
Science & Tech

More than 83 million smart devices, including baby monitors, at risk from hackers

Hackers could listen to and watch live audio and video feeds from smart cameras and baby monitors, due to a vulnerability being disclosed by Mandiant and the US Cybersecurity and Infrastructure Security Agency.

A critical vulnerability affecting more than 83 million smart devices, including smart cameras and baby monitors, could allow hackers to listen to and watch live audio and video feeds, it has emerged.

The flaw “poses a huge risk” to people’s security and privacy said security company Mandiant, which is coordinating its disclosure with the US Cybersecurity and Infrastructure Security Agency (CISA).

While default passwords have prompted UK security services to warn consumers about criminal activity, the flaw discovered by Mandiant also affects devices which do not use default passwords.

According to Mandiant, the problem lies in an IoT (Internet of Things) software protocol called Kalay, developed by Taiwanese company ThroughTek, which offers a platform for controlling smart devices.

Before the coordinated disclosure was made, ThroughTek warned users to update their software to stop hackers accessing “sensitive information in transmission and on victim devices”.

A similar vulnerability was discovered in the Kalay protocol by Nozomi Networks earlier this year, although Mandiant says its discovery is more severe, allowing attackers to remotely control affected devices as well as snoop on them.

Because the Kalay protocol is installed by both original equipment manufacturers (OEMs) and resellers before smart devices reach consumers, Mandiant said it couldn’t determine a complete list of products affected.

However, the business – which is part of cyber security company FireEye – noted ThroughTek’s website “reports more than 83 million active devices on the Kalay platform at the time of writing”.

Back in 2014, the UK’s data watchdog warned Britons that private webcam feeds were being streamed on a Russian website, using default logins and passwords to access the devices.

The British government plans to introduce a new law which will force OEMs and resellers of smart devices to meet minimum security requirements in the UK.

WHAT ARE THE NEW RULES FOR SMART DEVICES?

  • At the point of sale, consumers must be informed of how long their devices will receive security software updates for
  • Manufacturers will be banned from using weak universal default passwords, such as ‘password’ or ‘admin’
  • Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability

The government announced the Product Security and Telecommunications Infrastructure Bill during the Queen’s Speech earlier this year, although this is not yet law.

Announcing the law earlier this year, digital infrastructure minister Matt Warman said: “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

A spokesperson for the UK’s National Cyber Security Centre (NCSC) said: “We are aware of this vulnerability and ThroughTek has released an update to fix the issue.

“Simply using the platform does not automatically make you vulnerable to real-world impact, as additional information that is hard to guess is needed to exploit the vulnerability in an individual device successfully.

“To maximise protection, the NCSC recommends individuals keep their software up to date by installing the latest vendor updates as soon as practicable.”


Egypt: Researchers identify prehistoric killer whale that walked on land from 43-million-year-old fossil

“It could kill any creature it crossed paths with,” say Egyptian scientists who have discovered a new killer whale fossil from the African nation’s Whale Valley.

Egyptian scientists have identified a new species of prehistoric killer whale from a 43-million-year-old fossil that was found in Egypt’s “Whale Valley”.

The ancient fossil, which was unearthed in Egypt’s Western Desert in 2008, has been named as Phiomicetus Anubis, after the god of death in ancient Egypt.

The four-legged whale belongs to the protocetids, a family of extinct semi-aquatic whales that lived from 34 to 59 million years ago.

Image: Mansoura University researcher Abdullah Gohar shows the fossil of Phiomicetus Anubis, the 43 million-year-old four-legged prehistoric whale unearthed over a decade ago in Fayoum, in Egypt’s Western Desert. Researchers said it was approximately 2.7m (9ft) long and weighed around 600kg. Pic: AP

Professor Hesham Sallam, of Mansoura University in Egypt, the leading palaeontologist who examined the fossil, said the creature was unique in its versatility in the way its features were adapted to hunt on land and in the sea – characteristics that made it stand out among other whale fossils.

“We chose the name Anubis because it had a strong and deadly bite,” said Professor Sallam.

“It could kill any creature it crossed paths with.”

The creature’s killer features included an elongated skull and snout. Its sharp hearing and acute sense of smell made it an efficient carnivore capable of hunting down, grasping and chewing its prey, researchers said. It was approximately 2.7m (9ft) long and weighed around 600kg.

Image: The fossils of Phiomicetus Anubis, unearthed over a decade ago in Fayoum, in Egypt’s Western Desert. Professor Sallam said it ‘could kill any creature it crossed paths with’. Pic: AP

Professor Sallam said his team did not start examining the fossil until 2017 because he wanted to assemble the best and the most talented Egyptian palaeontologists for the study.

The fossil sheds light on the evolution of whales from herbivorous land mammals into carnivorous species that today live exclusively in water.

The oldest fossil whales are approximately 50 million years old and are believed to have originated in modern-day Pakistan and India.

Scientists have not been able to reach a conclusive answer as to when whales moved from land to sea.

The location of the discovery of the fossil will give a clue as to how and when this happened.


Former US intelligence officers admit to mercenary hacking for United Arab Emirates

The charges against them are published amid growing concerns that foreign states may be compromising US security by recruiting intelligence personnel to bolster their own capabilities.

Three former US intelligence and military officers have admitted working as mercenaries for the United Arab Emirates (UAE) and carrying out sophisticated hacking operations targeting victims in America.

The men, named as Marc Baier, Ryan Adams, and Daniel Gericke in an unsealed court document, were accused of breaking computer crime laws and export controls and have agreed to pay more than $1.6m (£1.1m) as part of a deferred prosecution agreement.

According to the court document, after leaving US government employment, the three men worked for an American company that provided licensed services to the UAE.

But in January 2016, “after receiving an offer for higher compensation and an expanded budget”, the men left this company and joined a new one called Dark Matter, based in the Gulf state.

The unit helped the UAE spy on human rights activists, journalists and rival governments, according to Reuters, which reported on the clandestine unit, called Project Maven, before these charges were made public.

While working for the UAE business, which did not have an export licence to receive hacking technology from the US, the men developed “two similar ‘zero-click’ computer hacking and intelligence gathering systems” that were used to target victims in America.

“Today’s announcement shines a light on the unlawful activity of three former members of the US intelligence community and military,” said Steven D’Antuono of the FBI’s Washington Field Office.

“These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyber operations.

“These charges and the associated penalties make clear that the FBI will continue to investigate such violations.”

Bryan Vorndran, of the FBI’s cyber division, added: “This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”

As part of the deferred prosecution, Baier, Adams, and Gericke must cooperate with the Department of Justice’s investigation.

They have agreed to pay $750,000 (£542,000), $600,000 (£430,000) and $335,000 (£242,000) respectively over the next three years – funds for which they are prohibited from being reimbursed by the UAE.

They have also received a lifetime ban on receiving any security clearances, as well as from being employed as hackers or by “certain UAE organisations”.


Apple issues emergency software update after discovery of ‘zero click’ malware

The spyware has been attributed “with high confidence” to Israel’s NSO Group.

Apple has issued an emergency software update after a flaw was found that allowed spyware attributed to Israel’s NSO Group to infect an iPhone, Apple Watch, or Mac computer without the user having to click on anything.

The malware was found on the phone of an unidentified Saudi activist by Canadian internet security watchdog Citizen Lab.

It is the first time that a “zero-click” exploit – an exploit that allows an attacker to hack into the device without requiring the victim to click on anything, meaning they have no chance to catch the attack – has been caught and analysed.

The phone is thought to have been infected in February, although the researchers discovered the malicious code on 7 September and immediately alerted Apple.

Image: The logo of NSO Group, an Israeli cyber surveillance firm, at one of its branches in the Arava Desert, southern Israel, 22 July 2021. Pic: Reuters/Amir Cohen

Ivan Krstic, head of Apple security engineering and architecture, said: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”

“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.

Citizen Lab researcher Bill Marczak said there was high confidence that Israeli surveillance firm NSO Group was behind the attack, although it was “not necessarily” being attributed to the Saudi government.

In a statement to Reuters, NSO did not confirm or deny that it was behind the technique, saying only that it would “continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime”.

Citizen Lab has previously found evidence of zero-click malware being used to hack the phones of some journalists and other targets but Mr Marczak said this was the first time one had been captured “so we can find out how it works”.

Image: A stand of NSO Group Technologies, the Israeli firm known for its Pegasus spyware, at the annual European Police Congress in Berlin, Germany, 4 February 2020. Experts say the average user does not need to be too concerned, as such attacks tend to be highly targeted.

Security experts have said that the average user does not need to be too concerned, as such attacks tend to be highly targeted, but the exploit was still alarming.

Mr Marczak said that malicious files were put on the Saudi activist’s phone via the iMessage app before the phone was hacked with NSO’s Pegasus spyware.

This meant the phone was able to spy on its user without them even knowing.

Citizen Lab researcher John Scott-Railton said: “Popular chat apps are at risk of becoming the soft underbelly of device security. Securing them should be top priority.”

In July it was reported that NSO Group’s spyware had been used to target journalists, political dissidents and human rights activists.

NSO Group says that its spyware is only used by governments to hack the mobile phones of terrorists and serious criminals, but a leaked list featuring more than 50,000 phone numbers of interest to the company’s clients suggested that it is being used much more broadly.

More than 1,000 individuals in 50 countries were allegedly selected for potential surveillance – including 189 journalists and more than 600 politicians and government officials, according to Paris-based journalism non-profit Forbidden Stories and Amnesty International, as well as their media partners.

Mr Marczak said on Monday: “If Pegasus was only being used against criminals and terrorists, we never would have found this stuff.”

It has also been reported that the FBI is investigating NSO Group, and Israel has set up a senior inter-ministerial team to examine the allegations surrounding how the spyware is being used.
