Wednesday, August 16, 2017

Target hack strips banks and credit unions of $200M

The widespread security breach reportedly compromised 40 million credit and debit cards, which are costing banks a pretty penny to reissue. February 18, 2014 7:47 PM PST Not only were as many as 110 million Target customers affe...

Belkin’s WeMo Connected Home Devices Vulnerable to Takeover: IOActive

Researchers at IOActive warn of multiple vulnerabilities in devices that could enable an attacker to control a connected home.

As the number of Internet-connected devices, including those within the home, escalates, there are growing concerns about security risks. Security firm IOActive revealed Feb. 18 that it discovered multiple vulnerabilities in Belkin's WeMo connected home devices. The WeMo devices—which include Internet-connected power and light switches that enable users to control their plugged-in devices over the Internet via iOS and Android apps—are vulnerable to multiple risks that could enable an attacker to control a user's device, add malicious firmware updates or even gain access to a user's home network, according to IOActive.

IOActive first contacted the U.S. Computer Emergency Response Team (CERT) on Oct. 23, and CERT contacted Belkin on Oct. 24, said Mike Davis, IOActive's principal research scientist. "We can confirm Belkin got the vulnerability information, as a member of the Belkin team contacted me via LinkedIn; we discussed the vulnerabilities, but they didn't follow up on it," Davis told eWEEK. Belkin was unable to provide a comment to eWEEK by press time about the IOActive security issues.

IOActive reported that the WeMo devices could potentially be infected with malicious updates. According to IOActive's research, the WeMo firmware updates are secured with public key encryption to protect against unauthorized modifications. The problem is that the signing key is available on the device itself. The WeMo updates occur via a connection to Belkin—which is done by insecure Domain Name System (DNS) requests that are easily hijacked, Davis said. "This wouldn't be a problem if it weren't for the lack of SSL [Secure Sockets Layer] signature checking on the firmware upgrade link," Davis said. "So at this point, if the firmware is correctly signed, the device has no way of knowing it has received a malicious update."

There are multiple ways that a device can check to see if an SSL certificate is in fact valid. What is needed, Davis said, is simple checking that the certificate wasn't self-signed, and that the certificate was signed by a valid certificate authority.

Belkin's WeMo is using a protocol to communicate with devices in a manner that is not particularly secure, Davis said. Session Traversal Utilities for Network Address Translation (STUN) and the associated Traversal Using Relays around Network Address Translation (TURN) are being misused. "They are misusing a subproject of the Asterisk open-source project, which provides a STUN/TURN proxy reference implementation," Davis said. "The current configuration Belkin is running, essentially using STUN/TURN to create a virtual VPN of the Belkin device, was never considered in the proxies' security model."

Risks

While there are risks in the WeMo security model, Davis said that he has zero evidence that someone is hacking away at the Belkin network. "This was just a fun project I tinkered with once Amazon offered me the light switch for sale," Davis said. "But if I were being perfectly honest here, I'm surprised that no one else reported this issue while we took a glacial pace in releasing this due to unresponsiveness from the vendor."

From a threat-mitigation perspective, there isn't much a WeMo user can do to limit the risk. One possibility is to put the WeMo devices on their own subnet, restricting the ability of the WeMo devices to interact with the rest of the home network. That said, if the concern is that an attacker may control the user's power switch remotely, that is still a problem, Davis said. "Right now, we're saying that there is no safe configuration with the device firmware as it is," Davis said. "And without a clear accounting of how these issues were addressed, we would continue recommending that they be disconnected from the network."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Belkin WeMo smart home networks in danger of hacks

Researchers warn that more than 500,000 home automation devices have vulnerabilities that would allow attackers to remotely take control of thermostats, lighting, sprinkler systems, and more. February 18, 2014 6:10 PM PST Belkin WeMo switches ca...

Asus router vulnerabilities go unfixed despite reports

You may not think of your Wi-Fi router as a wide-open barn door between your computer and the Internet, but for many Asus router owners, it is. February 18, 2014 4:50 PM PST Despite a few quirks, the Asus RT-N66U makes an excellent N900 router f...

E-Z-2-Use attack code exploits critical bug in majority of Android phones

Just-released code creates drive-by attack that exploits 14-month old bug.

Google Acquires Sound-Based Log-In Vendor SlickLogin

Google just bought a company that lets users log in to secure accounts with a system that uses sounds with a special app rather than through typed passwords.

Google is bringing SlickLogin into its fold to add the Israeli startup's sound-based log-in authentication services to Google's always-broadening reach in the IT marketplace. The acquisition was unveiled in a post on SlickLogin's Website by the three founders of the startup.

"Today we're announcing that the SlickLogin team is joining Google, a company that shares our core beliefs that logging in should be easy instead of frustrating, and authentication should be effective without getting in the way," wrote the co-founders, CEO Or Zelig, CTO Eran Galili and Vice President of Research & Development Ori Kabeli. "Google was the first company to offer 2-step verification to everyone, for free—and they're working on some great ideas that will make the Internet safer for everyone. We couldn't be more excited to join their efforts."

The system allows users to place their telephone next to their laptops or tablets when logging in to secure sites so that the company's app can "hear" the high-pitched sounds used for authentication and log the user in, according to the SlickLogin Website. "We started SlickLogin because security measures had become overly complicated and annoying," the site states. "Our friends thought we were insane, but we knew we could do better. So we set out to improve security while still making it simple for people to log in."

The financial terms of the deal were not announced, but the deal is expected to total several million dollars, according to a Feb. 17 story by Reuters about the acquisition. SlickLogin's use of high-frequency sounds to authenticate user identities "could serve as a replacement to traditional passwords or function as the second step in a two-factor authentication process," according to Reuters.

"Websites that support SlickLogin's technology will play a unique, almost silent tone that can be read by an app on the user's smartphone," Reuters reported. "To confirm your identity, the app analyzes the signal and then confirms your authenticity to the server the site is hosted on. The ultrasonic tone is different each time a user logs in, eliminating the ability to 'steal' someone else's auditory signature."

The acquisition by Google comes on the heels of a string of other purchases the company has made recently. In January, Google acquired Bitspin, the Swiss maker of the Timely alarm clock app for Android, which is available for free on Google Play. Bitspin allows users to customize many features that they want to use in the alarm clock app, according to the company. One of the most useful features of Timely is that it uses the cloud to back up and synchronize a user's alarms with multiple devices. The app also features what Bitspin calls "hand-crafted, high quality sounds" and a Smart Rise feature to make waking up by the alarm sounds a pleasant experience. Users can choose the colors of the app as well as its appearance and more, including Google Now integration, recurring alarms, screen animations and adaptive snooze features. In September 2013, Google bought Bump, which created the Bump app that lets users move files from smartphones to computers and vice versa by "bumping" the spacebar with the device to make the transfer, or by bumping their smartphones together.

The company was acquired for a reported $40 million. On Dec. 31, 2013, however, just four months after the Bump acquisition, Bump announced that Google would discontinue its services. In June 2013, Google made another intriguing mobile app acquisition when it bought Waze, a crowd-based traffic and navigation app for mobile devices. Waze collects and communicates user-generated reports on traffic and navigation information to help drivers ease their commuting stresses. Google paid about $1.3 billion to acquire the Israel-based Waze to add to Google's growing portfolio of popular and revenue-enhancing mapping tools. Google's discussions with Waze began after previous talks between Waze and Facebook failed to reach a similar agreement. Those discussions came after yet another rumored deal arose in late 2012 when Apple purportedly was about to purchase Waze.

At the time, the rumors called for Apple to acquire Waze to bolster its own mapping services, which had suffered after Apple tried to build a Google Maps replacement for its iOS 6 operating system in September 2012.

It’s OK to parody the NSA

NSA backs down, admits man can use their seal for T-shirts and mugs on Zazzle.

Clapper: We should have disclosed NSA bulk data collection in 2001

Intelligence chief says program would have seen support in the wake of 9/11 attacks.

How the US could block the Comcast/Time Warner Cable merger

Comcast/TWC merger may require extensive consumer protection provisions.

Password leak in WeMo devices makes home appliances susceptible to hijacks...

Belkin devices can be remotely commandeered using firmware update mechanism.

New Snowden docs show NSA, GCHQ spied on WikiLeaks, Pirate Bay...

GCHQ conducts broad surveillance of social media and watched WikiLeaks users.

NHS England delays care.data for six months after GP and patient...

NHS England has responded to rising criticism over its plans for a centralised patient record database by postponing the care.data programme for six months. It follows protests from patients, doctors and privacy groups over plans to extract patient re...