The Voice Assistant Gambit →
Nicole Kobie, writing at New Scientist, tells the tale of newly researched voice assistant attack vectors that leverage signalling flaws (via an ultrasound attack) in both Apple Inc.'s (NasdaqGS: AAPL) and Amazon.com Inc.'s (NasdaqGS: AMZN) voice assistant offerings, Siri and Alexa, respectively. The 'Domino Effect' of the ultrasound flaws in these products/services traverses down the device food chain to Alexa and soon-to-be Siri enabled third party devices... Perhaps new protective sound generating devices are in order?
All Amazon and Apple Links in this Post are Non-affiliate
JHutchins' SharknAT&To →
Folks, gird yourselves for the truly horrifying... Read the superlative security reportage by jhutchins at NoMotion, in which the good Hutchins details the cruft-laden and fundamentally idiotic practice of hard-coding accounts in low-end routerland. Behold SharknAT&To, and more, much more... Today's Must Read. H/T
"When evidence of the problems described in this report was first noticed, it almost seemed hard to believe. However, for those familiar with the technical history of Arris and their careless lingering of hardcoded accounts on their products, this report will sadly come as no surprise. For everyone else, prepare to be horrified." - via NoMotion's jhutchins
NCCOE Heralds Release of NIST SP 1800-8 Securing Wireless Infusion Pumps
The National Institute of Standards and Technology (NIST) National Center for Cybersecurity Excellence (NCCOE) has released its latest draft medical device related security document, entitled 'NIST Special Publication 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations'. Authored by Gavin O'Brien, Sallie Edwards, Kevin Littlefield, Neil McNab, Sue Wang and Kangmin Zheng, the document is available as either a PDF or web-based artifact. Enjoy.
"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements designed to enhance patient care, these devices now connect wirelessly to a variety of systems, networks, and other tools within a healthcare delivery organization (HDO) – ultimately contributing to the Internet of Medical Things (IoMT)." - via the National Center for Cybersecurity Excellence (NCCOE)
DARPA Opens Up SDR Hackfest →
Outstanding news via DARPA's Outreach Coordinator, detailing the upcoming DARPA SDR Hackfest. The key acronym here is SDR, which stands for Software Defined Radio. DARPA has published a Special Notice (DARPA-SN-17-40) on FBO.gov with information about the workshop/hackfest along with registration information. Enjoy.
"Throughout May — as a buildup to a final event in November, the DARPA Bay Area Hackfest — Rondeau will continue his roadshow, which will include hyperlocal visits to small hacker and maker spaces as well as high-profile keynote addresses to the SDR community. On May 9, 10, 11, and 12, respectively, he will visit maker and hacker spaces in Niwot, Colorado; Vista, California; Austin, Texas; and Santa Clara, California." - via DARPA
ATM Equals 'All The Money' →
John Leyden, writing at El Reg, tells the tale of the latest ATM SNAFU. All based on CVE-2017-6968... Astonishing, indeed.
"To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection," said Georgy Zaytsev, a researcher with Positive Technologies. "During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution." - via John Leyden, at El Reg
IoT Security Fail, The Collaborative Fix →
Andrei Robachevsky, a Technology Program Manager at The Internet Society (ISOC), writes of a contemplated security engineering initiative targeting security flaws in the Internet of Things environ. Today's Must Read.
"Unfortunately, as is often the case with fast-paced developments, security of IoT components and the system as a whole is lagging. Price and functionality features take higher priority. We need to make security and privacy the most important features. Never before has the virtual world penetrated so deep into our physical lives, and if the gap isn't shortened there is a high risk of long-term damage to user confidence in the IoT." - Andrei Robachevsky, Technology Program Manager at The Internet Society (ISOC)
All Intel Corporation Platforms At Risk, Remote Exploit Baked In →
Charlie Demerjian, writing at SemiAccurate, tells the tale of probably the single most egregious flaw in Intel Corporation (Nasdaq: INTC) products discovered to date. Reportedly, all Intel Corporation products from 2008 to the present (Nehalem to Kabylake) possess the remotely and locally exploitable flaw. Hat Tip. Update: Now Fixed.
The IoT Chain →
Meanwhile, in troubling IoT news, in a paper (published by the IACR) entitled "IoT Goes Nuclear: Creating a ZigBee Chain Reaction" and authored by Eyal Ronen, Colin O'Flynn, Adi Shamir and Achi-Or Weingarten (a Weizmann MSc student), we find, perhaps, the ultimate ZigBee nightmare... Today's Must Read (and while you're at it, check out the video to round out your day). Thanks and Tip O' The Hat
Trustwave Locates New VOIP Device Backdoor →
Meanwhile, from the Infosecurity.US What-Could-Possibly-Go-Wrong Department, comes this El Reg news item detailing a report published by researchers at Trustwave of an undocumented backdoor account in DBLTek GoIP products. The kicker, you ask? DBLTek has so far failed to remediate the issue, and has left the 'door' swinging on its creaky hinges... Oops.
"Trustwave recently reported a remotely exploitable issue in the Telnet administrative interface of numerous DblTek branded devices. The issue permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in the authentication procedure." - via the published Trustwave Report
Stack, The Almighty Hath Printed →
Via Verification Labs, and further via Motherboard at Vice, comes another attempt by Stack, the almighty hacker god, to enlighten foolish humans on the (apparently) never-ending task of securing their unruly inter-web connected printers.