Sunday 19 November 2017

Amazon Key hacked: Tech-savvy couriers could exploit cameras and sneak into homes

"Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.

The Amazon Key was always going to be a tough sell - is there a security risk?

Amazon has pledged to release a security patch after a team of cybersecurity researchers showed its delivery service, which lets couriers inside homes, could be hacked.

Security-wise, the proposition of dropping off packages inside houses was always going to be a tough sell. And according to US firm Rhino Security Labs, issues in the camera software linked to the "Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.

The new approach to drop-offs, announced on 25 October, is built upon a mobile application and a camera known as the Cloud Cam, which lets users watch the delivery as it's happening in real-time.

Upon arrival, couriers scan a barcode to confirm their identity and the details of the order, after which the camera automatically starts recording.

The smart lock opens the door and, while under the watchful eye of the home-owner, the application will later ping when the entrance is closed again.

Updates and notifications are provided at every step.

But according to Rhino Security Labs, a Wi-Fi cyberattack could disable the camera – essentially freezing the image in the application so that the front door appears to be shut and locked. It does this with a technique known as "deauthorisation".

"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of Rhino Security Labs, told Wired.

"Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."

The company has also uploaded the proof-of-concept demo of the hack in action to YouTube.

In response, Amazon has confirmed a fix is on the way "later this week" that will give users a notification if the camera is tampered with or offline for an extended period of time. It stressed that all of its drivers go through "comprehensive" background checks.

"Safety and security are built into every aspect of the service," a spokesperson said, adding: "The service will not unlock the door if the Wi-Fi is disabled and the camera is not online."
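The two checks Amazon describes (deny the unlock when the camera is not online, and alert when the camera has been silent for an extended period) can be expressed as simple monitoring logic over the camera's heartbeat stream. The code below is an added illustration, not Amazon's implementation; the event timeline, the event names and the thresholds are constructed for the example.

```python
from dataclasses import dataclass

OFFLINE_ALERT_SECONDS = 30.0  # assumed alert threshold; the article gives no figure
MAX_SILENCE_FOR_UNLOCK = 5.0  # assumed: a heartbeat must be this recent to unlock


@dataclass
class Event:
    t: float      # seconds since the delivery window opened
    kind: str     # "heartbeat", "unlock_request" or "door_closed"


# Constructed timeline: heartbeats every 3 s, an unlock at t=10, then the camera
# goes silent (the condition a Wi-Fi deauth produces), a second unlock attempt at
# t=20 while it is silent, and heartbeats resuming at t=60.
SAMPLE_EVENTS = [
    Event(0.0, "heartbeat"), Event(3.0, "heartbeat"), Event(6.0, "heartbeat"),
    Event(9.0, "heartbeat"), Event(10.0, "unlock_request"), Event(12.0, "heartbeat"),
    Event(20.0, "unlock_request"), Event(60.0, "heartbeat"), Event(63.0, "heartbeat"),
]


def heartbeat_gaps(events, max_gap=OFFLINE_ALERT_SECONDS):
    """Return (start, end) pairs where no heartbeat arrived for longer than max_gap.

    A frozen app image with no underlying heartbeats is exactly the condition
    the promised "camera tampered with or offline" notification has to catch."""
    beats = sorted(e.t for e in events if e.kind == "heartbeat")
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > max_gap]


def unlock_decisions(events, max_silence=MAX_SILENCE_FOR_UNLOCK):
    """Decide each unlock request: allow only if the camera reported in recently."""
    last_beat = None
    decisions = []
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "heartbeat":
            last_beat = e.t
        elif e.kind == "unlock_request":
            online = last_beat is not None and e.t - last_beat <= max_silence
            decisions.append((e.t, "allow" if online else "deny: camera not online"))
    return decisions


if __name__ == "__main__":
    print("offline gaps:", heartbeat_gaps(SAMPLE_EVENTS))
    print("unlock decisions:", unlock_decisions(SAMPLE_EVENTS))
```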


Hackers Beat iPhone X’s Face ID Security In Just One Week

Hackers claim to have beaten Apple’s facial recognition security technology just one week after the iPhone X went on sale.

Apple has previously claimed its Face ID system on the new iPhone X cannot be fooled by photos, impersonators or masks, but cyber security firm Bkav said a 3D-printed mask that costs $150 (£115) to make has already fooled the new software.

Face ID is used to unlock the new iPhone X, as well as allowing users to authorise payments and log in to apps. Apple has been using a fingerprint sensor embedded in the home button for several years, but completely removed the home button on the newest iPhone model.

The researchers said their findings proved that Face ID is ‘not an effective security measure’, although making the mask did require a detailed facial scan, and would be difficult for normal users to replicate.

When the iPhone X was unveiled in September, Apple claimed there was a ‘one in a million chance of another person being able to unlock the phone’ and said they’d ‘stress-tested the technology using silicone masks made by Hollywood studios’, writes the Telegraph.

Bkav constructed the mask using a combination of 3D printing, a silicone nose and printed images of the eyes.

In a video released by the company you can apparently see Face ID being fooled when a cloth covering the mask is taken away.

The Telegraph states that because the video ‘does not show Face ID being set up’, it cannot be confirmed that Bkav’s technique actually works.

When asked who’d be targeted by the hack, they said:

Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID’s issue. Security units’ competitors, commercial rivals of corporations, and even nations might benefit from our PoC.

Face ID caused some embarrassment for Apple back when it was being unveiled ahead of its release.

Things obviously didn’t go according to plan when Craig Federighi, Apple senior vice president, attempted to demo the feature in front of the audience in the room and no doubt the millions of people watching at home.

Federighi was extolling the virtues of Face ID, telling the audience how easy it would be to operate and how secure the phone would be as a result.

And then he was left completely embarrassed when he tried to lift the phone to his face, only to be told to enter the code for the phone because it had failed. A classic.

Before the fiasco, Federighi said:

With iPhone X, your iPhone is locked until you look at it, and it recognises you. Nothing has ever been more simple, natural and effortless.

We call this Face ID. Face ID is the future of how we unlock our smartphones and protect our sensitive information.

Apple said their Face ID technology is unsuitable for children under the age of 13 or for twins, suggesting these users set up a passcode instead.

The company did not respond to a request by The Telegraph for comment on Bkav’s findings.

What is IcedID? Hackers using new banking Trojan to spy and steal from targets in US and UK

Security experts suspect that a small but experienced cybercrime gang may be running IcedID malware.

In addition to being equipped with data-stealing abilities, IcedID can also monitor victims’ online activities

A new banking Trojan dubbed IcedID has recently been spotted operating in the wild. Although IcedID is fairly new to the cybercrime arena, security experts suggest that the malware's capabilities are on par with Dridex, Zeus and Gozi – all of which are widespread banking malware families that have previously caused extensive damage.

The hackers operating the malware are going after banks, payment card providers, mobile service providers and others in the US. The malware has also been found targeting two UK banks. In addition to being equipped with data-stealing abilities, IcedID can also monitor victims' online activities.

According to security researchers at IBM X-Force, who uncovered the banking malware, either an experienced hacker or a small cybercrime gang is likely operating IcedID.

"X-Force's analysis of IcedID's delivery method suggests that its operators are not new to the cybercrime arena, opting to infect users via the Emotet Trojan," IBM researchers said in a blog. Although the malware does not borrow code from other malware strains, researchers say that it still comes packed with features that "allow it to perform advanced browser manipulation tactics" employed by other sophisticated banking Trojans.

The X-Force researchers say that the hackers operating IcedID are using Emotet – a well-known malware distribution tool. "It was originally a banking Trojan that preceded Dridex. As such, it is designed to amass and maintain botnets. Emotet persists on the machine and then fetches additional components such as a spamming module, a network worm module, and password and data stealers for Microsoft Outlook email and browser activity," X-Force researchers explained.

The malware can also steal data via both redirection and web injection attacks, similar to TrickBot and Dridex. The malware can spread over networks and infect terminal servers. Researchers believe that the malware may soon begin targeting businesses.

Given that IcedID is still the new kid on the cybercrime block, it is uncertain how successful the malware will be. However, X-Force researchers believe that its operators may soon update it to make it even more potent.

How to Stop Spam Emails from Reaching Your Inbox

People all over the world have been dealing with spam emails finding their way into their mailboxes.

If you are very active online and enter your personal details on various websites whenever they are requested, your email may become inundated with unsolicited messages that end up in your spam folder.

Spam—phishing, marketing, and scam emails—is annoying, that we can all agree on.

Many people have asked how to stop these emails from reaching the inbox on an iMac, MacBook Pro, iPhone or iPad, and www.macworld.com has explained how it can be done.

The basis of Internet email is that every part of the system more or less trusts every other part. That’s one problem, because since servers and messages are mostly trusted, scammers, spammers, and aggressive legitimate marketers can’t simply be blocked before the message lands at your email host, the site at which email is accepted for your address.

Another is that return addresses can be forged—at least some of the time—because there’s no verification system that ensures an email you receive was sent from the address shown to have sent it. There are ways for owners of domains and operators of mail servers to specify and validate the only legitimate servers that a return address comes from, but they’re neither universally deployed nor perfect.

And even if there were a way to prevent malicious and criminal parties from sending email from accounts under their control, an unknown but very large number of computers and email accounts have been hijacked, or can be at a moment’s notice, sending scams through addresses that until that point have only carried legitimate email.

However, you can take steps that will help mitigate it, if you aren’t already. These are some of the steps:

Stop unwanted emails at your email host

Enable any spam-filtering options available. Apple automatically performs some blocking and filtering for iCloud. Some hosts, like Fastmail, plug in a well-known system called SpamAssassin, which uses a large set of rules to guess whether email is legitimate or not, or unwanted or not. You can train SpamAssassin, as you can train Gmail and other services by marking email as spam and, conversely, checking the junk or spam folder to mark messages as “ham”—desirable email.

Install SpamSieve for macOS to stop spam

SpamSieve is a very long-running, still regularly updated app that maintains its own database of spam and ham, and which plugs into Mail, Outlook, and other macOS email software. It relies on Bayesian analysis of spam and ham, letting it use word frequency to provide a probability of whether a given message is legit or should quit.
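To make the "Bayesian analysis of spam and ham" concrete, here is an added toy classifier in the same spirit (not SpamSieve's code or database): marking a message as spam or ham is a training call that updates per-word counts, and scoring a new message sums log-likelihood ratios of its words. The tiny corpus is constructed for the example; real filters train on thousands of messages and add many non-word features.

```python
import math
import re
from collections import Counter

# Constructed training corpus: a handful of ham and spam messages.
HAM = [
    "meeting moved to thursday, bring the quarterly report",
    "can you review the pull request before the release",
    "lunch tomorrow? the usual place at noon",
    "reminder: dentist appointment on friday morning",
]
SPAM = [
    "congratulations you won a free prize claim your reward now",
    "limited offer cheap pills free shipping click now",
    "your account is suspended verify your password at this link",
    "win a free cruise claim now limited offer",
]

WORD = re.compile(r"[a-z]+")


def tokens(text):
    return set(WORD.findall(text.lower()))  # word presence per message, not count


class BayesFilter:
    """Naive Bayes over word presence with add-one (Laplace) smoothing."""

    def __init__(self):
        self.ham_docs, self.spam_docs = Counter(), Counter()   # docs containing word
        self.n_ham = self.n_spam = 0

    def train(self, text, is_spam):
        """What 'mark as spam' / 'mark as ham' in the mail client amounts to."""
        (self.spam_docs if is_spam else self.ham_docs).update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text):
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))  # class prior
        for w in tokens(text):
            p_spam = (self.spam_docs[w] + 1) / (self.n_spam + 2)  # P(word | spam)
            p_ham = (self.ham_docs[w] + 1) / (self.n_ham + 2)     # P(word | ham)
            log_odds += math.log(p_spam / p_ham)  # sums in log space: no underflow
        return 1.0 / (1.0 + math.exp(-log_odds))


def trained_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, is_spam=False)
    for m in SPAM:
        f.train(m, is_spam=True)
    return f
```

Words the filter has never seen contribute nothing to the score, which is why a spammer who fills a message with novel words gets no benefit, while reused words like "free" and "now" are what push the probability up.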

Set up rules to stop spam

Both on a mail host and in email software, like Apple’s Mail for macOS, you can set rules that filter incoming messages and mark them automatically as junk or throw them into the trash. I have a persistent spammer who, for some reason, isn’t automatically marked as spam and hasn’t been shut down despite operating openly from the same address and domain. Tired of marking by hand, I created a filter that marks the messages as junk.

Never click a URL in an email

Phishing relies on fooling you about messages, so even if you take all protections above, you’ll still wind up with messages that look real. I’ve taken to rarely clicking on a link, but instead visiting a site if I need to know something, unless I can absolutely be confident the URL looks exactly like what I expect.

Mail software could do a lot more. For example, it could blacklist and whitelist URLs, so that messages containing certain paths or pointing to a given domain would require extra steps to get through, while links to legitimate domains would be highlighted to show they have been verified as secure and marked by you as acceptable.

Decades into the spam battle, the weapons of defence still seem pretty paltry.

Apple support has also identified ways by which you can report junk mail to reduce the amount you receive.

Report junk mail

You can report junk mail to the mail administrators of both iCloud and the Internet domain from which the email was sent. If the administrators can verify that the message is junk mail, they can help make sure that future messages from that sender aren’t delivered to your mailbox. Follow the instructions for your email client:

Mail on your Mac

  • Open the message and choose Forward as Attachment from the Message menu.
  • Forward the message to iCloud spam@icloud.com.
  • Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.

Microsoft Outlook 2010

  • Choose File > Options.
  • In the Options window, click Mail in the left-hand panel.
  • In the Replies and Forwards section, note the current setting so that you can change it back later. Then change the When forwarding a message setting to Attach original message.
  • Click OK.
  • Forward the message to iCloud spam@icloud.com.
  • Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.
  • To return Outlook to your previous settings, repeat steps 1 to 4, but in step 3 change the When forwarding a message setting back to the way it was. If you don’t remember the setting, choose Include original message text.
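The reason both sets of instructions insist on "forward as attachment" is that it preserves the original headers (the received chain, the message ID) that an abuse desk needs; a normal inline forward discards them. The script below, added here as an illustration and not Apple's or Microsoft's code, builds exactly that kind of report message: it derives abuse@domain from the sender address and wraps the original as a message/rfc822 attachment addressed to spam@icloud.com and the abuse desk. The junk message and the reporter address are constructed; nothing is sent.

```python
from email import message_from_string, policy
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

ICLOUD_REPORT_ADDRESS = "spam@icloud.com"

# Constructed junk message; sender, recipient and Message-ID are invented.
RAW_JUNK = """\
From: Spammy Deals <spammer@spammydomain.com>
To: victim@icloud.com
Subject: You won!
Date: Sun, 19 Nov 2017 09:00:00 +0000
Message-ID: <abc123@spammydomain.com>

Claim your free prize now.
"""


def abuse_address(raw_message):
    """abuse@<domain> taken from the From header, as the instructions describe.

    The From header can be forged, so a wrong domain may receive the report;
    the attached original still carries the Received headers they need."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    if "@" not in addr:
        raise ValueError("no usable sender address in From header")
    return "abuse@" + addr.rsplit("@", 1)[1].lower()


def build_report(raw_message, reporter):
    """Return the 'forward as attachment' report message (not sent here)."""
    original = message_from_string(raw_message)
    report = MIMEMultipart()
    report["From"] = reporter
    report["To"] = ", ".join([ICLOUD_REPORT_ADDRESS, abuse_address(raw_message)])
    report["Subject"] = "Fwd: " + (original["Subject"] or "(no subject)")
    report.attach(MIMEText("Reporting the attached message as junk mail.\n"))
    report.attach(MIMEMessage(original))  # message/rfc822: original headers intact
    return report


if __name__ == "__main__":
    print(build_report(RAW_JUNK, "victim@icloud.com").as_string())
```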