
Submission + - Consumer Groups Push New Law To Rein In Zombie Devices (substack.com)

chicksdaddy writes: You bought a smart refrigerator with cool new AI features (https://www.ces.tech/ces-innovation-awards/2025/4-door-refrigerator-with-ai-home-and-ai-vision-inside-20/). The hardware that keeps your food from spoiling has a useful life that is measured in decades. But 6 months after you buy it, the manufacturer declares that it is ending support for the fridge's software and shutting down the cloud services that power its smart features — a big reason you purchased the device. What can you do? Currently, not a thing. But that may soon change. A group of consumer advocacy groups on Thursday introduced model legislation to address the growing epidemic of “zombie” Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports https://open.substack.com/pub/...

The Connected Consumer Product End of Life Disclosure Act (https://advocacy.consumerreports.org/press_release/consumer-reports-us-pirg-and-secure-resilient-future-foundation-propose-connected-consumer-products-end-of-life-disclosure-act-to-address-iot-security-risks/) is a collaboration between Consumer Reports (https://consumerreports.org/), US PIRG (https://pirg.org/), SRFF, the Secure Resilient Future Foundation (https://secure-resilient.org/) and the Center for Democracy and Technology (https://cdt.org/). It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

“Consumers deserve to know how long their connected devices will be supported,” said Justin Brookman, director of technology policy for Consumer Reports in a statement. “Currently, it’s nearly impossible for most people to figure out if their devices are still receiving critical updates. This lack of transparency leaves consumers vulnerable and creates significant security risks.”

Submission + - Software Flaw Exposes Millions of Subarus, Rivers of Driver Data

chicksdaddy writes: Vulnerabilities in Subaru's STARLINK telematics software enabled two independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan, The Security Ledger is reporting. (https://securityledger.com/2025/01/more-of-the-shame-software-flaw-exposes-millions-of-subarus-rivers-of-driver-data/)

In a report published Thursday (https://samcurry.net/hacking-subaru) researchers Sam Curry (zlz.bsky.social) and Shubham Shah revealed a now-patched flaw in Subaru’s STARLINK connected vehicle service that allowed them to remotely control Subarus and access vehicle location information and driver data with nothing more than the vehicle’s license plate number, or easily accessible information like the vehicle owner’s email address, Zip code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.) Curry and Shah downloaded a year's worth of vehicle location data for Curry's mother's 2023 Impreza (Curry bought her the car with the understanding that she'd let him hack it. :-) ). The two researchers also added themselves to a friend's STARLINK account without any notification to the owner and used that access to remotely lock and unlock the friend's Subaru.

The details of Curry and Shah’s hack of the STARLINK telematics system bear a strong resemblance to hacks documented in his 2023 report Web Hackers versus the Auto Industry (https://samcurry.net/web-hackers-vs-the-auto-industry/ ) as well as a September 2024 discovery of a remote access flaw in web-based applications used by KIA automotive dealers that also gave remote attackers the ability to steal owners’ personal information and take control of their KIA vehicle. (https://securityledger.com/2024/09/kia-ko-web-hackers-vs-the-auto-industry-round-2/)

In each case, publicly accessible connected vehicle infrastructure intended for use by employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication.

Submission + - Senator calls out John Deere for frustrating repair, violating federal law (substack.com)

chicksdaddy writes: The Fight to Repair Newsletter is reporting that U.S. Senator Elizabeth Warren is calling out agricultural equipment giant John Deere for possible violations of the federal Clean Air Act and a years-long pattern of thwarting owners’ ability to repair their farm equipment.

Deere “appears to be evading its responsibilities under the Clean Air Act to grant customers the right to repair their own agricultural equipment.” That is costing farmers an estimated $4.2 billion annually “causing them to miss key crop windows on which their businesses and livelihoods rely,” Warren wrote in a letter (https://www.theverge.com/2024/10/3/24260513/john-deere-right-to-repair-elizabeth-warren-clean-air-act) dated October 2nd.

The letter from Warren, a Senator from Massachusetts and strong repair advocate, is just the latest volley lobbed at Illinois-based Deere, an iconic American brand and the largest supplier of agricultural equipment to farms in the U.S. Deere controls an estimated 53 percent of the U.S. market for large tractors and 60 percent of the U.S. market for farm combines.

In recent weeks, Deere faced criticism, including from Republican presidential candidate Donald Trump, after laying off close to 2,000 U.S.-based employees at facilities in Iowa and Illinois, moving many of those jobs to facilities in Mexico. (https://www.dtnpf.com/agriculture/web/ag/equipment/article/2024/07/24/deere-lays-undisclosed-number) The company has also been repeatedly called out for complicating repair and service of its farm equipment — often relying on software locks and digital rights management to force farmers to use Deere dealers and authorized service providers for even the simplest repairs. (https://pirg.org/arizona/resources/deere-in-the-headlights-ii-2/)

Submission + - Precision Agriculture Has Its Cassandra. His Name Is Kevin. (substack.com)

chicksdaddy writes: Farming in the United States is in the midst of a major transformation — the biggest since the arrival of mechanized agriculture more than a century ago. The transformative technology back then was the internal combustion engine, which allowed farmers to power a wide range of new machines and mechanize previously manual implements from tractors and reapers to combine harvesters. The transformative technology now? Precision agriculture, a catch-all term that describes a constellation of technologies that includes Internet- and GPS-connected agricultural equipment, highly accurate remote sensors, “big data” analytics and cloud computing.

Once it is broadly adopted, precision agriculture technology promises to reduce the need for human labor to run farms even more than the combustion engine did. (Autonomous equipment means you no longer even need drivers!) But the risks it poses to small farms and farming communities are much bigger than that. First, as the USDA notes on its website (https://www.nifa.usda.gov/grants/programs/precision-geospatial-sensor-technologies-programs/adoption-precision-agriculture): the scale and high capital costs of precision agriculture technology tend to favor large, corporate producers over smaller farms. Then there are the systemic risks to U.S. agriculture of an increasingly connected and consolidated agriculture sector, with a few major OEMs having the ability to remotely control and manage access to and maintenance of vital equipment on millions of U.S. farms. That includes the risk of disruption due to cyber attacks on precision farming hardware, software and services — an issue that agricultural equipment makers are scrambling to address (https://www.forbes.com/sites/paulfroberts/2021/06/20/under-scrutiny-big-ag-scrambles-to-address-cyber-risk/), but reluctant to discuss.

The biggest risk, however, comes from the reams of valuable and proprietary operational data that precision agriculture equipment generates and collects about the operation of a farm — from soil quality to the application of fertilizers and other agents, to crop yields. For centuries, such information resided in farmers’ heads, or on written or (more recently) digital records that they owned and controlled exclusively, typically passing that knowledge and data down to succeeding generations of farm owners. Precision agriculture technology wrests it from the farmer’s control and shares it with equipment manufacturers and service providers — often without the explicit understanding of the farmers themselves, and almost always without monetary compensation to the farmer for the data. Over time, this massive transfer of knowledge from individual farmers or collectives to multinational corporations risks beggaring farmers by robbing them of one of their most vital assets, data, and turning them into little more than passive caretakers of automated equipment managed, controlled and accountable to distant corporate masters.

That’s a dark view of the future — and one that it’s hard to hear over the “rah rah rah!” of precision agriculture’s (corporate funded) boosters. But it’s not like nobody sees the writing on the wall, or is sounding the alarm bell. The blog Fight to Repair News (http://fighttorepair.news) recently interviewed Kevin Kenney, an Alternative Fuel Systems Engineer at Grassroots Energy in Nebraska and one of the loudest voices warning about the dangers posed by precision agriculture technologies, including the wholesale theft and monetization of proprietary farmer data.

Submission + - Citing danger of "ink spills" Epson programs printers to stop operating (substack.com)

chicksdaddy writes: Printer maker Epson has programmed some models of its inkjet printers to "stop operating" at a pre-determined time, citing the risk of property damage linked to "ink spills," the Fight to Repair newsletter reports. (https://fighttorepair.substack.com/p/citing-danger-of-ink-spills-epson).

Epson printer owners have complained (https://twitter.com/marktavern/status/1550605262700122112?s=20&t=8AjU1bZ_f9o-r37VkJn8Ig) that their functioning printers have suddenly stopped working, displaying an error message declaring that a component of the printer has "reached the end of its service life" and that the device needs to be serviced. According to Epson's website (https://epson.com/Support/wa00369), the message is linked to ink pads, which Epson describes as “porous pads in the printer that collect, distribute, and very importantly contain the ink that is not used on printed pages.” Over time, these pads become saturated with ink though generally not “before the printer is replaced for other reasons” (??!)

“Like so many other products, all Epson consumer ink jet products have a finite life span due to component wear during normal use... The printers are designed to stop operating at the point where further use without replacing the ink pads could create risks of property damage from ink spills or safety issues related to excess ink contacting an electrical component,” the company said on its website.

Rather than measure the saturation of the ink pads to determine when that point is reached, however, Epson appears to have programmed a counter on its printers that disables the device when a threshold has been reached. For printer owners who use Windows, Epson makes a reset utility that can reset the counter though it can "only be used once and will allow printing for a short period of time.” For Mac users, or Windows users who have already run the reset utility once, Epson urges them to have the printer serviced by an Epson authorized service shop or — preferably — to replace the printer with a new printer. “Repair may not be a cost-effective option for lower-cost printers because other components may also be near the end of their usable life," the company said. Despite the company's claims about the unfixability of the ink pad issue, YouTube videos suggest that the ink pads are, in fact, simple to replace, as this video illustrates. https://youtu.be/EocI_8awj38

Legal experts say that Epson's hard coding an end of life for its printers may be illegal — an example of "Deceptive trade practices," unless it is clearly disclosing the existence of the programmed end of life to consumers prior to purchase.

“Without some very clear warning to consumers, it wouldn’t surprise me to see some pushback along the lines of the FTC’s intervention in the Revolv bricking incident a few years back,” said Aaron Perzanowski of University of Michigan Law School, referring to Nest’s “smart home hub,” which the company decided to stop supporting in 2016 after purchasing Revolv in 2014. (https://www.perzanow.ski/blog/2016/7/14/ftcs-revolv-investigation)

The decision to shut down servers supporting the Revolv devices effectively “bricked” the devices. That, the FTC decided, caused “unjustified, substantial consumer injury that consumers themselves could not reasonably avoid.” The FTC ultimately refrained from an enforcement action against Nest noting, in a letter, that the company had already offered full refunds to affected customers (after the outcry, it should be noted), but reserved the right to “take further action as the public interest may warrant.”

Comment Re:They all do it on the cheap (Score 1)

Yes. 35 open recs at John Deere that contain “cyber security” in the job description. Prior to these stories coming to light, the company had hardly any embedded device security and cyber talent on staff - and most of the Deere employees with infosec in their title had been at the company for decades (that is: maybe looked at things through tinted lenses) and didn’t have ‘traditional’ infosec backgrounds. https://jobs.deere.com/search/...

Submission + - DEF CON: Security Holes in Deere, Case IH Spotlight Agriculture Cyber Risk (securityledger.com)

chicksdaddy writes: A lot has changed in the agriculture sector in the last decade. And farm country’s cybersecurity bill has come due in a big way. A (virtual) presentation (https://www.youtube.com/watch?v=zpouLO-GXLo) at the annual DEF CON hacking conference (https://defcon.org/) in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. (https://securityledger.com/2021/08/def-con-security-holes-in-deere-case-ih-shine-spotlight-on-agriculture-cyber-risk/) Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere’s global product infrastructure, sensitive customer and third party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the linchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws (https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/) in the company’s public-facing web applications set off a scramble by Deere and other agricultural equipment makers (https://www.forbes.com/sites/paulfroberts/2021/06/20/under-scrutiny-big-ag-scrambles-to-address-cyber-risk/) to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross Site Scripting and account enumeration bugs linked to Deere’s web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third party software by Pega Systems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back end Pegasystems server. With wide ranging, administrative access to the production backend Pega server, the researchers were able to obtain other, administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere’s OKTA signing certificate for the Pegasystems server, according to the presentation.

In an email statement to The Security Ledger, a John Deere spokesperson said that “none of the claims – including those identified at DEF CON — have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information,” though data included in the presentation as well as prior, public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.

Submission + - Developer Workstation Exposed State Dept. Network Data, Researchers Find (forbes.com)

chicksdaddy writes: Sensitive systems and data for the U.S. Department of State could have been exposed by a third party development workstation running the eXide software (https://exist-db.org/exist/apps/eXide/index.html), according to researchers for the hacking crew Sakura Samurai (https://sakurasamurai.pro/). According to a report in Forbes (https://www.forbes.com/sites/paulfroberts/2021/08/05/new-vuln-disclosure-policy-pays-dividends-for-federal-agencies/?sh=59a0cdc125be), the researchers took advantage of a new State Department Vulnerability Disclosure Program (https://www.state.gov/vulnerability-disclosure-policy/) to look for security flaws in one of 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

After reporting their findings to the State Department on April 27th, researcher Jackson Henry (https://www.twitter.com/JacksonHHax) and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. Henry and Sakura Samurai then began working with the State Department on public disclosure of the vulnerabilities, while also communicating with the developers responsible for the open source project to get the flaws fixed, according to communications shared with Forbes.

The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web. “The State Department can’t audit every open source package it uses,” Henry said. “That’s why the VDP is such a big thing (and) a step in the right direction.”

It is also an endorsement of the benefits of a quiet security revolution within the federal government in recent months, as agencies have responded to Binding Operational Directive 20-01 (https://cyber.dhs.gov/bod/20-01/), a new requirement from CISA, the Cybersecurity and Infrastructure Security Agency, that Executive Branch agencies publish and maintain public vulnerability disclosure programs, or VDPs — a kind of front door for bug hunters and “white hat” cybersecurity professionals.

Submission + - Flaws in John Deere's Website Provide a Map to Customers, Equipment (securityledger.com)

chicksdaddy writes: Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. (https://securityledger.com/2021/04/deere-john-researcher-warns-ag-giants-site-provides-a-map-to-customers-equipment/)

The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. (https://www.cisa.gov/food-and-agriculture-sector) The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California’s CCPA or the Personal Information Protection Act in Deere’s home state of Illinois. However, the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn.

The Agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report released by Department of Homeland Security (https://www.dhs.gov/sites/default/files/publications/2018%20AEP_Threats_to_Precision_Agriculture.pdf) concluded that the “adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities” (and that) “potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers.”

Submission + - IPv4 Parsing Flaw in NPM Netmask Could Affect 270,000 Apps

chicksdaddy writes: Independent security researchers analyzing the widely used open source component netmask have discovered security vulnerabilities that could leave more than a quarter million open source applications vulnerable to attack, according to a report released Monday, The Security Ledger reports. (https://securityledger.com/2021/03/critical-flaws-found-in-widely-used-netmask-open-source-library/)

According to a report by the site Sick Codes (https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/) the flaws open applications that rely on netmask to a wide range of malicious attacks including Server Side Request Forgeries (SSRF) and Remote- and Local File Includes (RFI, LFI) that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one. Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say.

Netmask (https://www.npmjs.com/package/netmask) is a widely used package that allows developers to evaluate whether an IP address attempting to access an application was inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined “block.” According to the researcher using the handle “Sick Codes,” (https://www.twitter.com/sickcodes), the researchers discovered that netmask had a big blind spot. Specifically: it evaluates certain IP addresses incorrectly: improperly validating so-called “octal strings” rendering IPv4 addresses that contain certain octal strings as integers. For example, the IPv4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string “0177” translates to the integer “127.” However, netmask evaluates it as a public IPv4 address: 177.0.0.1, simply stripping off the leading zero and reading the remaining parts of the octal string as an integer.

The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address. Similarly, attackers could also disguise remote IP addresses as local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks. But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that textual representations of IPv4 addresses were never standardized (https://blog.dave.tf/post/ip-addr-parsing/), leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.
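The octal confusion described above, as an added example that is not netmask's code or the researchers' code. It compares three octet parsers: one that mimics the behaviour described (the leading zero is dropped and the rest is read as decimal), one that follows the inet_aton() rules the C library and most network stacks apply (a leading 0 means octal, 0x means hex), and a strict canonical parser that accepts nothing but plain dotted-decimal. The CIDR block, the sample addresses and all function names are assumptions made for the demonstration.

```javascript
// Added example (not netmask's own code). Three octet parsers are compared:
//  - naiveOctet      mimics the behaviour described above: a leading zero is
//                    dropped and the rest is read as decimal ("0177" -> 177)
//  - inetAtonOctet   follows inet_aton(): "0177" is octal 127, "0x7f" is hex 127
//  - canonicalOctet  accepts only plain dotted-decimal, the safe choice for an
//                    SSRF allow/deny check, because anything unusual is rejected
// Shorthand forms that inet_aton() also accepts ("127.1", a bare 32-bit
// integer) are deliberately not implemented here; canonicalOctet rejects them.

function naiveOctet(s) {
  const n = parseInt(s, 10);                    // "0177" -> 177, "0x7f" -> 0
  if (Number.isNaN(n) || n < 0 || n > 255) throw new Error(`bad octet: ${s}`);
  return n;
}

function inetAtonOctet(s) {
  let n;
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) n = parseInt(s.slice(2), 16);   // hex
  else if (/^0[0-7]+$/.test(s)) n = parseInt(s.slice(1), 8);          // octal
  else if (/^(0|[1-9][0-9]*)$/.test(s)) n = parseInt(s, 10);          // decimal
  else throw new Error(`bad octet: ${s}`);
  if (n > 255) throw new Error(`octet out of range: ${s}`);
  return n;
}

function canonicalOctet(s) {
  if (!/^(0|[1-9][0-9]{0,2})$/.test(s)) throw new Error(`non-canonical octet: ${s}`);
  const n = Number(s);
  if (n > 255) throw new Error(`octet out of range: ${s}`);
  return n;
}

// Dotted quad -> unsigned 32-bit integer using the supplied octet parser.
function toUint32(ip, octetParser) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`expected four octets: ${ip}`);
  return parts.reduce((acc, p) => ((acc << 8) | octetParser(p)) >>> 0, 0);
}

// True when `ip` falls inside `cidr` (e.g. "127.0.0.0/8"); both sides use `octetParser`.
function inBlock(ip, cidr, octetParser) {
  const [base, prefix] = cidr.split('/');
  const bits = Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toUint32(ip, octetParser) & mask) >>> 0) === ((toUint32(base, octetParser) & mask) >>> 0);
}

// Run one address through all three parsers against a block; 'rejected' when a parser throws.
function classify(ip, cidr) {
  const parsers = [['naive', naiveOctet], ['inetAton', inetAtonOctet], ['canonical', canonicalOctet]];
  const out = {};
  for (const [name, parser] of parsers) {
    try { out[name] = inBlock(ip, cidr, parser); } catch (e) { out[name] = 'rejected'; }
  }
  return out;
}

// Constructed inputs: the loopback deny check a typical SSRF filter performs.
const LOOPBACK = '127.0.0.0/8';
const SAMPLES = ['127.0.0.1', '0177.0.0.1', '0127.0.0.1', '0x7f.0.0.1'];
if (typeof require !== 'undefined' && require.main === module) {
  for (const ip of SAMPLES) console.log(ip.padEnd(12), JSON.stringify(classify(ip, LOOPBACK)));
}
```

A filter that decides "internal or external" with one parser while the socket layer resolves the same string with another is the whole bug: 0177.0.0.1 reads as public to the naive check and as loopback to inet_aton(), and 0127.0.0.1 goes the other way round (decimal 127 to the naive check, octal 87 to inet_aton()). The canonical parser sidesteps the disagreement by refusing every non-canonical spelling, which is the behaviour an SSRF allow/deny check should have.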

Submission + - Flaws in Zoom's Keybase App Kept Chat Images From Being Deleted

chicksdaddy writes: The Security Ledger reports (https://securityledger.com/2021/02/exclusive-flaws-in-zooms-keybase-app-kept-chat-images-from-being-deleted/ ) that a flaw in Zoom’s Keybase (https://keybase.io/blog/keybase-joins-zoom) secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted, according to researchers from the group Sakura Samurai. (https://sakurasamurai.pro/)

The flaw in the encrypted messaging application, CVE-2021-23827 (https://johnjhacking.com/blog/cve-2021-23827/) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services. It comes as millions of users have flocked to apps like Keybase, Signal and Telegram in recent months.

Sakura Samurai researchers Aubrey Cottle (@kirtaner), Robert Willis (@rej_ex) and Jackson Henry (@JacksonHHax) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, researcher John Jackson told Security Ledger.

In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”

“We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.

In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.

“An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”

Submission + - Researchers Test UN's Cybersecurity, Find Personal Data on 100k Employees

chicksdaddy writes: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger (https://securityledger.com/2021/01/researchers-test-uns-cybersecurity-find-data-on-100k/).

Researchers affiliated with Sakura Samurai (https://sakurasamurai.pro/) a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.’s Environment Programme (UNEP) to obtain “multiple sets of database and application credentials” for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group’s work.(https://johnjhacking.com/blog/unep-breach/)

Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names, emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records and so on.

The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.

Comment Re:brand loyalty (Score 3, Interesting)

As the author of the story, not sure what you mean by Betteridge's Law - my headline doesn't pose a question. As to "what bad thing they would do" might depend on who you are. If you're a research scientist or a senior executive at a corporation involved in R&D or mining and exploration, the back-doored TCL set is basically a surveillance node with both camera and mic. With access to a global network of similar devices, plus ML and AI to sort out the interesting bits of data from the uninteresting bits, the PRC and PLA could do _a lot_ - a lot of espionage, a lot of data mining, a lot of mischief. When you have Alibaba advertising "Uighur detection features" in its platform, it's pretty clear we're not dealing with business as usual with China-based, government controlled firms.

Submission + - DHS Is Looking Into Backdoors in Smart TVs by China's TCL

chicksdaddy writes: The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets, The Security Ledger reports. (https://securityledger.com/2020/12/dhs-looking-into-cyber-risk-from-tcl-smart-tvs/)

Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.” (https://www.dhs.gov/news/2020/12/21/acting-secretary-chad-f-wolf-remarks-prepared-homeland-security-and-china-challenge)

“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”

As reported last month (https://securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/), independent researchers John Jackson (@johnjhacking), an application security engineer for Shutter Stock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets that would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.

In a statement to The Security Ledger, TCL disputed that account. (https://securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/) By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.

In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).

This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.

“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.

Submission + - Researchers: Security Holes Opened Back Door To TCL Android Smart TVs (securityledger.com)

chicksdaddy writes: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation (https://www.tcl.com/) contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.

The security holes appear to have been patched by the manufacturer in early November. However, the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission, according to a report published on Monday by two security researchers. (https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/)

The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.

That flaw, CVE-2020-27403 (https://nvd.nist.gov/vuln/detail/CVE-2020-27403), would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.

Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055. (https://nvd.nist.gov/vuln/detail/CVE-2020-28055)

The researchers, John Jackson (@johnjhacks), an application security engineer for Shutter Stock, and the independent researcher known by the handle “Sick Codes,” (@sickcodes) said the flaws amount to a “back door” on any TCL Android smart television.

“Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.
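As an added detection example (not code from the researchers' report or the Slashdot submission), the routine below flags Zeek-style connection records that reach the insecure file-server port 7989 named in the report on a known TV, and escalates when the client is not a LAN address, which is the "exposed to the public Internet" case Sick Codes describes. The TV addresses, the log lines and the column order are constructed assumptions.

```python
"""Flag connections to the TCL smart-TV file server port (7989) in
Zeek-style conn.log records.  Constructed example, not the report's code."""
import ipaddress

TCL_FILE_SERVER_PORT = 7989   # insecure web server described in the report

# Hypothetical inventory of TCL Android TVs on the LAN (constructed values).
TV_HOSTS = {"192.168.1.40", "192.168.1.41"}

# RFC 1918 ranges; anything outside them is treated as an Internet client.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log-style lines, tab-separated:
# ts, orig_h, orig_p, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
1605000001.1\t192.168.1.10\t51000\t192.168.1.40\t7989\ttcp
1605000002.2\t192.168.1.10\t51001\t192.168.1.40\t443\ttcp
1605000003.3\t198.51.100.7\t40000\t192.168.1.41\t7989\ttcp
1605000004.4\t192.168.1.40\t38000\t192.168.1.1\t53\tudp
"""


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_conn_line(line: str) -> dict:
    ts, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def classify(rec: dict):
    """Return an alert label for one record, or None if it is benign."""
    if rec["proto"] != "tcp" or rec["resp_p"] != TCL_FILE_SERVER_PORT:
        return None
    if rec["resp_h"] not in TV_HOSTS:
        return None            # only inventoried TVs are of interest here
    if not is_lan(rec["orig_h"]):
        return "CRITICAL: Internet host reached TV file server"
    return "WARNING: LAN host reached TV file server"


def detect(lines) -> list:
    """Return (client, tv, label) tuples for every suspicious record."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        label = classify(rec)
        if label:
            alerts.append((rec["orig_h"], rec["resp_h"], label))
    return alerts
```

In practice the LAN warning is expected noise from the TV's own companion apps; the point of keeping it is to inventory which hosts talk to that port so that an unexpected client, or a public one, stands out.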
