Samsung Smart TV security hole allows hackers to watch you, change channels or plug in malware
Samsung Galaxy S3 among Android phones vulnerable to remote wipe hack
Feds Want 'Black Boxes' in New Cars, But Who Will Be Tracking You?
Posted on: 12/22/2012
by Lisa Vaas
Did your Samsung Smart TV just switch channel?
Don't blame the dog for stepping on the remote control - there's a remote possibility it could be hackers who've hijacked your smart TV.
Researchers with Malta-based security consultancy and bug seller ReVuln have found a vulnerability in an unspecified model of a Samsung LED 3D TV that they exploited to get root access to the TV and any attached USB drives.
In a video titled "The TV is Watching You", ReVuln shows a Samsung TV screen with which the researchers systematically fiddle.
Here's what the researchers found they could access:
- TV settings and channel lists
- SecureStorage accounts
- Widgets and their configurations
- History of USB movies
- Whole partitions
- USB drives attached to the TV
By exploiting the vulnerability, ReVuln also found that they could retrieve the drive image, mount it locally, and check for sensitive documents or material that should remain private, such as usernames, passwords, financial documents, or any other type of material typically kept on USB drives.
If the victim uses a remote controller, ReVuln also found that they could get its configuration and thereby control the TV remotely.
ReVuln also found they could install malware remotely to gain complete root access to the TV, co-founder Luigi Auriemma told IDG News Service:
"If the attacker has full control of the TV...then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to 'watch' the victim."
The vulnerability extends beyond one specific model tested in the firm's lab, he said:
"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln."
ReVuln is a recent entrant into the market for buying and selling bug and vulnerability information and mostly focuses on vulnerabilities in SCADA and ICS software that run utilities, industrial systems and the like.
Auriemma has played around with TVs before. In April, he stumbled on a vulnerability in all current versions of Samsung TVs and Blu-Ray systems that would allow an attacker to gain remote access.
At the time, he said that the vulnerabilities could be found in all Samsung devices with support for remote controllers.
One hopes that the researchers have acted responsibly and informed Samsung of the vulnerabilities in their consumer devices, and that an over-the-internet firmware update to plug the security holes will be forthcoming.
Posted on 10/01/2012
by Luke Brown
An Android developer/researcher has discovered a major flaw in the way Samsung phones like the Galaxy S2 and Galaxy S3 interact with unstructured supplementary service data (USSD) code.
Ravi Borgaonkar, the researcher who found the issue, said most phones require users to hit the "dial" button before completing the code, but Samsung's unique TouchWiz interface means their devices do not.
This makes Samsung's handsets vulnerable to a string of malicious code that can not only erase a SIM card in its entirety, but can also restore a phone to its factory default settings remotely.
In both instances, the action happens without warning, and will wipe out all pertinent data before a user even knows what has happened.
Samsung not the only maker at risk
Though Borgaonkar has tested this hack out with the Samsung phones, he believes there may be more devices vulnerable to the malware, depending on what version of Android they are operating.
The malware specifically targets Android 2.3, 3.0 (Honeycomb), 4.0 (Ice Cream Sandwich), and 4.1 (Jelly Bean).
As such, HTC, Sony, and Motorola devices could potentially be at risk, including phones like the HTC One X, Motorola Droid Razr M, and Sony Ericsson Xperia Active.
According to Borgaonkar, Android Security was made aware of the flaw in June, and has pushed an update out to all carriers to help prevent the hack from taking hold.
The best way for consumers to stay out of trouble is to make sure the latest updates have been installed, and to avoid suspicious links, apps, or QR codes that could be carrying the infecting code.
TechRadar has reached out to Samsung, and will update this story if and when they respond to our request for comment.
Posted on 12/09/2012
By MARK GREENBLATT
The National Highway Traffic Safety Administration would like to make it mandatory for automakers to install a so-called "black box" in all new cars and light trucks.
The devices, also known as event data recorders, have long been used by investigators to discover the root cause of commercial airplane crashes. In recent years, however, automakers have quietly begun installing similar products in more and more cars.
Lt. Gov. Timothy Murray of Massachusetts found out the hard way last year.
He crashed a car he was driving and told police that he was wearing a seatbelt and was not speeding at the time of the crash.
However, the black box installed in his car revealed he was actually speeding at 75 miles per hour in a 65 mile per hour zone, before accelerating to more than 100 miles per hour.
According to Scott Ferson, a spokesman for the lieutenant governor's campaign, Murray believes he either fell asleep or hit black ice.
The lieutenant governor was not issued a ticket at the time of the accident. However, after police examined the vehicle's black box they handed Murray a $555 ticket for speeding in excess of 100 miles per hour.
[ABC News: "Mandatory Black Boxes in Cars Spark Controversy"]
Ferson says that Murray did not dispute the findings of the black box investigation and elected to pay the fine in full. He also said the lieutenant governor reimbursed the state for the cost of the vehicle he crashed, which was government owned.
The data recorders track a number of items, including vehicle speed, whether a driver tried to step on the brakes before a crash, information about engine throttle, air bag readiness before a crash, and whether seat belts were buckled.
The NHTSA believes the data the black boxes could collect will save lives in the future by providing a broader picture of why and how crashes occur.
"A broader EDR requirement would ensure the agency has the safety-related information it needs to determine what factors may contribute to crashes across all vehicle manufacturers," NHTSA Administrator David Strickland said.
Consumer and privacy advocates do not disagree there are many potential benefits from the devices, but insist that proper safeguards be put in place to prevent your car from turning into a spy of sorts for insurance companies that may want to raise your rates.
"There are important safety concerns here and they shouldn't be ignored, but there are also pressing privacy concerns," said Chris Calabrese of the American Civil Liberties Union. "Chiefly, who's going to access this information and how long is it going to be collected? I'd make sure that the owner of the vehicle controls the data."