Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Thursday, February 02, 2017 Wang Wei

Two Arrested in London for Hacking Washington CCTV Cameras Before Trump Inauguration
Two suspected hackers have reportedly been arrested in London on suspicion of hacking 70 percent of the CCTV cameras in Washington with ransomware ahead of President Donald Trump's inauguration last month.

The arrest took place on 20th January by the officers from the National Crime Agency (NCA) of UK after it received a request from United States authorities, but it has not been disclosed until now.

The NCA raided a house in the south of London last month and detained a British man and a Swedish woman, both 50-years-old, reported The Sun.

Some 123 of the 187 police CCTV cameras used to monitor public areas in Washington DC stopped working on 12 January, just 8 days before the inauguration of Donald Trump, after a cyber attack hit the storage devices.

The cyber attack lasted for about three days, eventually leaving the CCTV cameras out of recording anything between 12 and 15 January.

It was reported that the surveillance cameras were left useless after a ransomware made its way onto the storage devices that records feds data from CCTV cameras across the city. The hackers demanded ransom money, but the Washington DC Police rejected their demand.

Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom in Bitcoins in order to help victims unlock their files.

However, instead of fulfilling ransom demands of hackers, the DC police took the storage devices offline, removed the infection and rebooted the systems across the city.

The storage devices were successfully put back to rights, and the surveillance cameras were back to work. According to authorities, no valuable data was lost, and the ransomware infection merely crippled the affected computer network devices.

The "officers executed a search warrant at an address in Natal Road, SW16, on the evening of Thursday 19 January. A man and a woman were arrested and later bailed until April 2017," according to the NCA.

The intention of these two 50-year-old suspects is still unclear.

Wednesday, February 17, 2016 Swati Khandelwal

hacking-smart-home-security
If you are using a SimpliSafe wireless home alarm system to improve your home security smartly, just throw it up and buy a new one. It is useless.

The so-called 'Smart' Technology, which is designed to make your Home Safer, is actually opening your house doors for hackers. The latest in this field is SimpliSafe Alarm.

SimpliSafe wireless home alarm systems – used by more than 300,000 customers in the United States – are Hell Easy to Hack, allowing an attacker to easily gain full access to the alarm and disable the security system, facilitating unauthorized intrusions and thefts.

…and the most interesting reality is: You Can Not Patch it!

As the Internet of Things (IoT) is growing at a great pace, it continues to widen the attack surface at the same time.

Just last month, a similar hack was discovered in Ring – a Smart doorbell that connects to the user's home WiFi network – that allowed researchers to hack WiFi password of the home user.

How to Hack SimpliSafe Alarms?


According to the senior security consultant at IOActive Andrew Zonenberg, who discovered this weakness, anyone with basic hardware and software, between $50 and $250, can harvest alarm's PIN and turn alarm OFF at a distance of up to 200 yards (30 meters) away.

Since SimpliSafe Alarm uses unencrypted communications over the air, thief loitering near a home with some radio equipment could sniff the unencrypted PIN messages transferred from a keypad to the alarm control box when the house owner deactivates the alarm.

The attacker then records the PIN code on the microcontroller board's memory (RAM) and later replay this PIN code to disable the compromised alarm and carry out burglaries when the owners are out of their homes.

Moreover, the attacker could also send spoofed sensor readings, like the back door closed, in an attempt to fool alarm into thinking no break-in is happening.

Video Demonstration of the Hack


You can watch the video demonstration that shows the hack in work:


"Unfortunately, there's no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg explains.

Here's Why Your Smart Alarms are Unpatchable


Besides using the unencrypted channel, SimpliSafe also installs a one-time programmable chip in its wireless home alarm, leaving no option for an over-the-air update.

"Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol," Zonenberg adds. But, "this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable."

This means there is no patch coming to your SimpliSafe Alarm, leaving you as well as over 300,000 homeowners without a solution other than to stop using SimpliSafe alarms and buy another wireless alarm systems.

Zonenberg said he has already contacted Boston-based smart alarm provider several times since September 2015, but the manufacturer has not yet responded to this issue. So, he finally reported the issue to US-CERT.

Tuesday, January 05, 2016 Swati Khandelwal

long-range-wifi-network
It is a common problem: Home Wireless Router's reach is terrible that the WiFi network even does not extend past the front door of the room.

My house also has all kinds of Wi-Fi dead zones, but can we fix it?

The answer is: YES. The problem will improve with a future, longer range version of Wi-Fi that uses low power consumption than current wireless technology and specifically targets at the internet of things (IoTs).

Global certification network the WiFi Alliance has finally approved a new wireless technology standard called 802.11ah, nicknamed "HaLow."

HaLow: Long Range WiFi


Wi-Fi HaLow has twice the range of conventional Wi-Fi and has the ability to penetrate walls that usually create blackspots in our homes.

The Wi-Fi Alliance unveiled this latest WiFi technology at the Consumer Electronics Show (CES) in Las Vegas.

Although currently used 802.11 Wi-Fi standards commonly operate in frequency bandwidths between 2.4GHz and 5GHz, the new WiFi HaLow was specially designed to work in lower bands, offering lower power consumption while boosting connectivity.

Wi-Fi HaLow can activate in the lower 900 MHz band, providing better propagation across longer distances while also coping with large numbers of devices connecting to a network.

WiFi HaLow: Designed now for IoTs


The HaLow standard is seen as an essential for the internet of things (IoTs) and connected home appliances. As more and more appliances in our homes are connecting to the Internet, it is quite harder for our home Wi-Fi wireless routers to reach every device.
"Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today," said Edgar Figueroea, president of the Wi-Fi Alliance.
Several sensor-enabled and internet connected devices in our homes, like door sensors and connected bulbs, require enough power to send data to remote hubs or routers at long distances, but the current Wi-Fi standard does not lend itself to long battery life and transmission distances.

However, HaLow standard will likely offer slower throughput speeds than conventional WiFi that considers the smaller data demands of internet connected devices as opposed to those designed for web browsing.

HaLow Expected to be Useful For Devices From Connected Cars to SmartPhones


HaLow standard is expected to be especially useful in connected cars as well as battery-operated devices around the home like smart thermostats, smart locks, connected bulbs as well as mobile devices.
"Wi-Fi HaLow expands the unmatched versatility of Wi-Fi to enable applications from small, battery-operated wearable devices to large-scale industrial facility deployments - and everything in between," Figueroea said.
The WiFi Alliance is expected to begin certifying first products bearing a Wi-Fi HaLow certification in 2018, after which the technology requires to make its way into your home router, then into your wearable.

Thursday, September 03, 2015 Khyati Jain

Hackers Can Easily Hijack Popular Baby Monitors to Watch Your Kids
Several video baby monitors from six different manufacturers were under scrutiny for in-depth security testing, and the outcome was negative.

Yes, they lacked in serving basic security through their devices.

At the High Technology Crime Investigation Association (HTCIA) conference on September 2, 2015, a critical security research was made public by Rapid7 after following a disclosure policy.

A month ago, The Hacker News (THN) posted about how IoT is making the smart cities vulnerable to the technology. Similarly, this time a highly personal IoT device i.e. ‘Baby Monitors’ has been anticipated as a victim of hacking of such devices.

According to a 2014 Gartner’s report, the IoT space is expected to be crowded with over 25 billion devices in five years, i.e. by 2020.

Reportedly, ten vulnerabilities were found in the Baby Monitoring devices and the related vendors were contacted to get their comments on how are they going to address the severe flaws residing in their products.

The newly found vulnerabilities subject to affect the baby monitors in the following manner:
  • Privilege Escalation
  • Backdoor Credentials
  • Reflective, Stored XSS
  • Predictable Information Leak
  • Authentication Bypass
  • Direct Browsing
  • Cleartext Cloud API

To summarize the outcomes, the storage of the video recordings are not kept encrypted, the passwords are easily guessable and the communications (local as well as cloud based) do not use encrypted protocols to name a few.

The vulnerabilities are assigned CVE numbers after the vendors, and the US-CERT has been notified about the issue.

The disclosure report consists of the Vendor names (like iBaby Labs, Inc, Philips Electronics N.V. and Summer Infant, etc.), the related product/s, flaw/s associated and mitigation methods.

Only one vendor Philips N.V., responded with concern over the issues reported that were associated with their product, and assured a fix soon.

Also, you can read about the official statement regarding iBaby Labs Monitors’ Security made by Elnaz Sarraf (Vice President iBaby Labs).

Written by Mark Stanislav and Tod Beardsley, Rapid7 has prepared a full fledged case study explaining the vulnerabilities and exposures related to baby monitors; leading to the hacking of the IoT devices.

The white paper depicts just one scenario of how an IoT device can pose a threat to your life. Also, it makes you aware of the security concerns arriving with the Internet of Things in future.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!