Cybersecurity was the virtual elephant in the showroom at this month's Consumer Electronics Show in Las Vegas. Attendees of the annual tech trade show, organized by the Consumer Technology Association, relished the opportunity to experience a future filled with delivery drones, autonomous vehicles, virtual and augmented reality and a plethora of "Internet of things" devices, including fridges, wearables, televisions, routers, speakers, washing machines and even robot home assistants. Given the proliferation of connected devices--already, there are estimated to be at least 6.4 billion--there remains the critical question of how to ensure their security. The cybersecurity challenge posed by the internet of things is unique. The scale of connected devices magnifies the consequences of insecurity.
WhatsApp has launched an unprecedented lawsuit against a cyber weapons firm which it has accused of being behind secret attacks on more than 100 human rights activists, lawyers, journalists, and academics in just two weeks earlier this year. The social media firm is suing the NSO Group, an Israeli surveillance company, saying it is responsible for a series of highly sophisticated cyber-attacks which it claims violated American law in an "unmistakeable pattern of abuse". WhatsApp said it believed the technology sold by NSO was used to target the mobile phones of more than 1,400 of its users in 20 different countries during a 14-day period from the end of April to the middle of May. In this brief period, WhatsApp believes those who were the subject of the cyber-attacks included leading human rights defenders and lawyers, prominent religious figures, well-known journalists and officials in humanitarian organisations. A number of women previously targeted by cyber-violence, and individuals who have faced assassination attempts and threats of violence, as well as their relatives, were also the victims of the attacks, the company believes.
Cashless payments are all the rage but people in Sweden have been told to squirrel away notes and coins in case of a cyber attack on the nation's banks. Digital payments offer convenience for both buyers and sellers alike and the Scandinavian nation has been an eager adopter of the technology. Now, government experts are concerned that people could be left without any money should its computer networks fall victim to an attack. Sweden's Civil Contingencies Agency has issued guidance to every household telling residents to stockpile 'cash in small denominations' for use in emergencies. The warning will ring alarm bells around the world as developed nations increasingly make the move to a cashless society.
Calling a product "smart" and "unhackable" does not magically make it so, as two of the largest vendors of car alarms in the world have now found out. Viper -- known as Clifford in the United Kingdom -- and Pandora Car Alarm System, which cater for at least three million customers between them, recently became the topic of interest to researchers from Pen Test Partners. On Friday, the cybersecurity researchers published their findings into the true security posture of these so-called smart alarms and found them falling woefully short of the vendors' claims. Not only could compromising the smart alarms result in the vehicle type and owner's details being stolen, but the car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer hijacked. In some cases, cyberattacks could also result in the car engine being killed during use, which in a real-world scenario could result in serious injury or death. As shown in the video below, such bold assertions will only entice cybersecurity experts to prove you wrong. What makes the situation even worse is how easy it was for Pen Test Partners to refute these lofty statements. The discovery of simple, relatively straightforward vulnerabilities in the products' API, known as insecure direct object references (IDORs), permitted the researchers to tamper with vehicle parameters, reset user credentials, hijack accounts, and more. In Viper's case, a third-party company called CalAmp provides the back-end system. A security flaw in the 'modify user' API parameter leads to improper validation, which in turn permits attackers to compromise user accounts. The research team found that the same bug could be used to compromise the vehicle's engine system. "Promotional videos from Pandora indicate this is possible too, though it doesn't appear to be working on our car," Pen Test Partners said. "The intention is to halt a stolen vehicle.