is completely inaudible and not impacted by music playing. More importantly, APG represents new knowledge in biomedical and mobile research and unlocks new possibilities for low-cost health sensing.

“APG is the result of collaboration across Google Health, product, UX and legal teams,” so this coming to Pixel Buds is far from guaranteed at this point.

Source: Google turned ANC earbuds into heart rate sensor