Schneier on Security: Tagged spoofing

Entries Tagged "spoofing"

Page 3 of 6

Security Risks from Remote-Controlled Smart Devices

We’re starting to see a proliferation of smart devices that can be controlled from your phone. The security risk is, of course, that anyone can control them from their phones. Like this Japanese smart toilet:

The toilet, manufactured by Japanese firm Lixil, is controlled via an Android app called My Satis.

But a hardware flaw means any phone with the app could activate any of the toilets, researchers say.

The toilet uses bluetooth to receive instructions via the app, but the Pin code for every model is hardwired to be four zeros (0000), meaning that it cannot be reset and can be activated by any phone with the My Satis app, a report by Trustwave’s Spiderlabs information security experts reveals.

This particular attack requires Bluetooth connectivity and doesn’t work over the Internet, but many other similar attacks will. And because these devices send to have their code in firmware, a lot of them won’t be patchable. My guess is that the toilet’s manufacturer will ignore it.

On the other end of your home, a smart TV protocol is vulnerable to attack:

The attack uses the Hybrid Broadcast Broadband TV (HbbTV) standard that is widely supported in smart television sets sold in Europe.

The HbbTV system was designed to help broadcasters exploit the internet connection of a smart TV to add extra information to programmes or so advertisers can do a better job of targeting viewers.

But Yossef Oren and Angelos Keromytis, from the Network Security Lab, at Columbia University, have found a way to hijack HbbTV using a cheap antenna and carefully crafted broadcast messages.

The attacker could impersonate the user to the TV provider, websites, and so on. This attack also doesn’t use the Internet, but instead a nearby antenna. And in this case, we know that the manufacturers are going to ignore it:

Mr Oren said the standards body that oversaw HbbTV had been told about the security loophole. However, he added, the body did not think the threat from the attack was serious enough to require a re-write of the technology’s security.

Posted on June 10, 2014 at 8:24 AM • View Comments

Academic Paper Spam

There seems to be an epidemic of computer-generated nonsense academic papers.

Labbé does not know why the papers were submitted—or even if the authors were aware of them. Most of the conferences took place in China, and most of the fake papers have authors with Chinese affiliations. Labbé has emailed editors and authors named in many of the papers and related conferences but received scant replies; one editor said that he did not work as a program chair at a particular conference, even though he was named as doing so, and another author claimed his paper was submitted on purpose to test out a conference, but did not respond on follow-up. Nature has not heard anything from a few enquiries.

In this arms race between fake-paper-generator and fake-paper-detector, the advantage goes to the detector.

Posted on March 7, 2014 at 6:13 AM • View Comments

Brian Krebs

Nice profile of Brian Krebs, cybersecurity journalist:

Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called “Spam Nation,” to be published by Sourcebooks this year.

In the meantime, hackers have been competing in a dangerous game of one-upmanship to see who can pull the worst prank on Mr. Krebs. They often steal his identity. One opened a $20,000 credit line in his name. Admirers have made more than $1,000 in bogus PayPal donations to his blog using hacked accounts. Others have paid his cable bill for three years with stolen credit cards.

The antics can be dangerous. In March, as Mr. Krebs was preparing to have his mother over for dinner, he opened his front door to find a police SWAT team pointing semiautomatic guns in his direction. Only after his wife returned home from the grocery store to find him handcuffed did the police realize Mr. Krebs had been the victim of “swatting.” Someone had called the police and falsely reported a murder at their home.

Four months after that, someone sent packets of heroin to Mr. Krebs’s home, then spoofed a call from his neighbor to the police. But Mr. Krebs had already been tipped off to the prank. He was tracking the fraud in a private forum—where a criminal had posted the shipment’s tracking number - and had alerted the local police and the F.B.I.

Posted on February 20, 2014 at 4:09 PM • View Comments

Brian Krebs Harassed

This is what happens when you’re a security writer and you piss off the wrong people: they conspire to have heroin mailed to you, and then to tip off the police. And that’s after they’ve called in a fake hostage situation.

Posted on July 31, 2013 at 6:25 AM • View Comments

Detecting Spoofed GPS Signals

This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals.

Unfortunately, the countermeasures all seem to be patent pending.

Posted on August 9, 2012 at 6:32 AM • View Comments

Students Hack DHS Drone

A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won’t be able to do this?

EDITED TO ADD (7/9): It wasn’t a DHS drone. It was a drone owned by the university.

Posted on July 9, 2012 at 6:02 AM • View Comments

GPS Spoofers

Great movie-plot threat:

Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. “They are always visible because they need a clear view of the sky,” Humphreys told Wired.co.uk.

He explains that someone who directed a spoofer towards the antenna could cause two different problems which could have a major impact on the largely automated high-frequency trading systems. The first is simply causing confusion by manipulating the times—a process called “time sabotage”—on one of the global stock exchanges. This sort of confusion can be very damaging.

Posted on March 2, 2012 at 6:11 AM • View Comments

More on the Captured U.S. Drone

There’s a report that Iran hacked the drones’ GPS systems:

“The GPS navigation is the weakest point,” the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran’s “electronic ambush” of the highly classified US drone. “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”

The “spoofing” technique that the Iranians used—which took into account precise landing altitudes, as well as latitudinal and longitudinal data—made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.

Free-Riding on Plant Security Countermeasures

There’s a security story from biology I’ve used a few times: plants that use chemicals to call in airstrikes by wasps on the herbivores attacking them. This is a new variation: a species of orchid that emits the same signals as a trick, to get pollinated.

Posted on August 9, 2011 at 1:09 PM • View Comments

Why it's So Difficult to Trace Cyber-Attacks

I’ve been asked this question by countless reporters in the past couple of weeks. Here’s a good explanation. Shorter answer: it’s easy to spoof source destination, and it’s easy to hijack unsuspecting middlemen and use them as proxies.

No, mandating attribution won’t solve the problem. Any Internet design will necessarily include anonymity.

Posted on June 13, 2011 at 6:52 AM • View Comments

←Previous 1 2 3 4 5 6 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.