Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.
Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.
The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.
The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
Details of the bug were also independently found by another security team, which released its own exploit code.
Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.
After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability he found, he decided to post his findings.
A year later, WD still hasn’t released a patch.
The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”
WD said that several of its My Cloud products are vulnerable — including the EX2, EX4 and Mirror, but not My Cloud Home.
In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

Source: Gadgets – techcrunch

The Pansar Augmented watch hides its smarts behind an analog face

The Pansar Augmented is a Swedish smart watch that looks like a standard three-handed wristwatch. However, with the tap of a button, you can view multiple data points including weather, notifications, and even sales data from your CRM.
Pansar is a Swedish watch company that uses Swiss movements and hand assembled components to add a dash of luxury to your standard workhorse watch.

The watch is fully funded on Kickstarter. It costs $645 for early birds.
The watch mostly displays the time but when the data system is activated the hands move to show any data you’d like.
The world is full of interesting data: be it the quest for information on the perfect wave, keeping track on your stock value, or the number of followers you’ve acquired since yesterday. Pansar Augmented collects the data that matters to you and streams it conveniently to the hands of your watch. This is made possible because of the unique dual directional Swiss movement combined with the Pansar Augmented app.

The watch comes in three models: the Ocean Edition that shows “relevant data on weather, wind, and swell amongst others,” the Accelerator Edition that shows website visits or Instagram views, and the Quantifier Edition for the “analytical mind” that wants to track sales numbers.
It’s definitely a clever twist on the traditional smart watch vision and, thanks to some nice styling, these could be some nice pieces for folks who don’t want the distractions of a normal Apple Watch or Android Wear device.


The VoCore2 is a tiny computer that can play tiny Doom

The VoCore2 is a Wi-Fi capable computer with a 580 MHz CPU and 128 RAM that supports video, USB, and Ethernet. And it plays Doom. That’s right: this is a computer you can easily swallow and allow your biome flora to play a hard core FPS while you slowly digest the package.
The product started life on Indiegogo where it raised $100,000. Now it’s available for $17 for the barebones unit or $24 for the unit with USB and MicroSD card. You can also buy a four inch display for it that lets you display video at 25fps.
What is this thing good for? Well, like all single board computers it pushes the limits on what computing means in the 21st century. A computer the size of a Euro coin could fit in all sorts of places and for all sorts of weird projects and even if you don’t use it to build the next unmanned Red-Tailed Hawk nest surveillance drone it could be cool to blast some demons on a computer the size of a joystick button.
The VoCore2 is shipping soon and is available for purchase here.


Tomu is a fingernail-sized computer that is easy to swallow

I’m a huge fan of single board computers, especially if they’re small enough to swallow. That’s why I like the Tomu. This teeny-tiny ARM processor essentially interfaces with your computer via the USB port and contains two LEDs and two buttons. Once it’s plugged in the little computer can simulate a hard drive or mouse, send MIDI data, and even blink quickly.
The Tomu runs the Silicon Labs Happy Gecko EFM32HG309 and can also act as a Universal 2nd Factor security token. It is completely open source and all the code is on their GitHub.
I bought one for $30 and messed with it for a few hours. The programs are very simple and you can load in various tools including a clever little mouse mover – maybe to simulate mouse usage for an app – and a little app that blinks the lights quickly. Otherwise you can use it to turn your USB hub into an on-off switch for your computer. It’s definitely not a fully fledged computer – there are limited I/O options, obviously – but it’s a cute little tool for those who want to do a little open source computing.

One problem? It’s really, really small. I’d do more work on mine but I already lost it while I was clearing off a desk so I could see it better. So it goes.


SNES.party lets you play Super Nintendo with your friends

Hot on the heels of the wonderful NES.party comes Haukur Rosinkranz’s SNES.party, a site that lets you play Super Nintendo with all your buds.
Rosinkranz is Icelandic but lives in Berlin now. He made NES.party a year ago while experimenting with WebRTC and WebSockets and he updated his software to support the SNES.
“The reason I made it was simply because I discovered how advanced the RTC implementation in Chrome had become and wanted to do something with it,” he said. “When I discovered that it’s possible to take a video element and stream it over the network I just knew I had to do something cool with this and I came up with the idea of streaming emulators.”
He said it took him six months to build the app and a month to add NES support.
“It’s hard to say how long it took because I basically created my own framework for web applications that need realtime communication between one or more participants,” he said. He is a freelance programmer.
It’s a clever hack that could add a little fun to your otherwise dismal day. Feel like a little Link to the Past? Pop over here and let’s play!


‘Unhackable’ BitFi crypto wallet has been hacked

The BitFi crypto wallet was supposed to be unhackable and none other than famous weirdo John McAfee claimed that the device – essentially an Android-based mini tablet – would withstand any attack. Spoiler alert: it couldn’t.
First, a bit of background. The $120 device launched at the beginning of this month to much fanfare. It consisted of a device that McAfee claimed contained no software or storage and was instead a standalone wallet similar to the Trezor. The website featured a bold claim by McAfee himself, one that would give a normal security researcher pause:

Further, the company offered a bug bounty that seems to be slowly being eroded by outside forces. They asked hackers to pull coins off of a specially prepared $10 wallet, a move that is uncommon in the world of bug bounties. They wrote:
We deposit coins into a Bitfi wallet
If you wish to participate in the bounty program, you will purchase a Bitfi wallet that is preloaded with coins for just an additional $10 (the reason for the charge is because we need to ensure serious inquiries only)
If you successfully extract the coins and empty the wallet, this would be considered a successful hack
You can then keep the coins and Bitfi will make a payment to you of $250,000
Please note that we grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and our infrastructure
Hackers began attacking the device immediately, eventually hacking it to find the passphrase used to move crypto in and out of the wallet. In a detailed set of tweets, security researchers Andrew Tierney and Alan Woodward began finding holes by attacking the operating system itself. However, this did not match the bounty to the letter, claimed BitFi, even though they did not actually ship any bounty-ready devices.

Something that I feel should be getting more attention is the fact that there is zero evidence that a #bitfi bounty device was ever shipped to a researcher. They literally created an impossible task by refusing to send the device required to satisfy the terms of the engagement.
— Gallagher (@DanielGallagher) August 8, 2018

Then, to add insult to injury, the company earned a Pwnies award at security conference Defcon. The award was given for worst vendor response. As hackers began dismantling the device, BitFi went on the defensive, consistently claiming that their device was secure. And the hackers had a field day. One hacker, 15-year-old Saleem Rashid, was able to play Doom on the device.

Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018

The hacks kept coming. McAfee, for his part, kept refusing to accept the hacks as genuine.

The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.
— John McAfee (@officialmcafee) August 3, 2018

Unfortunately, the latest hack may have just fulfilled all of BitFi’s requirements. Rashid and Tierney have been able to pull cash out of the wallet by hacking the passphrase, a primary requirement for the bounty. “We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy,” Tierney told TheNextWeb. “We believe all conditions have been met.”
The end state of this crypto mess? BitFi did what most hacked crypto companies do: double down on the threats. In a recently deleted Tweet they made it clear that they were not to be messed with:

I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers. pic.twitter.com/McyBGqM3bt
— Matthew Green (@matthew_d_green) August 6, 2018

The researchers, however, may still have the last laugh.

Claiming your front door has an unpickable lock does not make your house secure. No more does offering a reward only for defeating that front door lock, and repeatedly saying no one has claimed the reward, prove your house is secure, especially when you’ve left the windows open.
— Alan Woodward (@ProfWoodward) August 14, 2018


Fossil announces new update to Android Wear watches with HR tracking, GPS

Fossil’s Q watch line is an interesting foray by a traditional fashion watchmaker into the wearable world. Their latest additions to the line, the Fossil Q Venture HR and Fossil Q Explorist HR, add a great deal of Android Wear functionality to a watch that is reminiscent of Fossil’s earlier, simpler watches. In other words, these are some nice, low-cost smartwatches for the fitness fan.
The original Q watches included a clever hybrid model with analog face and step counter. As the company expanded into wearables, however, they went the Android Wear route and created a number of lower-powered touchscreen watches. Now, thanks to a new chipset, Fossil is able to add a great deal more functionality in a nice package. The Venture and the Explorist add untethered GPS, NFC, heart rate and 24-hour battery life. They also include an altimeter and gyroscope sensor.
The new watches start at $255 and run the Qualcomm Snapdragon Wear 2100 chip, an optimized chipset for fitness watches.
The watch comes in multiple styles and with multiple bands and features 36 faces, including health and fitness-focused faces for the physically ambitious. The watch also allows you to pay with Google Pay — Apple Pay isn’t supported — and you can store content on the watch for runs or walks. It also tracks swims and is waterproof. The Venture and Explorist are 40mm and 45mm, respectively, and the straps are interchangeable. While they’re no $10,000 Swiss masterpiece, these things look — and work — pretty good.


UK report highlights changing gadget habits — and our need for an online fix

A look back at the past decade of consumer technology use in the UK has shone a light on changing gadget habits, underlining how Brits have gone from being smartphone dabblers back in 2008 when a top-of-the-range smartphone cost ~£500 to true addicts in today’s £1k+ premium smartphone era.
The report also highlights what seems to be, at times, a conflicted relationship between Brits and the Internet.
While nine in ten people in the UK have home access to the Internet, here in 2018, some web users report feeling that being online is a time-sink or a constraint on their freedom.
But even more said they feel lost or bored without it.
Over the past decade the Internet looks to have consolidated its grip on the spacetime that boredom occupied for the less connected generations that came before.
The overview comes via regulator Ofcom’s 2018 Communications Market report. The full report commenting on key market developments in the country’s communications sector is a meaty, stat and chart-filled read.
The regulator has also produced a 30-slide interactive version this year.
Commenting on the report findings in a statement, Ian Macrae, Ofcom’s director of market intelligence, said: “Over the last decade, people’s lives have been transformed by the rise of the smartphone, together with better access to the Internet and new services. Whether it’s working flexibly, keeping up with current affairs or shopping online, we can do more on the move than ever before.
“But while people appreciate their smartphone as their constant companion, some are finding themselves feeling overloaded when online, or frustrated when they’re not.”
We’ve pulled out some highlights from the report below…

Less than a fifth (17%) of UK citizens owned a smartphone a decade ago; the figure now stands at 78% — and a full 95% of 16-24 year-olds. So, yeah, kids don’t get called digital natives for nothin’
People in the UK check their smartphones, on average, every 12 minutes of the waking day. (‘Digital wellbeing’ tools clearly have their work cut out to kick against this grain… )
Ofcom found that two in five adults (40%) first look at their phone within five minutes of waking up (rising to 65% of the under 35s). While around a third (37%) of adults check their phones five minutes before lights out (again rising to 60% of under-35s). Shame it didn’t also ask how well people are sleeping
Contrary to a decade ago, most UK citizens say they need and expect a constant Internet connection wherever they go. Two thirds of adults (64%) say it’s an essential part of their life. One in five adults (19%) say they spend more than 40 hours a week online, up from 5% just over ten years ago
Three quarters (74%) of people say being online keeps them close to friends and family. Two fifths (41%) say it enables them to work more flexibly

Smartphone screen addicts, much?

Seventy-two per cent of adults say their smartphone is their most important device for accessing the Internet; 71% say they never turn off their phone; and 78% say they could not live without it
Ofcom found the amount of time Brits spend making phone calls from mobiles has fallen for the first time — using a mobile for phone calls is only considered important by 75% of smartphone users vs 92% who consider web browsing on a smartphone to be important (and indeed the proportion of people accessing the Internet on their mobile has increased from 20% almost a decade ago to 72% in 2018)
The average amount of time spent online on a smartphone is 2 hours 28 minutes per day. This rises to 3 hours 14 minutes among 18-24s

Social and emotional friction, plus the generation gap…

On the irritation front, three quarters of people (76%) find it annoying when someone is listening to music, watching videos or playing games loudly on public transport; while an impressive 81% object to people using their phone during meal times
TV is another matter though. The majority (53%) of adults say they are usually on their phone while watching TV with others. There’s a generation gap related to social acceptance of this though: With a majority (62%) of people over the age of 55 thinking it’s unacceptable — dropping to just two in ten (21%) among those aged 18-34
Ofcom also found that significant numbers of people say the online experience has negative effects. Fifteen per cent agree it makes them feel they are always at work, and more than half (54%) admit that connected devices interrupt face-to-face conversations with friends and family — which does offer a useful counterpoint to social media giants’ shiny marketing claims that their platforms ‘connect people’ (the truth is more they both connect & disconnect). While more than two in five (43%) also admit to spending too much time online
Around a third of people say they feel either cut off (34%) or lost (29%) without the Internet, and if they can’t get online, 17% say they find it stressful. Half of all UK adults (50%) say their life would be boring if they could not access the Internet 
On the flip side, a smaller proportion of UK citizens view a lack of Internet access in a positive light. One in ten says they feel more productive offline (interestingly this rises to 15% for 18-34 year-olds); while 10% say they find it liberating; and 16% feel less distracted

The impact of (multifaceted and increasingly powerful and capable) smartphones can also be seen on some other types of gadgets. Though TV screens continue to compel Brits (possibly because they feel it’s okay to keep using their smartphones while sitting in front of a bigger screen… )

Ofcom says ownership of tablets (58% of UK households) and games consoles (44% of UK adults) has plateaued in the last three years
Desktop PC ownership has declined majorly over the past decade — from a large majority (69%) of households with access in 2008 to less than a third (28%) in 2018
As of 2017, smart TVs were in 42% of households — up from just 5% in 2012
Smart speakers weren’t around in 2008 but they’ve now carved out a space in 13% of UK households
One in five households (20%) report having some wearable tech (smart watches, fitness trackers). So smart speakers look to be fast catching up with fitness bands

BBC mightier than Amazon …

BBC website visitor numbers overtook those of Amazon in the UK in 2018. Ofcom found the BBC had the third-highest number of users after Google and Facebook
Ofcom also found that six in ten people have used next-day delivery for online purchases, but only three in ten have used same-day delivery in 2018. So most Brits are, seemingly, content to wait until tomorrow for ecommerce purchases — rather than demanding their stuff right now

What else are UK citizens getting up to online? More of a spread of stuff than ever, it would appear…

Less general browsing/surfing than last year, though it’s still the most popular reported use for Internet activity (69% saying they’ve done this in the past week vs 80% who reported the same in 2017)
Sending and receiving email is also still a big deal — but also on the slide (66% reporting doing this in the past week vs 76% in 2017)
Social media use is another popular use-case, though slightly less so than last year (50% in 2017 down to 45% in 2018). (Twitter bucks the trend with a percentage point usage bump (13% -> 14%), though it’s far less popular overall)
Instant messaging frequency also dropped a bit (46% -> 41%)
As did TV/video viewing online (40% -> 36%), including for watching short video clips (31% to 28%)
Online shopping has also dropped a bit in frequency (48% -> 44%)
But accessing news has remained constant (36%)
Finding health information has seen marginal growth (22% -> 23%); ditto finding/downloading information for work/college (32% -> 33%); using local council/government services (21% -> 23%); and playing games online/interactively (17% -> 18%)
Streaming audio services have got a bit more popular (podcasts, we must presume), with 15% reporting using them in the past week in 2017 up to 19% in 2018. Listening to the radio online is also up (13% -> 15%)
However, uploading/adding content to the Internet has got a bit less popular (17% to 15%)

One more thing: Women in the UK are bigger Internet fans than men.
Perhaps contrary to some people’s expectations, women in the UK spend more time online on average than men across almost all age groups, with the sole exception being the over 55s (where the time difference is pretty marginal)…


JBL’s $250 Google Assistant smart display is now available for pre-order

It’s been a week since Lenovo’s Google Assistant-powered smart display went on sale. Slowly but surely, its competitors are launching their versions, too. Today, JBL announced that its $249.95 JBL Link View is now available for pre-order, with an expected ship date of September 3, 2018.
JBL went for a slightly different design than Lenovo (and the upcoming LG WK9), but in terms of functionality, these devices are pretty much the same. The Link View features an 8-inch HD screen; unlike Lenovo’s Smart Display, JBL is not making a larger 10-inch version. It’s got two 10W speakers and the usual support for Bluetooth, as well as Google’s Chromecast protocol.
JBL says the unit is splash proof (IPX4), so you can safely use it to watch YouTube recipe videos in your kitchen. It also offers a 5MP front-facing camera for your video chats and a privacy switch that lets you shut off the camera and microphone.
JBL, Lenovo and LG all announced their Google Assistant smart displays at CES earlier this year. Lenovo was the first to actually ship a product, and both the hardware and Google’s software received a positive reception. There’s no word on when LG’s WK9 will hit the market.



WhatsApp limits message forwarding in bid to reduce spam and misinformation


In a bid to cut down on the spread of false information and spam, WhatsApp recently added labels that indicate when a message has been forwarded. Now the company is sharpening that strategy by imposing limits on how many groups a message can be sent on to.

Originally, users could forward messages on to multiple groups, but a new trial will see that forwarding limited to 20 groups worldwide. In India, however, which is WhatsApp’s largest market with 200 million users, the limit will be just five. In addition, a ‘quick forward’ option that allowed users to pass on images and videos to others rapidly is being removed from India.

“We believe that these changes — which we’ll continue to evaluate — will help keep WhatsApp the way it was designed to be: a private messaging app,” the company said in a blog post.

The changes are designed to help reduce the amount of information that goes viral on the service, although clearly this isn’t a move that will end the problem altogether.

The change is in direct response to a series of incidents in India. The BBC recently wrote about an incident which saw one man dead and two others severely beaten after rumors of their efforts to abduct children from a village spread on WhatsApp. Reportedly 17 other people have been killed in the past year under similar circumstances, with police saying false rumors had spread via WhatsApp.

In response, WhatsApp — which is of course owned by Facebook — has bought full-page newspaper ads to warn about false information on its service.

Beyond concern about firing up vigilantes, the saga may also spill into India’s upcoming national general election next year. Times Internet today reports that Facebook and WhatsApp plan to introduce a fake news verification system that they used recently in Mexico to help combat spam messages and the spreading of incorrect news and information. The paper said that the companies have already held talks with India’s Election Commission.

Source: Mobile – Techcrunch