Amazon’s Ring Sees a Slew of Horrifying Hacks

The videos are blood-curdling. We are now seeing negative stories break about Ring video hackings. They are of predatory, pranking or threatening (mostly) men speaking to women through Ring’s speaker feature.

This is a horrible PR incident for Ring, though their response seems like a perfectly logical explanation of how this might have happened (username/password pairs reused from other sites, i.e. credential stuffing): “we’re still investigating this issue & taking appropriate steps to protect our devices based on our investigation, we’re able to confirm this is in no way related to a breach of Ring’s security.” If the problem is user error but the consequences can cripple your business, how do you ensure that it doesn’t happen again? Forced 2FA?
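Reused credentials leave a recognizable trace on the server side, which is the check a practitioner would want before deciding whether forced 2FA is the answer. The script below is an added example, not code from the original post and not Ring’s; the log format, the sample log lines and the thresholds are all assumptions constructed for the illustration. It flags a source address that tries many different usernames with a high failure rate inside one time window (the shape of a replayed username/password list, as opposed to one person mistyping their own password) and reports any login that succeeded from such a source as a likely compromised account, which is exactly the case a second factor would have stopped.

```python
"""Credential-stuffing heuristic over authentication logs.

Added example (not from the original post and not Ring's code). It flags a
source address that tries many *different* usernames with a high failure rate
inside one time window, which is what replaying a leaked username/password
list looks like, as opposed to one person mistyping their own password. Any
login that succeeds from such a source is reported as a likely compromised
account.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class WindowStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


# Constructed sample log, not a real Ring log. Format (an assumption):
# "<epoch_seconds> <src_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
1575936000 203.0.113.7 alice FAIL
1575936002 203.0.113.7 bob FAIL
1575936003 203.0.113.7 carol FAIL
1575936005 203.0.113.7 dave SUCCESS
1575936006 203.0.113.7 erin FAIL
1575936008 203.0.113.7 frank FAIL
1575936010 203.0.113.7 grace FAIL
1575936012 203.0.113.7 heidi FAIL
1575936100 198.51.100.4 alice FAIL
1575936105 198.51.100.4 alice FAIL
1575936110 198.51.100.4 alice SUCCESS
1575936200 192.0.2.9 bob SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result


def detect_stuffing(log_text, window=300, min_users=5, min_fail_ratio=0.6):
    """Return {source_ip: {...}} for sources that look like credential stuffing.

    Thresholds are assumptions chosen for the example: at least `min_users`
    distinct usernames from one source within a `window`-second bucket, with
    at least `min_fail_ratio` of those attempts failing.
    """
    buckets = defaultdict(WindowStats)  # keyed by (src_ip, window index)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        stats = buckets[(ip, ts // window)]
        stats.attempts += 1
        stats.users.add(user)
        if result == "FAIL":
            stats.failures += 1
        elif result == "SUCCESS":
            stats.successes.add(user)

    alerts = {}
    for (ip, _), stats in buckets.items():
        fail_ratio = stats.failures / stats.attempts
        if len(stats.users) < min_users or fail_ratio < min_fail_ratio:
            continue  # one user retrying, or a normal login: not stuffing
        alert = alerts.setdefault(
            ip, {"distinct_users": 0, "fail_ratio": 0.0, "likely_compromised": set()}
        )
        # A source may trip in several windows; keep the worst window's numbers
        alert["distinct_users"] = max(alert["distinct_users"], len(stats.users))
        alert["fail_ratio"] = max(alert["fail_ratio"], fail_ratio)
        alert["likely_compromised"] |= stats.successes
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log, 203.0.113.7 is flagged (eight usernames, seven failures in twelve seconds) and the one success from it, “dave”, is the account to force a password reset and second factor on; 198.51.100.4 is one user retrying their own password and is left alone. Because a real stuffing campaign is usually spread across many source addresses, the same counting keyed by username or by device fingerprint instead of IP is the natural next step.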

Why it’s hot:

This is especially important for our security category clients. This can be an opportunity, but it’s also a risk for current clients. It can also feed a generalized fear of technology and of this kind of home-security product. It hurts the category generally. If people can’t trust that they’re not being watched, digital security is rendered moot.

Amazon crowdsourcing answers to questions posed to Alexa

Crowdsourcing strikes again. Incentivized by the lure of social capital, users can submit answers to questions posed to Alexa to receive points and status within the network of answerers. The public, using the up-and-down vote system, will presumably let the best answer float to the top.

Though, “In some cases, human editors as well as algorithms will be involved in quality-control measures,” says Fast Company.

From Fast Company: “Starting today, Amazon is publicly launching a program called Alexa Answers, which lets anyone field questions asked by users for which Alexa doesn’t already have a response—ones such as:

  • What states surround Illinois?
  • What’s the proper amount of sleep?
  • How many instruments does Stevie Wonder play?
  • How much is in a handle of alcohol?

From then on, when people ask a question, Alexa will speak an answer generated through Alexa Answers, noting that the information is ‘according to an Amazon customer.'”

Why it’s hot:

Will value-based questions be answerable? If so, owning the answer to ‘what’s the best burger in Brooklyn?’ would be very lucrative.

Can brands leverage this tech to their advantage? Either by somehow “hacking” this system in playful way, or by replicating such an answer system with their own user base, to plug into an Alexa skill?

On a broader level:

How much do we trust the crowd? Recent history has left many questioning the validity of “the wisdom of the people”.

Civil society runs on a foundation of shared understandings about the world. If we trust answers about our reality to come from the crowd, how will bad actors use such a system to undermine our shared understanding or subtly sway public knowledge to support their agenda? Alexa, does life start at conception?

Undetectable Commands for Apple’s Siri and Amazon’s Alexa Raise Serious Security Risks

Researchers in the U.S. and China have discovered ways to send hidden commands to digital assistants—including Apple’s Siri, Amazon’s Alexa, and Google’s Assistant—that could have massive security implications.

Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online, simply with music playing over the radio.

This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.

“My assumption is that the malicious people already employ people to do what I do,” said Nicholas Carlini, a fifth-year Ph.D. student in computer security at U.C. Berkeley and one of the paper’s authors.

Last year, researchers at Princeton University and China’s Zhejiang University also found voice-activated devices could be issued orders using inaudible frequencies. Chinese researchers called the technique DolphinAttack.


Amazon told The New York Times it has taken steps to ensure its speaker is secure. Google said its platform has features that mitigate such commands. And Apple noted an iPhone or iPad must be unlocked before Siri will open an app.

Still, there are several examples of companies taking advantage of weaknesses in the devices, from Burger King’s Google Home commercial to South Park’s stunt with Alexa.

And the number of devices in consumers’ homes is on the rise. Digital assistants have been among the hottest gifts of the past two holiday seasons. And Amazon, alone, is expected to sell $10 billion worth of the devices by 2020.

Source: NY Times and Fortune

Why It’s Hot

It seems like every week we are posting something else about Voice (Alexa, Google Home) and emerging capabilities or how brands are using them. As with any tech, there are concerns about how it will be used. I do wonder though if there’s something positive here, versus scary?

“Smart” Cities can be hacked

Last Friday at 11:40PM, Dallas’s emergency siren system sounded: all 156 sirens at once. The alarms went off a total of 15 times, with each burst lasting 90 seconds, until they fell silent around 1:20AM on Saturday morning.

“But as the New York Times reports, there was no hurricane coming—the sounds were triggered by a hacker who’d penetrated the system’s security measures. Few details have emerged about the hack, save for the fact that it’s thought to have been carried out locally and was very effective (technicians couldn’t stop the hacker, so they had to shut down the entire system to quiet the alarms).”

As cities and government entities rapidly adopt technologies and networks into day-to-day life and infrastructures, have they overlooked the potential shortfalls of a ubiquitous digital infrastructure?

In the same way that new buildings must meet baseline architectural requirements, perhaps the same minimums should be demanded of tech and cyber security.

Source: https://www.technologyreview.com/s/604124/smart-cities-could-be-crippled-by-dumb-security/

Hackers Remotely Shut Down a Jeep at 70 MPH

There are connected cars and then there are cars that can be ‘disconnected,’ at least from the driver.

In a somewhat on-the-edge experiment published this week, two well-known hackers tapped into a moving Jeep and remotely operated the radio, air conditioning and windshield wipers.

Then, while the car was moving at 70 miles an hour, the transmission was remotely cut so the car could no longer accelerate, leaving the volunteer driver (a writer from Wired) slowing on a busy highway.

[Image: aerial view of a freeway interchange, LA]

The two hackers, Charlie Miller and Chris Valasek, have been conducting car-hacking research to determine whether an attacker could gain wireless control of vehicles via the internet.

They wrote code that could send commands through the Jeep’s entertainment system to its dashboard functions, brakes, steering and transmission from a laptop many miles away, according to the first-person account in Wired.

Why It’s Hot:

The timing of the widely reported Jeep experiment is interesting in light of a new privacy bill in congress that would stop car makers from using data collected from vehicles for advertising or marketing. More about the bill can be found here.

Drivers shouldn’t have to choose between being connected and being protected. Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers. When consumers feel safe with technology it flourishes but when the opposite is true it can become an epic failure.

But the Jeep episode shows that sending unwanted ads to drivers on the move may be the least of the issues. The silver lining in all of this is that the vulnerabilities in the coming interconnected world of things are being identified and highlighted.

As you might imagine, Fiat Chrysler has issued a software fix that Jeep owners can either download and install themselves or ask a dealer to install. There will be more bumps in the road that get identified. Then they can be addressed.

Read the full story here

Hackers Show Vulnerability of “Connected Cars”

When we think of hacks, we often think of email, banks, phones. But many people don’t think of things like cars as hackable devices, too. So researchers in St. Louis set out to demonstrate that automakers need to be far more active in the security of internet-connected vehicles.

The subject was Fiat Chrysler’s line of Uconnect vehicles. Using a Jeep Cherokee, the researchers demonstrated that, over the vehicle’s Sprint cellular data connection, they could attack a driver’s vehicle remotely with no physical access to the car. Some 470,000+ vehicles on the road offer this connectivity, making the vulnerability no small risk.

So what could the hackers exploit? Quite a lot. While the driver was cruising at highway speed, they were able to alter wipers, display personalized messages on the dashboard, even disable the transmission to prevent acceleration. Traffic piled up behind the driver, as the subject was left helpless.


But the hackers are acting in good faith. They sought to share these exploits with the security community, so that those with malicious intent do not find them first. What’s shocking is the automotive industry’s apparent attempt to minimize these studies. In a longer exposé of the study, Wired highlights that automakers are more interested in out-competing one another on features than in addressing real consumer safety concerns with these untested new drivable devices.

Why It’s Hot

As we are always looking for what is new, shiny and internet-driven, cases like this demonstrate why consumers need to remain vigilant in the connected age. In this case, it took hacker advocacy to open our eyes to corporate sluggishness and blindness to the dangers that new products can pose.

Via Ars Technica

Canada’s Largest Bitcoin Exchange is Shutting Down After Suspected Hack

Canadian Bitcoin exchange Cavirtex has announced that it may have suffered a security breach and is shutting down its operations soon [https://www.cavirtex.com/news]. While the company says it hasn’t lost any of its reserves, it feels “the damage to [its] reputation caused by the potential compromise will significantly harm [its] ability to continue to operate successfully.” The company has ceased accepting deposits and will halt withdrawals on March 25. Unfortunately, this is not an isolated incident.

Chinese exchange Bter lost $1.75 million to hackers earlier this week and $5 million was stolen from Slovenia’s Bitstamp last month.


Why It’s Hot:
Bitcoin, an innovative payment network and a “new” kind of money, was first introduced in 2009. Over the years a number of companies, such as Overstock, Amazon, Target, CVS, Victoria’s Secret and Subway, have begun accepting it as a form of payment. Unfortunately, it also seems to have attracted the attention of cybercriminals, and businesses dealing in cryptocurrency should invest heavily in security measures.