OnePlus Mobile Phone Found To Be Collecting User Data

If you own a smartphone made by Chinese manufacturer OnePlus, you can thank security researcher Chris Moore for making a discovery that the manufacturer wasn’t going to tell you about.

It turns out that OnePlus phones running the OxygenOS are recording a disturbing amount of user data and sending it back to a company server. The data being collected on users include, but are not limited to:

• Any time the user locks or unlocks the phone
• Any time the user launches, uses or closes an app
• Which WiFi networks the device connects to
• The phone’s IMEI
• The phone number tied to the phone
• Mobile network names

All of this makes it very easy for the company to personally identify users.

When Moore was conducting his tests, he noted that the phone sent more than 16MB of data back to the server in a span of just ten hours. If you’re on a data plan with tight limits, that could max out your usage in no time.

The company issued a response to the findings, confirming that it does indeed transmit analytic data to an Amazon server in two distinct streams, one designed to help them fine-tune their software and the second for sale support, but insists that nothing nefarious is going on. They further stress that users can turn off some of the data collection by going into Settings  Advanced, and then deselecting the option to “Join The User Experience Program” which is set to active by default.

Unfortunately, this only deactivates the first of the two data streams. It is apparently impossible to deactivate the second.

The company’s official explanation seems a bit thin, but unfortunately, there’s little to be done. While you can limit the amount of data collected on you, at this time, there’s no way to stop it completely. Keep this in mind if you use a OnePlus phone.

Hard Drives Susceptible To Sound Waves, Can Double As Microphones

File this one away under “obscure and terrifying.”

Recently, a security researcher named Alfredo Ortega, speaking at a security conference in Buenos Aires, unveiled research revealing that the hard drive in your computer can be, with a bit of work, turned into a rudimentary microphone and used to spy on you.

It should be noted that this hack only works on HDDs and takes advantage of the way they are designed. Understand that this isn’t a flaw; it’s simply the way the technology works.

An HDD cannot be read or written to if it is subject to vibration. Your machine has to wait for the oscillation to stop before it can perform an action. Modern OSs come with built in tools that measure HDD operations to the nanosecond, and herein lies the secret of Ortega’s discovery.

The longer the delay, the louder the sound, and the more intense the vibration, which leads to longer delays in the read-write function of the drive.

Knowing this, Ortega figured that it would be possible to work backwards and reconstruct the sound that caused the vibration on the HDD platters.

He was at least partially correct. While his reverse engineering technology is not yet sufficiently developed to pick up conversations, he notes that there is research that can recover voice data from very low-quality signals using pattern recognition. He figures that it’s just a matter of time before someone applies it to his research.

Per Mr. Ortega: “I didn’t have time to replicate the pattern-recognition portion of that research into mine. However, it’s certainly applicable. For that reason, I would not discard that additional data like voice could be recovered in the future.”

It’s not something to be worried about immediately, but the day’s coming when your own hard drive could be used against you.

Firefox Doubles Its Speed With Latest Release

The new version of Firefox is out, and if you’ve moved away from the browser in recent years, it may be time to give it another look.

Dubbed “Quantum,” Firefox’s latest offering has been completely redesigned, and has a lot to like, not the least of which is its raw speed. This latest version is twice as fast and now handily beats Google Chrome in speed tests, thanks in no small part to its next-gen CSS engine, and the fact that it is the first browser to fully utilize the power of multicore processors.

It also consumes 30 percent less memory and positively sips battery power, making it a great choice for laptop and smartphone users.

In addition to that, the revamped browser offers improved tracker blocking, built-in screenshot functionality and of particular interest, support for WebVR, which enables webmasters to take full advantage of the capabilities offered by virtual reality headsets.

You can get Mozilla’s latest offering from their website right now if you’re a PC user, though you’ll have to wait a bit if you’re on a smartphone. The latest release is scheduled to appear on the Google Play Store in a matter of days, but there is, as yet, no ETA on when it will be appearing in Apple’s App Store.

Speed is life in business, and if you’re looking to squeeze out a bit more efficiency and performance from the machines on your network, the new Firefox browser is definitely worth checking out. It’s only a matter of time before the other major players catch up, but until they do, Firefox’s Quantum browser looks to be the new reigning king of the hill and represents a big win for mobile users, given the power savings on offer. Kudos to Mozilla for an exceptional update!

Always Connected Laptops Could Be The Next Generation Of Hardware

What’s the next big thing for the PC world? If the industry’s major players have anything to say about it, it will be the “always-on” PC.

Forget about plugging into your company’s network. Forget about free WiFi Hotspots. With an always-on PC, you won’t have to worry about either. If they’re not available, your PC can connect via the same cellular data network your smartphone uses, which means you’ll always be just a few mouse clicks away from your data.

It sounds fantastic, but there is, of course, one giant wrinkle in the equation: cost. More specifically, although several major hardware manufacturers are planning to sell always-on PCs soon, nobody knows how much the data plans will wind up costing in the longer term.

A few telecommunications companies have already given some indications here. T-Mobile has announced that its ONE unlimited service will be available for $20 a month. AT&T’s rates are significantly higher, charging $30 a month for 3GB of DataConnect data, and Verizon is charging $10 a month per gigabyte of data.

Depending on how much data you’re working with, that can get expensive very quickly. You could easily wind up paying more on your data plan than the PC itself set you back, and that’s before taking into account what impact the recent reversal on the Net Neutrality policy may have going forward.

One thing’s for certain: carriers won’t be able to get away with charging too much for the service, or customers will simply opt not to play the game, preferring to continue to flock to free WiFi hotspots as they’re doing now.

The first always-on PCs will start shipping in 2018, at which time we’ll find out how anxious the market is to embrace the new feature, and what kind of premium they’ll be willing to pay for it. Stay tuned.

Apple Might Be Working On Universal Apps Across Mac, iOS

Apple has been quietly working on something called “Project Marzipan” for a couple of years now, and it appears that they’re getting closer to unveiling it.

The company seeks to bring its MacOS and iOS platforms closer together by developing universal apps that will work in either environment. This mirrors Microsoft’s Universal Windows app strategy, where apps can detect the environment they’re running on and adjust their display and navigation accordingly.

Project Marzipan presents some real challenges for Apple because MacOS programs use an entirely different set of development tools, although there is some overlap. The programming language called Swift, for example, can be used to make apps that run in either environment, and if the company placed a greater emphasis on it, the process of creating their own universal apps would be greatly simplified.

The thinking behind Marzipan seems to be driven by the company’s desire to breathe new life into the Mac App Store, which hasn’t seen nearly the level of success as their iOS Store. The move would be a boon to developers because creating a common platform would allow Mac app developers to get their product in front of more potential customers.

Another potential reason is that the company may be planning to ultimately merge MacOS and iOS into a singular operating system that runs every Apple product. It’s a compelling theory, but the company has said nothing to confirm it.

In any event, if Apple goes ahead with Marzipan, and at this point, all indications are that they will, then we can expect a public announcement to that effect at next year’s World Wide Developer Conference. The first of the universal apps should appear not long after that, although the process of merging the two app stores and building out a robust collection of universal apps could take more than a year.

Major Security Flaw Discovered In Intel Processors

There’s some bad news if you own a computer driven by an Intel processor. Recently, a dangerous, catastrophic security flaw has been discovered in Intel’s X86-64 architecture that allows hackers to access the kernel, which sits at the heart of your OS. By accessing the kernel, a hacker can gain access to virtually everything on the targeted machine.

This is accomplished by way of a little-known feature called “speculative execution” which allows the processor to perform operations before it’s received definitive instructions that they need to be done. It’s a way of milking more speed out of the system.

Unfortunately, any such system runs the risk of giving programs permission to execute that, under normal circumstances, would not get permission. For example, a hacker could exploit this time-saving trick to force a piece of malware that Windows Defender (or related programs designed to safeguard your system) would otherwise catch and keep from running.

The truly terrifying part about this newly discovered exploit is its scope and scale. Intel chips are found in the majority of PCs and laptops being sold today, and this exploit has been sitting undiscovered until now, in every chip the company has made over the last ten years.

So far, Google researchers have identified two distinct attacks that could be used to exploit the flaw, dubbed “Meltdown” and “Spectre,” both being every bit as bad as they sound, and both capable of giving a hacker complete control over a target system. Fortunately, there have been no reported instances of either being used in the wild…yet.

The company is aware of the problem, and although they are playing things close to the vest, a fix is already in the works. Unfortunately, there’s a drawback. In order to implement the fix, it’s going to require a huge restructuring. This will likely eliminate the “speculative execution” feature, which is going to notably slow systems down. Early estimates are that when the fix is rolled out, you’ll see your system’s performance degraded by between 17-23%.

If there’s a silver lining in all this, if you happen to own a machine built around an AMD processor, give yourself a pat on the back. They don’t contain the flaw.

Virus Spread Through Facebook Messenger Mines For Cryptocurrency

Facebook scams are fairly common occurrences, owing to the sheer size of the platform’s user base. It’s no surprise that there’s a new one making the rounds that you should be aware of.

This latest threat was discovered by researchers at Trend Micro, and makes use of Facebook Messenger. If you get a message containing an embedded video file saved as a zip (the file name usually appears as “video_xxxx.zip”), don’t click on it, even if it’s from someone you know.

This file is a modified form of a legitimate piece of software called “XMRig”, an open source project that allows users to mine the cryptocurrency called Monero.

When the user clicks on this poisoned version, it will direct them to a website controlled by the hackers, in addition to quietly installing the corrupted software in the background. Once installed, the hackers put the infected PC’s processor to work for them, creating a distributed network of hash power to solve advanced cryptographic puzzles and generate new Monero “coins” for themselves.

The hackers have gone to some lengths to mask their true intentions. The site appears to be a video streaming service, and users who click on the embedded file will actually see a video playing. Of course, the website is also part of the C&C structure.

There are several intriguing things to note about this new threat:

  • It only affects people who use the Google Chrome web browser
  • It only affects PCs and Laptops. Smartphones are not impacted in any way
  • The miner software is actually controlled via the C&C server, meaning that the hackers can upgrade their malware, adding new functionality in the blink of an eye

So far, the virus has been spreading mostly in south east Asia, but has also begun appearing in the Ukraine and Venezuela. Given the global nature of Facebook’s user base, this is wholly unsurprising, so be on the lookout for it. Don’t click embedded files in Messenger, even if you think you know the sender.

Nvidia Dropping Driver Support For Older Operating Systems

AMD long ago dropped support of 32-bit operating systems, and now, Nvidia is following suit. The long-anticipated move by the company will mean the end of driver support for the 32-bit builds of Windows 7, Windows 8, Windows 8.1, Windows 10, Linux and FreeBSD.

Nvidia is taking a balanced, responsible approach here. The company has pledged to continue offering 32-bit driver security updates until January 2019, but will immediately discontinue making performance updates to the drivers of older OS’s.

In some respects, it’s long overdue. Today’s application environment is incredibly resource intensive, with a growing number of applications requiring more computing horsepower than 32-bit systems can deliver, since a 32-bit OS can only support up to 4GB of RAM.

The picture gets even bleaker if you’re a gamer. Even modest games tend to require more than 4GB of RAM these days, and most top-tier titles no longer offer support for 32-bit systems. That, combined with the fact that 32-bit systems are somewhat less secure overall, it’s probably time they were put to pasture.

Given this landscape, it’s probably time to pronounce the 32-bit operating system dead. If you’ve got some legacy applications still running on an old machine, now is the time to get serious about your migration plan.

Most of the older OS’s are no longer receiving security updates, which leaves you increasingly vulnerable to a wide range of hacks. That, coupled with the increasingly sparse driver support makes it inevitable that you’ll have to migrate at some point, and it’s always better to do it on your terms than someone else’s.

If you haven’t yet worked out what to do about your old legacy systems, it’s long past time to do so. The clock has been ticking for a while now, and the ticking just got a little bit louder.

Weird Sounds Coming From Your Speakers? Could Be A Hacker

Have you been hearing strange, otherworldly sounds on your Bose or Sonos speakers? If so, rest assured that your speakers aren’t haunted. They’ve likely been hijacked by hackers.

Researchers at Trend Micro have confirmed that some models (the Sonos Play:1, the Sonos One and the Bose SoundTouch) of both brands of speakers are vulnerable to hacking if the speaker is connected to a misconfigured network.

If the hackers find such a speaker, they can take control of the speaker and direct to play any audio file hosted at a specific URL.

It should be noted that this is an extremely exotic, fairly elaborate hack, and one that’s not likely to gain the hacker much, if anything in the way of useful information about the target network. Overwhelmingly, if and where this hack is seen at all, it will be used to play pranks on the target. About the worst thing that could happen is that the hacker would play a particularly annoying or alarming sound (a woman screaming, glass breaking, a baby crying or similar), which might lead to some sleepless nights or confusion, but not much else.

Even so, it’s worth making note of, because if a hacker is able to take control of a speaker connected to your network, it means that there’s a misconfiguration somewhere that could lead to a more serious hack down the road. If it happens to you, it’s well worth reviewing your network setup and security settings.

A spokesman for Sonos had this to say about the hack: “…looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers.”

Interestingly, this isn’t the first time such a hack has been seen. In 2014, a developer created a hack that went by the name “Ghosty” that did more or less the same thing.

Vertical Video Support On YouTube For iOS Finally Here

The owners of Android devices have been able to properly view vertical videos for more than two years, but for Apple users, it was a different story.

Instead of getting the traditional full-screen experience when viewing vertical videos, Apple users were saddled with annoying vertical bars that would appear on either side of the video itself. It’s a small thing, but undeniably annoying. Now, at long last, the problem has been solved and now Apple users can enjoy the same vertical, full-screen experience as the rest of us.

YouTube announced the upgrade in a tweet that read as follows:

“Bye-bye, black bars. Now the YouTube player on iOS will automatically adapt to the shape of the video you’re viewing!”

It matters because smartphones were designed to be held in that position, so it’s the natural way to interact with the device, no matter what you’re doing with it, including watching videos.

There’s one caveat, however: A surprising number of vertical videos won’t go full screen because they’ve actually been encoded with black bars on the sides, which technically makes them landscape vids that are only mimicking the appearance of a vertical video.

Now that YouTube has made this change, over time, you’ll probably see fewer and fewer videos shot like this and uploaded. In the short to medium term, don’t be the least bit surprised if you run into videos shot like this on a regular basis.

Why it took the company so long to update the Apple version of their app with this functionality, no one knows, but it’s not hard to hazard a few guesses. In any event, it’s not something that’s likely to have a major impact on your life, but it is a welcome change and we were happy to see it.