L. Reese



When is the Cost of Convenience too High?




When is the Cost of Convenience too High?

There’s a Bluetooth hack afoot, and it’s devious. It only needs Bluetooth to be on to end up take pictures of you from your phone without you knowing it. This is based on a Bluetooth BlueBorne demo on YouTube from Armis.com. All you have to do is have Bluetooth on and be in the vicinity of another Bluetooth device that’s under the control of a hacker. You do not have to be in Discovery mode (trying to pair a new device), you only have to have it on. Bluetooth doesn’t have a WEP key like Wi-Fi; you just have to consent to a pairing to a device. Consent to pairing your phone with a Bluetooth device hasn’t required a password. I suppose the point was that to hack into a smartphone via Bluetooth; you would need to actively consent from the smartphone to pair with a hacked Bluetooth device. BlueBorne doesn’t need a pairing attempt; it just needs Bluetooth to be turned on.

The latest attack vector uses Bluetooth with a very broad path of potential destruction. BlueBorne™ exposes Linux, iOS, Android, and  Windows on mobile, desktop, and IoT platforms. According to a recently released report from Armis, “BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode.” Apparently, 8.2 billion devices are at risk.

I know, you’re saying, “Not another one!” But this, my friends, is the price of technology. The same devices that allow unprecedented productivity and access to instant information can also be exploited. What’s funny, and I don’t mean ha-ha funny, is that I just recently adopted Bluetooth when I got a new car that automatically connects my Android phone to my car speaker system. My early foray into Bluetooth-land ended in disgust as it failed to connect on a random basis. Five years later, I gave it another shot and was quite impressed. Now I am wondering how the car’s Bluetooth works; is it a peripheral like a headset, or is it more like a smartphone? And how can I turn it off? Is my car vulnerable to anyone in a parking lot with a laptop? Yes. Is there a firewall between my infotainment center and the other numerous ECUs in the car (e.g., steer-by-wire, ABS, airbag, etc.)? Can you even buy a new car that doesn’t have Bluetooth anymore?

Most mechanics don’t know how to do anything with the infotainment system; they’re a fire-and-forget kind of feature that gets upgraded when you buy a new model. The software in a car can run into a million lines of code or more and isn’t really a car manufacturer’s core competency. As one example, check out the car acceleration issue that Professor Phil Koopman of Carnegie Mellon U. covers in the Bookout v. Toyota case where stack overflow caused unintended acceleration. The unintended acceleration caused by millions of lines code and software that lacks hardware safety overrides is “definitely a thing,” according to Koopman per a Consumer Affairs article, although the acceleration is quite rare. The level of cybersecurity hacks afoot in our hyper-connected modern times shows the ugly side of humanity on a new level. As highway robbers were common to  stagecoaches, we now have hackers in common with anything that is connected. The internet puts us in reach of tools that are maintained halfway around the world, but it also puts crooks within touching distance of our online lives. What’s online? Finances, healthcare records, school and property records, a lifetime of photos and correspondence, a multitude of applications, and the Internet of Things (IoT). Last July, hackers hacked 143 million people’s identities on Equifax. Bluetooth is hackable, too.

How does BlueBorne work?

There’s a vulnerability in the implementation of the Bluetooth protocol that the hacker exploits. A hacker just needs to locate an active Bluetooth connection near him. The hacker can then find Bluetooth devices even if they are not in pairing or “discovery” mode; they only need to have Bluetooth turned on. The hacker uses Bluetooth to get the MAC address for the device and find out which operating system that it’s using to match the exploit to the OS. Hackers can go on to make a Man-in-The-Middle attack (with total control over communication) or take total control of the device to do anything from taking surreptitious photos to key-logging.

For now, the solution is to turn off Bluetooth when out in public until there’s an update that plugs the hole. For phones, one can try using an iPhone with the iOS 10 operating system, which is purportedly immune.



How Secure is Android?




Android is used in over 1.4 billion devices today. Android versions are named after treats in alphabetical order. The treat code names began with release C for “Cupcake,” after two previously unnamed releases had so many builds that people were getting confused between version 1.0 and version 1.1 builds. (Petit Four was an internal name). The codenamed versions are as follows: Cupcake (1.5), Donut (1.6), Éclair (2.0-2.1), Froyo (2.2), Gingerbread (2.3), Honeycomb (3.0), Ice cream sandwich (4.0), Jellybean (4.1 – 4.3), Kit Kat (4.4), Lollipop (5.0), Marshmallow (6.0), and Nougat (7.0). The latest version is Android 8.0, code named Oreo.

Code named versions of the Android OS began (in alphabetical order) once numbered builds started getting confusing. Shown, from left to right, is the numbered version, name, and release date.

The Android team at Google is constantly updating new security features by collaborating with researchers, device manufacturers, and the Android ecosystem. Potentially Harmful Apps (PHAs) can put devices at risk, so Verify Apps was introduced in Jelly Bean 4.2. Verify Apps checks Android software against a database of exploits, malware, and viruses. If you have an Android phone, you can see when your apps were last scanned: Open Settings, select Google, and then Security. It tells you which apps were scanned and when (if you have a recent version of the operating system). Google claims it scanned “750 million daily checks in 2016, up from 450 million the previous year,” checking more than 6 billion apps for malware worldwide. Google Play Services is not just related to downloading stuff on Google Play; it needs to be turned on in order for Verify Apps to run.

 

In 2016, as compared to the year before, the Verify Apps reduced Trojans by 51.5% and backdoors by 30.5%. At the end of 2016, only 0.05% of devices that only downloaded apps from the Google Play store contained some kind of PHA (e.g., trojans, backdoor, phishing). Apple is not immune. In September 2015, the iOS App Store had 85 legitimate iPhone apps infected with malware, according to Reuters.

If you do get a PHA on your Android phone, Google Play Services might warn you in a notification or remove the app automatically for you and notify you. The Google Play Protect feature is turned on by default, but you can make sure it’s turned on by opening Google Play Store on your phone, tapping the hamburger menu, and selecting Play Protect.

Another nice feature of Android phones is that you can erase all data on your phone remotely if necessary. Open android.com/find and sign into your Google account. Login using your password and your phone will ring for 5 minutes, even if it was previously set to silent. You can lock your phone and set it to display a message like “Please call xxx-xxx-xxxx to return,” or erase all content on the device.

Don’t forget that the best protection is to have a very long password for your Google account and to lock your phone with a password.



Digital Signage Computing Platforms Go Modular




You may have noticed that many food menu boards, health club schedules, and signs in convention centers, hospitals, and even churches are now on large digital displays rather than permanent signs. It’s easier to change the content, but it’s about to get easier. Digital signage has a new tool in a modular-minded computing platform. Traditionally, if software outgrows computing power, you get a whole new system. But what if you could swap out the computing platform like a game cartridge?

Earlier in 2017, Intel announced a family of Compute Cards, each of which has a processor, onboard storage, memory, wireless connectivity, flexible I/O. Upgrading performance means a new Compute Card, not a whole new computing platform, which also means less for the landfill. An Intel Compute Card is a bit longer than a small stack of credit cards at 95mm x 55mm x 5mm, but it’s got all of the elements of a full computer. Companies can make docks for all kinds of application-specific products, since Compute Cards bring the entire computing platform in as a single component.

Meanwhile, Intel has created a 19V dock with an HDMI® v1.4 port, Mini DisplayPort® 1.2, a LAN RJ-45 port with 10/100/1000 Mbps Ethernet controller, and three USB 3.0 ports. Some will wonder how this is much different from a USB stick. You can boot to an operating system from a USB stick, but USB sticks don’t have processors. Imagine going to a library with your personal computer card; your desktop and software settings are there, you don’t have to clean the browser cache when you leave, and your applications are all there and run as expected. This is one of those “why didn’t I think of that” products.

The Intel Compute Card and Dock. (Credit: Intel)

Figure 1: The Intel Compute Card and Dock. (Credit: Intel)

Digital signs with cumbersome existing physical installations will find upgrading easier. Imagine updating the digital signage systems in New York Times Square to accommodate new software in various layers of the stack that enable revolutionary new programming features. The display would stay, and the Compute Card would be changed out for one that can handle the increased performance requirements. In an Intel press release dated May 30, 2017, Intel stated that there were a large number of “partners currently working on [dock] solutions” that include Dell, HP, and Lenovo.

A whole range of products can be offered, allowing end users to start at the low end and buy up to higher performance later on. Guaranteed effective upgrades can be shipped on a slim Compute Card, negating the need to negotiate perceived failures due to inadequate platforms with customers who might be better at managing retail than managing an upgrade to their chic electronic displays.

Applications don’t stop at digital signs and kiosks. The Compute Card is proposed for use with Internet of Things (IoT), tablet-based systems, interactive whiteboards, intelligent vending machines, mobile video production, smart TVs, robotics automation, security systems, point-of-sale systems, and all-in-one PCs that are easily upgraded. Successful applications always get upgraded with more sophisticated software that pushes the performance envelope. Can Intel patent the concept of a compute-platform-as-a-cartridge? Will motherboards, in general, shrink to small modules worldwide? As of this writing, the Intel Compute Card has not yet been officially released, but should be out soon, as advance demonstration models have been sent out.

Table 1: The Intel Compute Card presently features four levels of performance (see Table 1 below). Intel is also releasing the Compute Card Device Design Kit, a set of guides and reference designs that are available via Intel’s Classified Design Information (CDI) portal for any customer under NDA.

Intel's four Compute Cards provide various levels of performance.