Security risk

03 Jun 2020
The lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently-launched COVID-19 tracking technology, which partially depends on a system originally developed to combat
02 May 2020
A security lapse exposed one of the core databases of the coronavirus self-test symptom checker app launched by India's largest cellphone network, Jio, shortly before the government lockdown began in late March. The database, which had no password protection and contained millions of logs and
11 May 2020
The Indian state of Madhya Pradesh created a COVID-19 dashboard that displayed the names of at least 5,400 quarantined people, their device IDs and names, their OS version, app version codes, current GPS coordinates, and office GPS coordinates. Shortly after the dashboard's existence was posted on
06 May 2020
Shortly after launch, security researcher Baptiste Robert discovered that India's contact tracing app, Aarogya Setu ("Health Bridge"), allows users to spoof their GPS location, find out how many people reported themselves as infected within any 500-metre radius, and mount a triangulation attack to
10 May 2020
A number of incidents in which Zoom events in education settings were disrupted led the New York City school district to ban the use of Zoom for remote learning. Among the Zoombombing incidents: saboteurs inserted racist and anti-Semitic messages into a virtual graduation ceremony at Oklahoma City
18 May 2020

New BIAS attack works against Bluetooth devices and firmware from Apple, Broadcom, Cypress, Intel, Samsung, and others.

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices. The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the
26 Apr 2020
A reverse-engineering analysis of Vietnam's official Bluetooth-based contact tracing app, Bluezone, which was developed by a coalition of local technology companies and the Ministry of Information and Communications, shows that the app is broadcasting a fixed six-character ID the app assigned to
25 Sep 2017
Mexico is one of the biggest buyers of next-generation surveillance technology. And now data leaked to Forbes indicates it's taken an unprecedented step in becoming the first-known buyer of surveillance technology that silently spies on calls, text messages and locations of any mobile phone user
29 Mar 2020

Saudi Arabia appears to be exploiting weaknesses in the global mobile telecoms network to track its citizens as they travel around the US, according to a whistleblower who has shown the Guardian millions of alleged secret tracking requests.

Data revealed by the whistleblower, who is seeking to expose vulnerabilities in a global messaging system called SS7, appears to suggest a systematic spying campaign by the kingdom, according to experts.

The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019.

The tracking requests, which sought to establish the US location of Saudi-registered phones, appeared to originate from Saudi's three biggest mobile phone companies.

The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed. The data leaked by
23 Jul 2018

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must
13 Sep 2017

Questions are being raised again about the security of Bluetooth after researchers uncovered another flaw that could potentially compromise billions of devices.

Armis published details of the Bluetooth vulnerability it is calling 'Blueborne'. The attack disguises itself as a Bluetooth device and exploits a weakness in the protocol to deploy malicious code.

“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” warned the researchers. “Unlike the common misconception, Bluetooth enabled devices are constantly
18 Nov 2019

An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking. Zhiqiang Lin, associate professor of computer science and engineering at the university, found the commonly
06 Feb 2020

On November 3rd, 2019, [...] a critical vulnerability affecting the Android Bluetooth subsystem [was reported]. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020. The security impact is as follows: On Android 8.0 to 9.0, a remote

Researchers at the Center for IT-Security, Privacy and Accountability (CISPA) have identified a security vulnerability related to encryption on Bluetooth BR/EDR connections. The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used.
28 Nov 2018
In November 2018, Germany's Federal Cyberintelligence Agency (Bundesamt für Sicherheit in der Informationstechnik, or BSI) released a highly detailed analysis of the myriad ways that Windows 10 tracks users, showing that only enterprise versions of Windows have the ability to turn them off. BSI
04 Apr 2019
The Five Star Movement, a populist party, which is currently in power along with the League in Italy initially grew out of Il Blog delle Stelle (formerly Beppe Grillo’s blog). The Five Star Movement was founded by comedian Beppe Grillo, along with Gianroberto Casaleggio, a web strategist in 2009. As
18 Feb 2019
In February 2019, with a general election expected in May, the Australian government revealed that Australia's main political parties had been hacked by a "sophisticated state actor". The Australian Cyber Security Centre uncovered the hack while investigating a just-revealed hack of the Australian
05 Nov 2018
Shortly before the 2018 US midterm elections, Georgia secretary of state and gubernatorial candidate Brian Kemp accused Georgia's Democratic Party of hacking into the state's voter registration database, though without providing any evidence to support the claim. The motives behind the claim were
20 Sep 2018
In September 2018, Google warned a selection of US senators and their aides that their Gmail accounts were being targeted by foreign government hackers. Google has issued warnings of phishing attempts by state-sponsored actors since 2012, though getting a notice does not mean the account has been
08 Jul 2018
In July 2018, members of the Internal Security Organisation, Uganda's counterintelligence agency, raided South African telecommunications provider MTN's Uganda data centre in Mutundwe. In a letter to the police, MTN said the ISO kidnapped a data manager who worked for the contractor that ran the
11 Aug 2018
At the 2018 DefCon security conference, a researcher from the security firm Nuix presented the discovery that body cameras from five different manufacturers whose cameras are in use by US law enforcement are vulnerable to remote digital attacks, some of which could manipulate footage so it could not
27 Apr 2018
For years, car manufacturers including Range Rover, BMW, and Volkswagen kept secret security risks in their vehicles' keyless entry systems that exposed hundreds of millions of car owners to the risk of theft from attackers using gadgets available online for £100. In March 2018, Range Rovers were
05 Jun 2018
In 2018, a South Carolina woman realised her FREDI video baby monitor had been hacked when the camera began panning across the room to the spot where she breastfed her son. A 2015 study conducted by Rapid7 found that baby monitors have a number of vulnerabilities that are both easily exploited and
05 Jun 2018
In June 2018, after privacy activists found security flaws in toys such as My Friend Cayla and others and the US Consumer Product Safety Commission opened an investigation into the problems of connected gadgets, Amazon, Walmart, and Target announced they would stop selling CloudPets. Made by Spiral
26 Sep 2018
In September 2018, researchers discovered that websites accessed via mobile phones could access an array of device sensors, unlike apps, which request permissions for such access. The researchers found that 3,695 of the top 100,000 websites incorporate scripts that tap into one or more sensors
14 Sep 2018
In September 2018, a number of people whose Google Pixel phones, Essential Phone, OnePlus 6, Nokia handsets, and other devices running Android 9 Pie discovered that the devices had, apparently autonomously, activated the software's Battery Saver feature. Google later explained that an internal
12 Oct 2018
In October 2018, the app that supports the burglar alarm functions of Yale's "smart" locks and burglar alarms was disabled for 24 hours after an "unforeseen issue while carrying out unplanned network maintenance". Customers complained that they were unable to open or lock doors or disarm alarms, and
16 Dec 2017
In December 2017, it was revealed that the large telco Bharti Airtel made use of Aadhaar-linked eKYC (electronic Know Your Customer) to open bank accounts for their customers without their knowledge or consent. eKYC is a way of using data in the UIDAI database as part of the verification process
15 Mar 2018
The small, portable GrayKey box, costing $15,000 for an internet-connected version tied to a specific location or $30,000 for an offline version usable anywhere, takes two minutes to install proprietary software designed to guess an iPhone's passcode. Intended for use by law enforcement officials
Like other countries, the US began incorporating RFID chips into its passports in 2006. The chips, which store passport information including name, date of birth, passport number, photo, and biometric identifiers, enable machine-readable border controls like those now seen at an increasing number of
Reporter Kashmir Hill tested life in a smart home by adding numerous connected devices. The self-heating bed gave her daily reports on whether she'd reached her "sleep goal". She liked the convenience of the voice-activated lights, coffee maker, and music, the ability to convey a message to a
In a report on mobile security updates, the US Federal Trade Commission finds that because of the complexity of the mobile ecosystem applying security updates to operating system software on some mobile devices is time-consuming and complicated. Based on information gathered from eight device
Two of the most notorious malware outbreaks of 2017 were the ransomware WannaCry and the wiper malware NotPetya. Both relied on the NSA's EternalBlue exploit of the Microsoft Server Message Block, which was leaked online by the hacker group The Shadow Brokers. Along with EternalBlue, The Shadow
The story began with the free Bylock messaging app, which was used between 2014 and 2016 and which the Turkish government associated with treason and followers of Fethullah Gülen, the group they believe was behind the attempted 2016 coup. The app was downloaded roughly half a million times and had
The popular app Citymapper, which began in London and has since expanded to New York, Paris, and Amsterdam, is a live journey planning application that integrates all available modes of transport. Providing this service allows Citymapper to collect vast amounts of data: where, when, and by what
Security researcher Scott Helme found more than 4,000 websites, including many belonging to the UK government, were infected with Coinhive, code that mines the cryptocurrency Monero. Among the sites affected were those belonging to the Information Commissioner's Office, the Student Loans Company
30 Jan 2018
As a gift in 2012, the Chinese government built the African Union's $200 million Addis Ababa headquarters, where African ministers and heads of state meet twice a year to discuss major continental issues. In 2017, Le Monde Afrique discovered that the building's computer systems incorporated an
19 Dec 2014
In 2014, researchers at Princeton University outlined an attack that uses multiple third-party cookies to link traffic so that individual users can be identified and tracked from anywhere in the world. A nation-state wishing to surveil particular users outside its jurisdiction, for example, may have
Researchers at Princeton University have shown that a vulnerability identified 11 years ago in the password managers built into web browsers can be exploited to allow third parties to track users across more than a thousand websites. The attack depends on the managers' autofill capability, and works
09 Nov 2017
Logitech's announcement that it would end service and support for its Harmony Link devices in 2018 sparked online outrage after consumers realised this meant the devices would be disabled and that only those with devices still under warranty would get free replacements. Logitech has since said it
An investigation by the Irish Data Protection Commissioner has led Eir, a telecommunications company, to replace almost 20,000 modems supplied to customers with basic broadband packages without access to fibre services. The action follows an incident in 2016 in which nearly 2,000 customer routers
Privacy and child advocacy groups in the US, Denmark, Belgium, the Netherlands, Sweden, Germany, and the UK are filing complaints with regulators after a study by the Norwegian Consumer Council found critical security flaws and missing privacy protection in children's smartwatches. The watches
30 Aug 2016
In 2016, researchers at the University of Birmingham and the German engineering firm Kasper & Oswald discovered two vulnerabilities in the keyless entry systems affecting practically every car Volkswagen Group had sold since 1995, estimated at 100 million vehicles. Two separate attacks use cheap
02 Aug 2016
At the 2016 Usenix Workshop on Offensive Technologies, researchers from the University of Michigan presented the results of tests that showed that industrial vehicles - a 2006 semi-trailer and a 2001 school bus - were subject to the same security flaws as had already been found in domestic cars. Via
06 Jun 2016
In 2016, security expert Ken Munro discovered security bugs in the onboard wifi in Mitsubishi's Outlander hybrid car that could be exploited to turn off the car's alarm. Some aspects of the Outlander can be controlled by a smartphone app that talks to the car via the onboard wifi. Security flaws in
20 May 2015
Over the course of a few seconds in April 2013, a false tweet from a hacked account owned by the Associated Press is thought to have caused the Dow-Jones Industrial Average to drop 143.5 points and the Standard & Poor's 500 Index to lose more than $136 in value. The tweet was retweeted 4,000 times
In the early 2000s, "Agbogbloshie", a section of Old Fadama, a large slum on the outskirts of Accra, Ghana, became a dumping ground for unwanted electronic waste, recast as "donations", from the developed world, which found it cheaper to ship in bulk than to recycle: old computers, cameras, TV sets
09 Jul 2015
In 2015, Chinese hackers stole sensitive information including social security numbers and residency, employment, educational, and medical histories concerning more than 21 million people from the US Office of Personnel Management. OPM houses this information about all federal employees along with
11 Apr 2016
In March 2016, a hacker group identifying itself as Anonymous Philippines defaced the website of the Philippine Commission on the Elections (Comelec), leaving a message that accused Comelec of not doing enough to secure the voting machines due to be used in the general election the following month
10 Mar 2016
In 2016, Spaniard Jose Carlos Norte, the chief technology officer at Telefonica subsidiary EyeOS, used the scanning software Shodan to find thousands of publicly exposed telematics gateway units. TGUs are small radio-enabled devices that are attached to industrial vehicles so their owners can track
15 Mar 2016
In 2016, when security expert Matthew Garrett stayed in a London hotel where the light switches had been replaced by Android tablets, it took him only a few hours to gain access to all of the room's electronics. The steps he followed: plug his laptop into a link in place of one of the tablets; set
28 Oct 2016
In a presentation at London's 2016 Black Hat cybersecurity conference, researchers from UCL showed that it was possible to use ultrasound to track consumers across multiple devices. Marketers were already using beacons inaudible to the human ear to activate functions on devices via their microphones
10 Jun 2016
In June 2016, National Security Agency deputy director Richard Ledgett told a conference on military technology that the agency was researching whether internet-connected biomedical devices such as pacemakers could be used to collect foreign intelligence. Ledgett identified the complexity
06 Oct 2015
In 2015, the Canadian Department of National Defence issued a procurement request for a contractor who could find "vulnerabilities and security measures" in a 2015 pick-up truck whose model and make were not specified and "develop and demonstrate exploits" for the military. The contractor was to
06 Apr 2017
In 2015, the Swedish startup hub Epicenter began offering employees microchip implants that unlock doors, operate printers, and pay for food and drink. By 2017, about 150 of the 2,000 workers employed by the hub's more than 100 companies had accepted the implants. Epicenter is just one of a number
A 2017 research report found that the most vulnerable smartphone users are the ones whose devices are most open to fraud and harassment. Cheaper, low-end devices are less secure to begin with, and they are also less often replaced than their more expensive counterparts made by Apple and Google. At
23 Jun 2018
Even after they move out, domestic abusers may retain control over their former residence via Internet of Things devices and the mobile phone apps that control them. Using those tools, abusers can confuse, intimidate, and spy upon their former spouses and partners. Lack of knowledge about how these
In 2017, a website run by the Jharkhand Directorate of Social Security leaked the personal details of over 1 million Aadhaar subscribers, most of them old age pensioners who had enabled automatic benefits payment into their bank accounts. Aadhaar is a 12-digit unique identification number issued to