Amazon Key hacked: Tech-savvy couriers could exploit cameras and sneak into homes
"Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.
Amazon has pledged to release a security patch after a team of cybersecurity researchers showed its delivery service, which lets couriers inside homes, could be hacked.
Security wise, the proposition of dropping off packages inside houses was always going to be a tough sell. And according to US firm Rhino Security Labs, issues in camera software linked to the "Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.
The new approach to drop-offs, announced on 25 October, is built upon a mobile application and a camera known as the Cloud Cam, which lets users watch the delivery as it's happening in real-time.
Upon arrival, couriers scan a barcode to confirm their identity and the details of the order, after which the camera automatically starts recording.
The smart lock opens the door and, while under the watchful eye of the home-owner, the application will later ping when the entrance is closed again.
Updates and notifications are provided at every step.
But according to Rhino Security Labs, a Wi-Fi cyberattack could disable the camera – essentially freezing the image on the application to make it look like the front door is shut and locked. It does this with a technique known as "deauthorisation".
"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of Rhino Security Labs, told Wired.
"Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."
In response, Amazon has confirmed a fix is on the way "later this week" that will give users a notification if the camera is tampered with or offline for an extended period of time. It stressed that all of its drivers go through "comprehensive" background checks.
"Safety and security are built into every aspect of the service," a spokesperson said, adding: "The service will not unlock the door if the Wi-Fi is disabled and the camera is not online."
Hackers Beat iPhone X’s Face ID Security In Just One Week
Hackers claim to have beaten Apple’s facial recognition security technology just one week after the iPhone X went on sale.
Apple has previously claimed that the Face ID system on the new iPhone X cannot be fooled by photos, impersonators or masks, but cyber security firm Bkav said a 3D-printed mask that costs $150 (£115) to make has already fooled the new software.
Face ID is used to unlock the new iPhone X, as well as allowing users to authorise payments and log in to apps. Apple has used a fingerprint sensor embedded in the home button for several years, but removed the home button entirely on the newest iPhone model.
The researchers said their findings proved that Face ID is ‘not an effective security measure’, although making the mask did require a detailed facial scan, and would be difficult for normal users to replicate.
When the iPhone X was unveiled in September, Apple claimed there was a ‘one in a million chance of another person being able to unlock the phone’ and said they’d ‘stress-tested the technology using silicone masks made by Hollywood studios’, writes the Telegraph.
Bkav constructed the mask using a combination of 3D printing, a silicone nose and printed images of the eyes.
In a video released by the company, Face ID appears to be fooled when a cloth covering the mask is taken away.
The Telegraph states because the video ‘does not show Face ID being set up’, it cannot be confirmed Bkav’s technique actually works.
When asked who’d be targeted by the hack, they said:
Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue. Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC.
FaceID caused some embarrassment for Apple back when it was being unveiled ahead of its release.
Things obviously didn’t go according to plan when Craig Federighi, Apple senior vice president, attempted to demo the feature in front of the audience in the room and no doubt the millions of people watching at home.
Federighi was extolling the virtues of Face ID, telling the audience how easy it would be to operate and how secure the phone would be as a result.
And then he was left completely embarrassed when he tried to lift the phone to his face, only to be told to enter the code for the phone because it had failed. A classic.
Before the fiasco, Federighi said:
With iPhone X, your iPhone is locked until you look at it, and it recognises you. Nothing has ever been more simple, natural and effortless.
We call this Face ID. Face ID is the future of how we unlock our smartphones and protect our sensitive information.
Apple said their Face ID technology is unsuitable for children under the age of 13 or for twins, suggesting these users set up a passcode instead.
The company did not respond to a request by The Telegraph for comment on Bkav’s findings.
What is IcedID? Hackers using new banking Trojan to spy and steal from targets in US and UK
Security experts suspect that a small but experienced cybercrime gang may be running IcedID malware.
A new banking Trojan dubbed IcedID has recently been spotted operating in the wild. Although IcedID is fairly new to the cybercrime arena, security experts suggest that the malware's capabilities are on par with Dridex, Zeus and Gozi – all of which are proliferating banking malware that have previously caused widespread destruction and chaos in cyberspace.
The hackers operating the malware are going after banks, payment card providers, mobile service providers and others in the US. The malware has also been found targeting two UK banks. In addition to being equipped with data-stealing abilities, IcedID can also monitor victims' online activities.
According to security researchers at IBM X-Force, who uncovered the banking malware, either an experienced hacker or a small cybercrime gang is likely operating IcedID.
"X-Force's analysis of IcedID's delivery method suggests that its operators are not new to the cybercrime arena, opting to infect users via the Emotet Trojan," IBM researchers said in a blog. Although the malware does not borrow code from other malware strains, researchers say that it still comes packed with features that "allow it to perform advanced browser manipulation tactics" employed by other sophisticated banking Trojans.
The X-Force researchers say that the hackers operating IcedID are using Emotet – a well-known malware distribution tool. "It was originally a banking Trojan that preceded Dridex. As such, it is designed to amass and maintain botnets. Emotet persists on the machine and then fetches additional components such as a spamming module, a network worm module, and password and data stealers for Microsoft Outlook email and browser activity," X-Force researchers explained.
The malware can also steal data via both redirection and web injection attacks, similar to TrickBot and Dridex. The malware can spread over networks and infect terminal servers. Researchers believe that the malware may soon begin targeting businesses.
Given that IcedID is still the new kid on the cybercrime block, it is uncertain how successful the malware will be in the future. However, X-Force researchers believe that its operators may soon update it to make it even more potent.
People all over the world have to deal with spam finding its way into their mailboxes.
If you are very active online and enter your personal details on various websites whenever they are requested, your mailbox may become inundated with unsolicited emails, which end up in your spam folder.
Spam—phishing, marketing, and scam emails—is annoying, that we can all agree on.
Many people have asked how to stop these emails from reaching the inboxes of iMac, MacBook Pro, iPhone and iPad users, and www.macworld.com has highlighted how it can be done.
The basis of Internet email is that every part of the system more or less trusts every other part. That’s one problem: because servers and messages are mostly trusted, scammers, spammers, and aggressive legitimate marketers can’t simply be blocked before the message lands at your email host, the site at which email is accepted for your address.
Another is that return addresses can be forged—at least some of the time—because there’s no verification system that ensures an email you receive was sent from the address shown to have sent it. There are ways for owners of domains and operators of mail servers to specify and validate the only legitimate servers that a return address comes from, but they’re neither universally deployed nor perfect.
And even if there were a way to prevent malicious and criminal parties from being able to send email from accounts under their control, an unknown, very large number of computers and email accounts have been hijacked or can be on a moment’s notice, sending scams through addresses that otherwise have only carried legitimate email until that point.
However, you can take steps that will help mitigate it, if you aren’t already taking them. These are some of the steps:
Stop unwanted emails at your email host
Enable any spam-filtering options available. Apple automatically performs some blocking and filtering for iCloud. Some hosts, like Fastmail, plug in a well-known system called SpamAssassin, which uses a large set of rules to guess whether email is legitimate or not, or unwanted or not. You can train SpamAssassin, as you can train Gmail and other services by marking email as spam and, conversely, checking the junk or spam folder to mark messages as “ham”—desirable email.
Install SpamSieve for macOS to stop spam
SpamSieve is a very long-running, still regularly updated app that maintains its own database of spam and ham, and which plugs into Mail, Outlook, and other macOS email software. It relies on Bayesian analysis of spam and ham, letting it use word frequency to provide a probability of whether a given message is legit or should quit.
Set up rules to stop spam
Both on a mail host and in email software, like Apple’s Mail for macOS, you can set rules that filter incoming messages and mark them automatically as junk or throw them into the trash. I have a persistent spammer who, for some reason, isn’t automatically marked as spam and hasn’t been shut down despite operating openly from the same address and domain. Tired of marking by hand, I created a filter that marks the messages as junk.
Never click a URL in an email
Phishing relies on fooling you about messages, so even if you take all protections above, you’ll still wind up with messages that look real. I’ve taken to rarely clicking on a link, but instead visiting a site if I need to know something, unless I can absolutely be confident the URL looks exactly like what I expect.
Mail software could do a lot more. For example, it could let you blacklist and whitelist URLs, so that messages containing certain paths or pointing to any unknown domain would require extra steps to get through, while links to legitimate domains would be highlighted to show that they have been verified as secure and that you’d marked them as acceptable.
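The three techniques in the steps above (a hand-made rule that marks a persistent sender as junk, a word-frequency Bayesian filter of the kind SpamAssassin and SpamSieve use, and a URL allowlist that flags links to unfamiliar domains) can be seen working together in a small pipeline. The following is an added example for this page, not code from Macworld, Apple, SpamAssassin or SpamSieve; every message, sender domain and allowlisted domain in it is constructed, the junk threshold of 0.9 is an assumption, and the abuse@domain reporting address follows the Apple support advice quoted later on this page.

```python
"""Toy mail-filtering pipeline: sender/domain rules, a URL allowlist check and
a Bayesian word-frequency spam classifier.  Added example; all messages,
domains and thresholds below are constructed for illustration."""
import math
import re
from collections import Counter
from email.utils import parseaddr

# Constructed rule data: the hand-made "mark this sender as junk" filter.
BLOCKED_SENDER_DOMAINS = {"spammydomain.com"}
# Constructed allowlist: links to any other domain get flagged for a closer look.
ALLOWLISTED_LINK_DOMAINS = {"apple.com", "icloud.com"}
JUNK_THRESHOLD = 0.9  # assumed cut-off for the Bayesian score

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z']+")


def sender_domain(from_header: str) -> str:
    """Part of the sender address after the '@', lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def abuse_address(from_header: str) -> str:
    """Where a junk report goes: abuse@ plus the sender's domain."""
    return "abuse@" + sender_domain(from_header)


def unlisted_link_domains(body: str) -> set:
    """Linked hosts that are neither an allowlisted domain nor a subdomain of one."""
    found = set()
    for host in URL_RE.findall(body):
        host = host.lower()
        if not any(host == ok or host.endswith("." + ok) for ok in ALLOWLISTED_LINK_DOMAINS):
            found.add(host)
    return found


class BayesFilter:
    """Multinomial naive Bayes over word counts with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        """Marking a message as spam or ham adds its words to that class."""
        self.counts[label].update(WORD_RE.findall(text.lower()))
        self.docs[label] += 1

    def spam_probability(self, text: str) -> float:
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total = {k: sum(c.values()) for k, c in self.counts.items()}
        ndocs = self.docs["spam"] + self.docs["ham"]
        # Smoothed log prior per class, then add log P(word | class) for each word.
        score = {k: math.log((self.docs[k] + 1) / (ndocs + 2)) for k in self.counts}
        for word in WORD_RE.findall(text.lower()):
            for k in score:
                score[k] += math.log((self.counts[k][word] + 1) / (total[k] + vocab))
        # Turn the two log scores into P(spam).
        return 1.0 / (1.0 + math.exp(score["ham"] - score["spam"]))


def train_demo_filter() -> BayesFilter:
    """Train on a constructed corpus: three spam and three ham messages."""
    f = BayesFilter()
    for text in ("win a free prize click now to claim your money",
                 "cheap pills and a free offer click here now",
                 "urgent your account is suspended verify your password now"):
        f.train(text, "spam")
    for text in ("meeting tomorrow at ten to review the project budget",
                 "attached are the notes from the design review",
                 "can you send the quarterly report before friday"):
        f.train(text, "ham")
    return f


def classify_message(from_header: str, body: str, bayes: BayesFilter):
    """Apply sender rule, Bayesian score, then link check; returns (verdict, reasons)."""
    reasons = []
    if sender_domain(from_header) in BLOCKED_SENDER_DOMAINS:
        reasons.append("sender domain matches junk rule")
    p = bayes.spam_probability(body)
    if p >= JUNK_THRESHOLD:
        reasons.append(f"bayes spam probability {p:.2f}")
    if reasons:
        return "junk", reasons
    links = unlisted_link_domains(body)
    if links:
        return "suspicious", [f"links to unlisted domain(s): {sorted(links)}"]
    return "ham", [f"bayes spam probability {p:.2f}"]


if __name__ == "__main__":
    bayes = train_demo_filter()
    samples = [  # constructed messages
        ("Promo <deals@spammydomain.com>", "free prize waiting click now to claim"),
        ("Alice <alice@example.org>", "notes from the project review meeting"),
        ("Bob <bob@example.org>", "see https://www.apple.com/support and http://login.evil.example/reset"),
    ]
    for sender, body in samples:
        verdict, why = classify_message(sender, body, bayes)
        print(f"{verdict:10s} {sender:32s} {why}")
        if verdict == "junk":
            print(f"           report to: {abuse_address(sender)}")
```

The order matters: the sender rule and the Bayesian score decide junk outright, while an unfamiliar link only demotes a message to "suspicious", which matches the advice of not clicking and visiting the site by hand instead. Six training messages are far too few for real use; the point is that marking mail as spam or ham is what moves the per-word probabilities, which is exactly what training SpamAssassin, SpamSieve or Gmail does.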
Decades into the spam battle, the weapons of defence still seem pretty paltry.
Apple support has also identified ways by which you can report junk mail to reduce the amount you receive.
Report junk mail
You can report junk mail to the mail administrators of both iCloud and the Internet domain from which the email was sent. If the administrators can verify that the message is junk mail, they can help make sure that future messages from that sender aren’t delivered to your mailbox. Follow the instructions for your email client:
Mail on your Mac
1. Open the message and choose Forward as Attachment from the Message menu.
2. Forward the message to iCloud at spam@icloud.com.
3. Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.
Microsoft Outlook 2010
1. Choose File > Options.
2. In the Options window, click Mail in the left-hand panel.
3. In the Replies and Forwards section, note the current setting so that you can change it back later. Then change the When forwarding a message setting to Attach original message.
4. Click OK.
5. Forward the message to iCloud at spam@icloud.com.
6. Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.
7. To return Outlook to your previous settings, repeat steps 1 to 4, but in step 3 change the When forwarding a message setting back to the way it was. If you don’t remember the setting, choose Include original message text.
Welcome to the New Data Revolution with Glo & Iflix! Enjoy Unbelievable Internet Subscription Rates
Subscribers on the network of the grandmasters of data, Globacom, are in for excess data season as the company once again blazed the trail by launching a new data revolution, which confers on its subscribers, an unfair advantage with unmatched data packages; the biggest ever in the industry.
The launch of the Glo Data Revolution was done alongside the unveiling of an exclusive partnership with Iflix, the world’s leading entertainment services for emerging markets, which gives the teeming subscribers of the telecoms firm, 60 days of unlimited access to the world’s best television programmes, series, movies, cartoons and more on their devices.
Speaking at the launch of the super-size offer on Monday at the company’s headquarters, Mike Adenuga Towers in Lagos, Globacom’s Regional Director, Planning and Technical, Sanjib Roy said the new offer gives both new and existing subscribers who renew their subscriptions before expiration up to 4GB of data for just N1,000. This 4GB data, for example, translates to about 4,000 pages of web browsing.
In the same vein, the 12.5GB is given for a N2,500 data bundle. This, for instance, could be used for 250 hours of content broadcast. Just as subscribers stand to gain 24GB for N4,000 and a massive 30GB for N5,000. The 30GB for N5,000 can enable the subscriber to enjoy videos for over 600 hours, for instance.
The Globacom top official added that for small plans, new subscribers and those who renew with N100 subscription will have a 90MB bundle; while for N200, they will get 250MB with which they can send 400 emails for example. For N500, the customer gets a whopping 2GB of data, which the subscribers can use to do 10 days of unlimited chatting if need be, Roy explained.
According to him, the new bundle offers are unprecedented and the biggest thing in Nigeria’s telecom history, adding that “never has the subscriber to any network in Nigeria had it so big and so good. All you need to do is get on the Glo data network and stay on by continuing to renew your subscription to enjoy the benefits that give you the unfair advantage over other data users”.
Explaining the Glo-Iflix partnership, which is available on the Glo Café platform, Roy said that beyond giving subscribers of the telecoms firm, 60 days of unlimited access to the world’s best television programmes, series, movies, cartoons and more on their devices, after the 60 days, the Glo subscribers will get access at a specially discounted price of N100 per month only. Subscribers need to send “Buzz” to 105 to access the Iflix service.
Iflix, he reiterated, offers subscribers the most extensive selection of iconic, critically-acclaimed TV series and fan-favourite films both internationally and locally available in the region, including hit titles such as Big Bang Theory, Suits, Flash, Arrow, Hercules, Mission Impossible, as well as highly anticipated Bollywood hits ABCD, Chennai Express, Phantom, and PK. On the local front, Iflix offers such Nollywood titles as Head Gone, Jenifa’s Diary, The visit, Bukas and Joints and much more.
In addition to the above, the company also offers subscribers who recharge with N500 and above free YouTube streaming from 1.00 am to 5.30 am. YouTube is a popular video-sharing site that allows users to upload, view, rate, share, add to favourites, report and comment on videos. All the subscriber needs to do is dial *777# to buy a data plan and activate the services.
What is EngineerMode? Hidden OnePlus backdoor could allow hackers to take over your phone
Security researchers have discovered a hidden backdoor inadvertently left on many OnePlus smartphones that could be exploited by hackers to gain full access to users' devices. Robert Baptiste, a security researcher going by the name Elliot Alderson - a nod to the character in the popular Mr Robot TV series - discovered a factory-installed app on OnePlus devices that could be used by hackers to obtain root access to the phone, its files and software using just a few lines of code.
The researcher said he discovered the EngineerMode app when examining the latest firmware for the OnePlus 5 handset and said it could be exploited to allow root-level control of devices running the firmware oneplus_5_oxygenos_4.5.14.
The app can diagnose GPS, check the root status and perform numerous automated tests and hardware scans among other functions. However, Baptiste found that by launching the "DiagEnabled" activity in the app with a specific password, the device could be rooted to give an attacker total control over it.
The EngineerMode tool, made by Qualcomm, comes pre-installed on most OnePlus devices including OnePlus 2, 3, 3T and the newly launched OnePlus 5.
Although the tool is password-protected, researchers at security firm NowSecure have already managed to crack the password.
"With the password, the EngineerMode app enables a debugging mode that is generally only needed for development of the device and grants full root privileges on the device via a simple ADB command or potentially by installing an APK from the Play Store," the NowSecure Mobile Threat Research Team wrote in a blog post.
Upon entering the password "angela" - likely another Mr Robot reference to the character Angela Moss - the developer gains permanent root access to the Android Debug Bridge process and, essentially, root privileges on the affected OnePlus device.
However, hackers would need to have physical access to the phone to carry out the exploit.
"At this time, the (app) is most useful to an attacker with physical access to a OnePlus device or an owner looking to root their own device," NowSecure said. "What seems especially careless is OnePlus leaving behind a system-signed .apk and a native library with a SHA256 hash of the password that was easily reversed."
To find out if your OnePlus device has EngineerMode installed, head over to the device's "Settings" > "Apps" > "Menu" > "Show System Apps." You can then search for EngineerMode in the app list to check if it is installed.
OnePlus later said EngineerMode is a "diagnostic tool used mainly for factory production line functionality testing and after sales support".
"We've seen several statements by community developers that are worried because this apk grants root privileges," the Chinese smartphone maker said in a statement. "While it can enable adb [Android Debug Bridge] root which provides privileges for adb commands, it will not let 3rd party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device."
"While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA."
The news comes just a month after OnePlus was discovered collecting its users' sensitive, personally identifiable information; it later scaled back its data collection programme. It also comes as its new OnePlus 5T is launched.
Hackers fool the iPhone X's Face ID using a cheesy-looking mask
There is no such thing as foolproof phone security.
Case in point: Security researchers at Bkav have reportedly defeated the iPhone X's Face ID feature using a simply constructed 3D mask.
The average person probably doesn't need to worry about the purported hack, but billionaires, celebrities, and high-profile public figures like presidents may want to rethink their use of Apple's nascent facial recognition technology.
Apple is trying to convince people Face ID is more secure than its Touch ID fingerprint sensor, which is still used in the iPhone 8 in addition to earlier models. But stories about weak spots (especially if you've got a twin or you're a kid) keep popping up.
While Apple acknowledges that Face ID isn't hack-proof, the company says it has built the face recognition technology to have a 1 in a million chance of somebody else unlocking your iPhone X, compared to the 1 in 50,000 chance with Touch ID.
Not only that, but Apple says it worked with Hollywood makeup artists and mask makers to ensure that elaborate masks couldn't be used to bypass a person's iPhone X.
Before Bkav, a security firm, released its results, others had tried to trick Face ID using detailed masks and failed. The Wall Street Journal's Joanna Stern had a mold of her face made by a professional prosthetic company and, sure enough, her iPhone X wouldn't unlock when a colleague donned her fake face. Wired's David Pierce also attempted a much more detailed recreation of his face using a variety of different materials, but also failed to trick Face ID.
Bkav's rudimentary mask, though, tripped up the feature. The mask, which you can see below, included a 3D-printed face with 2D-printed eyes and lips and a 3D nose constructed of silicone. Mashable has reached out to Apple for comment on the hack.
If this hack looks basic, that's because it is — at least on the surface. Bkav says the crude mask only cost about $150 to make.
Rich and famous more at risk
That may sound really scary, but this hack won't affect most people.
For starters, the lengths one must go to — it took about a week for Bkav to create a mask that successfully tricked the iPhone X — aren't worth it in most cases.
Then there's the matter of getting scans of your eyes and mouth. According to Wired, Bkav's researchers need to manually scan a person's face for five minutes before getting enough detail to reconstruct a false mask.
Additionally, the silicone nose needs to be made by hand. An initial version of the nose reportedly didn't work and needed to be modified to deceive the iPhone X's TrueDepth cameras and built-in AI.
Though the similar facial recognition unlocking technology on Samsung's Galaxy S8 and Note 8 phones is much easier to bypass (in some cases, it can be fooled by a picture), the alternative and more secure iris scanner built into these phones is much more difficult to hack, requiring very specific printers and contact lenses.
All things considered, Bkav's researchers say billionaires, celebrities and public figures, whose faces are photographed and widely published, could be easier targets for its hacks. With enough effort, a skilled craftsman could reconstruct a mask similar to the one Bkav made using lots of photographs.
"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue," the researchers said in a statement. "Security units' competitors, commercial rivals of corporations, and even nations might benefit from our PoC [proof of concept]."
Set up a strong passcode
Bkav still has some further explaining to do to convince other security experts that the hack is genuine, but given their track record — in 2008, they were the first ones to bypass face biometrics that shipped on top-brand laptops from the likes of Lenovo, Toshiba, Asus, and more — it appears sound.
Still, the researchers say Face ID is weaker than Apple claims:
You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.
I tried covering half my face (both sides), and then only my eyes, only my mouth, and then placed my hand spread open on my face, and I couldn't get Face ID to unlock on my own iPhone X. That's how it should work.
Face ID, like the face recognition technology on other phones, requires a person's eyes to be open in order to work. So if someone points your iPhone X at your face while you're sleeping it won't unlock.
However, while requiring your eyes to be open is one way to check against fakes, it's not a way to verify the face it's looking at is really alive. One way Apple could make Face ID just a smidgen more secure is to require a blink during the face detection process. Android introduced this blink check on Android 4.0 in 2011 after hackers cracked its face unlock feature.
Biometric security in our smartphones has improved significantly over the last few years. Though this Face ID hack looks terrifying, it's just as complex and time-consuming as recreating a mold of your fingerprint to fool Touch ID.
Unless you're holding the nuclear codes (in which case you probably wouldn't even be allowed to use this tech) or have something on your device that's totally worth stealing, the amount of work required for this hack isn't going to produce a valuable return for hackers.
In any case, should you elect to not use Face ID as your main method of security for your iPhone X, make sure you have a really strong 6-digit or alphanumeric passcode in place (never just use four digits). Hackers could always try to brute force their way into your phone using software, but barring that, they can't obtain a code that's stored in the only impenetrable place in the world: your mind.