(Not so) smart buildings
More than 2,300 building access systems could be open to hijacking attacks because of a severe vulnerability that has been left without a fix.
Hackers have been targeting Linear eMerge E3 systems, a product of Nortek Security & Control (NSC), in order to carry out DDoS attacks. The access systems are used in corporate headquarters, factories and industrial parks to control which doors and rooms employees and visitors can access.
NSC was alerted in May 2019 to several vulnerabilities that affected its devices but did not issue patches. The vulnerability being used in the hijacking attacks is CVE-2019-7256, a command injection flaw.
Hackers are actively scanning the internet for exposed devices to hijack. They then take over devices, before downloading and installing malware and launching DDoS attacks on other targets. The flaw is said to be open to attack even by low-skilled attackers without any advanced technical knowledge.
Consumer technology titan Samsung has revealed details about its latest product launch, SelfieType. The software uses a device’s front-facing ‘selfie’ camera (on a phone, laptop or tablet) to create an invisible keyboard in front of the user. It looks like something out of a sci-fi movie – but how does it work?
To use SelfieType, users must angle their device’s camera towards their hands and begin typing. All fingers must be visible in order for the technology to work, as the software’s AI engine analyses finger movements and interprets them as key presses.
The software is pretty innovative, but critics are questioning its practicality in real life. Most digital keyboards have haptic feedback in the form of a vibration or click so that users can be sure that buttons have been pressed.
SelfieType doesn’t seem to have this audio or physical feedback in its initial design, but this functionality may still be added in before its official release. Using an invisible keyboard is certainly one way to raise eyebrows on public transport!
Enterprise networking company Cisco has issued patches for five critical vulnerabilities that were discovered in Cisco Discovery Protocol (CDP). Security researchers have said that the easily exploitable vulnerabilities could affect tens of millions of devices.
Four out of the five high-severity bugs are remote code execution issues affecting Cisco routers, switches, and IP cameras, and the fifth vulnerability is a denial-of-service issue affecting Cisco IP phones.
Collectively dubbed CDPwn, the vulnerabilities could allow an attacker to remotely take over a device without any user interaction. Public exploits have not been found, but an attacker would simply need to send a maliciously crafted CDP packet to a target device on the network to take advantage of the vulnerability.
Cisco said that they are not aware of any malicious use of any of the five vulnerabilities so far.
The days of frantically searching for lost car keys could be over. Apple has just released a beta version of iOS 13.4 for developers, which contains references to a CarKey API.
The feature could let drivers unlock, lock and start their car with their iPhone or Apple Watch. It looks like the key will work in a similar way to most modern keys, where drivers can unlock, lock and even start the car when in the proximity of the vehicle.
The Apple device would be held near an NFC-compatible car to act as a key. Information found in the API revealed that the CarKey function would be contained in the Wallet app and won’t need to use Face ID to verify after the initial pairing. Drivers may also be able to share their digital car key via the Wallet app to a trusted person’s Apple device.
There has not been an official announcement from Apple yet, so a launch is not entirely certain, but the information contained in the API does look promising.
We’ll be back soon with more tech news!