Category Archives: hacks

Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Google’s Leaked Recordings Violates Data Security Policies

A report, based on the Belgium-based NWT VRT revealed that Google employees routinely listened to audio files recorded by Google Home Smart Home speaker, and Google Assistant smartphones.

As per ZdNet, the report elucidates how employees listen to snippets of the recordings when the user activates the device with the usual “OK Google” commands.

After receiving copies of several recordings, NWS VRT approached users, asking them to check their voices or those of their children and to talk to digital assistance or PDAs.

Google responded to the report by posting a blog titled “More information about our processes to safeguard speech data”.

Google acknowledged that it uses sequences of linguists from around the world who “understood the nuances and accents of a particular language”, and had reviewed and copied a small series of questions to better understand these languages. The terms and condition indicate that the users’ conversations are recorded.

Google blog mentions that that capturing interaction is an important part of the sound technology in the process of creating products like Google Assistant. According to them, various security measures are implemented to protect the privacy of users during the review process.

However, according to Google, the availability of the document violates the privacy policy.

Google product manager of Search David Monsees in a blog penned by him said, “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”

According to Google, it applies a wide range of safeguards to protect user privacy throughout the entire review process. The blog further adds, “Language experts only review around 0.2% of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.”

The company states that Google Assistant sends audio data to Google after device activation. He also said that devices, including Google Assistant can sometimes receive something like “false accept”, which means there are fewer voices or words in the background than their software interprets as keywords.

Although Google stated that the audio was recorded after the command was heard, NWT VRT stated that out of over a thousand sample heard, 153 should never be recorded and that the “OK Google” command was not clearly given.

In February, Google detailed that its Nest Guard, the centerpiece of the Nest Secure home alarm system, would soon receive Google Assistant functionality — meaning the device needed to have both a speaker and microphone.

Users were not made aware that the Nest Guard had a microphone at all, however.
Google responded that it was nothing more than a mistake to not to tell users about the Nest Guard microphones.

Earlier this year, Amazon found a team of people to answer questions about speakers powered by Alexa Amazon, similar to Google, to improve the accuracy of its voice assistant.

The recording sent to the human team does not have a full name, but is linked to the account name, the device serial number, and the user name of the clip.

Some team members are tasked with copying commands and analyzing whether Alexa answers correctly or not. Others were asked to write background noises and poorly calculated conversations by the device.

Also, Read

Google Duplex Assistant to Reach iPhones, Most Android Phones

Google Stored G Suite Customers Passwords in Plain Text

The post Google’s Leaked Recordings Violates Data Security Policies appeared first on .

New Hacking Technique Using Bluetooth Exposed

Bluetooth makes it easy to transfer files, photos, and documents to devices, such as mobile phones, PDAs, and laptops in a short distance. This wireless communication protocol was developed in 1998. Bluetooth technology has revolutionized wireless communication between devices with its simple and ubiquitous features. Unfortunately, Bluetooth technology has increased security issues in individuals. Hackers continue to use Bluetooth vulnerabilities for various known activities, such as: theft of personal data, installation of malware and others. This is a newly discovered major security breach that not only affects mobile phones, but even cars and systems.

BlueBorne

BlueBorne is a security hole in some Bluetooth implementations. It was reviewed on April 2017 by security researchers in Armis. Vulnerabilities exist on mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux. This can allow hackers to take control of the device and attack the center’s users to steal information.

The researchers explained the scope of the attack vectors as follows: “For the attack, the target device does not need to be coupled to a drive device or configured invisible mode.” So far, Armis Labs has identified eight days-zero vulnerabilities indicating the existence and potential of attack vectors. Armis believes that there are more vulnerabilities to be expected on various platforms using Bluetooth, and this vulnerability is fully functional and can be exploited successfully.

BlueBorne has become a dangerous threat because of the kind of complex medium. Unlike most Internet-based attacks, BlueBorne attacks spread through the air. This means that hackers can silently connect to smartphones and computers and take control of devices without user intervention.

Btlejacking

Btlejacking, this Bluetooth attack vector, was released in August 2018 at the DefCon conference in Las Vegas by Damien Cauquil, Head of Research and Development at Digital Security. With this new technology, hackers can disrupt and recover Bluetooth devices with low power consumption. This is based on an interference vulnerability identified as CVE-2018-7252, which affects versions 4.0, 4.1, 4.2, and 5 of the BLE devices. In order to exploit the weak points, the attacker must be within 5 meters of distance.

Hundreds of millions of Bluetooth devices are potentially vulnerable to attack vectors, allowing hackers to discover BLE connections, block BLE devices, and control vulnerable Bluetooth devices. Attacks on Bluetooth enabled devices can be done with a micro-integrated BIT computer that costs only $ 15 and a few lines of open source code.

Bleedingbit

Security researchers at security firm Armis have discovered two new “BleedingBit” bugs on Bluetooth chips that affect companies around the world. The first bug, followed by CVE-2018-16986, was a remote code execution bug that involved four chip models embedded in seven Cisco access points and five Meraki access points. By exploiting the vulnerabilities, remote attackers can send dangerous BLE transmission messages, called “ad packages,” stored on vulnerable memory chips. When BLE is enabled, these malicious messages may be called to trigger a critical memory overflow. It can also allow hackers to corrupt memory, access the operating system, create a backdoor, and remotely execute malicious code.

The second chip vulnerability was identified as CVE-2018-7080 and affected multiple Aruba access points, including the full 300 series, and allowed attackers to access completely new and different firmware versions and install them.

BleedingBit is cited as a wake-up call to enterprise security for two reasons.

“First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can destroy network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device,” said Yevgeny Dibrov, Armis CEO in a blog post.

CarsBlues

Privacy4Cars researchers have discovered a new major vulnerability, CarsBlues, in the information and entertainment systems of different types of vehicles. This attacks can be done in minutes with cheap, available hardware and software. This allows hackers to remove personal identification information (PII) from users who have synchronized their mobile phone with their car via Bluetooth. It is estimated that tens of millions of vehicles worldwide are victims of hacker attacks.

Also, Read:

Intel Discovers And Publishes New Bluetooth Vulnerability

The post New Hacking Technique Using Bluetooth Exposed appeared first on .