Hacked from a lightbulb!

Vulnerabilities in the Internet of Things (IoT) would enable a hacker to deliver ransomware or other malware to business and home networks by taking over smart lightbulbs and their controller.

The potential threat has been revealed by Check Point Research, the Threat Intelligence arm of Check Point Software Technologies, a global provider of cyber security solutions.

Check Point’s researchers showed how a threat actor could exploit an IoT network, using smart lightbulbs and their control bridge, to launch attacks on conventional computer networks in homes, businesses or even smart cities. Researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.

In an analysis of the security of ZigBee-controlled smart lightbulbs that was published in 2017, researchers were able to take control of a Hue lightbulb on a network, install malicious firmware on it and propagate to other adjacent lightbulb networks. Using this remaining vulnerability, our researchers decided to take this prior work one step further and used the Hue lightbulb as a platform to take over the bulbs’ control bridge and, ultimately, attack the target’s computer network. It should be noted that more recent hardware generations of Hue lightbulbs do not have the exploited vulnerability.

The attack scenario is as follows:

  1. The hacker controls the bulb’s colour or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.
  4. The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
  5. The malware connects back to the hacker and, using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, Head of Cyber Research, Check Point Research. “It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

The research, which was done with the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify confirmed the existence of the vulnerability in their product, and issued a patched firmware version (Firmware 1935144040), which is now available via an automatic update. We recommend that users make sure that their product has received the automatic update of this firmware version.

“We are committed to protecting our users’ privacy and do everything to make our products safe,” says George Yianni, Head of Technology Philips Hue. “We are thankful for responsible disclosure and collaboration from Check Point, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”

The full technical research details will be published at a later date in order to give users time to successfully patch their vulnerable devices.

Check Point is the first vendor to provide a consolidated security solution that hardens and protects the firmware of IoT devices. Utilising a recently acquired technology, Check Point allows an organisation to mitigate device level attacks before devices are compromised utilising on-device run time protection.

Alexa can now read all messages

For the first time, an Alexa skill is available that makes it possible to listen to any kind of message while driving

For the first time, Alexa users can now hear all their messages and email read aloud.

Amazon’s Alexa has become a household name. The world’s most popular virtual assistant is getting smarter every day and now, with Amazon Echo Auto, it’s in cars too. 

“In today’s highly connected world, messaging in the form of emails, texts, Facebook Messenger, WhatsApp and work channels like Slack, are integral to our daily routine,” says Barrie Arnold, chief revenue officer at ping. “However, distracted driving is responsible for more than 25% of car crashes and thousands of preventable fatalities every year.” 

ping, a specialist in voice technology founded by Arnold and South African Garin Toren, has developed a new Alexa skill as a companion to its patented smartphone app, that enables any message type to be read aloud. Designed for safety, productivity and convenience, “pingloud” is the first skill of its kind for keeping users connected when they need a hand or an extra pair of eyes.

“The ping Alexa skill is specifically designed to help drivers stay off their phones while giving them exactly what they want – access to their messages,” says Toren, ping CEO.

Opening up Alexa to developers has resulted in an explosion of new skills available either for free or for a fee that unlocks premium services or features. These tools magnify the usefulness of Alexa devices beyond common tasks like asking for the weather, playing music or requesting help on a homework assignment. According to App Annie, the most downloaded apps in 2019 were Facebook Messenger, Facebook’s main app and WhatsApp, highlighting the importance of messaging. 

“The ping Android app is available worldwide from the Google Pay Store, reading all messages out loud in 30 languages,” says Toren. “The iOS version is in global beta testing with the US launch coming very soon.” 

Once you’ve signed up for ping, it takes a few seconds to link with Alexa, enabling all messages and emails to be read aloud by a smart speaker or Echo Auto device. Simply say, “Hey Alexa, open pingloud.” ping links an account to a voice profile so unauthorised users with access to the same Alexa cannot ask for the authorised user’s messages.

All major message types are supported, including Texts/SMS, WhatsApp, Facebook Messenger, WeChat, Snapchat, Slack, Telegram, Twitter DMs, Instagram, and all email types. Promotional and social emails are not read by default.

*For more information, visit www.pingloud.com

Coronavirus to hit 5G

Global 5G smartphone shipments are expected to reach 199 million units in 2020, after disruption caused by the coronavirus scare put a cap on sales forecasts, according to the latest research from Strategy Analytics.

Ken Hyers, Director at Strategy Analytics, said, “Global 5G smartphone shipments will grow more than tenfold from 19 million units in 2019 to 199 million in 2020. The 5G segment will be the fastest-growing part of the worldwide smartphone industry this year. Consumers want faster 5G smartphones to surf richer content, such as video or games. We forecast 5G penetration to rise from 1 percent of all smartphones shipped globally in 2019 to 15 percent of total in 2020.”

Ville-Petteri Ukonaho, Associate Director at Strategy Analytics, added, “China, United States, South Korea, Japan and Germany are by far the largest 5G smartphone markets this year. The big-five countries together will make up 9 in 10 of all 5G smartphones sold worldwide in 2020. However, other important regions, like India and Indonesia, are lagging way behind and will not be offering mass-market 5G for at least another year or two.”

Neil Mawston, Executive Director at Strategy Analytics, added, “The global 5G smartphone industry is growing quickly, but the ongoing coronavirus scare and subsequent economic slowdown will put a cap on overall 5G demand this year. The COVID-19 outbreak is currently restricting smartphone production in Asia, disrupting supply chains, and deterring consumers from visiting retail stores to buy new 5G devices in some parts of China. The first half of 2020 will be much weaker than expected for the 5G industry, but we expect a strong bounce-back in the second half of the year if the coronavirus spread is brought under control.”

Exhibit 1: Global 5G Smartphone Shipments Forecast in 2020

| Global Smartphone Shipments (Millions of Units) | 2019 | 2020 |
|---|---|---|
| 5G | 19 | 199 |
| Rest of Market | 1394 | 1165 |
| Total | 1413 | 1364 |

| Global Smartphone Shipments (% of Total) | 2019 | 2020 |
|---|---|---|
| 5G | 1% | 15% |
| Rest of Market | 99% | 85% |
| Total | 100% | 100% |

Source: Strategy Analytics

The full report, Global Handset Sales for 88 Countries & 19 Technologies, is published by the Strategy Analytics Emerging Device Technologies (EDT) service, details of which can be found here: https://tinyurl.com/wep83gc.

Copyright © 2020 World Wide Worx