Submission Summary: 0 pending, 288 declined, 179 accepted (467 total, 38.33% accepted)

Submission: Blur Password Manager Customer Data Leaked Via Insecure AWS says Abine (securityledger.com)

chicksdaddy writes: Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product.

The company said in an email to Blur users that some of their information was “potentially exposed.” Customers were advised to change their Blur password and the password for any other online accounts that share that password, back up their data and enable multi-factor authentication on their Blur account, according to a copy of the email obtained by The Security Ledger. (https://securityledger.com/2019/01/abine-says-blur-password-manager-user-information-exposed/)

In a blog post (https://www.abine.com/blog/2018/blur-security-update/), Abine said that a file containing information about Blur users who registered prior to January 6th, 2018 was “potentially exposed.” The file contained users’ email addresses, first and last names, password hints (for some users), IP addresses associated with user logins and bcrypt-encrypted password values. Abine did not disclose how many Blur users were affected. The company claims that it sports “millions” of active users each month on Blur.

Security Ledger reports that the leak was the result of an exposed Amazon Web Services container on which Abine had stored customer data for use in reporting and maintenance. The company said it did not know whether the exposed data had been accessed. Insecure cloud containers have become a frequent source of data leaks.


Submission: A week later, Marriott customers still waiting for breach notification (securityledger.com)

chicksdaddy writes: Nearly a week after Marriott disclosed a massive breach of its Starwood room reservation system (https://securityledger.com/2018/12/massive-marriott-breach-underscores-risk-of-overlooking-data-liability/), customers complain that the company has not communicated with them to tell them whether they are affected.

Customers of the company's Starwood hotel chain complained in online forums that they had heard nothing from the company about whether their information was stolen by the hackers, who are believed to have lurked on Starwood's network for more than four years. An informal poll of some 30 Starwood customers by Security Ledger found just two who had been contacted by the company by Thursday — nearly a week after Marriott announced the breach.

A Marriott spokesperson told The Security Ledger (https://securityledger.com/2018/12/days-after-massive-breach-marriott-customers-await-details/) that the company communicated about the breach "through multiple channels" and says it began sending emails "on a rolling basis" November 30 to affected guests.

By Thursday, almost a full week after disclosing the breach, the rolling emails hadn't reached Tom Williams of Athol, Massachusetts, who said he had received "nothing" from Marriott or Starwood, where he has been a member since 2016. "Nothing. Pretty lame," wrote Brian Colker, of Santa Monica, California. Colker said he changed his Starwood password only after receiving an alert about the breach from password management software he uses.

Marriott’s spokesman declined to say how many customers had been notified as of Thursday. The company “engaged leading security experts” after learning of the breach to “help determine what occurred,” the spokesman said.

The company also shared a copy of the letter it is sending to customers (https://securityledger.com/wp-content/uploads/2018/12/Guest-Letter-Copy.pdf). Signed by Marriott CEO Arne Sorenson, it is mostly a rehash of the company’s public statement on the incident. It also contains advice on preventing identity theft and, for U.S. residents, links to credit bureaus and state attorneys general offices. The company said it is “working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center.”

Whatever the cause, the delays could be expensive. Under the EU General Data Privacy Regulation (GDPR) Article 51, breached firms are required to notify “supervisory authorities” within their country within 72 hours of discovering the leak. The guidelines for notifying affected individuals are less specific, but also unequivocal. GDPR Article 34 requires breached firms to notify victims “without undue delay” when the stolen data is “likely to result in a high risk to the rights and freedoms of natural persons.”

Submission: In Boston: Election Hacking War Game Bypasses Elections Systems

chicksdaddy writes: Security Ledger reports (https://securityledger.com/2018/09/in-boston-exercise-election-hackers-bypass-voting-machines/) on an election hacking exercise involving public safety officials that demonstrated how determined hackers could sway the outcome of voting in a swing state without even bothering to target election systems.

From the article: It’s election day in Nolandia, an imaginary, mid-sized U.S. city in a key “swing” state, and things are not going as planned – at least for government officials. The day started with snarled traffic and a suspicious outage of the 9-1-1 emergency call center that put the public and first responders on edge. Already, the city’s police force was taxed keeping tabs on protests tied to a meeting of the International Monetary Fund. By afternoon, the federal Emergency Alert System (EAS) was warning Nolandia residents of massive natural gas leaks in neighborhoods in the north and west part of the city, prompting officials to order evacuations of the affected areas.

Later, bomb threats called in to local television stations shut down a bridge linking the northern and southern halves of the city – a major artery for vehicles. Then, cyber attacks on a smart traffic light deployment in Nolandia snarl traffic further and sow chaos during the evening commute. The EAS warnings turn out to be a hoax. But, by then, the “Broken Eagle Task Force” (or BETF), a shadowy hacking collective protesting the ‘global order,’ has taken to social media to take credit for the mayhem.

This is election hacking 2018 style: a highly successful operation in which no voting machines or voting infrastructure were compromised, attacked or even targeted.

“A lot of press and scrutiny have been given to the voter rolls and the voting machines since 2016 as a result of what the Russians did,” said Ross Rustici of Cybereason (https://www.cybereason.com), who was the mastermind of the tabletop exercise. “We wanted to expand that scope and demonstrate that the threat landscape is actually much broader than those very specific vulnerabilities.”

Submission: Acoustic Attacks Used to Crash Hard Drives

chicksdaddy writes: Add sonic attacks to the list of threats to critical IT systems.

Security Ledger is reporting (https://securityledger.com/2018/05/researchers-use-sonic-attacks-to-crash-hard-drives/) on a presentation at the recent IEEE Security & Privacy Symposium in San Francisco (https://www.ieee-security.org/TC/SP2018/) during which researchers from The University of Michigan and Zhejiang University in China demonstrated how targeted sonic interference from commodity acoustic devices can both disrupt and cause damage to magnetic hard disk drives.

In controlled experiments, researchers used ultrasonic attacks to manipulate the "resonant frequency" of the drives, causing them to vibrate outside of accepted ranges and malfunction. While such vibrations aren't huge, even small alterations in the operation of the physical drive can have large consequences in the operation of the applications that use it.

In other experiments, researchers used sound waves to trigger the piezo shock sensors or MEMS capacitive accelerometers that are common in most modern HDDs to prevent them from being damaged when accidentally dropped. By fooling the accelerometers with sonic attacks, the researchers activated the shock sensor and induced a total loss in read/write capability on the affected hard drive.

The sonic attacks are merely proof of concept, but researchers warn that they could be easily reproduced without the need for specialized equipment.

"We just used a $20 speaker and a Sony speaker amplifier that you might see in your home," said Connor Bolton, a graduate research assistant at University of Michigan, and one of the team of researchers who conducted the acoustic attack research.

The sonic attacks won't work on newer, solid state drives. However, older magnetic disk drives are still common in legacy IT environments, including hospitals and in industry. The sonic attacks could be exploited by sophisticated adversaries who wished to cause disruptions on a large scale inside a data center or other sensitive IT environment, researchers warned.

Submission: Fake News 'Echo-system' Targets Syrian Human Rights Workers (securityledger.com)

chicksdaddy writes: Kremlin linked news sites like RT and Sputnik figure prominently in an online disinformation campaign portraying Syrian humanitarian workers (“White Helmets”) as terrorists and crisis actors, according to an analysis by researchers at University of Washington and Harvard. (http://faculty.washington.edu/kstarbi/Starbird-et-al-ICWSM-2018-Echosystem-final.pdf)

An online “echosystem” of propaganda websites including Russia backed news outlets Sputnik and RT is attacking the credibility of humanitarian workers on the ground in rebel occupied Syria, according to a new analysis by researchers at The University of Washington and Harvard University.

Online rumors circulated through so called “alternative” media sites have attacked the Syrian Civil Defence (aka “White Helmets”) as “crisis actors” and Western agents working on behalf of the U.S. and NATO. Statistical analysis of the online rumors reveals a tight network of websites sharing nearly identical content via Twitter and other social media platforms, wrote Kate Starbird (https://medium.com/@katestarbird). Starbird is an Assistant Professor of Human Centered Design & Engineering at University of Washington and a leading expert on so-called “crisis informatics.”

In activity reminiscent of the disinformation campaigns that roiled the U.S. Presidential election in 2016 (https://democrats-intelligence.house.gov/facebook-ads/social-media-advertisements.htm), articles by what Starbird describes as “a few prominent journalists and bloggers” writing for self described “alternative” news sites like 21stCenturyWire, GlobalResearch, MintPressNews, and ActivistPost are picked up by other, smaller and more niche web sites including both left- and right-leaning partisan news sites, “clickbait sites” and conspiracy theory websites.

Government funded media outlets from Syria, Iran, Hezbollah and Russia figure prominently in the Syrian disinformation campaign, Starbird’s team found. In particular, “Russian government-funded media outlets (i.e. SputnikNews and RT) play a prominent and multi-faceted role within this ecosystem,” she wrote.

Submission: Autonomous Vehicles Can Save More Lives Than They Take. It May Not Matter. (securityledger.com)

chicksdaddy writes: Will the death of a pedestrian in Tempe, Arizona derail the self-driving car initiatives of firms like Uber, General Motors and Tesla? The answer greatly depends on the public’s perception of the risks posed by autonomous vehicles – something that the fatal accident is unlikely to help.

49-year-old Elaine Herzberg was struck and killed by a self-driving Uber Volvo XC90 SUV as she walked her bicycle across a Tempe street Sunday night (https://techcrunch.com/2018/03/19/uber-self-driving-test-car-involved-in-accident-resulting-in-pedestrian-death/). Within hours, Uber responded by pulling autonomous vehicles from the streets of Tempe, Pittsburgh, Toronto and other cities where they are operating as the authorities and the company investigate the Tempe incident. Its CEO, Dara Khosrowshahi, issued a statement of condolence for Herzberg’s family and promised cooperation with the police investigation. (https://twitter.com/dkhos/status/975778435455995905)

But a bigger risk looms: the specter of growing public concern and anger prompting a backlash against autonomous vehicles in the name of safety. Herzberg’s death was the first known death of a pedestrian in the U.S. linked to a fully autonomous vehicle. Early and unofficial reports suggest that neither driver error nor errant technology played a role in the accident.

Autonomous and computer assisted driving may be the only solution to fast-worsening safety conditions on US roads. Government data suggests that U.S. roads are becoming more deadly, after decades of steady improvement in driver and vehicle safety. In 2016 there were 37,461 traffic fatalities in the US, a more than 15% increase from 2011. The vast majority of those fatalities were attributable to human error – from speeding to distracted driving.

“Most if not all of those could have been avoided if we had something like autonomous vehicles,” said Beau Woods of the Atlantic Council. That type of calculation makes it understandable that policy makers want to move quickly to adopt autonomous driving technology, he said.

But Woods warns that automakers, technology firms and law makers need to be careful not to move more quickly than public trust merits. More incidents of an autonomous vehicle or a driver in auto pilot mode having a fatal accident could put a chill on the public’s support for the technology – even if data suggests that the technology will make roads safer over all.

While rapid prototyping and “failing fast” may be the mantra of Silicon Valley, that thinking doesn’t apply well when the consequences of failure are matters of life and death. “You can’t reboot life, so you have to be thoughtful and intentional about testing and developing autonomous vehicles,” he said.

Submission: A single photo can uniquely identify the smart phone that took it (securityledger.com)

chicksdaddy writes: Technology developed by researchers at the State University of New York can create a smartphone “fingerprint” from a single photo captured by the device, according to a new study (http://www.buffalo.edu/content/dam/www/news/photos/2017/12/ndss18-paper99.pdf).

The technology, developed by researchers at SUNY Buffalo, exploits a known but obscure flaw in the smartphone’s digital imaging features, which acts as a “fingerprint” for each device. The unique smartphone identifier, when used like a PIN number, could help protect people from identity theft according to Professor Kui Ren, who led a team that developed the new method.

Ren told the Security Ledger (https://securityledger.com/2018/03/single-photo-uniquely-identifies-smartphone-that-took-it/) that manufacturing imperfections in digital cameras create tiny variations in each camera’s sensors. Those imperfections cause some of the sensors’ millions of pixels to project colors that are slightly brighter or darker than they should be. Unnoticeable to viewers, these flaws are detectable on the captured digital images produced by the camera and form a systemic distortion in the photo, dubbed “photo-response non-uniformity” (PRNU), that is unique to each camera.

A smartphone’s image sensor is often tens of times smaller than the image sensor of a conventional digital camera, increasing the likelihood that the unique pattern of a smartphone camera in a captured image is more pronounced.

“We suspected that small pixels will exhibit stronger non-uniformity, and hence introduce a stronger fingerprint in a captured image,” said Ren, a SUNY Empire Innovation Professor in the Department of Computer Science and Engineering in the university’s School of Engineering and Applied Sciences. “We then tested this guess experimentally and observed that one image alone can uniquely identify a smartphone.”

Submission: New Tech Industry Lobbying Group Spins up to Kill Right to Repair Laws (securityledger.com)

chicksdaddy writes: Consumer advocates and proponents of right to repair laws in 17 states have a new enemy to worry about. The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers.

The group released a survey last week (https://securityinnovationcenter.com/2018/02/) warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics- and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members.

Almost two thirds of American consumers surveyed said that the explosive growth of Internet-connected products is making them more concerned about their privacy and security, according to the organization’s survey of 1,015 Americans. 84 percent told survey takers that they value the security of their data over convenience or speed of service.

In an interview with The Security Ledger (https://securityledger.com/2018/02/new-lobbying-group-fights-right-repair-laws/), Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center’s main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the “power of connected products and devices” and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves.

Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety.

“People say ‘It’s just my washing machine. Why can’t I fix it on my own?’ But we saw the Mirai botnet attack last year. Those kinds of products in the wrong hands can be used to do bad things.”

Other surveys have found strong interest among consumers in do-it-yourself repair and independent repair of electronic devices. A survey of 164 independent repair shops nationally conducted by CALPIRG found a 37% increase in weekly battery replacement service requests in the month from December 20, 2017 to January 22, 2018. The same survey cited a big jump in searches for iPhone repair from California residents during the same period.

“We should be free to fix our stuff,” said CalPIRG Director Emily Rusch in a statement (https://calpirg.org/news/cap/after-apple-slows-phones-interest-repair-spikes-california). “But companies use their power to make things harder to repair. This survey shows that people are clearly looking for more options to repair their phones.”

Submission: Candy Maker Mondelez says NotPetya Cleanup Cost $84m (securityledger.com)

chicksdaddy writes: The NotPetya wiper malware took a bite out of candy maker Mondelez International’s 2017 earnings, the company has reported.

Mondelez, which was hit by the outbreak in June, said that it spent $84 million in “incremental costs” to investigate the incident, remove the malware and restore systems infected by the so-called “wiper” malware. In addition, the disruptions caused by NotPetya shaved 0.4% off Mondelez’s 2017 net revenue of $25.9 billion, due mostly to disrupted shipments of candy and other treats following the malware outbreak in the second quarter, putting the full cost of the incident at closer to $180 million for Mondelez, The Security Ledger reports. (https://securityledger.com/2018/02/sour-patch-notpetyas-cost-mondelez-tops-80-million/)

The revelation, which was included in Mondelez’s annual 10-K filing with the U.S. Securities and Exchange Commission (SEC) (http://secfilings.com/searchresultswide.aspx?link=1&filingid=12531786) is just the latest evidence of the cost of the NotPetya outbreak, which began in the Ukraine, but affected a wide range of other firms including Federal Express, Merck Pharmaceuticals and the shipping firm Maersk.

Submission: EFF seeks DMCA exemption to jailbreak Amazon Echo, other voice assistants

chicksdaddy writes: The Electronic Frontier Foundation (EFF) is asking the Library of Congress to give owners of voice assistant devices like Amazon’s Echo, Google Home and other voice assistants the right to “jailbreak” the devices: freeing them from content control features designed to prevent users from running unauthorized code on those platforms, The Security Ledger is reporting. (https://securityledger.com/2018/02/eff-seeks-right-jailbreak-alexa-voice-assistants/)

The EFF filed a petition (https://www.eff.org/document/eff-1201-exemption-comments-2017-jailbreaking-0) with the United States Copyright Office on behalf of owners, small repair shops and parts dealers. EFF is seeking an exemption under the Digital Millennium Copyright Act (DMCA) along the lines of the exemption that allows owners to disable content protection features (or “jailbreak”) their smart phones.

“In addition to smartphones and other mobile devices, the jailbreaking exemption should apply to voice assistant devices such as the Amazon Echo, Google Home, and Apple HomePod,” the petition reads.

In a blog post (https://www.eff.org/deeplinks/2018/02/eff-vs-iot-drm-omg), Cory Doctorow of EFF said that a DMCA exemption will give owners the right to put their own software on voice assistants as well as open the devices to security researchers. In addition to probing the devices for security holes that could be exploited by a malicious actor, researchers might also gain an understanding of how voice assistants manage the reams of audio and other sensor data they collect from their immediate surroundings.

"These gadgets are finding their way into our living rooms, kitchens—even our bedrooms and bathrooms. They have microphones that are always on and listening (many of them have cameras, too), and they're connected to the Internet. They only run manufacturer-approved apps, and use encryption that prevents security researchers from investigating them and ensuring that they're working as intended," Doctorow wrote.

Submission: Journalists use ghost workouts to re-identify soldiers on Strava

chicksdaddy writes: Strava's heatmap privacy meltdown continued this week, after a team of journalists at the Dutch publication NRK gamed Strava's Flyby feature to re-identify 18 soldiers from seven countries from their workouts on bases in Iraq and Afghanistan. (https://www.nrk.no/urix/how-soldiers-from-norway_-denmark-and-usa-disclose-who-they-are-and-where-they-exercise-in-war-zones-1.13892695)

Strava’s Flyby feature allows Strava users to see other users whose workouts overlap with theirs. The feature has long been a privacy and safety concern for some users, who worried about the creep-o factor of strangers being able to view their name and workouts anonymously on Strava. (See this 2015 article from Total Womens Cycling: https://totalwomenscycling.com...)

Henrik Lied (@henriklied), a journalist at Norway’s NRKbeta told The Security Ledger that last week's heatmap controversy inspired him to delve a bit further into what other sensitive information could be revealed by making some tweaks to Strava. “Anonymization is hard, especially at this scale. It is virtually impossible to fully be able to say that data is anonymized when you use all data as input for your aggregations.” (https://securityledger.com/2018/01/privacy-meltdown-strava-tricked-into-revealing-soldiers-names/)

After learning of the existence of “Flyby” from his editor, Lied and his coworkers figured out a way to insert "ghost" workouts into the application that corresponded to known bases in Afghanistan and Iraq.

By inserting hundreds of fake workouts for each location at times that were likely to be used by others to work out ("most people don’t go out jogging mid-day in areas where the temperature easily reaches 40 Celsius"), the team generated a record of hundreds of Strava Flyby maps which they reviewed manually looking for other users. The result was 20 individuals from seven countries: Norway, Denmark, the United States, France, the Netherlands, Italy and England. 18 of them used their full name and NRK was able to confirm that they were members of the military.

Lied said people are to blame for divulging the sensitive information. But it's worth considering whether Strava might do more to protect its users' privacy. Although the application has sophisticated features for protecting the privacy of users' workouts, the default privacy for Strava is no privacy at all. Or, as Strava writes on its blog:

“The basic level is to choose to not use any privacy controls and make your info available publicly, like it would be on Twitter, for example.”

That means public sharing of Strava users’ full name and any shared photos. Other Strava users can follow you and view your activities. The Flyby feature must be specifically opted out of, though Strava said it would be reviewing its privacy policies and settings. (https://blog.strava.com/press/a-letter-to-the-strava-community/)

Submission: Researchers warn of Physics-based Attacks on Sensors

chicksdaddy writes: Billions of sensors that are already deployed lack protections against attacks that manipulate the physical properties of devices to cause sensors and embedded devices to malfunction, researchers working in the U.S. and China have warned.

In an article in Communications of the ACM (https://cacm.acm.org/opinion/articles/224627-risks-of-trusting-the-physics-of-sensors/fulltext) researchers Kevin Fu of the University of Michigan and Wenyuan Xu of Zhejiang University warn that analog signals such as sound or electromagnetic waves can be used as part of “transduction attacks” to spoof data by exploiting the physics of sensors. Researchers say a “return to classic engineering approaches” is needed to cope with physics based attacks on sensors and other embedded devices, including a focus on system-wide (versus component-specific) testing and the use of new manufacturing techniques to thwart certain types of transduction attacks.

“This is about uncovering the physics of cyber security and how some of the physical properties of systems have been abstracted to the point that we don’t have a good way to describe the security of the system,” Dr Fu told The Security Ledger in a conversation last week (https://securityledger.com/2018/01/researchers-warn-physics-based-attacks-sensors/). That is particularly true of sensor driven systems, like those that will populate the Internet of Things.

Cyber attacks typically target vulnerabilities in software such as buffer overflows or cross site scripting. But transduction attacks target the physics of the hardware that underlies that software, including the circuit boards that discrete components are deployed on, or the materials that make up the components themselves. Although the attacks target vulnerabilities in the hardware, the consequences often arise as software systems, such as the improper functioning or denial of service to a sensor or actuator, the researchers said.

Hardware and software have what might be considered a “social contract” that analog information captured by sensors will be rendered faithfully as it is transformed into binary data that software can interpret and act on. But materials used to create sensors can be influenced by other phenomena – such as sound waves. Through the targeted use of such signals, the behavior of the sensor can be interfered with and even manipulated.

“The problem starts with the mechanics or physics of the material and bubbles up into the operating system,” Fu told The Security Ledger.

Submission: Adult Themed VR Game Leaks Data on Thousands (securityledger.com)

chicksdaddy writes: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game was exposed to security researchers in the UK by a balky application.

Researchers at the firm Digital Interruption on Tuesday warned (https://www.digitalinterruption.com/single-post/2018/01/09/Attention-SinVR-users) that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. (https://securityledger.com/2018/01/adult-vr-application-spills-data-on-thousands/)

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on.

The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named “downloadallcustomers”. That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.

Submission: 2 Years Later, Security Holes Linger in GPS Services Used by Millions of Devices (securityledger.com)

chicksdaddy writes: Security researchers say that serious security vulnerabilities linger in GPS software by the China-based firm ThinkRace more than two years after the hole was discovered and reported to the firm, The Security Ledger reports. (https://securityledger.com/2018/01/two-years-later-dangerous-vulnerability-lays-bare-gps-data/)

Data including a GPS enabled device’s location, serial number, assigned phone number and model and type of device can be accessed by any user with access to the GPS service. In some cases, other information is available including the device’s location history going back 1 week. In some cases, malicious actors could also send commands to the device via SMS including those used to activate or deactivate GEO fencing alarms features, such as those used on child-tracking devices.

The vulnerabilities affect hundreds of thousands of connected devices that use the GPS services, from smart watches, to vehicle GPS trackers, fitness trackers, pet trackers and more. At issue are security holes in back-end GPS tracking services that go by names like amber360.com, kiddo-track.com, carzongps.com and tourrun.net, according to Michael Gruhn, an independent security researcher who noted the insecure behavior in a location tracker he acquired and has helped raise awareness of the widespread flaws. (https://0x0.li/trackmageddon/#advisories)

Working with researcher Vangelis Stykas, Gruhn discovered scores of seemingly identical GPS services (https://0x0.li/trackmageddon/0x0-20171222-gpsui.net.html), many of which have little security, allowing low-skill hackers to directly access data on GPS tracking devices.

Alas, news about the security holes is not new. In fact, the security holes in ThinkRace’s GPS services are identical to those discovered by New Zealand researcher Lachlan Temple in 2015 and publicly disclosed at the time (https://www.zxsecurity.co.nz/presentations/201607_Unrestcon-ZXSecurity_Vechile-Tracking.pdf). Temple’s research focused on one type of device: a portable GPS tracker that plugged into a vehicle’s On Board Diagnostic (or OBD) port. However, Stykas and Gruhn say that they have discovered the same holes spread across a much wider range of APIs (application program interfaces) and services linked to ThinkRace.
