Category: Blog

Weird Sounds Coming From Your Speakers? Could Be A Hacker

Have you been hearing strange, otherworldly sounds on your Bose or Sonos speakers? If so, rest assured that your speakers aren’t haunted. They’ve likely been hijacked by hackers.

Researchers at Trend Micro have confirmed that some models (the Sonos Play:1, the Sonos One and the Bose SoundTouch) of both brands of speakers are vulnerable to hacking if the speaker is connected to a misconfigured network.

If the hackers find such a speaker, they can take control of the speaker and direct to play any audio file hosted at a specific URL.

It should be noted that this is an extremely exotic, fairly elaborate hack, and one that’s not likely to gain the hacker much, if anything in the way of useful information about the target network. Overwhelmingly, if and where this hack is seen at all, it will be used to play pranks on the target. About the worst thing that could happen is that the hacker would play a particularly annoying or alarming sound (a woman screaming, glass breaking, a baby crying or similar), which might lead to some sleepless nights or confusion, but not much else.

Even so, it’s worth making note of, because if a hacker is able to take control of a speaker connected to your network, it means that there’s a misconfiguration somewhere that could lead to a more serious hack down the road. If it happens to you, it’s well worth reviewing your network setup and security settings.

A spokesman for Sonos had this to say about the hack: “…looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers.”

Interestingly, this isn’t the first time such a hack has been seen. In 2014, a developer created a hack that went by the name “Ghosty” that did more or less the same thing.

Vertical Video Support On YouTube For iOS Finally Here

The owners of Android devices have been able to properly view vertical videos for more than two years, but for Apple users, it was a different story.

Instead of getting the traditional full-screen experience when viewing vertical videos, Apple users were saddled with annoying vertical bars that would appear on either side of the video itself. It’s a small thing, but undeniably annoying. Now, at long last, the problem has been solved and now Apple users can enjoy the same vertical, full-screen experience as the rest of us.

YouTube announced the upgrade in a tweet that read as follows:

“Bye-bye, black bars. Now the YouTube player on iOS will automatically adapt to the shape of the video you’re viewing!”

It matters because smartphones were designed to be held in that position, so it’s the natural way to interact with the device, no matter what you’re doing with it, including watching videos.

There’s one caveat, however: A surprising number of vertical videos won’t go full screen because they’ve actually been encoded with black bars on the sides, which technically makes them landscape vids that are only mimicking the appearance of a vertical video.

Now that YouTube has made this change, over time, you’ll probably see fewer and fewer videos shot like this and uploaded. In the short to medium term, don’t be the least bit surprised if you run into videos shot like this on a regular basis.

Why it took the company so long to update the Apple version of their app with this functionality, no one knows, but it’s not hard to hazard a few guesses. In any event, it’s not something that’s likely to have a major impact on your life, but it is a welcome change and we were happy to see it.

Select HP Laptop Models Recalled Over Battery Issue

Did you purchase an HP laptop between December of 2015 and December of 2017? If so, then you may have problems.

The US Consumer Product Safety Commission has been made aware of eight instances where HP battery packs overheated, charred, or melted, creating a worrisome fire hazard that has gotten the attention of user groups scattered all over the internet.

It also got the attention of HP itself, and the company recently announced “a worldwide voluntary safety recall and replacement program” for laptops shipped during the timeframe mentioned above.

If you own one of the following models, you may be impacted:

  • HP ProBook 640 G2
  • HP ProBook 645 G2
  • HP ProBook 650 G2
  • HP ProBook 655 G2
  • HP ProBook 640 G3
  • HP ProBook 645 G3
  • HP ProBook 650 G3
  • HP ProBook 655 G3
  • HP ZBook 17 G3
  • HP ZBook Studio G3
  • HP ZBook 17 G4
  • HP x360 310 G2
  • HP Pavillion x360
  • HP ENVY m6
  • Or the HP 11 Notebook PC

You can visit HP’s website and download a tool you can use to test your laptop to see if it has one of the defective battery packs. A BIOS update is also available that will safely and completely discharge the battery. Although of course, until you get a replacement, you’ll only be able to power your laptop via the AC power supply.

According to the company, “Many of these batteries are internal to the system, which means they are not customer replaceable. HP is providing battery replacement services by an authorized technician at no cost.”

While it’s a nice gesture, it would be even better if the company hadn’t shipped the defective batteries in the first place and caused a major inconvenience to its customers. This most recent recall comes on the heels of another one less than a year ago, in which the company recalled more than 100,000 similarly defective laptops at the end of January, 2017.

Better Parental Controls Underway For Apple Devices

Recently, a group of investors wrote an open letter to Apple, urging the company to do more in regards to offering better and more robust parental controls on the devices the company makes. Although the group of investors control some $2 billion in Apple stock, this is a drop in the proverbial bucket, given the company’s $900 billion market cap. Nonetheless, the letter seems to have gotten Apple’s attention.

In a statement published in the Wall Street Journal, the company said: “We think deeply about how our products are used and the impact they have on users and the people around them. We take this responsibility very seriously, and we are committed to meeting and exceeding our customers’ expectations, especially when it comes to protecting kids.”

Previously, the company has touted the suite of parental controls it’s had in place on the devices it makes since 2008. For example, every iPhone sold has a settings app with a parental controls section that allows adults to control in-app purchases, install and delete apps, and restrict website access.

Those are all good things, but the group of investors is pushing for more. Although the company has not released any details about their planned enhancements, it does appear that the letter has prompted them to think even more deeply about the matter, and in that same letter, also requested that apple aid research that studies what impacts excessive smartphone use has on mental health.

To their credit, Apple has done more with parental controls than many, if not most other tech companies, and it is very good to see that they’re listening and responding to the concerns of their investors. This kind of responsiveness bodes well, and depending on the particulars of their plan, it could well cause other companies in the industry to attempt to match their moves.

Hard Drives May Double In Speed With New Technology

What’s an HDD manufacturer to do when faced with competition by faster, more efficient SSD drives?

Go big, and go faster. At least that’s the strategy that both Seagate and Western Digital are adopting.

SSDs tend to get prohibitively expensive as their size crosses the 1TB threshold, which creates an opportunity for HDD manufacturers. Seagate is currently selling drives with an impressive 14TB of capacity, and has plans on the drawing board to introduce a 40TB drive by 2023, with Western Digital not far behind, aiming for a 40TB drive by 2025.

That’s impressive, but as Seagate mentioned in a recent blog post:

“Capacity is only half of the solution. If the ability to rapidly access data doesn’t keep pace with all that capacity, the value potential of data is inhibited. Therefore, the advancement of digital storage requires both elements: increased capacity and increased performance.”

In order to address the performance side of the equation, Seagate is experimenting with a new approach called “multi-actuator technology.”

HDDS are based on platters, with an actuator arm on the top and bottom that write to the platters.

Actuators are all aligned and are designed to move in tandem, but at any given moment, only one arm is writing to the disk.

Seagate’s new solution utilizes two sets of actuator arms, each controlled independent of the other. With two heads capable of reading and writing simultaneously, HDD speeds can effectively be doubled.

It’s an idea that has been around for a while, but until recently, thanks to the prohibitive cost of the components, it was simply impractical. With component prices falling, it’s suddenly viable. The combination of massive HDDs and the new technology are making people take a second look at HDD technology.

This is a great advance that breathes new life into HDDs, and is a truly exciting innovation.

New Wifi Standard WPA3 May Be Coming

Remember the KRACK WiFi (WPA2) vulnerability, discovered by Mathy Vanhoef? It turns out that his discovery was a catalyst for action. Recently, the WiFi Alliance, which is the industry’s standards organization, released details about its new WPA3 protocol.

Here’s a quick rundown of the changes you can expect to see in the months ahead:

  • Enhancements in encryption capabilities – The new protocol will enable encrypted connections between connected devices and the router/access point, and the cryptographic standard has been improved. According to the WiFi Alliance, it will be “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, which will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”
  • The ability to configure one WiFi enabled device to configure other devices on the network – As an example, you’ll now be able to configure a network-connected smart device that doesn’t have a display screen from your smartphone or PC connected to the same network.
  • More protection – In addition to offering more robust encryption, the new standard will also offer enhanced protection against brute force attacks by halting the WiFi authentication process after some number of failed login attempts. This mirrors the functionality found on many web-based authentication systems.

All of these are welcome changes indeed, but despite relatively quick action on the part of the WiFi Alliance, it will still be several months before consumers are able to purchase devices that offer WPA3 support.

Mathy Vanhoef, the researcher who brought the KRACK attack to the world’s attention, had this to say about the recent announcement:

“The standards behind WPA3 already existed for a while, but now, devices are required to support them. Otherwise, they won’t receive the WPA3-Certified label. Linux’s open source Wi-Fi client and access point already support the improved handshake, it just isn’t used in practice. But hopefully, that will change now.”

This is good news indeed, and will help make wireless networks more secure. Kudos to Mathy Vanhoef for his discovery, and for spurring the industry into action.

Electronic Device Search Rules Better Defined By US Customs

There’s a constant tug of war playing out on the national stage. On one side, privacy advocates are pushing for greater autonomy for end users, and hard limits to the types of searches that law enforcement agencies are allowed to conduct.

On the other side are the government agencies themselves, which often cite national security concerns as the justification for more and easier access to the sensitive data contained on personal devices like laptops and smartphones.

Generally speaking, the privacy advocates lose those battles. This was the case recently, when the CBP (the US Customs and Border Protection agency) published their latest electronic search guidelines. The most significant change is that the new guidelines explicitly define the difference between basic and advanced searches.

CBP agents are authorized to choose any travel, with or without cause or suspicion, for basic searches. Under the clarified rules, a basic search is limited to an examination of data found on the device itself, which is accessible through already installed apps, or through the device’s OS.

Advanced searches may be conducted, but agents must demonstrate that there’s a reasonable suspicion of criminal activity, or that the person carrying the device represents a “national security concern.”

The individual singled out for an advanced search may be permitted to be present while the search is conducted, but are not permitted to view the actual search itself for fear of revealing law enforcement techniques. Of significance, even during the conduct of an advanced search, agents are not permitted to search cloud-based data. They are restricted to data stored on the device itself.

While none of this sounds especially heavy-handed, the biggest complaint privacy advocates have about the updated rules is the fact that border agents can, at their own discretion, still carry out warrantless searches without any judicial oversight whatsoever.

Although this may not impact you directly, it pays to be mindful of the recent changes.

Vulnerabilities Found In Some GPS Services

A duo of researchers stumbled across a series of vulnerabilities in literally hundreds of GPS services that leave sensitive GPS tracking data open to hackers. Dubbed “Trackmageddon” by the researchers, the vulnerabilities span a range of weaknesses that include default or easy-to-guess passwords, IDOR (Insecure Direct Object Reference) issues, insecure API endpoints, and data collection folders that are entirely unsecured.

The reason so many different tracking services are impacted is that most of them rely on the same online software to deliver their services, and that software (believed to be designed by ThinkRace, one of the largest vendors of GPS tracking devices) itself is flawed. As more and more companies license it, the issues spread, exposing the data of an increasing number of customers who are entirely in the dark about how vulnerable their location data is.

The researchers have made attempts to contact the vendors offering GPS tracking services with vulnerabilities, but so far, have met with only limited success. According to their report:

“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users.

We understand that only a vendor fix can remove a user’s location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices, much higher than the risk of historic data being exposed.”

As to the types of data being exposed, it includes: GPS coordinates, phone numbers, IMEI numbers, device information, and depending on which online service is being used, a hacker could even gain access to audio, video, and photos uploaded by the device being used.

While extremely convenient, these services do carry significant risks. Use them at your own risk.

Backdoor In Certain Lenovo Switches Discovered

Does your company utilize either RackSwitch or BladeCenter networking switches? Are those switches running ENOS (the Enterprise Network Operating System)? If so, there’s a backdoor in your network you weren’t aware of. Even worse, it’s been there since 2004.

Engineers at Lenovo recently discovered the backdoor in the firmware when they conducted an internal security audit. These products were added to the company’s portfolio via acquisition from Nortel, and Lenovo only just became aware of their existence.

A spokesman for the company had this to say: “The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Updates are available on Lenovo’s website, and links to the updates are available inside the company’s security advisory on this topic.

It should be noted that this backdoor would be relatively difficult for a would-be hacker to exploit, because it’s not a hidden account whose password could be guessed at or cracked via brute force, but rather an authentication bypass mechanism that requires a strict set of conditions to trigger. Lenovo describes the various configurations of security settings that activate the backdoor in their security advisory.

In any case, the presence of a backdoor into your network (even one that’s hard to trigger and access) isn’t something to be taken lightly. If you’re able, grab the firmware updates from Lenovo at your next opportunity and seal the breach. If that is impractical for some reason, Lenovo has spelled out a few mitigation strategies your company can apply as a stop gap, until you can get the firmware updates in place.

Kudos to Lenovo from their swift, deft handling of the issue!

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) have discovered malicious codes embedded in copies of these on the official Chrome Web Store. The code allows hackers to manipulate the users’ browser via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.