Security researchers have discovered a slew of vulnerabilities affecting 4G hotspots from ZTE, and the company hasn't provided fixes for all of the affected devices.
The security flaws could allow a potential hacker to redirect traffic from the hotspot to other malicious websites, researchers said.
The vulnerabilities were disclosed on Saturday at Defcon, an annual hacking conference in Las Vegas.
A Pen Test Partners researcher who goes by the handle "Dave Null" described ZTE's security issues at length, as well as his concerns with how the Chinese phone company responded to the disclosure.
Null said that the vulnerabilities were simple to pull off -- an attacker only needed the victim to visit a malicious website using one of ZTE's hotspots.
The researcher found a model of hotspots were disclosing the device's passwords when a website's code requested it.
Now get a load of QOP
DEF CON At the DEF CON hacking conference in Las Vegas on Saturday, infosec gurus from Check Point are scheduled to describe a technique for exploiting SQLite, a database used in applications across every major desktop and mobile operating system, to gain arbitrary code execution.
In a technical summary provided to The Register ahead of their presentation, Check Point's Omer Gull sets out how he and his colleague Omri Herscovici developed techniques referred to as Query Hijacking and Query Oriented Programming, in order to execute malicious code on a system.
Query Oriented Programming is similar in a way to return oriented programming in that it relies on assembling malicious code from blocks of CPU instructions in a program's RAM.
The difference is that QOP is done with SQL queries.
SQLite is built into all sorts of things, from web browsers to embedded devices to Android, Windows, iOS, various BSDs, and commercial software.
Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT or T-Mobile's network.
And the vulnerability has been around for decades.
Regular GSM calls aren't fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can't just tune into phone calls over the air like radio stations.
"GSM is a well documented and analyzed standard, but itâs an aging standard and it's had a pretty typical cybersecurity journey," says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity.
"The weaknesses we found are in any GSM implementation up to 5G.
Regardless of which GSM implementation youâre using there is a flaw historically created and engineered that youâre exposing."
You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where weâre digging into the latest and greatest hacks on display.
A researcher found itâs possible to break into one just by sending a text message.
To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties.
Boeingâs 787 jets might not be very secure, it turns outâAndy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the planeâs components.
Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm.
Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.
Hackers and security researchers at the Black Hat and Defcon conferences in Las Vegas this week tackled everything from election security to misinformation campaigns to Android malware that comes preinstalled on your devices.
Meanwhile, Samsung grabbed the spotlight by unveiling its Galaxy Note 10 and Note 10 Plus phones alongside a superthin Galaxy Book S laptop.
It was also a big week for weird science news, like tardigrades on the moon, the discovery of a prehistoric dog-size parrot and Jupiter getting slammed by something massive.
He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference's network dangerous.
Mehdi Yahyanejad uses an innovative technology to get past internet censorship in Iran and bring information to poor and isolated communities in Mexico.
AT may be vindicated in withholding its 5G service from consumers so far.
Every year the great and good (and bad) of the hacker/information-security world descend on Las Vegas for a week of conferences, in which many present their latest discoveries, and every year I try to itemize the most interesting (according to me) Black Hat talks for TechCrunch.
There are far too many for anyone to attend.
In truth there is a lot of extremely good security out there, especially amid the big tech companies, and it keeps getting better, as the market for 0-days (previously undiscovered exploits) indicates.
Most (though certainly not all) of the exploits below have already been reported and fixed, and patches have been rolled out.
All the 4G Modules Could Be Hacked, from Baiduâs Security Lab, recounts the researchersâ investigation of 4G modules for IoT devices â the components which connect machines to the Internet via cell networks, basically.
The results show all of them have similar vulnerabilitiesâ and ends with the equally memorable âhow to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.â Extra points for the slide with âBuild Zombie cars (just like Furious 8)â, too.
The first time I saw Mike Spicer, I spotted him from a mile away.
Because the hardware on Spicer's back was a surveillance tool nicknamed the "Wi-Fi Cactus."
Antennas stick out like the spikes on a cactus, which is how it got half of its name.
In four days, Spicer collected 427 gigabytes of people's network traffic at a rate of about eight gigabytes an hour.
For three years, Spicer, the chief technology officer at MerchGo, an ecommerce company, has monitored traffic at security conferences with the Cactus.
He spent more than $2,700 building and upgrading the machine.
Security researchers have discovered a slew of vulnerabilities affecting 4G hotspots from ZTE, and the company hasn't provided fixes for all of the affected devices.
The security flaws could allow a potential hacker to redirect traffic from the hotspot to other malicious websites, researchers said.
The vulnerabilities were disclosed on Saturday at Defcon, an annual hacking conference in Las Vegas.
A Pen Test Partners researcher who goes by the handle "Dave Null" described ZTE's security issues at length, as well as his concerns with how the Chinese phone company responded to the disclosure.
Null said that the vulnerabilities were simple to pull off -- an attacker only needed the victim to visit a malicious website using one of ZTE's hotspots.
The researcher found a model of hotspots were disclosing the device's passwords when a website's code requested it.
Now get a load of QOP
DEF CON At the DEF CON hacking conference in Las Vegas on Saturday, infosec gurus from Check Point are scheduled to describe a technique for exploiting SQLite, a database used in applications across every major desktop and mobile operating system, to gain arbitrary code execution.
In a technical summary provided to The Register ahead of their presentation, Check Point's Omer Gull sets out how he and his colleague Omri Herscovici developed techniques referred to as Query Hijacking and Query Oriented Programming, in order to execute malicious code on a system.
Query Oriented Programming is similar in a way to return oriented programming in that it relies on assembling malicious code from blocks of CPU instructions in a program's RAM.
The difference is that QOP is done with SQL queries.
SQLite is built into all sorts of things, from web browsers to embedded devices to Android, Windows, iOS, various BSDs, and commercial software.
That gong you just heard?
The over-the-top experiential marketing experience is open for just four days in the desert east of Los Angeles, taking over a boutique setting and remaking it in the brandâs own quirky, sauce- and sass-filled image.
On Thursday, the Irvine-based brand packed The Bell for the first of four nights that the pop-up will be operating in Palm Springs, and Adweek was there for all the festivities.
The lineup included food tastings (announced, of course, by gong), synchronized swimmers in hot-sauce suits, a poolside concert by Fletcher, a âfreezeâ lounge, a slew of Baja Blast variations and more selfies than anyone could possibly count.
No one seemed to mind.
MediaâLos Angeles Times, BuzzFeed, Tastemade, local television stations, and yours truly from Adweekâoccupied plenty of the space, as did hard-core fans who were extremely quick on the draw when reservations became available.
If you can pull off a very specific iPhone hack, Apple has a million dollars for you.
Apple announced a big changes to its bug-bounty program it launched in 2016.
The biggest is a new $1 million reward if you find a very specific exploit.
The $1 million will go to security researchers (or group of researchers) that are able to carry out a âzero-click full chain kernel execution attack with persistence,â Techcrunch reports.
Itâs an attack that would result in the hacker getting to the core of Appleâs operating system, iOS, and gaining control of the iPhone in question without any user interaction.
If someone (or several someones) are able to pull the hack off and share how they did with Apple, theyâll get $1 million.
For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities.
You know it better as Darpa, the government's mad science wing.
And Darpa wants you to know: its endgame goes way beyond securing the vote.
The agency hopes to use voting machines as a model system for developing a secure hardware platformâmeaning that the group is designing all the chips that go into a computer from the ground up, and isnât using proprietary components from companies like Intel or AMD.
âThe goal of the program is to develop these tools to provide security against hardware vulnerabilities,â says Linton Salmon, the projectâs program manager at Darpa.
To vote using the system, you go up to a touchscreen, make your picks (Which Is The Best Star Wars Movie; Are Hot Dogs Sandwiches), confirm your selections, and then send them to print out.
The first time I called into an elevator, I picked up my iPhone and dialed the numberâlabeled on my list as the Crown Plaza Hotel in Chicagoâand immediately heard two beeps, then a recording of a woman's voice, who told me to press one to talk.
After just one ring I heard a series of four tones and was immediately listening to the inside of another elevator.
This time I heard a few muffled voices, then a woman answered: "There are people in here, yes."
"Turn it over," I heard a woman's voice say in a Midwestern accent.
This was my introduction to the illicit thrill of elevator phone phreaking.
I had learned about this hobbyâand received my list of working elevator phonesâjust a few days earlier from Will Caruana, a thirtysomething freelance security researcher.
Researchers presenting at the Black Hat security conference in Las Vegas this week demonstrated a relatively simple way to break into someoneâs iPhone Face IDâso long as theyâre completely conked out.
On Wednesday, a research team from Tencent showed their biometric bypass technique to conference attendees, according to a report from Threatpost.
In order to circumvent Appleâs advanced security protocol, the researchers reportedly only needed glasses with black tape on the lenses and smaller pieces of white tape on the black tape.
Apparently, if you put taped glasses on an unconscious personâs face, you can trick Apple Face ID into unlocking the phone.
Security researchers demonstrate how to bypass Face ID with glasses and tape https://t.co/sr5Mtt81E7 by @ChanceHMiller pic.twitter.com/PMxmF4BcTg
The researchers were trying to hack the systemâs âlivenessâ detection part of the biometric process that distinguishes between âfakeâ and ârealâ human characteristics, according to Threatpost.
In a presentation at the Black Hat security conference in Las Vegas, data scientists examined various ways to identify deepfake videos â something that is going to become increasingly important as US elections approach in 2020.
George Williams, director of data science at GSI, explained that AIs are better at spotting deepfakes than fleshbags.
Earlier this year, humans were pitted against a generative adversarial network (GAN) to call out a selection of deepfakes, and the carbon-based humanoids did pretty well, spotting 88 per cent of fakes.
But the machines managed an average rate of 92 per cent.
"That seems pretty good, but when you consider the sheer volume of content that can be put out on social media, you're going to see a lot of mistakes and false positives," he said.
"Some of the content will get past both humans and machines."
Apple used the annual Black Hat security conference in Las Vegas on Thursday to make some changes to its bug bounty scheme.
Until recently, Appleâs previous highest bounty was $200,000 for friendly reports of bugs that could then be fixed with software updates.
And Apple also only offered bug bounties to invited researchers who tried to find flaws in its phones and cloud backups, Reuters reported.
But now at the conference Apple has made some changes, as it seeks to ensure that the iPhone is the most safeguarded and privacy focused handset on the market.
First off, Apple has opened its bug bounty program to all security researchers, and its dramatically increased the payout for the most serious of flaws.
Reuters reported that Appleâs bug bounty scheme now includes not just the iPhone, but also Mac software, and it is offering researchers a range of bug bounties for the most significant findings.
Revenge plan morphs into data leak discovery
Black Hat When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves.
In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.
Pavur's research started in an unlikely place - the departure lounge of a Polish airport.
They didn't, but it sparked an idea to see what information you could get on other people and Pavur's partner agreed to act as a guinea pig for the experiment.
Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.
Apple's security engineering boss Ivan KrstiÄ told Black Hat attendees that Cupertino is expanding its bug-bounty program in various ways.
And the maximum payout for an exploit chain that can achieve a total and automatic iPhone takeover â no user interaction required, kernel-level, and persistent, and requiring just a victim's cellphone number â will be upped to $1m from $200,000.
Developer-mode iPhones that grant access to the firmware and operating system, to make finding low-level holes easier, will be given to selected infosec gurus to probe.
Check Point continues beef with WhatsApp
Around this time last year, Check Point revealed it was possible to slyly manipulate messages in private and group WhatsApp conversations.
At the time, the chat app's maker Facebook didn't think it was too big a deal, and it still doesn't: according to Check Point's reps at Black Hat this Thursday, the weaknesses remain largely unfixed.
Apple Pay has a slew of protective features that make it a secure method of online credit card transactions.
And since 2016, third-party merchants and services have been able to embed Apple Pay into their websites and offer it as a payment option.
But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.
But the findings illustrate the unintended issues that can emerge from web interconnections and third-party integrations.
Joshua Maddux, a security researcher at the analysis firm PKC Security, first noticed the issue last fall when he was implementing Apple Pay support for a client.
You set up Apple Pay functionality in your web service by integrating with the Apple Pay application programming interfaceâallowing Apple to power the module with its existing Apple Pay infrastructure.
That gong you just heard?
The over-the-top experiential marketing experience is open for just four days in the desert east of Los Angeles, taking over a boutique setting and remaking it in the brandâs own quirky, sauce- and sass-filled image.
On Thursday, the Irvine-based brand packed The Bell for the first of four nights that the pop-up will be operating in Palm Springs, and Adweek was there for all the festivities.
The lineup included food tastings (announced, of course, by gong), synchronized swimmers in hot-sauce suits, a poolside concert by Fletcher, a âfreezeâ lounge, a slew of Baja Blast variations and more selfies than anyone could possibly count.
No one seemed to mind.
MediaâLos Angeles Times, BuzzFeed, Tastemade, local television stations, and yours truly from Adweekâoccupied plenty of the space, as did hard-core fans who were extremely quick on the draw when reservations became available.
For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities.
You know it better as Darpa, the government's mad science wing.
And Darpa wants you to know: its endgame goes way beyond securing the vote.
The agency hopes to use voting machines as a model system for developing a secure hardware platformâmeaning that the group is designing all the chips that go into a computer from the ground up, and isnât using proprietary components from companies like Intel or AMD.
âThe goal of the program is to develop these tools to provide security against hardware vulnerabilities,â says Linton Salmon, the projectâs program manager at Darpa.
To vote using the system, you go up to a touchscreen, make your picks (Which Is The Best Star Wars Movie; Are Hot Dogs Sandwiches), confirm your selections, and then send them to print out.
Researchers presenting at the Black Hat security conference in Las Vegas this week demonstrated a relatively simple way to break into someoneâs iPhone Face IDâso long as theyâre completely conked out.
On Wednesday, a research team from Tencent showed their biometric bypass technique to conference attendees, according to a report from Threatpost.
In order to circumvent Appleâs advanced security protocol, the researchers reportedly only needed glasses with black tape on the lenses and smaller pieces of white tape on the black tape.
Apparently, if you put taped glasses on an unconscious personâs face, you can trick Apple Face ID into unlocking the phone.
Security researchers demonstrate how to bypass Face ID with glasses and tape https://t.co/sr5Mtt81E7 by @ChanceHMiller pic.twitter.com/PMxmF4BcTg
The researchers were trying to hack the systemâs âlivenessâ detection part of the biometric process that distinguishes between âfakeâ and ârealâ human characteristics, according to Threatpost.
Apple used the annual Black Hat security conference in Las Vegas on Thursday to make some changes to its bug bounty scheme.
Until recently, Appleâs previous highest bounty was $200,000 for friendly reports of bugs that could then be fixed with software updates.
And Apple also only offered bug bounties to invited researchers who tried to find flaws in its phones and cloud backups, Reuters reported.
But now at the conference Apple has made some changes, as it seeks to ensure that the iPhone is the most safeguarded and privacy focused handset on the market.
First off, Apple has opened its bug bounty program to all security researchers, and its dramatically increased the payout for the most serious of flaws.
Reuters reported that Appleâs bug bounty scheme now includes not just the iPhone, but also Mac software, and it is offering researchers a range of bug bounties for the most significant findings.
Apple's security engineering boss Ivan KrstiÄ told Black Hat attendees that Cupertino is expanding its bug-bounty program in various ways.
And the maximum payout for an exploit chain that can achieve a total and automatic iPhone takeover â no user interaction required, kernel-level, and persistent, and requiring just a victim's cellphone number â will be upped to $1m from $200,000.
Developer-mode iPhones that grant access to the firmware and operating system, to make finding low-level holes easier, will be given to selected infosec gurus to probe.
Check Point continues beef with WhatsApp
Around this time last year, Check Point revealed it was possible to slyly manipulate messages in private and group WhatsApp conversations.
At the time, the chat app's maker Facebook didn't think it was too big a deal, and it still doesn't: according to Check Point's reps at Black Hat this Thursday, the weaknesses remain largely unfixed.
If you can pull off a very specific iPhone hack, Apple has a million dollars for you.
Apple announced a big changes to its bug-bounty program it launched in 2016.
The biggest is a new $1 million reward if you find a very specific exploit.
The $1 million will go to security researchers (or group of researchers) that are able to carry out a âzero-click full chain kernel execution attack with persistence,â Techcrunch reports.
Itâs an attack that would result in the hacker getting to the core of Appleâs operating system, iOS, and gaining control of the iPhone in question without any user interaction.
If someone (or several someones) are able to pull the hack off and share how they did with Apple, theyâll get $1 million.
The first time I called into an elevator, I picked up my iPhone and dialed the numberâlabeled on my list as the Crown Plaza Hotel in Chicagoâand immediately heard two beeps, then a recording of a woman's voice, who told me to press one to talk.
After just one ring I heard a series of four tones and was immediately listening to the inside of another elevator.
This time I heard a few muffled voices, then a woman answered: "There are people in here, yes."
"Turn it over," I heard a woman's voice say in a Midwestern accent.
This was my introduction to the illicit thrill of elevator phone phreaking.
I had learned about this hobbyâand received my list of working elevator phonesâjust a few days earlier from Will Caruana, a thirtysomething freelance security researcher.
In a presentation at the Black Hat security conference in Las Vegas, data scientists examined various ways to identify deepfake videos â something that is going to become increasingly important as US elections approach in 2020.
George Williams, director of data science at GSI, explained that AIs are better at spotting deepfakes than fleshbags.
Earlier this year, humans were pitted against a generative adversarial network (GAN) to call out a selection of deepfakes, and the carbon-based humanoids did pretty well, spotting 88 per cent of fakes.
But the machines managed an average rate of 92 per cent.
"That seems pretty good, but when you consider the sheer volume of content that can be put out on social media, you're going to see a lot of mistakes and false positives," he said.
"Some of the content will get past both humans and machines."
Revenge plan morphs into data leak discovery
Black Hat When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves.
In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.
Pavur's research started in an unlikely place - the departure lounge of a Polish airport.
They didn't, but it sparked an idea to see what information you could get on other people and Pavur's partner agreed to act as a guinea pig for the experiment.
Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.
Apple Pay has a slew of protective features that make it a secure method of online credit card transactions.
And since 2016, third-party merchants and services have been able to embed Apple Pay into their websites and offer it as a payment option.
But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.
But the findings illustrate the unintended issues that can emerge from web interconnections and third-party integrations.
Joshua Maddux, a security researcher at the analysis firm PKC Security, first noticed the issue last fall when he was implementing Apple Pay support for a client.
You set up Apple Pay functionality in your web service by integrating with the Apple Pay application programming interfaceâallowing Apple to power the module with its existing Apple Pay infrastructure.