Researchers from the security firm Pen Test Partners published findings this week that an attacker would just need a person's username to track them. A new vulnerability and corresponding exploit of Bluetooth could allow an attacker to determine the encryption keys used during device pairing and let themselves in on the party.
But Matt Wixey, cybersecurity research lead at the technology consulting firm PWC UK, says that it’s surprisingly easy to write custom malware that can induce all sorts of embedded speakers to emit inaudible frequencies at high intensity, or blast out audible sounds at high volume.
At the Defcon hacker conference today, independent security researcher Pedro Cabrera showed off in a series of hacking proofs-of-concept attacks how modern TVs—and particularly Smart TVs that use the internet-connected HbbTV standard implemented in his native Spain, across Europe, and much of the rest of the world—remain vulnerable to hackers.
But at the DefCon security conference in Las Vegas on Saturday, researchers from the BlackBerry are presenting an attack that can intercept GSM calls as they're transmitted over the air and decrypt them to listen back to what was said.
Over the last two and a half years, Davis has found techniques to crack three different types of the Kaba Mas high-security electronic combination locks the company has sold for securing ATM safes, pharmacy drug cabinets, and even Department of Defense facilities, representing millions of locks around the world.
Only three years ago did it suddenly shift its attitude towards security researchers, offering bounties as high as $200,000 to researchers who revealed some types of vulnerabilities in the iPhone .But even then, Apple's bug bounty program remained invite-only, open to only a select group of Apple's preferred and trusted researchers.
Povolny says that with the Avaya desk phones, it took only basic hacking skills to gain access to the device's systems and firmware (the foundational code that coordinates a device's hardware and software) and analyze them for flaws.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.Nathan Hauke and David Renardy of the security firm Two Six Labs started looking for these "algorithmic complexity" issues in mainstream services, and quickly found them in PDF readers, remote desktop servers, and a popular password strength evaluation tool.
An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.Silvanovich, who worked on the research with fellow Project Zero member Samuel Groß, got interested in interaction-less bugs because of a recent, dramatic WhatsApp vulnerability that allowed nation-state spies to compromise a phone just by calling it—even if the recipient didn’t answer the call.
Two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pump lines. Both Medtronic and regulators acknowledge that there is no way to patch the flaws on the affected insulin pump models, or to completely disable the remote feature.
Zoom patched this DoS issue in a May update but for now is only adjusting its auto-join video settings, giving users a more prominent way of choosing whether their video feed automatically launches when they click a Zoom call link.
In March, following a research report from the threat intelligence firm Kaspersky, computer maker Asus disclosed a supply chain attack sometime in the second half of 2018 that had compromised the company's Live Update tool to push malware to almost 1 million customers.
And whether a local government is going to rebuild from an attack on its own or pay the ransom, money to respond comes from public funds or through a municipality's cybersecurity insurance.
On Thursday, researchers from the threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks.
Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33 , Magnallium, or Refined Kitten, and widely believed to be working in the service of the Iranian government.
Iran's Islamic Revolutionary Guard Corps said on Thursday that the Northrup Grumman-made Global Hawk—part of a multi-billion-dollar program that dates back to 2001—had entered Iranian airspace and crashed in Iranian waters; US Central Command confirmed the time and general location of the attack, but insists that the drone was flying in international airspace.
Scammers are taking advantage of default calendar settings to try to trick users into clicking malicious links. "For the calendar attack, the scammers use a prepared email list to send their fraudulent invitations," says Maria Vergelis, a security researcher at Kaspersky who has been following the method.
or E-ISAC, and the critical infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks.
In early February, an 18-year-old German security researcher named Linus Henze demonstrated a macOS attack that would allow a malicious application to grab passwords from Apple's protected keychain.
Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.In the US, both the DNC and the RNC have worked to fortify their technical infrastructure since 2016, and, based on SecurityScorecard's findings from 2016, it shows, Casey says.
Security News This Week: Oh Great, Google Tracks What You Buy Online With Gmail. Google says it doesn’t use the information to serve ads, and that the page exists “to help you easily view and keep track of your purchases, bookings and subscriptions in one place.” Honestly, it’s no surprise that Google’s machines can read your email.
There’s maybe no better sign of a vulnerability’s severity; the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe .
With the right timing, she could trick the victim's laptop, for instance, into pairing with her own Bluetooth dongle rather than the Titan key, thus gaining access to both a user's Google account and that computer.
Like Meltdown and Spectre, the new MDS attack takes advantage of security flaws in how Intel's chips perform speculative execution, a feature in which a processor guesses at what operations and data it will be asked to execute or access ahead of time to speed up the chip's performance.