Tuesday, 1 September 2015

Samsung Smart Fridge Leaves Gmail Logins Open to Attack


Samsung Smart Fridge – MiTM attacks on Connections

Security researchers have identified a possible way of stealing user’s Gmail identifications from Samsung smart fridge. At the recent DEF CON hacking conference, Pen Test Partners have discovered the MiTM – man-in-the-middle, weakness which enabled the exploit at the time of the IoT hacking challenge. The hack was against the RF28HMELBSR smart fridge, a part of Samsung’s line-up of Smart Home appliances that is controlled through their Smart Home app.

Though the fridge gears SSL, it tends to fail in validating SSL certificates thus enabling man-in-the middle attacks on most of the connections. Internet connected devices are designed to download Gmail Calendar information to on-screen display. Security shortcomings would mean that hackers who tend to be on the same network could possibly steal Google login information from their neighbours.

According to a security researcher at Pen Test Partners, Ken Munro, `the internet-connected device is designed to download Gmail Calendar information on its display and it seems to work the same way like any device running a Gmail calendar. User or owner of the calendar, logged in, can make updates and those changes are then seen on any devices which a user could view the calendar on

Fridge Fails to Validate Certificate

The fridge fails to validate the certificate while the SSL is in place and hence the hacker who tend to access the network where the fridge is on, probably through a de-authentication and fake Wi-Fi access point attack, can man-in-the-middle, the fridge calendar client and steal Google login information from the neighbours.

Since the fridge has not yet been in Europe, the UK based security consultancy fell short of time at DEF CON in trying to interrupt communications between the fridge terminal and the software update server. Efforts were made to mount a firmware-based attack through a customer updates was not successful but they had more safety when it pulled apart the mobile app and discovered the possible security problem in the process, though was not confirmed.

Name of a file that was found in a keystore of the mobile app’s code indicated that it comprises of the certificate which was used to encrypt traffic between the mobile app and the fridge.

Working on IoT Security/Hacking Research

The certificate had the correct password though the information to the certificate seemed to be stored in the mobile app in an obscured manner.

Then the next step would be to find out the password and use the certificate data in order to confirm to the fridge and send commands over the air to it. Pedro Venda of Pen Test Partners adds that `they wanted to pull the terminal unit out of the fridge in order to get physical access to things such as the USB port and serial or JTAG interfaces, but were unable to do so since they had run out of time. The MiTM is sufficient enough to expose a user’s Gmail information’.

 The team at Pen Test Partners are working on more IoT security and hacking research. It had published research that revealed Samsung’s smart TV’s failure to encrypt voice recordings sent through internet, in February. Samsung had informed that they were looking into the issue and stated that `at Samsung they understand that the success depends on consumer’s trust and the products and services provided. Protecting consumers’ privacy is the top priority and will work hard each day to safeguard valued Samsung users’.

Certifi-gate Vulnerability


Certifi-gate Vulnerability – Disclosed at Black Hat Conference

Mobile application manipulating the Certifi-gate vulnerability which was disclosed at Black Hat conference in Las Vegas earlier this month has been removed from the Google Play store. Although the number of Recordable Activator downloads, which is a screen recorder app for Android devices soars between 100,000 and a half million, researchers at Check Point Software Technologies discovering the vulnerability stated that it would be successfully manipulated on only three devices.

The company had mentioned in a blog post, that the data seems to come from Check Point’s home-based Certifi-gate scanner application. Data from scans utilising the scanning app portray that LG devices the most are at a risk, together with Samsung and HTC, and 16% of the devices responding to scans indicate that they host vulnerable plugins. Certifi-gate which was revealed at Black Hat, three weeks ago and when misused, enables an attacker to take complete control of the device by using malicious mobile app or SMS message. The weakness is due to the third party remote support tools which are either pre-installed on Android devices by the developers and/or carriers, or are available to be downloaded.

Mobile Remote Support Tools – mRST

Mobile remote support tools – mRST tend to be generally signed with OEM certificates proving them system level privileges for the purpose of handling remote support tasks. It was revealed by Check Point at Black Hat that there are authentication problems which could be bypassed by malicious app utilising one of these mRST tools.

The issue with Recordable Activator is that it tends to download vulnerable form of TeamViewer as well as abused insecure communication between the app and system-level plugins. App that are signed with OEM certificates are treated as trusted and evade native Android restriction avoiding app like Recordable Activator in obtaining excessive permissions.

It could then be utilised in exploiting the prevailing authentication vulnerability as well as connect with the plugin in order to record whatever is happening on the screen, according to Check Point. Ohad Bobrov, researcher of Check Point, had explained at Black Hat that a malicious app tends to impersonate the original mRST to obtain access to everything on the device.

Tools Pre-installed with No UI

Bobrov stated during a press conference at Black Hat that the reason of this problem was that on several devices, these tools are preinstalled and in many cases since these tools do not have a UI, one is not aware of its existence on the device since one does not see an icon and it is not visible on the device to show that it exists.

Thus it tends to get easier for an attacker to take control of it. Check Point states that to patch up this problem is not easy since the tools which are generally preinstalled, may need manufacturers to push updated ROMs to vulnerable devices. Though new versions of remote support tools like TeamViewer tend to be released, the older versions could still be likely to be in circulation for a while.

He further adds that it would take a long time till a new version comes up though but the more problematic issue is not the bug but its architecture. The vendors and OEMS have signed this vulnerable mRST with their certificate and one cannot withdraw or else the plugin will not function.

Monday, 31 August 2015

HTC Vive Launches This Year, but the Bulk will be Released in 2016


HTC has announced its plans to provide a limited release of its much-waited virtual reality headset named Vive this year. HTC will be launching its devices in limited quantity later this year followed by a large-scale massive launch in the first half of 2016. It has kept both the dates of launches under wrap for the time being but the virtual reality segment is already buzzing with this promising announcement. HTC Vive headset provides much freedom of movement to the users by allowing them to walk freely which helps in adding extra depth to the wholesome gaming experience. On the other hand, the available virtual reality sets just let the users move them within a restricted space.

How virtual reality headsets work? 

Virtual reality headsets are basically worn by the users on their eyes and headsets happens to provide one a kind full 3D virtual environment to the gamers to explore. In order to enhance the gaming experience an additional connected controller is provided. Virtual reality sphere is mainly used for gaming sector and virtual devices are gradually increasing their support for several popular titles.

Market analysts are predicting that the virtual reality can even make foray in the film industry with time and popularity. In the recent times, few filmmakers had utilized this technology to understand its potential in the entertainment industry.

HTC gives a major preference to Vibe 

HTC is a trusted name in the field of Smartphones but over the years, it has received serious competition from the Smartphone majors- Apple and Samsung. HTC had made its foray in the virtual reality sector in order to give a boot to its business operations. Earlier HTC had developed a remarkable Steam online gaming platform in collaboration with Valve. Now it is relying on its partner to launch the virtual reality device called Vive on full scale in first quarter of 2016.

HTC to get stiff competition in 2016 

HTC’s Vive will get some stiff competition from other upcoming virtual devices namely Facebook’s Occult Rift and Sony’s Project Morpheus, which are expected to be launched in 2016. Therefore it is quite unclear why HTC decided to go for only a limited in 2015 rather than going with wider launch in 2015 and getting a huge share of virtual reality market. HTC must be trying to get few people used to its Vive then build a demand for this remarkable when it opens up for wider scale launch in first half of 2016. With all these marvelous projections, expectations and launches 2016 certainly will be a decisive year for the virtual reality devices.

Future prospects of HTC Vive 

HTC understands the importance of 2016 when a large number of virtual reality devices will be rolling out to appease the customers and it is hoping to grab a bigger pie of the market by building a demand with limited launch this year. The head of marketing executive for HTC Jeff Gattis had predicted selling of virtual devices anywhere between 2-3 million next year.

Saturday, 29 August 2015

A Little Light Interaction Leaves Quantum Physicists Beaming

A remarkable research conducted by a group of physicists had brought insightful revelations where it is possible to make building block of the quantum computer with the use of pure light. This team of physicists comes from University of Toronto and they had successfully published their paper in the Nature Physics on ‘logic gateway’ an essential segment of computer circuitry.

What are logic gate? 

Logic gates segments are designed to execute operations on the input data in order to create outputs. In the earlier times during the phase of classical computers, the diodes or transistors formed the logic gates but with the advancement of quantum computer component it is now comprised of both the individual atoms as well as subatomic particles. Processing of information as per the laws of the quantum physics usually takes place when these particles interact with each other.

In the quantum computing the light particles are known as ‘photos’ and offers various advantages but it is extremely difficult to invoke interaction among them in a profitable manner. The research conducted by the physicist from University of Toronto is centered on finding successful ways of creating such interactions.

Researchers are upbeat with their experiment results

One of the paper’s authors Aephraim Steinberg had shed some amazing insight on the experiment results. Physicists at the University Of Toronto had studied the effect of photon on an optical beam but they had advanced their experiment in a wholesome fashion. In usual conditions, light beam passes through each other without causing change on effect on the other. In order to effectively develop technologies such as optical quantum computers it is necessary to make beams interact with one another. But no one had achieved feat with using just single photon.

How this experiment was conducted? 

The researchers had conducted this experiment of creating light beams interaction in a delicate process of two steps. A shot of single photon was forced at the rubidium atoms so that it iced to a millionth of a degree above absolute zero. Later on the photons become intertwined with the atoms and this resulted in rubidium interaction to another optical beam. The photon started changing the atom’s refractive index which brought a minute but calculable “phase shift” in the beam. This method used in the experiment can be actively brought into use in the optical quantum logic gate, which will facilitate input-output and information-processing.

Where this experiment can be applied? 

The best place to use this experiment in wholesome application is in the quantum logic gates. This advanced process will help in seeing the interactions in a new manner and in the study of optics a new filed will be revealed. Currently the researchers are working further to answer two important questions i.e. what happens when dealing with one particle of light at time and how differently the light beams will interact with other. Researchers are hopeful of finding these essential questions answers soon with continuous research and experimentations.

Gmail to Auto-Sync Events to Google Calendar

Google is all set to bring productivity and efficient management of precious time by collaborating its two prominent app in one of kind auto sync crossover. It had brought new feature auto sync the two major apps i.e. Gmail and Google Calendar in order to make personal life, business, travel and event management a breeze. In upcoming days when you receive the Gmail notification for any booking of flight, restaurant, hotel or other event information then its details will be automatically added to the Google Calendar. This crossover will laminate the need of typing or adding those details back in the Calendar as a reminder for later on.

Who will benefit from this crossover? 

People who engage in lot of travel related to work or happen to go on long drives, vacations or just wishes to get better management over these activities will benefit from this new feature. This new feature will get automatically enabled by default for all the people using theses Google Apps regardless of their mobile OS. With this feature Gmail will be able to auto-populate the Google Calendar in a timely fashion with information even related to the delay in the fights, check-in times, flight number and much more. This feature will work efficiently along all the mobile platforms such as Android, iOS and other along with the desktops.

Google has high hopes with this integration

Google is hopeful that this new feature of auto sync will help in providing better ways to the users for saving time and engaging with one another in a productive manner.

Another new feature has been integrated which brings an ability to reuse the old posts. This feature remains enabled by default on both the devices i.e. mobile Calendar and desktop but users can easily turn off or delete the events as per their need. In the educational field this feature can be used to form new announcements by simply tweaking the old posts rather than going through the trouble writing new post from the scratch.

Privacy will be maintained with this new feature

Google had given a huge emphasis upon the privacy and had ensured that the events and plans are broadcasted to the public in any case. The events added in the Calendar from the Gmail will only be made visible to the calendar owner. In the visibility section users can even adjust the visibility criteria along with deleting the unwanted items which might get added to the Calendar.

In order to activate this beneficial program Google Calendar will sent a one-time email notification which will give all the essential details regarding the settings as well the sharing details. Google will be releasing this new feature of auto syncing among the Gmail and Calendar apps by the end of September. This update is expected to bring a new level of productivity among the users and a lot of time will be saved which usually gets wasted in creating events based on the information received via Gmail regarding the work, personal events and tour and programs.