Rick Richardson's Views On Technology

BlueBorne a Silent Bluetooth Vulnerability

9/24/2017

A set of previously unknown security vulnerabilities in Bluetooth technology reportedly left billions of devices at risk of hacking, a team of Internet-of-Things (IoT) researchers has said.

Experts from Armis, a security firm, claimed last week to have found a series of flaws that put up to 5.3 billion devices with Bluetooth capabilities at risk of a highly-infectious type of attack. It could reportedly take over smartphones, smartwatches, TVs, and laptops.

In a proof-of-concept, Armis showed that the security gaps, which it dubbed "BlueBorne", could be used by attackers to spread malware or intercept data.

Unlike traditional cyberattacks, the Bluetooth method doesn't need a victim to fall for a malware-ridden link or download a booby-trapped document.

"These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date and can enable a complete takeover of the target device," experts asserted.

If Bluetooth is enabled, Armis explained in a YouTube video, an attacker could connect to the device without pairing with it, and then use that device as a "carrier" to reach other Bluetooth devices around it.

"These silent attacks are invisible to traditional security controls and procedures," said Yevgeny Dibrov, the chief executive of Armis, in a statement.

"Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," he added.

"Previously identified flaws found in Bluetooth were primarily at the protocol level," Armis claimed. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device."

In many ways, if it takes hold, the flaw resembles a digital airborne virus.

While the total number of potentially at-risk devices is astounding, there have seemingly been no known cases of hackers using the technique to exploit Bluetooth in the wild.

But that may change, because the flaws will persist on devices that no longer receive security updates and bug fixes.

"The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive," researchers said.

"If no patch is on the horizon then you should seriously consider replacing that device with one that is being patched or actively maintained," he added. "When exploits like these are found on technology that is integrated into almost every device we use, it's a real concern."

What devices are affected?

Android. All Android phones, tablets, and wearables of all versions (except devices that use only Bluetooth Low Energy) are affected by four vulnerabilities in the Android operating system: two allow remote code execution, one results in an information leak, and the last allows an attacker to perform a Man-in-the-Middle attack.

Google has issued a security patch and notified its partners. It was available to Android partners on August 7, 2017, and was made public as part of the September Security Update and Bulletin on September 4, 2017. A device whose security patch level is earlier than September 2017 should therefore be treated as unpatched, and many older handsets will never receive that level.

Windows. All Windows computers since Windows Vista are affected by the "Bluetooth Pineapple" vulnerability, which allows an attacker to perform a Man-in-the-Middle attack.
Microsoft issued security patches for all supported Windows versions on July 11, 2017, with coordinated notification on Tuesday, September 12. Windows users should check Microsoft's release notes for that update for the latest information.

iOS. All iPhone, iPad, and iPod touch devices running iOS 9.3.5 and lower, and Apple TV devices running version 7.2.2 and lower, are affected by the remote code execution vulnerability. iOS 10 already contains the fix, so no new patch is needed. Users should upgrade to the latest iOS or tvOS version available.
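The platform-and-version list above is what an administrator actually needs for triage. The following is an added worked check, not code from Armis or from this post, that applies those stated ranges to a device inventory of the kind an MDM exports. The inventory records are constructed; the assumption that an Android security patch level of 2017-09-01 or later carries the fix, and the `july_2017_update_installed` flag used for Windows, are mine for this example and are not stated in the post.

```python
"""Triage an MDM-style inventory against the BlueBorne exposure ranges given
in the post above.  This is an added illustration, not Armis' scanner or any
vendor tool.  The inventory records are constructed; the Android rule that a
security patch level of 2017-09-01 or later carries the fix, and the Windows
flag july_2017_update_installed, are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: the September 2017 Android bulletin is identified by this patch level.
ANDROID_FIX_PATCH_LEVEL = date(2017, 9, 1)


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.3.3 (14G60)' -> (10, 3, 3); parsing stops at the first non-numeric part."""
    nums: List[int] = []
    for part in v.strip().split()[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def cmp_version(a: str, b: str) -> int:
    """Numeric, right-padded comparison so '10' sorts after '9.3.5'
    (a plain string compare would put '10.0' before '9.3.5')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass
class Device:
    name: str
    os: str                     # "ios", "tvos", "android", "windows"; anything else -> unknown
    version: str                # OS version as exported by the MDM
    bluetooth_enabled: bool
    ble_only: bool = False      # Android devices with only a Bluetooth Low Energy radio
    android_patch_level: Optional[str] = None   # e.g. "2017-09-05"
    july_2017_update_installed: bool = False    # Windows: the July 11, 2017 fixes


def blueborne_status(d: Device) -> str:
    """One of: exposed, fixed, not_affected, not_reachable, unknown.
    not_reachable = vulnerable code present but the radio is off, so the
    over-the-air attack the post describes cannot currently reach it."""
    os_name = d.os.lower()
    if os_name == "ios":
        affected = cmp_version(d.version, "9.3.5") <= 0     # iOS 10 contains the fix
    elif os_name == "tvos":
        affected = cmp_version(d.version, "7.2.2") <= 0
    elif os_name == "android":
        if d.ble_only:
            return "not_affected"                           # excluded by the post
        if (d.android_patch_level
                and date.fromisoformat(d.android_patch_level) >= ANDROID_FIX_PATCH_LEVEL):
            return "fixed"
        affected = True                                     # all versions otherwise
    elif os_name == "windows":
        if cmp_version(d.version, "6.0") < 0:               # pre-Vista: outside the stated range
            return "not_affected"
        if d.july_2017_update_installed:
            return "fixed"
        affected = True
    else:
        return "unknown"
    if not affected:
        return "fixed"
    return "exposed" if d.bluetooth_enabled else "not_reachable"


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Group device names by status; the 'exposed' group is the patch-or-replace list."""
    groups: Dict[str, List[str]] = {}
    for d in devices:
        groups.setdefault(blueborne_status(d), []).append(d.name)
    return {status: sorted(names) for status, names in groups.items()}


# Constructed inventory; names, versions and patch levels are illustrative only.
INVENTORY = [
    Device("ceo-iphone", "iOS", "9.3.5 (13G36)", True),
    Device("reception-ipad", "iOS", "10.3.3 (14G60)", True),
    Device("lobby-appletv", "tvOS", "7.2.2", True),
    Device("warehouse-scanner", "Android", "6.0.1", True, android_patch_level="2017-08-05"),
    Device("sales-phone", "Android", "8.0.0", True, android_patch_level="2017-09-05"),
    Device("fitness-band", "Android", "7.1.1", True, ble_only=True),
    Device("hr-laptop", "Windows", "10.0.15063", False),
    Device("dev-laptop", "Windows", "6.1.7601", True, july_2017_update_installed=True),
    Device("kiosk-pc", "Windows", "5.1.2600", True),
    Device("label-printer", "RTOS", "2.4", True),
]

if __name__ == "__main__":
    for status, names in sorted(triage(INVENTORY).items()):
        print(f"{status:14s} {', '.join(names)}")
```

Two details matter in practice. Versions are compared numerically, because a string comparison would rank iOS 10.x below 9.3.5 and wrongly mark it exposed. And a device with Bluetooth switched off is reported separately as not currently reachable rather than as fixed, since the vulnerable code is still present and the radio can be turned back on at any time.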


Securing the Data Center on Wheels

9/17/2017

Today’s connected car is not so much a smartphone on wheels; with so many microprocessors chatting with one another across and beyond the vehicle, it is now more aptly described as a data center on wheels.
A tremendous influx of software content, connectivity, entertainment services and autonomy functionality is transforming vehicles. We are rapidly approaching a point in which the automobile will be built around the software, as opposed to the other way around.

Tesla recently made the first deliveries of its mass market “Model 3” electric vehicle. Controls are focused around a large touch screen and the shifter adds “Autopilot” to the traditional “Park”, “Reverse”, “Neutral” and “Drive” options. Full self-driving capability is promised for a later date with simply an Over-the-Air software update.

This generalized shift to software means, in turn, that the opportunity for a cyber-attack is growing rapidly. The potential attack surface is larger, and cybersecurity threats will never be eliminated altogether; but substantial work is also taking place to engineer tomorrow's vehicles so that they deal with those threats in a systematically safe and predictable manner.

Vehicle manufacturers have announced these important vehicle cybersecurity enhancements:
     •  Building-in security features to protect safety critical systems,
     •  Isolation of control systems from communications systems,
     •  Leveraging security techniques to limit unauthorized access to software and updates,
     •  Use of threat modeling and simulated attacks to inform design decisions, and
     •  Creation of the Auto ISAC (Automotive Information Sharing and Analysis Center) to enhance cybersecurity awareness and collaboration across the industry.

Cybersecurity is being moved to the vehicle’s design foundation, thanks to increased coordination across the broadening, diversifying automotive ecosystem. We are seeing the industry move away from the traditional point-to-point approach to self-healing systems.

The effect is the emergence of a holistic, systems-level approach to building organically secure vehicles that are ultimately capable of self-healing. Self-healing means responding to the inevitable cybersecurity threats in a safe and predictable manner: for example, detecting and suppressing the introduction of malware or anomalous instructions anywhere in the automotive ecosystem, from manufacturers and suppliers to the communication and control systems in the vehicle, throughout the vehicle's lifetime.

Security by Design. Security simply can no longer be an afterthought. Security must be a foundational consideration throughout the entire software-development flow for automobiles, from design to delivery. Original equipment manufacturers (OEMs), Tier 1 suppliers and other industry stakeholders must all start wearing their Chief Security Officer hat.

The industry has always had a strong emphasis on physical security; security processes for brakes, steering and other physical components have long been intensely codified. So sudden has been the surge toward software in vehicles, however, that it has somewhat crept up on the industry. Cybersecurity has effectively been stapled on top of more and more sophisticated services leveraging increased Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications. 

There have been some limited-in-scope efforts to move toward security by design and establish shared guidelines. For example, the U.S. Department of Transportation (DoT) set up a Public Key Infrastructure (PKI) and certification process for V2V and V2I systems, so that messages exchanged between vehicles and roadside infrastructure can be signed and verified rather than trusted on arrival.

There is now growing recognition across the industry that collaboration must be significantly more inclusive in order to address the challenges sufficiently. In the last two years, cybersecurity incidents have been reported broadly across the industry at Chrysler, Ford, GM and Tesla, as well as in commercial vehicles. High-tech car thieves today are leveraging laptops and potentially even smartphone apps to steal vehicles.

Risk Management. There is a bit of sensational hysteria growing around the global security conversation as automobiles become more and more connected and autonomous. The truth is that the global, increasingly broad automotive ecosystem is working more collaboratively to architect vehicles with cybersecurity at their foundation.

Risk-based approaches such as NIST's Cybersecurity Framework (CSF) are already mandatory for U.S. federal agencies and recommended for critical infrastructure sectors such as transportation.

Reporting, Sharing and Training. While the automotive industry has a very mature approach to reporting, information sharing and training when it comes to physical issues with the car—well-defined reporting and recall processes around a problem with the brake or accelerator, etc.—the model around software and cybersecurity is not nearly as formalized.

The good news is that new technologies such as automotive Intrusion Prevention Systems (IPS) and Runtime Application Self-Protection (RASP) are emerging to limit the scale of harm that can be unleashed by any single attack, to reduce attack surfaces and to harden cybersecurity capabilities. Because coordination is increasing, the ecosystem is moving toward a system-of-systems approach to automotive security.
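Two of the measures named in this post, isolating control systems from communications systems (the second bullet in the list above) and the automotive intrusion-prevention systems just mentioned, can be sketched concretely as a domain gateway that sits between the two bus segments. The following is an added illustration, not code from any manufacturer, supplier or this post; the CAN identifiers, payload lengths, periods and the traffic trace are constructed for the example and correspond to no real vehicle.

```python
"""A toy domain gateway between a vehicle's telematics/infotainment CAN segment
and its powertrain/chassis segment.  Added illustration, not any manufacturer's
or supplier's code.  It shows two measures listed in this post: isolation of
control systems from communication systems (only allowlisted frames may cross,
and only in the expected shape) and a simple intrusion-prevention rule that
suppresses frames arriving faster than the sender's nominal period.  All CAN
IDs, periods and frames are constructed and match no real vehicle."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    t_ms: int       # arrival time on the comms-side bus, milliseconds
    can_id: int     # 11-bit arbitration ID
    data: bytes     # payload (0..8 bytes for classic CAN)


@dataclass(frozen=True)
class Rule:
    dlc: int         # exact payload length this ID must carry
    period_ms: int   # nominal transmit period on the source segment


class DomainGateway:
    """Forwards comms-domain frames into the control domain only if they match
    an allowlist entry and respect that entry's timing.  Anything else is dropped
    and logged, so a compromised head unit or telematics box cannot address
    brake/steering IDs directly."""

    def __init__(self, allow: Dict[int, Rule]):
        self.allow = allow
        self.last_pass_ms: Dict[int, int] = {}
        self.log: List[Tuple[int, int, str, str]] = []   # (t_ms, id, verdict, reason)

    def forward(self, f: Frame) -> bool:
        rule = self.allow.get(f.can_id)
        if rule is None:
            return self._drop(f, "ID not on comms->control allowlist")
        if len(f.data) != rule.dlc:
            return self._drop(f, f"DLC {len(f.data)} != {rule.dlc}")
        last = self.last_pass_ms.get(f.can_id)
        # IPS rule: a frame arriving in less than half the nominal period is
        # treated as injection/flooding and dropped.  A burst therefore costs the
        # attacker every frame but the first, and the receiver sees its usual rate.
        if last is not None and f.t_ms - last < rule.period_ms // 2:
            return self._drop(f, "faster than nominal period (possible injection)")
        self.last_pass_ms[f.can_id] = f.t_ms
        self.log.append((f.t_ms, f.can_id, "PASS", ""))
        return True

    def _drop(self, f: Frame, reason: str) -> bool:
        self.log.append((f.t_ms, f.can_id, "DROP", reason))
        return False


# Constructed allowlist: the only two messages the comms domain may send inward.
ALLOW = {
    0x3A0: Rule(dlc=2, period_ms=1000),   # hypothetical "remote climate request"
    0x3B2: Rule(dlc=4, period_ms=500),    # hypothetical "map speed-limit hint"
}

# Constructed trace: normal traffic, a frame aimed at a hypothetical brake ID,
# a flood of an allowlisted ID, and a malformed allowlisted frame.
TRACE = [
    Frame(0,    0x3A0, b"\x01\x16"),
    Frame(50,   0x0C1, b"\x00\x00\x00\xff"),        # brake-domain ID from the comms side
    Frame(500,  0x3B2, b"\x00\x00\x00\x32"),
    Frame(600,  0x3A0, b"\x01\x16"),
    Frame(610,  0x3A0, b"\x01\x7f"),                # flood starts: 10 ms apart
    Frame(620,  0x3A0, b"\x01\x7f"),
    Frame(1000, 0x3B2, b"\x00\x00\x00\x32\x00"),    # wrong DLC
    Frame(2000, 0x3A0, b"\x01\x16"),
]


def run_gateway(frames: List[Frame], allow: Dict[int, Rule]) -> DomainGateway:
    """Replay a trace through a fresh gateway and return it with its log filled."""
    gw = DomainGateway(allow)
    for f in frames:
        gw.forward(f)
    return gw


def verdicts(gw: DomainGateway) -> List[str]:
    """The PASS/DROP decision for each frame, in arrival order."""
    return [v for _, _, v, _ in gw.log]


if __name__ == "__main__":
    for t, cid, verdict, reason in run_gateway(TRACE, ALLOW).log:
        print(f"{t:5d} ms  0x{cid:03X}  {verdict}  {reason}")
```

The point of the allowlist is that the control domain never sees a frame the communications domain was not designed to send, whatever the head unit has been made to do. The timing rule gives the gateway a safe, predictable response to a flood: it keeps passing frames at the expected rate and discards the surplus rather than trying to guess which frame in the burst was genuine. A production gateway would additionally check message counters or authentication codes where the message set carries them, rate-limit per bus, and report drops to an on-board or fleet intrusion-detection system rather than only logging them.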

Selfie App Spots Early Signs of Pancreatic Cancer

9/10/2017

Pancreatic cancer has a meager survival rate: just 9% of patients survive past five years. The disease, which killed Apple's co-founder Steve Jobs, is one of the hardest types of cancer to treat, but detecting and treating it early makes a big difference to survival. Now researchers at the University of Washington have come up with a simple, inexpensive test for the cancer that people can administer themselves.

The team developed an app called BiliScreen. Using a smartphone's camera and computer vision algorithms, it measures the level of the chemical bilirubin in the whites of a person's eyes. With pancreatic cancer, bilirubin levels rise and eventually turn the whites of the eyes yellow (which also happens with hepatitis); by the time that yellowing is visible to the naked eye, however, the cancer is already far advanced. BiliScreen detects much smaller increases in bilirubin and tells users whether their level is high enough to indicate possible disease. That is easier and cheaper than the blood test that is the traditional way to check, and it can be done before any symptoms start to show.

To take lighting into account, the app is used with either a special box that blocks out ambient light or paper glasses with colored squares around the edges that the app is calibrated against. With the box, BiliScreen was around 90% as accurate as a blood test at identifying concerning levels of bilirubin in a small, 70-person clinical study.


Magnify Your Smartphone Screen

9/3/2017

It seems no matter how big screens get on smartphones, they’ll never really be big enough. When Apple debuted the original iPhone in 2007, it only had a 3.5-inch display. Ten years on and smartphone screens have now ballooned up to a little over six inches. Some of the new “plus” models are practically tablets at this point.

If, however, you’re still in the camp that prefers something a bit more manageable but sort of wishes the screen was bigger at times, the Canyoze Screen Magnifier may well be a worthwhile investment. If you have kids, elderly family members, or simply want to share your screen with others without having to huddle close together, this is one surefire way to handle it.

Rather than spending extra on a tablet or even a mobile projector, the Canyoze will magnify your existing smartphone’s screen by up to 3x. Or in this case, enlarge it to a 7.6-inch screen. While it may slightly diminish the overall resolution of the picture or movie you’re viewing, it doesn’t require any electricity to work its magic so it will work anywhere you want it to, like on the plane or at the park.

It’s an easy way to show movies or YouTube clips on your phone, so everyone has a front row seat. Or use it to blow up photos when you’re gathered around to see the latest pics from your vacation.

When not in use, the Canyoze conveniently packs away into a folder that measures just 4.72” x 0.79” x 5.12”. For less than ten bucks, it’s a handy tool to keep on hand.

    Author

    Rick Richardson, CPA, CITP, CGMA

    Rick is the editor of the weekly newsletter, Technology This Week. You can subscribe to it by visiting the website.

    Rick is also the Managing Partner of Richardson Media & Technologies, LLC. Prior to forming his current company, he had a 28-year career in technology with Ernst & Young, the last twelve years of which he served as National Director of Technology.

    Mr. Richardson has been named to the "Technology 100"- the annual honors list of the 100 key achievers in technology in America. He has also been honored by the American Institute of CPAs with two Lifetime Achievement awards and a Special Career Recognition Award for his contributions to the profession in the field of technology.

    In 2012, Rick was inducted into the Accounting Hall of Fame by CPA Practice Advisor Magazine. He has also been named to the 100 most influential individuals in the accounting profession in America by Accounting Today magazine.

    In 2017, Rick was inducted as a Marquis Who’s Who Lifetime Achiever, a registry of professionals who have excelled in their fields for many years and achieved greatness in their industry.

    He is a sought after speaker around the world, providing his annual forecast of future technology trends to thousands of business executives, professionals, community leaders, educators and students.

