IoT

16 Jun 2020
The US National Basketball Association’s plan to restart its season includes isolating players and other personnel at Walt Disney World in Orlando, Florida with a plan for frequent testing, quarantine protocols, and bracelets that beep if people come within six feet for too long. In addition, the
18 May 2020

New BIAS attack works against Bluetooth devices and firmware from Apple, Broadcom, Cypress, Intel, Samsung, and others.

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices. The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the
23 Jul 2018

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must
13 Sep 2017

Questions are being raised again about the security of Bluetooth after researchers uncovered another flaw that could potentially compromise billions of devices.

Armis published details of the Bluetooth vulnerability it is calling ‘BlueBorne’. The attack disguises itself as a Bluetooth device and exploits weaknesses in the protocol to deploy malicious code.

“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” warned the researchers. “Unlike the common misconception, Bluetooth enabled devices are constantly
06 Feb 2020

On November 3rd, 2019, [...] a critical vulnerability affecting the Android Bluetooth subsystem [was reported]. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020.

On November 3rd, 2019, [...] a critical vulnerability affecting the Android Bluetooth subsystem [was reported]. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020. The security impact is as follows: On Android 8.0 to 9.0, a remote
01 Nov 2019
A woman was killed by a spear to the chest at her home in Hallandale Beach, Florida, north of Miami, in July. Witness "Alexa" has been called yet another time to give evidence and solve the mystery. The police are hoping that the smart assistant Amazon Echo, known as Alexa, was accidentally
12 Sep 2019
Denmark released 32 prisoners as part of an ongoing review of 10,700 criminal cases, after serious questions arose regarding the reliability of geolocation data obtained from mobile phone operators. Among the various problems with the software used to convert the phone data into usable evidence, it
31 Jul 2019
The Lumi by Pampers nappies will track a child's urine (not bowel movements) and come with an app that helps you "Track just about everything". The activity sensor that is placed on the nappy also tracks a baby's sleep. Concerns over security and privacy have been raised, given baby monitors can be
11 Jan 2018
A 19-year-old medical student was raped and drowned in the River Dreisam in October 2016. The police identified the accused by a hair found at the scene of the crime. The data recorded by the health app on his phone helped identify his location and recorded his activities throughout the day. A
03 Apr 2018
The body of a 57-year-old was found in the laundry room of her home in Valley View, Adelaide, in September 2016. Her daughter-in-law, who was in the house at the time of the murder, claimed that she was tied up by a group of men who entered the house and managed to escape when they left. However, the
03 Oct 2018
The 90-year-old suspect went to his stepdaughter's house in San Jose, California for a brief visit. Five days later, the body of his stepdaughter, Karen, was discovered by a co-worker in her house with fatal lacerations on her head and neck. The police used the data recorded by the victim's Fitbit fitness
05 Dec 2018
On 14 May 2018, the husband of the victim, a pharmacist living in Linthorpe in Middlesbrough, subdued his wife with an insulin injection before strangling her. He then ransacked the house to make it appear as a burglary. The data recorded by the health app on the murderer’s phone showed him racing
29 Jul 2017
A man from Middletown, Ohio, was indicted in January 2017 for aggravated arson and insurance fraud for allegedly setting fire to his home in September 2016. Ohio authorities decided to seek, and succeeded in obtaining, a search warrant for the data recorded on the pacemaker after identifying inconsistencies in
07 Feb 2018
In February 2019 Google engineers announced that they had created a faster, more efficient encryption system that could function on less-expensive Android phones that were too low-powered to implement existing full-device encryption. The scheme, known as Adiantum, uses established and well-vetted
28 Jan 2019
As part of its planning for the 2020 Olympic Games, due to be held in Tokyo, Japan approved a law that would allow the government to conduct a survey to identify vulnerable Internet of Things devices. The National Institute of Information and Communications Technology staff who carry out the survey
14 Feb 2019
In 2016, Jamie Siminoff, the CEO of the miniature security camera company Ring, emailed his employees informing them that the company would adopt a new mission to fight crime by using consumer electronics. The company, which Amazon acquired in 2018, sells its cameras with a social app, "Neighbors"
10 Jan 2019
The miniature security camera maker Ring, which was acquired by Amazon in 2017 for a reported $1 billion, has a history of inadequate oversight of the data collected by those cameras on behalf of its customers. In 2016, it reportedly granted virtually unlimited access to its Ukraine-based research
21 Feb 2019
In February 2019, a faulty firmware update meant that Nike's latest $350 Adapt BB self-lacing shoes could not pair with the app that allows owners to adjust their tightness, customise the lights, and check remaining battery life. Because the shoes have no physical laces, the error effectively made
10 Apr 2019
An investigation by Bloomberg disclosed that thousands of Amazon employees around the world are listening in on Amazon Echo users.
14 Nov 2018
In yet another murder case, a New Hampshire judge ordered Amazon to turn over two days of Amazon Echo recordings in a double murder case in November 2018. Prosecutors believe that recordings from an Amazon Echo in the Farmington home where two women were murdered in January 2017 may yield further
23 Aug 2018
In August 2018, domestic abuse victims, their lawyers, shelter workers, and emergency responders began finding that the Internet of Things was becoming an alarming new tool for harassment, monitoring, revenge, and control. Smartphone apps enable abusers to remotely control everyday objects inside
01 Jun 2018
In June 2018, security researchers found that Google's smart speaker and home assistant, Google Home, and its Chromecast streaming device could be made to leak highly accurate location information because they failed to require authentication from other machines on their local network. The attack
28 Jul 2018
In 2018, documents filed in a court case showed that a few days before the 2017 inauguration of US president Donald Trump - timing that may have been a coincidence - two Romanian hackers took over 123 of the police department's 187 surveillance cameras in Washington, DC with the intention of using
15 Apr 2018
In a talk at the 2018 Wall Street Journal CEO Council Conference, Darktrace CEO Nicole Eagan gave as an example of the new opportunities afforded by the Internet of Things a case in which attackers used a thermometer in a lobby aquarium to gain a foothold in a casino's network and exfiltrate the
27 Apr 2018
For years, car manufacturers including Range Rover, BMW, and Volkswagen kept secret security risks in their vehicles' keyless entry systems that exposed hundreds of millions of car owners to the risk of theft from attackers using gadgets available online for £100. In March 2018, Range Rovers were
05 Jun 2018
In 2018, a South Carolina woman realised her FREDI video baby monitor had been hacked when the camera began panning across the room to the spot where she breastfed her son. A 2015 study conducted by Rapid7 found that baby monitors have a number of vulnerabilities that are both easily exploited and
05 Jun 2018
In June 2018, after privacy activists found security flaws in toys such as My Friend Cayla and others and the US Consumer Product Safety Commission opened an investigation into the problems of connected gadgets, Amazon, Walmart, and Target announced they would stop selling CloudPets. Made by Spiral
10 May 2018
In May 2018, researchers in the US and China demonstrated that they could send commands that activate Apple's Siri, Amazon's Alexa, and Google Assistant but that are inaudible to the human ear. The researchers were able to make smartphones and smart speakers dial phone numbers and open websites; the
06 May 2018
In May 2018, the UK's Information Commissioner's Office announced it would investigate Police Scotland after Privacy International filed a complaint that officers' use of "cyber kiosks", which when connected to a device can view all its data, violated the Data Protection Act. Trials of the technology
20 Jul 2018
Britain's £11 billion plan to offer smart meters to all homes and businesses by the end of 2020 was based in part on claims that the meters would give consumers better information about the energy they were using and offer sophisticated variable rate charging as part of working to combat climate
15 Sep 2018
In 2014, Britain announced an infrastructure plan requiring all energy suppliers to offer smart meters to all homes and businesses by the end of 2020. With two years to go, at the end of 2018, the problems customers experienced after making the switch led to calls to halt the rollout, which had
13 Oct 2018
In October 2018, a transparency report from the smart home company Nest, which Google acquired for $3.2 billion in 2014, found that between 2015 and 2018 Nest had been told to hand over data on 300 separate occasions relating to up to 525 Nest account holders. Nest turned over data in fewer than 20%
12 Oct 2018
In October 2018, the app that supports the burglar alarm functions of Yale's "smart" locks and burglar alarms was disabled for 24 hours after an "unforeseen issue while carrying out unplanned network maintenance". Customers complained that they were unable to open or lock doors or disarm alarms, and
09 Oct 2018
In October 2018 Amazon patented a new version of its Alexa virtual assistant that would analyse speech to identify signs of illness or emotion and offer to sell remedies. The patent also envisions using the technology to target ads. Although the company may never exploit the patent, the NHS had
28 Mar 2018
In March 2018, Facebook announced it was scrapping plans to show off new home products at its developer conference in May, in part because revelations about the use of internal advertising tools by Cambridge Analytica have angered the public. The new products were expected to include connected
Reporter Kashmir Hill tested life in a smart home by adding numerous connected devices. The self-heating bed gave her daily reports on whether she'd reached her "sleep goal". She liked the convenience of the voice-activated lights, coffee maker, and music, the ability to convey a message to a
15 Jan 2018
Modern vehicles are networks of sophisticated computers on wheels that can collect more intimate data about ourselves and our lives than smartphones do. The agreements covering nearly every new vehicle that is leased or sold in the US often now include a clause permitting the manufacturer to monitor
14 Jan 2018
Police investigating the 2016 rape and murder of a 19-year-old medical student were unable to search the iPhone of suspect Hussein Khavari, an Afghan refugee who declined to give them his password. The investigators gained access to the phone via a private company in Munich, and went through Apple's
30 Oct 2017
In October 2017, the farm equipment manufacturer John Deere began requiring American farmers to sign an agreement forbidding almost all repair and modification of the equipment they buy and also preventing them from suing for software-related problems. In response, they began hacking their John
04 Dec 2017
The French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), has issued a formal notice to Genesis Industries Limited, the maker of the connected toys My Friend Cayla and I-QUE. Genesis has two months to bring the toys into compliance with data protection
24 Nov 2017
Recognising that many parents will be considering purchasing connected toys and other devices for their children, for Christmas 2017 the UK's Information Commissioner's Office issued a list of 12 guidelines for assessing products before purchasing. These include: research the product's security
12 Oct 2017
Some of the Google Home Mini units distributed before release to the tech press and at "Made By Google" events had a defective touch panel. The devices were meant to turn on recording only when the owner woke it up with "OK, Google" or applied a long press to the centre of the touch panels. Instead
21 Aug 2017
Sonos, which makes connected home sound systems, has told its customers that they will not be able to opt out of a new privacy policy launched in August 2017 that allows the company to begin collecting audio settings, errors, and other account data. Customers can opt out of sending some types of
10 Nov 2017
Owners of the Hong Kong-based sex toy company Lovense's vibrators who installed the company's remote control app were surprised to discover that the app was recording user sessions without their knowledge. They had authorised the app to use the phone's built-in microphone and camera, but only for
11 Sep 2017
On September 11, 2017, while Florida residents were evacuating during the approach of Hurricane Irma, Tesla rolled out a real-time software update that increased the battery capacity of some of its Model S sedans and Model X SUVs. The update extended the vehicles' range, enabling drivers to travel
14 Nov 2017
The UK consumer watchdog Which? has called on retailers to stop selling popular connected toys it says have proven security issues. These include Hasbro's Furby Connect, Vivid Imagination's I-Que robot, and Spiral Toys' Cloudpets and Toy-fi Teddy. In its report, Which? found that these toys do not
Privacy and child advocacy groups in the US, Denmark, Belgium, the Netherlands, Sweden, Germany, and the UK are filing complaints with regulators after a study by the Norwegian Consumer Council found critical security flaws and missing privacy protection in children's smartwatches. The watches
A report from the University of Washington studies parents' and children's interactions with general-purpose connected devices and connected toys. There are numerous privacy issues: toy companies may collect masses of children's intimate data; the toys may enable parents to spy on their children
04 Oct 2017
In 2017, after protests from children's health and privacy advocates, Mattel cancelled its planned child-focused "Aristotle" smart hub. Aristotle was designed to adapt to and learn about the child as they grew while controlling devices from night lights to homework aids. However, Aristotle was only
08 Sep 2016
The "couples vibrator" We-Vibe 4 Plus is controlled via a smartphone app connected to the device via Bluetooth. In 2016, researchers revealed at Defcon that the device uses its internet connectivity to send information back to its manufacturer including the device's temperature, measured every
06 Jun 2016
In 2016, security expert Ken Munro discovered security bugs in the onboard wifi in Mitsubishi's Outlander hybrid car that could be exploited to turn off the car's alarm. Some aspects of the Outlander can be controlled by a smartphone app that talks to the car via the onboard wifi. Security flaws in
22 May 2015
In 2015, the Carrefour supermarket in Lille installed a system of LED lights designed by Philips that send special offers and location data to customers' smartphones. Using the system, customers who install an app can use their smartphone camera to detect all the promotions around them or search for
30 Oct 2015
In 2015, plans to install smart electricity meters in 95% of Austrian homes by 2019 were in doubt because of legal uncertainty about data protection, with customers trying to prevent their deployment, according to Die Presse newspaper. The idea is that smart meters will allow customers to log on and
08 Aug 2016
Many people fail to recognise the sensitivity of the data collected by fitness tracking devices, focusing instead on the messages and photographs collected by mobile phone apps and social media. Increasingly, however, researchers are finding that the data collected by these trackers - seemingly
24 Apr 2016
As part of its Smart Nation programme, in 2016 Singapore launched the most extensive collection of data on everyday living ever attempted in a city. The programme involved deploying myriad sensors and cameras across the city-state to comprehensively monitor people, places, and things, including all
31 May 2016
As speech recognition and language-processing software continue to improve, the potential exists for digital personal assistants - Apple's Siri, Amazon's Alexa, and Google Assistant - to amass deeper profiles of customers than has ever been possible before. A new level of competition arrived in 2016
01 Jun 2016
The price of using voice search is that Google records many of the conversations that take place in their presence. Users wishing to understand what Google has captured can do so by accessing the portal the company introduced in 2015. Their personal history pages on the site include both a page
18 May 2016
In 2016, Verbraucherzentrale NRW, a consumer protection organisation in the German state of North Rhine-Westphalia, accused Samsung of harvesting data and sending it back to the company over the internet without informing users as soon as its smart televisions are connected to the internet. The
15 Mar 2016
In 2016, when security expert Matthew Garrett stayed in a London hotel where the light switches had been replaced by Android tablets, it took him only a few hours to gain access to all of the room's electronics. The steps he followed: plug his laptop into a link in place of one of the tablets; set
30 Jan 2016
By 2016, a logical direction for data-driven personalisation efforts to go was toward the "Internet of Emotions": equipping devices with facial, vocal, and biometric sensors that use affective computing to analyse and influence the feelings of device owners. Of particular concern is the potential
14 May 2015
In 2015, Chinese authorities banned the 1.6 million members of the country's People's Liberation Army from using smartwatches and other wearable technology in order to prevent security breaches. Army leaders announced the decision after a soldier in the city of Nanjing was reported for trying to use
24 Nov 2015
In 2015, ABI Research discovered that the power light on the front of Alphabet's Nest Cam was deceptive: even when users had used the associated app to power down the camera and the power light went off, the device continued to monitor its surroundings, noting sound, movement, and other activities
10 Nov 2016
In 2016, researchers at Dalhousie University in Canada and the Weizmann Institute of Science in Israel developed a proof-of-concept attack that allowed them to take control of LED light bulbs from a distance of up to 400 metres by exploiting a flaw in the Zigbee protocol implementation used in the
28 Oct 2016
In a presentation at London's 2016 Black Hat cybersecurity conference, researchers from UCL showed that it was possible to use ultrasound to track consumers across multiple devices. Marketers were already using beacons inaudible to the human ear to activate functions on devices via their microphones
10 Jun 2016
In June 2016, National Security Agency deputy director Richard Ledgett told a military technology conference that the agency was researching whether internet-connected biomedical devices such as pacemakers could be used to collect foreign intelligence. Ledgett identified the complexity
07 Oct 2015
The news that connected TVs and set-top boxes were listening in on their owners' conversations led the state of California to pass legislation (AB1116) prohibiting companies from operating a voice recognition feature without prominently informing the user or installer during initial setup. In
05 Apr 2016
In April 2016, Google's Nest subsidiary announced it would drop support for Revolv, a rival smart home start-up the company bought in 2014. After that, the company said, the thermostats would cease functioning entirely because they relied on connecting to a central server and had no local-only mode
08 Mar 2016
In 2016 the Dutch Data Protection Authority (AP) ruled that the Personal Data Protection Act prohibits companies from monitoring their employees' health via wearables, even when employees have given their permission. The ruling concluded the AP's investigation into two companies; in one of them
In 2017, when user Robert Martin posted a frustrated, disparaging review of the remote garage door opening kit Garadget on Amazon, the peeved owner briefly locked him out of the company's server and told him to send the kit back. After complaints on social media and from the company's board members
27 Apr 2017
Connecticut police have used the data collected by a murder victim's Fitbit to question her husband's alibi. Richard Dabate, accused of killing his wife in 2015, claimed a masked assailant came into the couple's home and used pressure points to subdue him before shooting his wife, Connie. However
23 Jun 2018
Even after they move out, domestic abusers may retain control over their former residence via Internet of Things devices and the mobile phone apps that control them. Using those tools, abusers can confuse, intimidate, and spy upon their former spouses and partners. Lack of knowledge about how these
A 2017 lawsuit filed by Chicagoan Kyle Zak against Bose Corp alleges that the company uses the Bose Connect app associated with its high-end Q35 wireless headphones to spy on its customers, tracking the music, podcasts, and other audio they listen to and then violates their privacy rights by selling