Sep 25

iOS 9 hack lets anyone see all photos and contacts even if phone is locked

A bug in iOS 9 lets anyone see all of a person’s pictures or contact information, even if they have locked their phone.

A very quick workaround, which uses Siri, lets people into the phone even if the passcode and the Touch ID fingerprint sensor are turned on.

To exploit the bug, would-be hackers repeatedly mash the numbers on the passcode screen until the iPhone threatens to lock the user out. Asking Siri to help open the Clock app, and then clicking through, gives people unfettered access to the Photos and Contacts apps, potentially exposing personal data.

The exploit has been shown in a proof-of-concept video by Jose Rodriguez, who has a track record of finding similar bugs in iOS. Rodriguez confirmed to Apple Insider that the phone was not his.

The bug can be easily prevented by heading to Settings and choosing Touch ID & Passcode. Turning off Siri when the phone is locked stops the hack from working.

Another way of keeping the phone safe is to use a longer, alphanumeric password rather than the four- or six-digit passcodes that are set up by default.

The problem does not seem to have been fixed in iOS 9.0.1, the recently rolled out update to the system.

Similar bugs have been found in various first updates to iOS — versions 7, 6 and 4 were all initially vulnerable to similar hacks. Since the iPhone’s lock screen is the main defence against people getting unwanted access to the phone, it has become a particular target for hackers.

Sep 25

Millions of fingerprints stolen in US government hack

Hackers who breached US government networks stole far more fingerprint records than first thought, officials have said.

In a statement, the White House said more than 5.6 million fingerprint records were stolen from the Office of Personnel Management (OPM).

An initial investigation suggested only 1.1 million were lost.

The OPM acts as the personnel office for the US government and keeps records on 21.5 million federal staff.

Identity risk

The OPM attack was uncovered in April this year and saw attackers make off with ID and security clearance information about US government staff. Social security numbers, names, addresses, health, financial and biometric data were all taken.

Fingerprint records were also stolen and the continuing investigation into the breach has revealed that far more went missing than initially thought.

The OPM played down the significance of the fingerprint theft, saying that the ability to abuse the data was “currently limited”. However, it acknowledged that the risk could rise as technology improved and fingerprints were increasingly used as a guarantee of identity.

“An inter-agency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data now and in the future,” it said in a statement.

The FBI, Pentagon and Department of Homeland Security are all part of the task force assessing how losing fingerprint data might affect victims.

The OPM said it would soon start a massive project to inform all the people whose data had been stolen.

Ken Munro from security firm Pen Test Partners said: “The biggest concern about biometrics since day one has been revocation.

“It is easy to get a new password, pin or credit card after a breach but it’s rather harder to get new fingers.”

The announcement about the scale of the hack comes as Chinese President Xi Jinping makes a state visit to the US. Security experts have pointed the finger at China as the source of the attack but it has always denied any involvement.

Mr Xi and President Obama are due to talk about cybersecurity when they meet later this week.

Sep 10

Apple’s El Capitan desktop software to come on September 30?

During its iPhone event in San Francisco, Apple may have leaked the ship date of its Mac software.

Apple may have leaked the ship date of its El Capitan desktop software during its big event in San Francisco on Wednesday.

Craig Federighi, Apple’s senior vice president of software engineering, showed off the new 3D Touch feature on the iPhone 6S smartphone while on stage at the event. During the demonstration, he opened a personal email from Phil Schiller, Apple’s senior vice president of marketing, with the subject line “El Capitan status.”

“El Capitan is looking great and the feedback from the beta has been fantastic,” Schiller wrote in the email. “El Capitan ship date is September 30.”

The email was marked as confidential. It’s unclear whether Apple was just being cheeky with the supposed leak or whether El Capitan will indeed ship on September 30. Apple didn’t immediately respond to a request for comment.

Sep 10

Laser Pointer Hack Easily Dupes Driverless Cars

A simple off-the-shelf laser pointer could be combined with a very basic computer to disrupt the multi-thousand-dollar laser ranging, or Lidar, systems installed in most self-driving cars, a security researcher warned last week.

A setup that costs about US$60 could trick the Lidar system, which autonomous vehicles use to sense objects in the road, into responding as though there were obstacles ahead in situations where there were none, said Jonathan Petit, principal scientist at Security Innovation.

That type of hack wouldn’t cause the driverless car to crash, but it could force the vehicle to slow down or even stop. In a worst-case scenario, the spurious signals could force an autonomous vehicle to remain stationary due to its sensing of phantom obstacles.

Petit, who recently joined Security Innovation, co-authored a paper describing a proof-of-concept attack, based on experiments carried out while he was a research fellow at the University of Cork’s Computer Security Group. The paper, “Potential Cyberattacks on Automated Vehicles,” by Petit and Steven E. Shladover, who was a master’s student at the university when he worked on the project, is slated for presentation at the Black Hat Europe security conference in November.

Phantom Menace

The researchers sought to test the vulnerabilities of autonomous vehicles — notably their sensors, which appeared to be the technologies most susceptible to a simple attack. To actually hack the systems, they developed a simple setup that included a low-power laser and a pulse generator.

In previous research, hackers had attempted to spoof a self-driving car’s GPS devices or wireless tire sensors. However, the Cork team aimed to create a problem by making the sensors detect something that actually wasn’t there.

“The outcome was to create fake objects that would be detected by the Lidar system,” Petit told TechNewsWorld.

The sensors in the system rely on a classifier to determine what an object might be, he added.

“All these sensors will detect noise, and nothing is 100 percent reliable, but if the Lidar picked up some reflections, it will basically try to do a check and determine if there is in fact a problem,” Petit explained.

The hack affects the Lidar system only. Cameras and other vehicle sensors used to confirm that there is in fact an object ahead are unaffected.

Short- and Long-Term Hacks

When a phantom object is detected, the car may exhibit both short- and long-term responses. The short-term reaction may be nothing more than an unnecessary stop. However, a system that’s tricked into believing there’s a blockage in the road could change the car’s plotted course and take an alternate route, possibly affecting the trip in the long term.

“This all depends on how the system reacts to what it sees ahead,” noted Petit. “The outcome depends on sensor fusion” — that is, combining sensory data that has been derived from disparate sources, which reduces uncertainty.

“A camera could check the data,” Petit explained, “but we know that an attacker could also target the other sensors. The concern is that if there are too many false positives, systems will be shut down one by one, and then the damage that any one attack can do is worse.”

Jun 23

New Lego game plays the same on PC, Mac or mobile device

Lego Minifigures Online will let people play in the same virtual world from a variety of devices.

Due out June 29 from game developer Funcom, the buy-to-play game will support Windows PCs, Apple’s Mac, and Linux, iOS and Android devices. That means you’ll be able to join fellow players in the same online world from different devices, allowing you to interact with a wider variety of people and switch between multiple platforms yourself.

Lego Minifigures Online lets you create a team of more than 100 Lego Minifigures, each with its own personality and capabilities. You then guide your team through various adventures as you journey through classic Lego worlds.

“From Pirate World to Space World, players must play together and smash their way through aliens, sea monsters, and more to unlock the full potential of their Minifigures,” Lego said in a press release. “Along the way, players will also encounter plenty of that great, universal Lego humor!”

Beyond the usual Lego game play, what makes the new game so special is that, for the first time ever, players can join each other in the same consistent and persistent virtual world whether they’re on a PC, Mac, iOS device or Android gadget. You can switch between your desktop and mobile device and keep the same game alive with your friends and other players. Funcom is also jumping onto a new trend. PC gaming is making a comeback lately, in part because high-powered computers can support games with more cutting-edge features. But mobile gaming is still hot, so Lego Minifigures Online will tap into the best of both worlds.

“Not only will it feel like a fresh, new experience for those who have played the earlier free-to-play PC version, there is also so much potential unlocked now that gamers can play with each other across platforms on a broad range of devices,” Funcom CEO Rui Casais said in a statement. “Maybe you are playing on an iPhone while your friend is on an Android tablet and your grandma is on a high-powered PC; you’ll still play together in the same world, along with thousands of other Lego fans from all over the globe.”

There is one gotcha. As Casais said, the game was initially available for the PC in a free-to-play version. Now that the game is expanding its horizons to the Mac and mobile platforms, players will have to pay to play. To entice players to pay, Funcom promises new features and content, gameplay additions and major improvements across the board.

Lego Minifigures Online will be available for PC, Mac and Linux, as well as on Valve’s online Steam store, for $29.99 on June 29, and will include all worlds and content in the game. The iOS and Android versions will debut in the App Store and on Google Play respectively for $4.99, which will include just the first online world. Users of iOS devices will be able to buy more worlds starting June 29, while Android users will be able to pick up additional worlds later this summer.