Tag: Privacy Breach

  • Facebook Could Soon Design Its Own Chipsets

    It might be an understatement to say that Facebook has had a tumultuous month and a half. Ever since the Cambridge Analytica data breach controversy broke out, Facebook has been under the cosh for its lackadaisical data privacy guidelines. However, not all is gloomy for the social media giant as the company seeks to build its own chipset design team.

    According to a job listing on its corporate website, Facebook is looking to hire a manager to build an:

    End-to-end SoC/ASIC, firmware and driver development organization.

    The listing indicates that the process of building this team is still in its early stages. Interestingly, Facebook AI researcher Yann LeCun tweeted about some of the job postings as well.

    Facebook, like a lot of other tech giants, appears to have taken this step to reduce the cost of production in the future and to have greater control over the final product. As Apple has proven time and again, optimisation of software and hardware can do wonders for a product.

    The social media company has joined a long list of companies moving away from outsourcing chipmaking tasks. According to a few people close to the matter, Facebook is building a team to design its own semiconductors to lower its dependence on chipmakers such as Intel Corp. and Qualcomm Inc. Apple started making its own chipsets in 2010 and now uses them across many of its major product lines, such as iPhones and iPads. Google, too, has developed its own artificial intelligence chip.

    Facebook has long been rumoured to be working on a bunch of smart speakers. The company will also launch the Oculus Go, a standalone VR headset which will run on a Qualcomm chipset. Building a team to design its own chipsets could be for the future of its hardware business.

  • OnePlus Admits Credit Card Information Of 40,000 Customers May Have Been Stolen

    OnePlus has just launched the new Lava Red colour variant of the OnePlus 5T in India, a few weeks after it was unveiled in China. While OnePlus 5T suitors might be rejoicing about another possible option to buy, there are a few customers who might be left with a sour taste in their mouths after shopping on the OnePlus store.

    A few days ago, OnePlus shut down all credit card payment options on its official website after a few reports claimed that a lot of customers were facing issues after making payments on the OnePlus store. Affected customers reported cases of fraudulent transactions made without their knowledge, with one person saying someone ordered US $200 worth of Papa John’s pizza.

    After an investigation, OnePlus posted a statement that is good news for neither the Chinese company nor the aggrieved customers. In its forums, the company posted the following:

    We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.

    The company confirmed that the severity of the problem is far larger than initially thought. It goes on to state that this could have affected anyone who entered credit card information on OnePlus’ website from as far back as mid-November 2017. During the investigation, it was discovered that one of OnePlus’ systems had been attacked by a malicious script that intermittently captured data from a user’s browser window.

    While the infected server has since been isolated, it is unclear how much damage it inflicted during its two-month-long active period. OnePlus says that credit card numbers, expiry dates, and security codes may have all been compromised. However, as a silver lining in the dark clouds, credit cards already saved on the site are apparently unaffected, according to OnePlus.

    While the company took the opportunity to apologise to its customers, it is hard to imagine that the company’s reputation will remain unscathed after such a severe incident. Whether the inability to make payments on its official website will have a huge impact on sales, especially a few days after the company announced its record sales numbers of 2017, is yet to be seen. However, above the sales figures and record numbers lies the trust of a consumer, and that might be dented after such a huge security failure.

  • UIDAI Claims All Aadhaar Biometric Private Data Is Safe

    The Unique Identification Authority of India (UIDAI) has responded to reports that someone sold over 1 billion Aadhaar card details for just Rs. 500. In a statement, the organisation has claimed that all data is safe. In response, UIDAI has also filed an FIR for unauthorised access to Aadhaar data, such as names and other demographic details, due to the misuse of the grievance redressal facility at the office of the Surat district administration in Gujarat.

    UIDAI denied that the breach allowed access to millions of Aadhaar cardholders’ details, saying the search facility is available for the purpose of grievance redressal to designated personnel and state government officials and details are limited to the particular Aadhaar number punched in.

    UIDAI assures there has not been any Aadhaar data breach. The Aadhaar data, including biometric information, is fully safe. UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details.

    Stating that the given case appears to be a misuse of the grievance redressal search facility, UIDAI said it maintains a complete log and traceability and legal action will follow.

    The news broke when a report in The Tribune claimed that after paying just Rs. 500 to an agent, the investigators were handed a login ID and password giving access to the particulars of any Aadhaar number.

    Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

    You can read the in-depth report on the matter here.

  • Google Could Owe Over US $650 To Every iPhone User

    Lawsuits and counter-lawsuits between tech companies have been going on for as long as one can remember. But a tech giant owing a considerable amount of money to consumers could be the new talking point. British consumers who used an iPhone between June 2011 and February 2012 could receive as much as US $672 each from Google as compensation for the search giant bypassing Safari privacy settings between those dates.

    Google’s backdoor method of installing cookies on iPhones despite them being blocked in Safari’s settings was discovered in 2012.

    A British campaign group launched a class action lawsuit on behalf of the 5.4 million iPhone users in England and Wales affected by Google’s ‘Safari workaround.’ The lawsuit could cost Google as much as US $3.63 billion.

    The campaign group, You Owe Us, has said that the British iPhone owners affected by the breach of privacy do not need to take any action at this stage to be included in the lawsuit.

    We have started a representative action against Google because we believe they abused the rights of iPhone users by taking their data unlawfully.

    A representative action is when a group of people affected by the same issue are represented by a single person to bring a claim. Consumers can use such an action to hold large companies to account. Representative actions need representatives, ours is Richard Lloyd.

    If you were affected you will automatically be part of the claim and you do not need to take any further action. Richard Lloyd and the lawyers are taking care of the case.

    The compensation amount has not been officially decided yet. The campaign group says that the amount would be decided by the court.

  • Apple Has Fixed The MacOS Security Flaw Already

    Only yesterday (29th November), news broke of a major security flaw that allowed anyone to gain root access to a Mac device running MacOS High Sierra.

    Apple issued a statement:

    Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

    When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

    We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

    Apple’s latest MacOS High Sierra operating system had a very serious flaw that allowed anyone with access to a Mac to gain root access by simply typing “root” as the username. The flaw didn’t even require someone to enter a password, which means that anyone with zero hacking knowledge and evil intentions could get into your Mac.

  • This MacOS High Sierra Bug Lets Anyone Login Into A Mac

    Securing our gadgets in this day and age is of utmost priority since most of our lives are now digital. But it appears that your Mac running MacOS High Sierra might be susceptible to a serious security hack.

    Apple’s latest MacOS High Sierra operating system has a very serious flaw that can allow anyone with access to a Mac to gain root access by simply typing “root” as the username. It appears that the flaw doesn’t even require someone to enter a password, which means that anyone with zero hacking knowledge and evil intentions can get into your Mac.

    Apple has responded to the complaints and announced that it is working on a fix.

    Patrick Wardle, a security researcher with Synack, said:

    We always see malware trying to escalate privileges and get root access. This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter.

    This was Apple’s response:

    We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.

    If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.

    If you are one of the many people who updated their Mac machine to the latest OS, it will be sensible to follow Apple’s instructions until a new update fixes this major security bug.

  • Another OnePlus App Can Allow Hackers To Steal Your Photos, GPS And More

    OnePlus cannot seem to catch a break. A few days after it was revealed that OnePlus left an application that allowed backdoor entry to OnePlus devices, a new application has been found recording sensitive data and storing it unencrypted inside the phone. This app is reportedly called OnePlusLogKit and, as its name suggests, logs an extensive amount of user data.

    The same researcher who exposed the EngineerMode app a few days ago has made the new revelation as well. The researcher wrote in a post that all of the user data stored by this app is unencrypted, and added that this data could also likely be sent to China. The researcher, who goes by the moniker of Elliot Anderson, also said that he believes that the app may have been intentionally left on users’ devices by the Chinese smartphone maker.

    He said that all one had to do to trigger the app into logging the data and accessing it was to dial *#800# on the smartphone’s dial pad. This action automatically opens up the app’s interface with which one can either switch the logging feature on or off.

    These findings do not come at an ideal time for OnePlus. The Chinese smartphone maker is gearing up to launch the OnePlus 5T on the 16th of November. The device will be OnePlus’ sixth device in its short lifespan and will take a design detour from previous OnePlus phones with thin bezels and a tall display.

    OnePlus was just recently accused of collecting sensitive data of users and the company has barely come out of the aftermath following such serious allegations. It won’t be surprising if OnePlus left the application inside the phones on purpose since it admitted to collecting data from its phones to improve the user experience.

  • All WiFi Devices Vulnerable To KRACK Attacks

    Security researchers claim to have found severe vulnerabilities in WPA2 (WiFi Protected Access II). This is an extremely popular security protocol, so much so that it is used by almost every WiFi device on the planet. The vulnerabilities can allow anyone near your router to access the WiFi traffic being sent through it.

    There is a dedicated website called krackattacks.com, named after the proof-of-concept attack called KRACK (Key Reinstallation Attacks). Researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, explains:

    Concretely, attackers can use this novel [KRACK] attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.

    The attack targets WiFi clients using WPA2, and compromises the encryption protocol used for communicating with the router. Once this is done, any data or information that the victim transmits can be decrypted. He adds that the attack is exceptionally devastating against Linux and smartphones running Android 6.0 or higher, though devices running Apple’s mobile and desktop operating systems, Windows, OpenBSD etc. are all vulnerable, too. To protect against the attack, Wi-Fi clients such as laptops, smartphones, smart home devices and the like will need to install security updates.

    Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates.

    The vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

  • Some Google Home Minis Just Won’t Stop Listening To You

    Google recently hosted its launch event on October 4th and announced the new Google Home Mini, a US$49 smart speaker that competes with the Amazon Echo Dot but uses Google’s own AI, Google Assistant. The Home Mini was available for pre-orders from 4th October and some of the early units shipped have a defect that was anticipated due to the “always listening” feature.

    Smart home products are a great addition, and smart speakers like the Amazon Echo and Google Home do make your life easier with voice commands. But the fact that these speakers are always listening to you, and the question of how much of that is recorded and sent back to the company, is a cause for scepticism in the minds of a lot of consumers.

    Artem Russakovskii of Android Police had his Google Home Mini delivered a few days ago and started noticing abnormal behaviour from the smart speaker. The speaker would not respond to most commands, and the reason turned out to be that it was constantly being triggered to listen for commands.

    Google has responded to this defect and acknowledged that some of the Google Home Minis do have this serious issue:

    We have learned of an issue impacting a small number of Google Home Minis that could cause the touch mechanism to behave incorrectly. We are rolling out a software update today that should address the issue.

    Google says that the long press function, also found on the Google Home, is at the centre of this issue. The Home Mini fell prey to a “phantom touch” issue wherein it registered a physical long press and started listening to the users in order to provide an answer. Google, however, was quick to work on fixing this major privacy issue. A minor software update has already been pushed to the Home Mini which disables that hardware gesture, leaving the Home Mini only accessible via the “OK Google” command. Google has already updated its documentation to reflect that this is temporarily disabled, and it may stay that way once units are fully available on the market.

  • OnePlus Found Recording Personal Data Of Users

    In yet another case of a Chinese smartphone maker recording sensitive data of its users, OnePlus has been found to do something similar. Normally, a certain level of information is sent to the company, such as crashes, bugs and general issues that could be fixed by a software update. However, OnePlus was found to collect data that includes IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers, and more.

    Christopher Moore, a software engineer, made a post on his personal blog showing his discoveries. During a Hack Challenge, Moore began proxying the internet traffic from his OnePlus 2 using OWASP ZAP, which allowed him to view all incoming and outgoing internet traffic from his phone. Among the usual network activity, he noticed a large number of requests to open.oneplus.net. Through deeper inspection, he found the domain name to be an Amazon AWS instance owned by OnePlus. He was able to decrypt the data (using the authentication key on the phone), which revealed that his OnePlus 2 was sending time-stamped information about locks, unlocks, and unexpected reboots.

    It is quite usual for a phone to log OS crashes, as it allows developers to find a fix for such bugs. But, as Moore notes in his blog, sending data every time the phone is locked or unlocked seems a bit intrusive. Moore discovered that some of the data being sent to OnePlus’ servers included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, and the phone’s serial number. He later found out that the data included every time an app was opened.

    OnePlus had this to say in response:

    We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.

    There are rumours that OnePlus is working on the OnePlus 5T, which might be launched in November, and it remains to be seen whether these revelations about sensitive data recording will have any repercussions on the company’s plans.
