Internet of Things

Billions of voice-activated Internet of Things devices may be subject to external attack due to BlueBorne vulnerabilities, Armis revealed on Wednesday.
Hackers could exploit BlueBorne to mount an airborne attack, using Bluetooth to spread malware and access critical data, including sensitive personal information.
More than 20 million Amazon Echo and Google Home digital assistant speakers could have been impacted by the flaws, but both Amazon and Google already have taken the matter in hand.
Amazon customers don't need to take any action, as its devices will be updated automatically with the needed security fixes, said spokesperson Sarah Sobolewski.
"Customer trust is important to us, and we take security seriously," she told TechNewsWorld.
Google users also need not take any action, as Google Home was patched several weeks ago, the company said.
Neither Google nor Armis has found any evidence of BlueBorne in the wild.

BlueBorne Attack Scenario

The BlueBorne vulnerabilities could allow a man-in-the-middle attack, which would enable hackers to access personal data even if users don't visit any malicious sites, download any suspicious file attachments, or take any other direct action to enable it.
"We discovered the Bluetooth vulnerability while doing research into Bluetooth connectivity and vulnerabilities of Linux-based IoT devices," said Nadir Israel, CTO of Armis.
The firm's researchers initially found the info leak and remote code execution vulnerability, and then tested Android, Windows and iOS devices to confirm the issues, he told TechNewsWorld. They identified eight vulnerabilities, four of them critical.
The Bluetooth vulnerabilities are the most severe to date, Israel said. While previous vulnerabilities were found at the protocol level of Bluetooth, BlueBorne resides at the implementation level, making it deeper and more serious than the others.
Armis worked with Google, Microsoft, Apple and Linux on the disclosure process to make sure patches were made available when the vulnerability was made public.
The researchers originally found that all Linux devices from 3.3 rc1, released six years ago, were affected. However, additional research found that devices dating back to version 2.6.32 from July 2009 to version 4.14 were impacted.
One critical point is that BlueBorne could become a "forever day" point of exposure, because Linux-based IoT devices have no clear upgrade path to address the vulnerability.

Exploding Market

IoT and intelligent home devices have been a growing area of concern for cybersecurity professionals, in part because of the sensitive nature of the tasks that smart home devices engage in -- for example, making sure homes are properly secured.
Consumers should be wary of in-home devices, suggested Andrew Howard, chief technology officer at Kudelski Security.
"Smarter and more feature-rich devices inherently mean enhanced security risks for the consumer," he told TechNewsWorld. "These devices track, store and share more data than the average user understands, and vulnerabilities are inevitable."
Amazon Echo and Google Home are the two leading devices in the exploding category of smart speakers -- voice-controlled devices that can answer questions, play music, read news, give horoscopes and, perhaps most importantly, act as hubs for a growing list of IoT devices in the home that use artificial intelligence to control security and energy use, run home appliances, and perform remote operations like starting automobiles.
Amazon Echo and Google Home account for about 27 million devices in the U.S. smart speaker market, with Amazon controlling about 73 percent, or 20 million devices, according to research Consumer Intelligence Research Partners released last week.
The installed base grew about 7 million -- from 20 million to 27 million -- in the most recent quarter, the report shows.
The entire smart speaker installed base in the U.S. consisted of about 5 million Amazon Echos just last year. The market now is set to be flooded with devices, ranging from the high-end Apple HomePod to a new device from Microsoft and Harman Kardon called "Invoke," and a new device from Lenovo.
Amazon and Google plan several new additions to their lines, ranging from high-end smart speakers for audiophiles to mass market devices that will be more portable or expand the system within the home.
The BlueBorne vulnerabilities likely won't have much of an impact on demand for smart speakers going forward, said Mark Beccue, principal analyst at Tractica.

Eavesdropper Mobile Apps Security

Appthority on Thursday warned that up to 700 apps in the enterprise mobile environment, including more than 170 that were live in official app stores, could be at risk due to the Eavesdropper vulnerability.
Affected Android apps already may have been downloaded up to 180 million times, the firm said, based on its recent research.
The vulnerability has resulted in large-scale data exposure, Appthority said.
Eavesdropper is the result of developers hard-coding credentials into mobile applications that use the Twilio REST API or SDK, according to Appthority. That goes against the best practices that Twilio recommends in its own documentation, and Twilio already has reached out to the development community, including those with affected apps, to work on securing the accounts.
Appthority's Mobile Threat Team first discovered the vulnerability back in April and notified Twilio about the exposed accounts in July.
The vulnerability reportedly exposes massive amounts of sensitive and even historic data, including call records, minutes of the calls made on mobile devices, and minutes of call audio recordings, as well as the content of SMS and MMS text messages.

Reducing the Risk

The best approach for an enterprise is to identify the Eavesdropper-vulnerable apps in its environment and determine whether the data exposed by the app is sensitive, Appthority suggested.
"Not all conversations involve confidential information, and the nature of the app's use in the enterprise may not involve data that is sensitive or of concern," noted Seth Hardy, Appthority director of security research.
"If the messages, audio content or call metadata turn out to be sensitive or proprietary, there may not be much that can be done about exposed conversations resulting from prior use of the app," he told TechNewsWorld.
"However, a lot can be done to protect future exposures, including either addressing and confirming the fix with the developer, or finding an alternate app that has the same or similar functionality without the Eavesdropper vulnerability," Hardy said. "In all cases, the enterprise should contact developers to have them delete exposed files."

Sloppy Coding

The Eavesdropper vulnerability is not limited to apps created using the Twilio REST API or SDK, Appthority pointed out, as hard-coding of credentials is a common developer error that can increase security risks in mobile applications.
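The coding error described above, a live service credential compiled into the app itself, is the kind of defect a source scan can catch before release. The following Python script is an added example, not Appthority's or Twilio's tooling: it runs a simple hard-coded-credential check over two constructed Java fragments, one that bakes an account identifier and auth token into a class (the values are made-up placeholders, not real credentials) and one that keeps the credential on the developer's own backend and only calls that backend from the device. The identifier names, the entropy threshold and the hypothetical backend URL are all assumptions made for the example.

```python
import math
import re

# Constructed sample: Android-style Java that hard-codes a service credential pair.
# Both values are placeholders invented for this example, not real credentials.
VULNERABLE_SRC = '''
public class SmsHelper {
    private static final String ACCOUNT_SID = "AC1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d";
    private static final String AUTH_TOKEN = "0f3a9c1d7e2b4a6f8c0d1e2f3a4b5c6d";
    private static final String TOKEN_HEADER = "X-Auth-Token";  // not a secret
}
'''

# Constructed sample: the hardened shape. The device never holds the service
# credential; it talks to the developer's own backend (hypothetical URL), which
# holds the credential server-side and applies its own authentication.
HARDENED_SRC = '''
public class SmsHelper {
    private static final String BACKEND = "https://backend.example/send-sms";
    public static void send(String to, String body) {
        Backend.post(BACKEND, to, body);  // backend adds the service credential
    }
}
'''

# Identifier names that commonly hold credentials, followed by a quoted literal
# of at least 8 characters assigned directly to them.
ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:sid|token|secret|password|passwd|api_?key|auth)\w*)'
    r'\s*=\s*"([^"\n]{8,})"'
)
# Provider-style prefix check (assumption: "AC" + 32 hex chars, the documented
# shape of a Twilio Account SID); other providers would get their own pattern.
KNOWN_PREFIX = re.compile(r'^AC[0-9a-f]{32}$')
ENTROPY_THRESHOLD = 3.5  # bits/char; hex or base64 secrets sit well above this


def shannon_entropy(text):
    """Bits of entropy per character of a string."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Show only the first and last two characters of a flagged literal."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_source(src):
    """Return (line_no, identifier, masked_value, reason) for each likely secret.

    A literal is reported when its identifier looks credential-like AND the
    literal either matches a known credential format or has high entropy.
    Identifier-only matches (e.g. a header name) are deliberately dropped to
    keep the noise down.
    """
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            ident, value = m.group(1), m.group(2)
            if KNOWN_PREFIX.match(value):
                reason = "matches known credential format"
            elif shannon_entropy(value) >= ENTROPY_THRESHOLD:
                reason = "high-entropy literal"
            else:
                continue
            findings.append((line_no, ident, mask(value), reason))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(f"--- {name} ---")
        for f in scan_source(src) or [("-", "no findings", "", "")]:
            print(*f)
```

Run as a pre-commit or CI step over an app's source tree, this flags the two hard-coded literals in the first fragment and nothing in the second. The point of the hardened shape is not the scan result but the design: the service credential never ships inside the APK, so it cannot be extracted from the published app at all, and rotating it later touches only the backend.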
"The core problem is developer laziness, so what Appthority found isn't a particular revelation," said Steve Blum, principal analyst at Tellus Venture Associates.
"It's just one more example of bad practices leading to bad results, as it's very tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later," he told TechNewsWorld.
"With apps being developed by a single person or a small team, there are no routine quality control checks," Blum added. "Right now, it's up to the stores -- Apple and Android, primarily -- to do QC work, and I'd bet they're taking a look at this particular problem and might screen more thoroughly for hard-coded credentials in the future."
For security and privacy to come first, it may be essential for coding in general to go through a paradigm shift, suggested Roger Entner, principal analyst at Recon Analytics.
"Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app," he told TechNewsWorld.
"Therefore, apps are often not secure -- and privacy is nonexistent -- to minimize cost and maximize revenue," Entner explained. "The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps."

No Easy Fix

One of the most worrisome facts about this vulnerability is that Eavesdropper doesn't rely on a jailbreak or root of the device. Nor does it take advantage of other known operating system vulnerabilities.
Moreover, the vulnerability is not resolved after the affected app has been removed from a user's device. Instead, the app's data remains open to exposure until the credentials are properly updated.
"There isn't a consumer workaround other than uninstalling all affected apps and hoping that your data hasn't already been compromised," warned Paul Teich, principal analyst at Tirias Research.
Some users may purchase phones that are preloaded with apps that could compromise their personal information.
"Twilio could force developers to update their app code by invalidating or revoking all access credentials to their compromised services APIs," Teich told TechNewsWorld.
However, "the sudden impact would be that a lot of valued consumer smartphone apps and services would simply stop working all at the same time," he said.
It appears that users have few options, and it could be difficult for consumers even to have visibility into Eavesdropper-affected apps.
Those who work at a company "can ask their IT security team for a list of apps that are approved, and then delete vulnerable apps and install non-Eavesdropper affected apps instead," suggested Appthority's Hardy.
"The big challenge is how to stop the flow of information from this breach while still providing access to valued services," said Tirias' Teich.
This situation occurred in no small part because developers were sloppy. However, consumer attitudes likely played a role as well. Many people favor ease of use over mobile device security.
Embodied Intelligence wants to use AI and VR to teach robots new skills, like how to manipulate wires, much faster.

Depending on who you ask, robotic grasping has been solved for a while now. That is, the act of physically grasping an object, not dropping it, and then doing something useful is a thing that robots are comfortable with. The difficult part is deciding what to grasp and how to grasp it, and that can be very, very difficult, especially outside of a structured environment.
This is a defining problem for robotics right now: Robots can do anything you want, as long as you tell them exactly what that is, every single time. In a factory where robots are doing the exact same thing over and over again, this isn’t so much of an issue, but throw something new or different into the mix, and it becomes an enormous headache.
Over the past several years, researchers like Pieter Abbeel at UC Berkeley have been developing ways of teaching robots new skills, rather than actions, and how to learn, rather than just how to obey. This week, Abbeel and several of his colleagues from UC Berkeley and OpenAI are announcing a new startup (with US $7 million in seed funding) called Embodied Intelligence, which will “enable industrial robot arms to perceive and act like humans instead of just strictly following pre-programmed trajectories.”
A nice little summary of what Embodied has in mind, from their press release:
We are building technology that enables existing robot hardware to handle a much wider range of tasks where existing solutions break down, for example, bin picking of complex shapes, kitting, assembly, depalletizing of irregular stacks, and manipulation of deformable objects such as wires, cables, fabrics, linens, fluid-bags, and food.
To equip existing robots with these skills, our software builds on the latest advances in deep reinforcement learning, deep imitation learning, and few-shot learning, to all of which the founding team has made significant contributions. The result isn’t just a new set of skills in the robot repertoire, but teachable robots, that can be deployed for new tasks on short turn-around.
The background here will be familiar to anyone who has followed Abbeel’s research at UC Berkeley’s Robot Learning Lab (RLL). While the towel folding is probably the most famous research out of RLL, the lab has also been working on adaptive learning through demonstration, as with this robotic knot tying from 2013:


There are two important things that are demonstrated here. First, you’ve got the learning from demonstration bit, where a human shows the robot how to tie a knot without any explicit programming necessary, and then generalizes the demonstration to apply the skill that it represents to future knot-tying tasks. This leads to the second important thing: Since there are no fixtures, the rope (being rope) can start off in all kinds of different configurations, so the robot has to be able to recognize that and modify its behavior accordingly.
While humans can do this kind of thing without thinking, robots still can’t, which is why there’s been such a big gap between the capabilities of humans and robotic manipulators. Embodied wants to bridge this gap with robots that can learn quickly and flexibly.
“Around 2012, we concluded that it would be really hard to get to the real-world capabilities that we’d want with the more engineered approaches that we’d been following,” Abbeel tells us. “They had a lot of learning in them, but it was a combination of learning and engineering to get everything to work.” Then came a breakthrough in the field of AI: The ImageNet project at Stanford showed that learning could do a lot more than it could before, if you were willing to collect enough data and train a big, deep neural net for your tasks.
Abbeel and his team have since been “pushing reinforcement learning and imitation learning pretty hard,” he says, “and we’ve reached a point where we really believe that the time is right to start putting this into practice, not necessarily for a home robot, which needs to deal with an enormous amount of variation, but in manufacturing and logistics.”


Embodied is targeting repetitive manipulation tasks where the current state-of-the-art in automation is simply not capable enough, as well as tasks that would require robots to be reprogrammed very frequently. “On a practical level,” Abbeel says, “we’re building a software system that can learn new skills very, very quickly, which makes it very different from traditional automation.”
The idea is that with a flexible enough learning framework, programming becomes trivial, because the robot can rapidly teach itself new skills with just a little bit of human demonstration at the beginning. As Abbeel explains, “The big difference is that we bring software that we only have to write once, ahead of time, for all applications. And then to make the robot capable for a specific application, all we need to do is collect new data for that application. That’s a paradigm shift from needing to program for every specific task you care about to programming once and then just doing data collection, either through demonstrations or reinforcement learning.”
Embodied Intelligence team

Teaching the robot new skills is a process that has been evolving rapidly over the last few years. As you saw in the knot-tying video, the way you used to have to do it was by physically moving the robot around and pushing buttons on a controller. Most industrial robots work the same way, through a teach pendant of some sort. It’s time consuming and not particularly intuitive, and it also creates a void between what the robot is experiencing and what the human teacher is experiencing, since the human’s perspective (and indeed entire perception system) is quite different from that of the robot that’s being taught.
Based on some more recent research at RLL, Embodied is taking a new approach based on virtual reality. “What’s really interesting is that we’ve hit a point where virtual reality has become a commodity,” Abbeel says. “What that means is actually you can teach robots things in VR, such that the robot experiences everything the way that it will experience it when doing the job itself. That’s a big change in terms of the quality of data that you can get.”


Because the data collected in this way is of much higher quality, teaching robots new skills is much faster. You can read the paper here, but teaching each of the tasks in the video above took no more than 30 minutes of demonstration (and sometimes significantly less) to achieve high success rates (in the mid 80 percent to high 90 percent). Remember, the system is learning a skill rather than a sequence of actions, meaning that it can extrapolate to adapt to variability that it wasn’t explicitly trained on. This is crucial for operating outside of a research environment.
Once the initial demonstration phase is over, the robot is probably not moving as fast as a human moves, and it’s also probably not as reliable as a human. A success rate of 80 or 90 percent is research good, but it’s not good enough that any manufacturing customer would be okay with it for their robots, especially if it’s slow. Embodied understands this, but Abbeel says that the robots will get better very quickly: “It might not reach 100 percent accuracy, and it might not be moving at human speed, but the next phase of learning perfects and speeds up the execution through reinforcement learning, and that together gives you a new skill.”
Embodied will be focusing on the kinds of visual motor skills that current robots don’t excel at, where you need continual visual feedback to execute on what you’re doing. Manipulating wires and cables is a good example of this—if you want your robot to be able to plug one thing into another thing, it has to be able to recognize and grasp a floppy thing in an arbitrary location and orientation, a skill that it can be difficult to program explicitly.
As far as the complexity of skills that Embodied will be able to teach its system, Abbeel says that it’s really up to what’s possible to do in teleop. “The way we characterize it is as long as a human can teleoperate the robot to do the job, then it should be learnable. Of course, the more complex the task, the more data will be needed, and that’s what we’ll figure out over time—what is the amount of data collection that's needed for a given task. But, the practical metric would be, we sit behind our teleop, we try to do a task with the robot, if we can do it, then we know it's going to be within the scope of what we can provide.”
We should mention that there are a few other companies already in this space, including Kindred, Kinema Systems, and RightHand Robotics, which offer robot manipulation solutions that can (to some extent) manage variability and adapt to new tasks. We’ll have to wait and see how well Embodied Intelligence compares—Abbeel told us to expect some video demos within the next few months.
[ Embodied Intelligence ]

GeckoLinux openSUSE

The latest developmental beta release of GeckoLinux brings this custom spinoff distro of openSuse to new levels of performance and convenience.
When I first looked at GeckoLinux in late 2015, I was impressed with the developer's efforts to smooth over what I did not like about using the Suse infrastructure.
GeckoLinux impressed me then. It does not disappoint me now. That infant entry to LinuxLand has matured significantly in Development Release 423.171028.16 Beta, which became available late last month.
This latest release excels in refining the pitfalls of more traditional Suse-based distros. It offers an impressive variety of options and easier operation than others provide.
For me, Suse-branded distros are awkward and inconvenient to set up and use. I much prefer the Debian universe's simplicity. GeckoLinux gives me that sense of user-friendliness.

GeckoLinux

GeckoLinux's latest developmental beta maintains the clean, uncluttered design that comes from modifying openSuse themes and functionality.

I see GeckoLinux doing for the OpenSuse/Suse world much of what Linux Mint did for the Ubuntu universe years ago. Linux Mint is an Ubuntu-based breakaway distro that smooths over the rigid ideology of the Ubuntu ecosystem. Both GeckoLinux and Linux Mint provide very workable alternatives to their forebears.
That is probably why I am drawn to the Cinnamon desktop version of GeckoLinux. I like the way GeckoLinux integrates the Cinnamon user interface.

GeckoLinux Cinnamon desktop

GeckoLinux's Cinnamon desktop puts a smooth user interface within a well-polished openSuse spin.


Flavored Choices

GeckoLinux offers users a variety of desktop environments. You can choose among Budgie, Cinnamon, GNOME, KDE Plasma, LXQt, MATE and Xfce. Plus, GeckoLinux's live medium lets you more easily try out all the options and install the OS from the live session. The Calamares Installer is much improved. GeckoLinux goes a big step further. You can install it to a USB drive and create a second partition to serve as a persistent environment. That lets you save configuration changes and installed software within the live session environment.

The result is something that most distros -- Debian or Suse-based -- do not offer. This makes GeckoLinux an excellent portable Linux OS. The live session environment is much more functional than serving as just a demonstration tool and installation medium.
I can drop the USB drive in my pocket and boot up any computer I encounter into a fully-functional GeckoLinux OS without making any other adjustments to the host hardware.
When I first installed GeckoLinux to a USB drive with the added persistence partition in earlier versions, I found the performance quite buggy. Not so this time around.
Speaking of easy installations, another nicety with GeckoLinux is its offline installation capability. You do not need an Internet connection to run the live DVD or USB image to start installing the OS to a hard drive.

More Amenities

GeckoLinux's developer added a small improvement that makes a huge advancement for using the live session environment. He cut loose the need to enter username and password just to enter the live session platform. Those two embellishments alone make GeckoLinux a winning combination.
One of the developer's founding principles is to make GeckoLinux easy to set up and easier to use. That speaks volumes if you are familiar with the Suse Linux way of doing things.
The beta versions are a bit challenging to find on the GeckoLinux website. You can avoid the searching routine by clicking here.
GeckoLinux is available in both static and rolling editions. The static editions, which are based on openSuse Leap 42.2, follow a periodic release cycle and have a long support lifetime. The rolling edition is based on the stable openSuse Tumbleweed release.

Important Differences

GeckoLinux uses the official OpenSuse YaST2 package manager repository. However, it is the modifications the developer makes to the theme and patterns that make it a better offering. Plus, you can add additional repositories for even more differentiation.
One of the things I dislike about the openSuse world is the use of Patterns. This configuration routine installs applications in category blocks. You get lots of applications you do not need.
GeckoLinux's reliance on installing software patterns is reduced to the bare minimum. This eliminates the hassle of continually removing unwanted packages only to find them added to the next round of system updates.
GeckoLinux sports some key differences over openSuse. One is how it handles codecs. GeckoLinux comes with proprietary media codecs and other necessities. openSuse makes you install them manually.
GeckoLinux eases up on the OpenSuse strictness in dealing with proprietary software by allowing packages from the Packman repository when they are available.
GeckoLinux also has a better font rendering than openSuse's default font configuration.

Bottom Line

GeckoLinux is an ideal option for switching to a new distro experience. I particularly like how the Cinnamon desktop works. Since I favor the Cinnamon environment in Linux Mint, changing over to GeckoLinux came with no difficulties. All the settings and features played out as expected.
Kudos to the developer for making GeckoLinux such a solid alternative computing platform. I did not expect a developing early beta to be so glitch-free.

Marcher Malware

A three-pronged banking malware campaign has been infecting Android phones since the beginning of this year, according to security researchers.
Attackers have been stealing credentials, planting the Marcher banking Trojan on phones, and nicking credit card information. So far, they have targeted customers of BankAustria, Raiffeisen Meine Bank and Sparkasse, but the campaign could spread beyond Vienna.
The attack begins with a phishing message delivered by email to a phone, security researchers at Proofpoint explained in a Friday post. The message pretends to be from the target's bank and contains a link that often is obscured by a Web address shortener like bit.ly.
The link takes the victim to a bogus bank page where the bandits request the target's bank account or PIN information.
Once the hackers have that information, they instruct victims to log into their accounts using their email address and password. All the information entered at the fake banking site is harvested by the hackers.

Permission to Hijack

Instead of getting access to an account, banking customers get a popup message instructing them to install the bank's security app. About 7 percent of targets have downloaded the "security app," which is really the Marcher malware, Proofpoint estimated.
Once installed, the malware asks for extensive permissions -- everything from receiving, sending, reading and writing SMS messages to opening network sockets, reading address books, changing system settings and even locking the phone.
In addition, when applications like the Google Play store are opened, the malware will ask for the user's credit card information.
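The permission set described in the two paragraphs above is exactly what a defender or an app-vetting pipeline would look for when triaging an app a user was prompted to install. The following Python script is an added example, not Proofpoint's or any vendor's tooling: it parses a constructed AndroidManifest.xml with the standard library, collects the declared permissions and any device-administrator receiver, and reports which of the capabilities named above the app would gain. The two manifests, the grouping of permissions and the risk thresholds are assumptions made for the example; the permission names themselves are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission groups mirroring the capabilities a banking Trojan needs:
# SMS interception plus a network path to exfiltrate, address book access,
# settings changes, and device-admin rights (lock screen, resist uninstall).
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
SETTINGS_PERMS = {"android.permission.WRITE_SETTINGS"}
NETWORK_PERMS = {"android.permission.INTERNET"}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: a "security app" that asks for everything at once.
SUSPICIOUS_MANIFEST = f'''<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.banksecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>'''

# Constructed sample: a plausible legitimate banking client that only needs
# network access and network-state checks.
BENIGN_MANIFEST = f'''<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>'''


def parse_manifest(xml_text):
    """Return (set of declared permissions, whether a device-admin receiver exists)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    perms.discard(None)
    admin = any(r.get(PERMISSION) == DEVICE_ADMIN for r in root.iter("receiver"))
    return perms, admin


def assess_manifest(xml_text):
    """Flag the capability combinations described in the article and rate them."""
    perms, admin = parse_manifest(xml_text)
    flags = []
    if perms & SMS_PERMS and perms & NETWORK_PERMS:
        flags.append("intercepts SMS (one-time codes) and has a network path out")
    if perms & CONTACT_PERMS:
        flags.append("reads the address book")
    if perms & SETTINGS_PERMS:
        flags.append("changes system settings")
    if admin:
        flags.append("requests device-administrator rights (can lock the phone)")
    # Thresholds are an assumption for the example, not a published scoring scheme.
    risk = "high" if len(flags) >= 3 else ("medium" if flags else "low")
    return {"permissions": sorted(perms), "device_admin": admin,
            "flags": flags, "risk": risk}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = assess_manifest(manifest)
        print(f"{label}: risk={report['risk']}")
        for flag in report["flags"]:
            print("  -", flag)
```

The manifest is the artefact an enterprise mobile-management or app-vetting tool can inspect before the package ever reaches a handset, which is why permission triage sits earlier in the defensive chain than the user-facing advice later in the article. A genuine bank client has no reason to read or send SMS, read contacts or hold device-administrator rights, so that combination alone is a strong signal even before the binary is analysed.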
While banking Trojans and phishing are common fare for cybercriminals, combining the two in a focused campaign isn't, noted Patrick Wheeler, director of threat intelligence at Proofpoint.
"In general, we don't see a lot of crossover between phishing actors and those who distribute malware," he told TechNewsWorld. "The combination of the socially engineered banking Trojan download and multistep phishing attack that gathers credentials or financial information at each step, is fairly unusual."

Not Your Typical Email Attack

The Marcher campaign in Austria is significantly more coordinated than the standard email attack, noted Matt Vernhout, director of privacy at 250ok.
"However, it may have limited impact, as the number of steps required to complete the attack may be more than most individuals are willing to complete," he told TechNewsWorld.
Marcher has been around for a long time, which is why its perpetrators may find it necessary to modify the way they create landing pages to ensnare victims.
"This is likely because security vendors and domain hosts are hot on their heels shutting them down," said Armando Orozco, a senior malware intelligence analyst with Malwarebytes.
"They need other avenues to keep their business model going," he told TechNewsWorld.

Future Expansion

The likelihood of the Marcher campaign spreading is very high, said Proofpoint's Wheeler.
"Marcher has been observed worldwide, and we have already seen a variety of schemes to distribute the malware, primarily via SMS, and increasingly sophisticated social engineering from actors associated with Marcher," he said.
"Any attack such as this one is usually a canary in the coal mine," noted Rajiv Dholakia, vice president of products at Nok Nok Labs.
"One should expect variations of this to continue to evolve and spread around the world," he told TechNewsWorld.
It's not unusual for malware to be released in a single country or region and then, depending on its success, expand to other countries, said Damien Hugoo, director of product marketing at Easy Solutions.
"We have seen many banking Trojans start out in Europe in the past year and expand globally," he told TechNewsWorld.

Protect Yourself

What can consumers do to protect themselves from this kind of attack?
One defense is to use Android phones that are easy to keep current with the latest version of the operating system, like Google's Pixel and Nexus phones, suggested Daniel Miessler, director of advisory services at IOActive.
"Pixel and Nexus stay updated constantly," he told TechNewsWorld.
Also, "never use app stores other than the official Google Play store," Miessler advised, and "for the highest security, refrain from installing apps that are not extremely well known and well-tested."
Consumers need to be vigilant.
"As with phishing attacks on any platform, the onus is on consumers to beware of scams and look for red flags. Unsolicited emails or texts asking for information or giving extensive reasoning for why they should download an app are clear warning signs," advised Proofpoint's Wheeler.
"Apps that ask for extensive permissions or that do not come from legitimate app stores should also be avoided," he said, "unless consumers are absolutely sure of the origin and necessity of the app."