More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking

 

More than a Billion of Android devices are at risk of a severe vulnerability in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device.

Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.

Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.

The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.

Although Google has pushed out updates after Trend Micro privately reported the issues that now prevents attackers from gaining root access with a specially crafted app, users will not be getting updates anytime soon.

The security update rolls out to your device through a long chain:

Qualcomm → Google → Your device's manufacturer → Your network carrier → Your handheld over the air

"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."

Unfortunately, what’s more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices, which is more worrying.

"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."

"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."

Whatever be the reason: if security patches are not available for your device model or take too long to arrive, in both the cases it gives miscreants time to exploit the security holes to gain control of your device.

However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.

All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.

The vulnerable code is present in Android version 4 to version 6. In the tests, researchers found Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge using vulnerable versions of Qualy's code.

Though the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is non-exhaustive.

Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:

1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leakage and a Use After Free issue in Android.

2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.

3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.

The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.

Read more

How to Hack WiFi Password from Smart Doorbells

The buzz around The Internet of Things (IoT) is growing, and it is growing at a great pace.

Every day the technology industry tries to connect another household object to the Internet. One such internet-connected household device is a Smart Doorbell.

Gone are the days when we have regular doorbells and need to open the door every time the doorbell rings to see who is around.

However, with these Internet-connected Smart Doorbells, you get an alert on your smartphone app every time a visitor presses your doorbell and, in fact, you can also view who's in front of your door.

Moreover, you can even communicate with them without ever opening the door. Isn’t this amazing? Pretty much.

But what if your doorbell Reveals your home's WiFi password?

Use Smart Doorbell to Hack WiFi Password

Until now, we have seen how hackers and researchers discovered security holes in Smart Cars,Smart refrigerators, Smart kettles and Internet-connected Toys, raising questions about the security, privacy, and potential misuse of IoTs.

Now, security researchers at UK consultancy Pen Test Partners have discovered a critical security hole in Wi-Fi-enabled video doorbell that could be used to expose the home network password of users.

The security hole is uncovered in Ring – a modern IoT Smart doorbell that connects to the user's home WiFi network, allowing them to view who is in front of the door with the help of their mobile device, even if the user is not at home.

Additionally, the Smart doorbell also gives users option to hook up to some smart door locks, so users can let their guests or family members into their home even if they are not in the house.

Researchers were impressed by the functionality of Ring, though shocked when analysed the security of the device that allowed them to discover the home user's WiFi password.

Press Button, Access a URL and Get WiFi Password!

As researchers explain, with the help of screw gauge, anyone can detach the doorbell mounted on the outside of the house and press the orange button (given on its back), which puts the device's wireless component in AP (Access Point) mode.

"Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point," the company's consultant David Lodge explains in a blog post.

You can then use your mobile phone to connect to the server, via a specific URL (http://192.168.240.1/gainspan/system/config/network).

When accessed, the above URL will reveal the wireless module's configuration file in the web browser, including the home WiFi network's SSID and PSK (Pre-Shared Key, a.k.a. password) in clear text.

Now, you just need to do is put the Smart doorbell back on the house's wall and disappear.

Since home WiFi networks have always been trusted by their owners who connect their devices to them, having access to this network, hackers can launch other malicious attacks against the victim's workstations, and other smart devices.

Researchers reported the security hole to Ring that resolved the issue via a firmware update released just two weeks after they were notified.

Read more

New Long-Range Wi-Fi Standard Offers Double Range to Home Devices

It is a common problem: Home Wireless Router's reach is terrible that the WiFi network even does not extend past the front door of the room.

My house also has all kinds of Wi-Fi dead zones, but can we fix it?

The answer is: YES. The problem will improve with a future, longer range version of Wi-Fi that uses low power consumption than current wireless technology and specifically targets at the internet of things (IoTs).

Global certification network the WiFi Alliance has finally approved a new wireless technology standard called 802.11ah, nicknamed "HaLow."

HaLow: Long Range WiFi

Wi-Fi HaLow has twice the range of conventional Wi-Fi and has the ability to penetrate walls that usually create blackspots in our homes.

The Wi-Fi Alliance unveiled this latest WiFi technology at the Consumer Electronics Show (CES) in Las Vegas.

Although currently used 802.11 Wi-Fi standards commonly operate in frequency bandwidths between 2.4GHz and 5GHz, the new WiFi HaLow was specially designed to work in lower bands, offering lower power consumption while boosting connectivity.

Wi-Fi HaLow can activate in the lower 900 MHz band, providing better propagation across longer distances while also coping with large numbers of devices connecting to a network.

WiFi HaLow: Designed now for IoTs

The HaLow standard is seen as an essential for the internet of things (IoTs) and connected home appliances. As more and more appliances in our homes are connecting to the Internet, it is quite harder for our home Wi-Fi wireless routers to reach every device.

"Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today," said Edgar Figueroea, president of the Wi-Fi Alliance.

Several sensor-enabled and internet connected devices in our homes, like door sensors and connected bulbs, require enough power to send data to remote hubs or routers at long distances, but the current Wi-Fi standard does not lend itself to long battery life and transmission distances.

However, HaLow standard will likely offer slower throughput speeds than conventional WiFi that considers the smaller data demands of internet connected devices as opposed to those designed for web browsing.

HaLow Expected to be Useful For Devices From Connected Cars to SmartPhones

HaLow standard is expected to be especially useful in connected cars as well as battery-operated devices around the home like smart thermostats, smart locks, connected bulbs as well as mobile devices.

"Wi-Fi HaLow expands the unmatched versatility of Wi-Fi to enable applications from small, battery-operated wearable devices to large-scale industrial facility deployments - and everything in between," Figueroea said.

The WiFi Alliance is expected to begin certifying first products bearing a Wi-Fi HaLow certification in 2018, after which the technology requires to make its way into your home router, then into your wearable.

Read more

Mark Zuckerberg Plans to Build Iron Man's JARVIS like Artificially Intelligent Assistant

What's the coolest part of the Iron Man movies?

The hyper-intelligent Artificial Intelligence that helps Tony Stark by doing data analysis, charging his armor, presenting information at crucial times and doing other business operations.

That's right — we are talking about J.A.R.V.I.S., Iron Man's personal assistant.

We all dream of having one of its kinds, and even Facebook's Founder and CEO Mark Zuckerberghas ambitions to live more like Iron Man's superhero Tony Stark.

While disclosing his 2016 resolution via a Facebook post on Sunday, Zuckerberg revealed that he is planning to build his own Artificial Intelligence to help him run his home and assist him at office — similar to Iron Man's digital butler Edwin Jarvis.

"You can think of it kind of like Jarvis in Iron Man," Zuckerberg wrote in his Facebook post."I'll start teaching it to understand my voice to control everything in our home — music, lights, temperature and so on."

"I'll teach it to let friends in by looking at their faces when they ring the doorbell. I’ll teach it to let me know if anything is going on in (daughter) Max’s room that I need to check on when I'm not with her. On the work side, it’ll help me visualize data in VR to help me build better services and lead my organizations more effectively."

But you do not expect to run your own house and office with Facebook-branded Artificial Intelligence anytime soon. As, Zuckerberg said that he is building the robot for himself that works for the way his home is configured, not yours.

Other major technology companies, like Microsoft and Google, have also been doing more with Artificial Intelligence and Deep Learning in the past few years as well.

However, if the tech billionaire would be successful in creating a real-world Jarvis, then it would definitely take smart-home technology to the new heights.

Read more