Security

Huawei responds to Android ban with service and security guarantees, but its future is unclear


Huawei has finally gone on the record about a ban on its use of Android, but the company’s long-term strategy on mobile still remains unclear.

In an effort to appease its worried customer base, the embattled Chinese company said today that it will continue to provide security updates and after-sales support to its existing lineup of smartphones, but it’s what the company didn’t say that will spark concerns.

Huawei was unable to make guarantees about whether existing customers will continue to receive Android software updates, while its statement is bereft of any mention of whether future phones will ship with the current flavor of Android or something else.

The company, which is the world’s second largest smartphone vendor by shipments, said it will continue to develop a safe software ecosystem for its customers across the globe. Huawei will also extend the support to Honor, a smartphone brand it owns. Nearly 50 percent of all of Huawei’s sales come from outside China, research firm Counterpoint told TechCrunch.

Here’s the statement in full:

Huawei has made substantial contributions to the development and growth of Android around the world. As one of Android’s key global partners, we have worked closely with their open-source platform to develop an ecosystem that has benefitted both users and the industry.

Huawei will continue to provide security updates and after-sales services to all existing Huawei and Honor smartphone and tablet products, covering those that have been sold or are still in stock globally. We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally.

In addition, the company said it plans to launch the Honor 20 as planned. The device is set to be unveiled at an event in London tomorrow. While Honor is a sub-brand, any sanctions levied on Huawei will likely be reflected in its business, too.

Huawei’s lukewarm response isn’t unexpected. Earlier, Google issued a similarly non-committal statement that indicated that owners of Huawei phones will continue to be able to access the Google Play Store and Google Play Protect, but — like the Chinese firm — it made no mention of the future, and that really is the key question.

Indeed, sources within both Google and Huawei have told TechCrunch that the immediate plan of action for what happens next remains unclear.

It could turn out that Huawei is forced to use the open source version of Android, AOSP, which ships without Google Mobile Services, the suite of Google services that includes the Google Play Store, Gmail and YouTube. That’s unless it opts for its own homegrown alternative, which media reports have claimed it has built in case of an emergency.

Huawei’s response comes a day after Reuters reported that Google had suspended some of its business with the Chinese technology giant. The Android maker is complying with a U.S. Commerce Department directive that placed Huawei and 70 of its affiliates on an “entity list,” which requires any U.S. company to obtain government approval before doing business with the Chinese firm.

In the meantime, the troubles are mounting for Huawei. In addition to Android, the U.S. government’s move has seen Intel, Qualcomm, Xilinx, and Broadcom reportedly pause supplying chips to Huawei until a resolution has been reached.

Powered by WPeMatico

Google says its app store will continue to work for existing Huawei smartphone owners


Google said today that existing users of Huawei Android devices can continue to use the Google Play app store, offering some relief to tens of millions of users worldwide even as it remains unclear whether the Chinese tech giant will be able to use the fully functioning version of Android in its future phones.

Existing Huawei phone users will also be able to enjoy security protections delivered through Google Play Protect, the company said in a statement to TechCrunch. Google Play Protect is a built-in malware detector that uses machine learning to detect and weed out rogue apps. Google did not specify whether Huawei devices will receive future Android updates.

The statement comes after Reuters reported on Sunday that Google is suspending some business with Huawei, the world’s second largest smartphone maker, which shipped over 200 million handsets last year. The report claimed, a point Google did not address, that future Android devices from Huawei will not run Google Mobile Services, the bundle of Google services that includes the Google Play Store and the Gmail email client. A Huawei spokesperson said the company is looking into the situation but has nothing to share beyond this.

For Huawei users’ questions regarding our steps to comply w/ the recent US government actions: We assure you while we are complying with all US gov’t requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.

— Android (@Android) May 20, 2019

 

It’s a major setback for Huawei which, unless resolved in the next few weeks, could significantly disrupt its phone business outside of China. The vendor, already grappling with controversy over security concerns, will have to rethink its software strategy for future phones if there is no resolution. A dearth of, or a delay in delivering, future Android updates would also hurt the company’s reputation among its customers around the globe.

“We are complying with the order and reviewing the implications,” a company spokesperson said in a statement.

The two tech companies find themselves in this awkward situation as a result of the latest development in the ongoing U.S.-China trade war. Huawei and 70 of its affiliates have been put on an “entity list” by the U.S. Commerce Department over national security concerns, requiring U.S. companies such as Google and Intel to obtain approval from the government before conducting business with the Chinese firm.

Huawei may have already foreseen this. A company executive revealed recently that Huawei had built its own Android-based operating system in case a future event prevented it from using existing systems. Per Reuters, Huawei can also continue to use AOSP, the open source Android operating system that ships stripped of Google Mobile Services. And on paper, it could also run an app store of its own. But convincing enough stakeholders to make their apps available on Huawei’s store and to continually push updates could prove incredibly challenging.


WhatsApp exploit let attackers install government-grade spyware on phones


WhatsApp just fixed a vulnerability that allowed malicious actors to remotely install spyware on affected phones, and an unknown number reportedly did so with a commercial-grade snooping package usually sold to nation-states.

The vulnerability was discovered by the Facebook-owned WhatsApp in early May, the company confirmed to TechCrunch. It leveraged a bug in the app’s audio call feature that let a caller install spyware on the device being called, whether or not the call was answered.

The spyware detected on affected devices was Pegasus, made by Israel-based NSO Group, which is usually (ostensibly) licensed to governments looking to infect the targets of investigations and gain access to various aspects of their devices.

This is, as you can imagine, an extremely severe security hole, and it is difficult to determine the window during which it was open, or how many people were affected by it. Without knowing exactly what the exploit was and what data WhatsApp keeps on that type of activity, we can only speculate.

The company said that it suspects a relatively small number of users were targeted, since it would be nontrivial to deploy, limiting it to advanced and highly motivated actors.

Once alerted to the issue’s existence, the company said it took less than 10 days to make the required changes to its infrastructure that would render the attack inoperable. After that, an update went out to the client that further secured against the exploit.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.

So what about NSO Group? Is this attack their work as well? The company told the Financial Times, which first reported the attack, that it was investigating the issue. But it noted that it is careful not to involve itself with the actual applications of its software — it vets its customers and investigates abuse, it said, but it has nothing to do with how its code is used or against whom.

WhatsApp did not name NSO in its remarks, but its suspicions seem clear:

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”

Naturally when a security-focused app like WhatsApp finds that a private company has, potentially at least, been secretly selling a known and dangerous exploit of its protocols, there’s a certain amount of enmity. But it’s all part of the 0-day game, an arms race to protect against or breach the latest security measures. WhatsApp notified the Department of Justice and “a number of human rights organisations” of the issue.

You should, as WhatsApp suggests, always keep your apps up to date for situations like this, although in this case the problem was mitigated server-side before clients could be patched.


Samsung spilled SmartThings app source code and secret keys


A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, as well as several employees’ private GitLab tokens stored in plaintext, which expanded his access from the 42 public projects to 135 projects, including many private ones.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.
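The kind of exposure described above (AWS keys, GitLab tokens, private keys and plaintext passwords sitting in project files) is something a team can check for itself before an outsider does. The scanner below is an added example for this article, not code from Samsung, SpiderSilk or the researcher. The files in SAMPLE_FILES are constructed for the example; the AWS pair is Amazon’s documented placeholder key, the GitLab token and password are made up, and the “glpat-” prefix is the modern GitLab token format (2019-era tokens were bare 20-character strings, which is what the generic assignment rule is there to catch).

```python
"""Scan repository files for leaked credentials.

Added example, not code from the article, Samsung or SpiderSilk. SAMPLE_FILES is
constructed: the AWS pair is Amazon's documented example key, the rest are
placeholders, and the paths are made up.
"""
import re
from collections import Counter
from typing import Dict, List

# Secret formats. AWS access key ids are "AKIA" plus 16 upper-case alphanumerics;
# modern GitLab personal access tokens carry a "glpat-" prefix. Older GitLab tokens
# had no prefix, so the generic "secret/token/password = value" rule is needed too.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "gitlab_pat": re.compile(r"\b(glpat-[A-Za-z0-9_-]{20})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_secret": re.compile(
        r"(?i)\b(?:secret|token|password|passwd)\b\s*[=:]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Constructed sample tree: two real-looking leaks, one PEM, one clean source file,
# and a properties file with both a plaintext password and a harmless comment.
SAMPLE_FILES = {
    "config/aws.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/.gitlab-ci.yml": 'variables:\n  GITLAB_TOKEN: "glpat-abcdefghijklmnopqrst"\n',
    "keys/ios_dist.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAconstructedkeymaterial\n",
    "src/Main.java": 'String url = "https://example.com";\n',
    "src/application.properties": "db.url=jdbc:mysql://db.internal/app\n# password: see vault\ndb.password=S3cretPassw0rd!\n",
}


def redact(secret: str) -> str:
    """Keep enough to recognise the hit; never copy a full secret into a report."""
    if secret.startswith("-----BEGIN"):
        return secret
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"path": path, "line": line_no, "kind": kind, "redacted": redact(match.group(1))}
                )
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """files maps a repo-relative path to its contents (a clone, or an exported project)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    return dict(Counter(str(f["kind"]) for f in findings))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

The same patterns work over a full git history (every commit, not just the tip), which is where tokens that were “removed” usually still live; a hit is a reason to revoke the credential, not just delete the line.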

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.



Android Q devices will get over-the-air security updates — but there’s a catch


Devices shipping with Android Q will receive over-the-air security patches without having to go through device manufacturers.

A lack of steady security updates has been a major pain point for Android users over the years. Google finally has a fix for the problem. At its annual developer conference Tuesday, the tech giant said it’ll bypass mobile makers and push security updates directly to devices.

The benefit is that users won’t have to wait lengthy periods for device manufacturers to test and quality assure the patches for their devices for fixes to critical security vulnerabilities that put users at risk.

Better yet, the updates won’t require a device restart.

Security updates for Android Q will be focused on 14 modules crucial to the operating system’s functioning — including media codecs, which have long plagued the Android software with a steady stream of security flaws.

There’s a catch — two, in fact.

Only devices that ship with Android Q get the feature: devices upgraded to Android Q from an earlier release will not receive these over-the-air security updates, and some manufacturers can opt out altogether, according to The Verge, which first reported the news, rendering the feature effectively useless on those devices. The new mechanism will also not be backported to earlier versions of Android. Distribution data shows a large share of Android users are still on Android 5.0 Lollipop and earlier, so it could take years for Android Q to reach a comparable usage share.

Still, Google has to start somewhere. Android Q is expected out later this year.


Takeaways from F8 and Facebook’s next phase


Extra Crunch offers members the opportunity to tune into conference calls led and moderated by the TechCrunch writers you read every day. This week, TechCrunch’s Josh Constine and Frederic Lardinois discuss major announcements that came out of Facebook’s F8 conference and dig into how Facebook is trying to redefine itself for the future.

Though touted as a developer-focused conference, Facebook spent much of F8 discussing privacy upgrades, how the company is improving its social impact, and a series of new initiatives on the consumer and enterprise side. Josh and Frederic discuss which announcements seem to make the most strategic sense, and which may create attractive (or unattractive) opportunities for new startups and investment.

“This F8 was aspirational for Facebook. Instead of being about what Facebook is, and accelerating the growth of it, this F8 was about Facebook, and what Facebook wants to be in the future.

That’s not the newsfeed, that’s not pages, that’s not profiles. That’s marketplace, that’s Watch, that’s Groups. With that change, Facebook is finally going to start to decouple itself from the products that have dragged down its brand over the last few years through a series of nonstop scandals.”


Josh and Frederic dive deeper into Facebook’s plans around its redesign, Messenger, Dating, Marketplace, WhatsApp, VR, smart home hardware and more. The two also dig into the biggest news, or lack thereof, on the developer side, including Facebook’s Ax and BoTorch initiatives.

For access to the full transcription and the call audio, and for the opportunity to participate in future conference calls, become a member of Extra Crunch. Learn more and try it for free. 


Developers can now verify mobile app users over WhatsApp instead of SMS


Facebook today released a new SDK that allows mobile app developers to integrate WhatsApp verification into Account Kit for iOS and Android. This will allow developers to build apps where users can opt to receive their verification codes through the WhatsApp app installed on their phone instead of through SMS.

Today, many apps give users the ability to sign up using only a phone number — a now popular alternative to Facebook Login, thanks to the social network’s numerous privacy scandals that led to fewer people choosing to use Facebook with third-party apps.

Plus, using phone numbers to sign up is common with a younger generation of users who don’t have Facebook accounts — and sometimes barely use email, except for joining apps and services.

When using a phone number to sign in, it’s common for the app to confirm the user by sending a verification code over SMS to the number provided. The user then enters that code to create their account. The same step can be used at login, as a second factor alongside the account’s password, for added security.
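Whichever channel carries the code, SMS or WhatsApp, the server side of the flow above is the same, and it is where most implementations go wrong: codes stored in the clear, codes that never expire, and no limit on guesses against a six-digit space. The class below is an added example showing that server side; it is not Account Kit or WhatsApp SDK code. The code length, five-minute lifetime and five-attempt limit are assumptions, and the phone number used in the usage is made up.

```python
"""Server side of a phone-number verification code, independent of the channel
(SMS or WhatsApp) that delivers it.

Added example, not Facebook's Account Kit or WhatsApp SDK code. Code length,
lifetime and attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_DIGITS = 6      # assumption: six-digit code
TTL_SECONDS = 300    # assumption: five-minute lifetime
MAX_ATTEMPTS = 5     # assumption: lock the code after five wrong guesses


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a salted digest so a dump of the pending table reveals no live codes.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class VerificationStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested without sleeping
        self._pending: Dict[str, dict] = {}

    def issue(self, phone: str) -> str:
        """Create a fresh code for the number and return it to the delivery layer.
        The code itself is never stored or logged; re-issuing replaces any older code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[phone] = {
            "digest": _digest(code, salt),
            "salt": salt,
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, phone: str, code: str) -> str:
        """Returns "ok", "mismatch", "expired", "locked" or "unknown"."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]   # a million-code space is no defence without a guess limit
            return "locked"
        if not hmac.compare_digest(_digest(code, entry["salt"]), entry["digest"]):
            return "mismatch"
        del self._pending[phone]       # single use: a captured code cannot be replayed
        return "ok"


if __name__ == "__main__":
    store = VerificationStore()
    code = store.issue("+15550100")    # constructed number; send `code` via SMS or WhatsApp here
    print(store.verify("+15550100", code))
```

Note what this does not protect against: a code typed by the user into a phishing page is still valid when the attacker relays it within the lifetime, and SMS delivery can be redirected by a SIM swap. Those are properties of the channel, not of the code check.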

While this process is straightforward and easy enough to follow, SMS is not everyone’s preferred messaging platform. That’s particularly true in emerging markets like India, where 200 million people are on WhatsApp, for example. In addition, those without an unlimited messaging plan are careful not to overuse texting when it can be avoided.

That’s where the WhatsApp SDK comes in. Once integrated into an iOS or Android app, developers can offer to send users their verification code over WhatsApp instead of text messaging. They can even choose to disable SMS verification, notes Facebook.

This is all part of Facebook’s Account Kit, a larger set of developer tools designed to let people quickly register and log in to apps or websites using only a phone number or email address, with no password required.

This WhatsApp verification codes option has been available on WhatsApp’s web SDK since late 2018, but hadn’t been available with mobile apps until today.


After account hacks, Twitch streamers take security into their own hands


Twitch has an account hacking problem.

After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but for gamers’ other accounts. The passwords were stored using a long-deprecated hashing algorithm, making them easy to crack.

It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath.

In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.

Jakubowski blamed the attacks on automated account takeovers — bots that cycle through password lists stolen from breached sites, including Town of Salem.

“Twitch knows it’s a problem — but this has been going on for months and there’s no end in sight,” Jakubowski told TechCrunch.

Credential stuffing is a security problem that requires participation from both tech companies and their users. Hackers take lists of usernames and passwords from other breached sites and replay them at scale against other sites’ login forms. Customers of DoorDash and Chipotle have in recent months complained of account breaches, but the companies have denied that their systems were hacked, offered little help to their users, shown no effort to bolster their security, and instead washed their hands of any responsibility.

Jakubowski, working with fellow security researcher Johnny Xmas, said that if Twitch stopped accepting email addresses as login identifiers and incentivized users to set up two-factor authentication, it would all but eliminate the problem.

The Russia connection

In new research out Tuesday, Jakubowski and Xmas said Russian hackers are a likely culprit.

The researchers found attackers would run massive lists of stolen credentials against Twitch’s login systems using widely available automation tools. With no discernible system to prevent automated logins, the attackers can hack into Twitch accounts at speed. Once logged in, the attackers then change the password to gain persistent access to the account. Even if they’re caught, some users are claiming a turnaround time of four weeks for Twitch support to get their accounts back.
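The pattern described above, one source running a long list of different usernames through the login endpoint with mostly failures, is visible in ordinary login logs without any anti-bot vendor. The detector below is an added example for this article, not Twitch’s code or the researchers’. The log format and the lines produced by build_sample_log() are constructed (an attacker at 203.0.113.7 replaying 30 accounts, two of which hit, beside a real user mistyping her password twice), and the window and thresholds are assumptions to tune against real traffic.

```python
"""Flag credential-stuffing runs in application login logs.

Added example, not Twitch's code or the researchers'. The log format and the lines
from build_sample_log() are constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: "<iso-timestamp> ip=<addr> user=<name> result=ok|fail ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=10, min_fail_ratio=0.7) -> Dict[str, dict]:
    """Per source IP, slide a time window over its login attempts. A window with many
    distinct usernames and a high failure rate is a password-list replay, not a person
    mistyping a password. Successes inside such a window are the accounts that need a
    forced reset and a session kill, whatever the user's own password hygiene was."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                rec = flagged.setdefault(ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
                rec["attempts"] = max(rec["attempts"], len(win))
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                rec["compromised"] |= {e["user"] for e in win if e["ok"]}
    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: a list replay from one IP (30 accounts, user07 and user22
    succeed) interleaved with a legitimate user who gets her password wrong twice."""
    base = datetime(2019, 4, 2, 10, 0, 0)
    lines = []
    for i in range(1, 31):
        ts = base + timedelta(seconds=2 * i)
        result = "ok" if i in (7, 22) else "fail"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.7 user=user{i:02d} result={result} ua=python-requests/2.21")
    for i, result in enumerate(["fail", "fail", "ok"]):
        ts = base + timedelta(seconds=30 + 20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.5 user=alice result={result} ua=Mozilla/5.0")
    return lines


if __name__ == "__main__":
    for ip, rec in detect_stuffing(build_sample_log()).items():
        print(ip, rec)
```

Real campaigns spread attempts over proxy pools, so a per-IP rule is the floor, not the ceiling; the same window logic applied per ASN, per user-agent string or per device fingerprint catches the distributed variant.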

On accounts with a stored payment card, or an associated Amazon Prime membership, the attackers follow, or pay a small fee to subscribe to, streaming channels they themselves run, with Twitch taking a cut. Twitch also has its own virtual currency, bits, to help streamers solicit donations, which the attackers can abuse to funnel funds into their own coffers.

When the attacker’s streaming account hits the payout limit, the attacker cashes out.

The researchers said the attackers stream prerecorded gameplay footage on their own Twitch channels, often using Russian words and names.

“You’ll see these Russian accounts that will stream what appears to be old video game footage — you’ll never see a face or hear anybody talking but you’ll get tons of people subscribing and following in the channel,” said Xmas. “You’ll get people donating bits when nothing is going on in there — even when the channel isn’t streaming,” he said.

This activity helps cloak the attackers’ account takeover and pay-to-follow activity, said Xmas, but the attackers would keep the subscriber counts low enough to garner payouts from Twitch but not draw attention.

“If it’s something easy enough for [Jakubowski] to stumble across, it should be easy for Twitch to handle,” said Xmas. “But Twitch is staying silent and users are constantly being defrauded.”

Two-factor all the things

Twitch, unlike other sites and services with a credential stuffing problem, already lets its 15 million daily users set up two-factor authentication on their accounts, putting much of the onus to stay secure on the users themselves.

Twitch partners, like Jakubowski, and affiliates are required to set up two-factor on their accounts.

But the researchers say Twitch should do more to incentivize ordinary users — the primary target for account hijackers and fraudsters — to secure their accounts.

“I think [Twitch] doesn’t want that extra step between a valid user trying to pay for something and adding friction to that process,” said Jakubowski.


“Two-factor is important — everyone knows it’s important but users still aren’t using it because it’s inconvenient,” said Xmas. “That’s the bottom line: Twitch doesn’t want to inconvenience people because that loses Twitch money,” he said.

Recognizing there was still a lack of awareness around password security and with no help from Twitch, Jakubowski and Xmas took matters into their own hands. The pair teamed up to write a comprehensive Twitch user security guide to explain why seemingly unremarkable accounts are a target for hackers, and hosted a Reddit “ask me anything” to let users ask questions and get instant feedback.

Even during Jakubowski’s streaming sessions, he doesn’t waste a chance to warn his viewers about the security problem — often fielding other security-related questions from his fans.

“Every 10 minutes or so, I’ll remind people watching to set-up two factor,” he said.

“The hackers have no idea how valuable an account is until they log in,” said Jakubowski. “They’re just going to try everyone — and take a shotgun approach,” he said.

Xmas said users “don’t realize” how vulnerable they are. “They don’t understand why their account — which they don’t even use to stream — is desirable to hackers,” he said. “If you have a payment card associated with your account, that’s what they want.”

Carrot and the stick

Jakubowski said that convincing the users is the big challenge.

Twitch could encourage users with free perks — like badges or emotes — costing the company nothing, the researchers said. Twitch lets users collect badges to flair their accounts. World of Warcraft maker Blizzard offers perks for setting up two-factor, and Epic Games offers similar incentives to their gamers.

“Rewarding users for implementing two-factor would go a huge way,” said Xmas. “It’s incredible to see how effective that is.”

The two said the company could also integrate third-party leaked credential monitoring services, like Have I Been Pwned, to warn users if their passwords have been leaked or exposed. And, among other fixes, the researchers say removing two-factor by text message would reduce SIM swapping attacks. Xmas, who serves as director of field engineering at anti-bot startup Kasada — which TechCrunch profiled earlier this year — said Twitch could invest in systems that detect bot activity to prevent automated logins.

Twitch, when reached prior to publication, did not comment.

Jakubowski said until Twitch acts, streamers can do their part by encouraging their viewers to switch on the security feature. “Streamers are influencers — more users are likely to switch on two-factor if they hear it from a streamer,” he said.

“Getting more streamers to get on board with security will hopefully go a much longer way,” he said.



Spy on your smart home with this open source research tool


Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available for download. (Currently it’s Mac OS only, with a wait list for Windows and Linux.)

In a blog post about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud, sending and receiving traffic via a domain (tuyaus.com) operated by a China-based company whose platform controls IoT devices.

There are other ways to track devices like this, such as setting up a wireless hotspot and sniffing IoT traffic with a packet analyzer like Wireshark. But the level of technical expertise required puts them out of reach for plenty of consumers.

The researchers say their web app doesn’t require any special hardware or complicated set-up, so it sounds easier than packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: The web app doesn’t work with Safari; requiring either Firefox or Google Chrome (or a Chromium-based browser) to work.

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and postdoctoral researcher Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)

The dataset being harvested by the traffic analyzer tool is anonymized, and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks — such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study’s focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked, either by powering them down during setup or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.

The project team has produced a video showing how to install the app on Mac:


Google turns your Android phone into a security key


Your Android phone could soon replace your hardware security key to provide two-factor authentication access to your accounts. As the company announced at its Cloud Next conference today, it has developed a Bluetooth-based protocol that will be able to talk to its Chrome browser and provide a standards-based second factor for access to its services, similar to modern security keys.

It’s no secret that two-factor authentication remains one of the best ways to secure your online accounts. Typically, that second factor comes to you in the form of a push notification, text message or through an authentication app like the Google Authenticator. There’s always the risk of somebody intercepting those numbers or phishing your account and then quickly using your second factor to log in, though. Because a physical security key also ensures that you are on the right site before it exchanges the key, it’s almost impossible to phish this second factor. The key simply isn’t going to produce a token on the wrong site.

Because Google is using the same standard here, just with different hardware, that phishing protection remains intact when you use your phone, too.

Bluetooth security keys aren’t a new thing, of course, and Google’s own Titan keys include a Bluetooth version (though they remain somewhat controversial). The user experience for those keys is a bit messy, though, since you have to connect the key and the device first. Google, however, says that it has done away with all of this thanks to a new protocol that uses Bluetooth but doesn’t necessitate the usual Bluetooth connection setup process. Sadly, though, the company didn’t quite go into details as to how this would work.

Google says this new feature will work with all Android 7+ devices that have Bluetooth and location services enabled. Pixel 3 phones, which include Google’s Titan M tamper-resistant security chip, get some extra protections, but the company is mostly positioning this as a bonus and not a necessity.

As far as the setup goes, the whole process isn’t all that different from setting up a security key (and you’ll still want to have a second or third key handy in case you ever lose or destroy your phone). You’ll be able to use this new feature for both work and private Google accounts.

For now, this also only works in combination with Chrome. The hope here, though, is to establish a new standard that will then be integrated into other browsers, as well. It’s only been a week or two since Google enabled support for logging into its own service with security keys on Edge and Firefox. That was a step forward. Now that Google offers a new service that’s even more convenient, though, it’ll likely be a bit before these competing browsers will offer support, too, once again giving Google a bit of an edge.
