There are plenty of things that can go wrong when you dock a boat, and if they do, the consequences can be expensive. It's a problem that Volvo Penta claims to have solved after building a "self-docking yacht" that can park itself in spaces no sailor...
Google in the coming weeks is expected to fix a location privacy leak in two of its most popular consumer products. New research shows that Web sites can run a simple script in the background that collects precise location data on people who have a Google Home or Chromecast device installed anywhere on their local network.
Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both the smart speaker and home assistant Google Home, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor.
Young said the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.
This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smart phone and see how well navigation apps like Google’s Waze can still figure out where you are].
“The difference between this and a basic IP geolocation is the level of precision,” Young said. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”
Young said a demo he created (a video of which is below) is accurate enough that he can tell roughly how far apart his device in the kitchen is from another device in the basement.
“I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address,” Young said. “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”
Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings, Young notes.
“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
When Young first reached out to Google in May about his findings, the company replied by closing his bug report with a “Status: Won’t Fix (Intended Behavior)” message. But after being contacted by KrebsOnSecurity, Google changed its tune, saying it planned to ship an update to address the privacy leak in both devices. Currently, that update is slated to be released in mid-July 2018.
According to Tripwire, the location data leak stems from poor authentication by Google Home and Chromecast devices, which rarely require authentication for connections received on a local network.
“We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries,” Young wrote in a blog post about his findings. “This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible. Until we reach that point, consumers should separate their devices as best as is possible and be mindful of what web sites or apps are loaded while on the same network as their connected gadgets.”
Earlier this year, KrebsOnSecurity posted some basic rules for securing your various “Internet of Things” (IoT) devices. That primer lacked one piece of advice that is a bit more technical but which can help mitigate security or privacy issues that come with using IoT systems: Creating your own “Intranet of Things,” by segregating IoT devices from the rest of your local network so that they reside on a completely different network from the devices you use to browse the Internet and store files.
“A much easier solution is to add another router on the network specifically for connected devices,” Young wrote. “By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices. Although this does not by default prevent attacks from the IoT devices to the main network, it is likely that most naïve attacks would fail to even recognize that there is another network to attack.”
For more on setting up a multi-router solution to mitigating threats from IoT devices, check out this in-depth post on the subject from security researcher and blogger Steve Gibson.
Google launched its data-tracking app Datally for Android last year, giving users more insight into how and where they're using their phone plan data as well as more control over that usage. Now, Google has released a handful of new features for the...
Hang on to your data, dear Facebook friends. Cambridge Analytica—the political consultancy that collapsed into bankruptcy in May after a scandal about its nefarious information-collection methods—is apparently metamorphosing.
The company that Marc Zuckerberg admitted targeted 87 million Facebook users’ data, and whose work could well have influenced elections in the US and UK, may be currently disgraced. But it also appears to be putting a new face on its same old data-gathering gig. The Associated Press (AP) on June 15 reported that top staffers from the fallen consultancy are back on the job at a newly-formed company with a name that’s eerily reminiscent of the last place they worked—Data Propria.
As the name implies, the new company is similarly preoccupied with gathering information, specifically to target voters and consumers. Basically, it’s the same mission that Cambridge Analytica had. Matt Oczkowski—head of product at the predecessor firm—is leading Data Propria, which also employs Cambridge Analytica’s former chief data scientist, David Wilkinson, and others from the scandal-ridden company.
Quartz’s research shows the new company was incorporated in Nevada in February 2018 by Andrew Van Noy, who is the Chief Executive Officer at Cloud Commerce. It happens that Cloud Commerce last year bought out the media marketing company of Donald Trump’s 2020 election campaign manager Brad Parscale, which is all the more reason to be wary of this new entity.
In fact, the president’s campaign manager may already be angling for Americans’ votes in 2020. The AP writes that its reporters overheard a “conversation in a public place” between Oczkowski and an unnamed person in which the Data Propria chief claimed that he and Parscale were busy “doing the president’s work for 2020.”
When speaking directly to the news agency, however, Oczkowski denied that he is involved with the next presidential campaign. He admits to having a contract with the Republican National Committee to work on 2018 midterm campaigns but calls this contract “modest.” Still, he says he is “obviously open to any work that would become available,” and notes that he and Parscale worked together closely during Trump’s 2016 campaign.
Similarly, Parscale tells the AP he is “laser-focused” on the Senate in 2018 and hasn’t yet begun to hire for the 2020 election campaign, though he himself was hired to manage it in March. In any case, it seems he’ll have his close contacts lined up when the time to hire comes.
I’ve noticed that many defenders of the hateful policy of separating families at the US border claim that this is “necessary” if they are going to be detained.
That’s straightforwardly false.
When Japanese-Americans were (utterly immorally, and utterly hatefully) “detained” in internment camps during the Second World War there was no deliberate policy of breaking up families; they were interned together. (In appalling conditions.) There is thus nothing preventing the families who are currently crossing the border from similarly being detained together. To separate them is thus a choice, not a necessity.
When you defend a policy that is in one respect worse than the atrocious forcible internment of Japanese-Americans you should pause to consider what sort of a person you are.
Google this week began barring Chrome users from installing add-ons offered by third-party websites, the last steps toward making the company's own market the only available source for browser extensions.
"We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly - and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites (emphasis in original)," James Wagner, the extensions platform product manager, wrote in a post to a company blog.