Your Hard Drive May Be Listening

Researchers demonstrated that a hard drive can be used as a microphone, allowing attackers to listen in to conversations.

If you are already nervous about malicious computer attacks, then here’s some unwelcome news: there are many ways in which our technology is vulnerable to attacks based on physics, rather than on software. University of Michigan computer scientist Kevin Fu and his colleagues have found several unsettling ways that sound waves and other sources of interference could be used to commandeer household devices and personal electronics. At the American Association for the Advancement of Science (AAAS) conference in Washington, DC, two weeks ago, he reported his latest scary find: your computer hard drive could—without you knowing it—be used to record your voice.

Sensors are ubiquitous and essential—think of the thermometers in freezers for human eggs, accelerometers in airbags, and voltage monitors in pacemakers. The devices reading these sensors almost universally accept their data without question, but Fu and his colleagues have repeatedly shown that, using carefully crafted electromagnetic and acoustic interference, an attacker can take control of sensor outputs.

For example, the team has shown that appropriate electromagnetic waves can cause a thermocouple—a sensor that produces a voltage to represent the temperature—to be read as showing −1847 degrees Fahrenheit when it was actually at room temperature. They similarly caused the voltage sensor in a pacemaker to provide inaccurate signals.

The researchers produced additional mayhem with sound waves, demonstrating that accelerometers in Fitbits, smart phones, and other devices are vulnerable. In one experiment, they showed that certain high-frequency sound waves can cause a Fitbit to add steps without moving. In another test, they used a specific acoustic waveform to force the graph of the voltage output of an accelerometer to spell out the word “WALNUT.” This waveform worked even when the sound was surreptitiously embedded in a sound track, so an attacker could, in principle, control your phone’s accelerometer by tricking you into watching an online video.

The team’s latest trick is to turn a hard drive into a microphone. They tapped into the feedback system that helps control the position of the read head above the magnetic disk. When the head is buffeted by sound waves, the vibrations are reflected in the voltage signal produced by the drive’s position sensors. By reading this signal, Fu and his colleagues were able to make high-quality recordings of people speaking near the drive.

In another test, they showed that music played nearby could be recorded with high enough fidelity that the music recognition app Shazam could successfully identify the song. Malicious software could use this technique to record audio and then secretly upload it to a remote site, thus bugging a room without ever planting a microphone.

The team proposes defenses against every attack they develop, but Fu is still concerned. He worries most about the security of sensor-dependent systems that make independent decisions, such as temperature controllers in embryo labs, self-driving cars, and even spacecraft. “We just blindly trust these sensors,” he says. The industry needs to take these threats more seriously, and “computer scientists need to spend more time in physics labs.”

https://physics.aps.org/articles/v12/24

#Researchers #HardDrive #listening #conversations #attackers
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Congratulations, YouTube... Now Show Your Work

Earlier this week, #YouTube finally acknowledged their #recommendation #engine suggests harmful content. It’s a small step in the right direction, but YouTube still has a long history of dismissing independent #researchers. We created a #timeline to prove it.

Over the past year and some, it’s been like clockwork.

First: a news story emerges about YouTube’s recommendation engine harming users. Take your pick: The #algorithm has radicalized young adults in the U.S., sowed division in #Brazil, spread state-sponsored #propaganda in #HongKong, and more.

Then: YouTube responds. But not by admitting fault or detailing a solution. Instead, the company issues a statement diffusing blame, criticising the research methodologies used to investigate their recommendations, and vaguely promising that they’re working on it.

In a blog post earlier this week, YouTube acknowledged that their recommendation engine has been suggesting borderline content to users and posted a timeline showing that they’ve dedicated significant resources towards fixing this problem for several years. What they fail to acknowledge is how they have been evading and dismissing journalists and academics who have been highlighting this problem for years. Further, there is still a glaring absence of publicly verifiable data that supports YouTube’s claims that they are fixing the problem.

That’s why today, #Mozilla is publishing an #inventory of YouTube’s responses to external #research into their recommendation engine. Our timeline chronicles 14 responses — all evasive or dismissive — issued over the span of 22 months. You can find them below, in reverse chronological order.

💡 We noticed a few trends across these statements:

‼️ YouTube often claims it’s addressing the issue by tweaking its algorithm, but provides almost no detail into what, exactly, those tweaks are

‼️ YouTube claims to have data that disproves independent research — but, refuses to share that data

‼️ YouTube dismisses independent research into this topic as misguided or anecdotal, but refuses to allow third-party access to its data in order to confirm this

👉🏼 Read more:
https://foundation.mozilla.org/en/blog/congratulations-youtube-now-show-your-work/

📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Dozens of Telegram accounts hacked in Russia

If you log on to #Telegram, you usually get a secret code sent to your mobile phone. Only with this secret code can you access your Telegram #account. According to the #security #researchers of Group-IB, however, #hackers managed to gain access to these #secret #codes and successfully retrieve Telegram chats from a handful of Russian users.

Dmitry Rodin runs a successful code school in Russia. In a conversation with #Forbes magazine, he has now confirmed the incidents. His Telegram account was also successfully #hacked. He told the media that he had received a Telegram warning that someone had tried to access his account. Dmitry Rodin ignored the first notification, but there was another warning. Someone from Samara, Russia, had successfully logged into his account. He immediately ended all active sessions except his own.

#GroupIB and Dmitry Rodin are both pretty sure that no #vulnerability in the Telegram Messenger was #exploited to gain access to the affected Telegram accounts.

"Maybe someone logged into my account by intercepting the SMS. This would indicate that there is a problem on the operator's side. This would mean that other accounts that use SMS as an authentication factor are also threatened." (Dmitry Rodin)

Group-IB has been informed about at least 13 such cases so far. The security researchers of Group-IB assume, however, that it will not stay that way. Moreover, they speak of a completely new type of threat for anyone who uses SMS codes to log in.

"This number is likely to increase, however, as it is a new type of threat that is just beginning to spread" (Group-IB)

Most worryingly, both Group-IB and Dmitry Rodin suspect that passwords (OTP) were compromised at one point. If this hypothesis is true, it is a very large security #threat, as this technology is used in many logins and financial transactions around the world.

👉🏼 Read more:
https://www.forbes.com/sites/thomasbrewster/2019/12/12/mystery-russian-telegram-hacks-intercept-secret-codes-to-spy-on-messages

👉🏼 Read as well:
https://tarnkappe.info/group-ib-dutzende-telegram-accounts-in-russland-gehackt/

📺 Ability Inc. Advert 1:
https://youtu.be/CfnVvptL-8E

📺 Ability Inc. Advert 2:
https://youtu.be/FwdnY-EIMRc

📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv