If you haven’t updated your ThroughTek DVR since 2018 do so now, warns Mandiant as critical vuln surfaces • The Register

Voice Of EU



A critical vulnerability affecting tens of millions of digital video recorders powering baby monitors and CCTV systems across the world has been uncovered by Mandiant, which claims the vuln allows for unauthorised viewing of live camera footage.

The vuln exists in Chinese IoT vendor ThroughTek’s Kalay communication protocol, the researchers claim, adding that malicious users could exploit the vuln to remotely access victims’ DVRs.

Exploiting the vuln for real, however, involves carrying out a man-in-the-middle attack: the attacker first needs to obtain your home or office Wi-Fi password, or the user has to do something like open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network.

While the vulnerability is bad, and potentially affects up to 83 million DVRs using the Kalay protocol worldwide, there are some straightforward controls on network access (mostly implementing strong passwords) anyone can carry out to make exploitation less likely.

“Unlike the vulnerability published by researchers from Nozomi Networks in May 2021 (also in coordination with CISA), this latest vulnerability allows attackers to communicate with devices remotely,” warned Mandiant Threat Intelligence today. “As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution.”

Tracked as CVE-2021-28732, the vuln is rated 9.6 out of 10 on the CVSSv3.1 severity scale. ThroughTek boasts 83 million active users – though the company said it had been aware of this flaw, encouraging customers to patch it since 2018.

How does the attack work?

ThroughTek’s Kalay protocol is “implemented as a Software Development Kit (‘SDK’) which is built into client software (e.g. a mobile or desktop application) and networked IoT devices, such as smart cameras”, said Mandiant in a blog post.

Kalay requires only a device unique identity number (UID) to provision a new DVR on a network. An attacker who obtains that UID can maliciously register their own device in place of the original, meaning all connection requests intended for the original go to the attacker instead.

When the user tries to access the DVR through the Kalay protocol (say, via a mobile app management interface), the DVR’s username and password are transmitted to the registered UID. By MITM’ing these details, the attacker can forward on the connection request and examine the device’s video and audio feed at their leisure.

With the access credentials for the DVR in the attacker’s hands, that device could potentially be used for further attacks – but their severity depends on whether the DVR vendor did something silly such as reusing admin credentials across all its devices. ThroughTek is a software vendor, meaning these potential attacks become a study in case-by-case compromise rather than a blanket attack vector.

Kalay UIDs are obtained from an API hosted by ThroughTek, said Mandiant, and reverse engineering that API was so non-trivial that the company did not attempt it. Discovering the vuln required reverse-engineering the entire Kalay protocol, it added.

ThroughTek PSIRT member Yi-Ching Chen told The Register the company had “assisted the customers who used the outdated SDK to update the firmware of the devices with a patch fix released in late 2018.”

“For the past three years, we have been informing our customers to upgrade their SDK,” he added. “Some old devices lack OTA function which makes [firmware] upgrades impossible. In addition, we have customers who don’t want to enable DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade.”

Mandiant advised users to upgrade the Kalay SDK to version or above and to enable DTLS (datagram transport layer security; TLS for video streams, basically) and Kalay’s Authkey technology.

DVRs have long been known as juicy targets for the maliciously inclined; in 2017 the SANS Institute warned that DVRs were a specific target for spray-and-pray login attempts using known lists of default credentials. ®



NFT trader OpenSea bans insider trading after employee rakes in profit | Non-fungible tokens (NFTs)




A non-fungible token (NFT) marketplace has introduced policies to ban insider trading, after an executive at the company was discovered to be buying artworks shortly before they were promoted on the site’s front page.

OpenSea, one of the leading sites for trading the digital assets, will now prevent team members buying or selling from featured collections and from using confidential information to trade NFTs. Neither practice was previously banned.

“Yesterday we learned that one of our employees purchased items that they knew were set to display on our front page before they appeared there publicly,” said Devin Finzer, the co-founder and chief executive of the site.

“This is incredibly disappointing. We want to be clear that this behaviour does not represent our values as a team. We are taking this very seriously and are conducting an immediate and thorough third-party review of this incident so that we have a full understanding of the facts and additional steps we need to take.”

NFTs are digital assets whose ownership is recorded and traced using a bitcoin-style blockchain. The NFT market boomed earlier this year as celebrities including Grimes, Andy Murray and Sir Tim Berners-Lee sold collectibles and artworks using the format. But the underlying technology has questionable utility, with some dismissing the field as a purely speculative bubble.

The insider trading came to light thanks to the public nature of the Ethereum blockchain, on which most NFT trades occur. Crypto traders noticed that an anonymous user was regularly buying items from the public marketplace shortly before they were promoted on the site’s front page, a prestigious slot that often brings significant interest from would-be buyers. The anonymous user would then sell the assets on, making vast sums in a matter of hours.

One trade, for instance, saw an artwork called Spectrum of a Ramenification Theory bought for about £600. It was then advertised on the front page and sold on for $4,000 a few hours later.

One Twitter user, ZuwuTV, linked the transactions to the public wallet of Nate Chastain, OpenSea’s head of product, demonstrating, using public records, that the profits from the trades were sent back to a wallet owned by Chastain.

While some, including ZuwuTV, described the process as “insider trading”, the loosely regulated market for NFTs has few restrictions on what participants can do. Some critics argue that even that terminology demonstrates that the sector is more about speculation than creativity.

“The fact that people are responding to this as insider trading shows that this is securities trading (or just gambling), not something designed to support artists,” said Anil Dash, the chief executive of the software company Glitch. “There are no similar public statements when artists get ripped off on the platform.

“If Etsy employees bought featured products from creators on their platform (or Patreon or Kickstarter workers backed new creators etc) that’d be great! Nobody would balk. Because they’d be supporting their goal,” Dash added.



British home computer trailblazer dies aged 81 • The Register




Sir Clive Sinclair died on Thursday at home in London after a long illness, his family said today. He was 81.

The British entrepreneur is perhaps best known for launching the ZX range of 8-bit microcomputers, which helped bring computing, games, and programming into UK homes in the 1980s, at least. This included the ZX80, said to be the UK’s first mass-market home computer for under £100, the ZX81, and the trusty ZX Spectrum. A whole generation grew up in Britain mastering coding on these kinds of systems in their bedrooms.

And before all that, Sir Clive founded Sinclair Radionics, which produced amplifiers, calculators, and watches, and was a forerunner to his Spectrum-making Sinclair Research. The tech pioneer, who eventually sold his computing biz to Amstrad, was knighted during his computing heyday, in 1983.

“He was a rather amazing person,” his daughter, Belinda Sinclair, 57, told The Guardian this evening. “Of course, he was so clever and he was always interested in everything. My daughter and her husband are engineers so he’d be chatting engineering with them.”

Sir Clive is survived by Belinda, his sons, Crispin and Bartholomew, aged 55 and 52 respectively, five grandchildren, and two great-grandchildren. ®

A full obit will follow on The Register.



UN human rights chief raises concerns over AI privacy violations in report




‘AI tech can have negative, even catastrophic, effects if they are used without sufficient regard to how they affect people’s human rights.’

The UN’s human rights chief Michelle Bachelet called for a moratorium on the sale and use of artificial intelligence technology until safeguards are put in place to prevent potential human rights violations.

Bachelet made the appeal on Wednesday (15 September) to accompany a report released by the UN’s Human Rights Office, which analysed how AI systems affect people’s right to privacy. The violation of their privacy rights had knock-on impacts on other rights such as rights to health, education and freedom of movement, the report found.

“Artificial intelligence can be a force for good, helping societies overcome some of the great challenges of our times. But AI technologies can have negative, even catastrophic, effects if they are used without sufficient regard to how they affect people’s human rights,” Bachelet said.

“Artificial intelligence now reaches into almost every corner of our physical and mental lives and even emotional states,” Bachelet added.

Japanese multinational Fujitsu caused a stir when it announced plans to implement AI facial recognition technology to monitor employees’ concentration levels during meetings.


The report was critical of justice systems which had made wrongful arrests because of flawed facial recognition tools. It appealed to countries to ban any AI tools which did not meet international human rights standards. A 2019 study from the UK found that 81pc of suspects flagged by the facial recognition technology used by London’s Metropolitan Police force were innocent.

Earlier this year, Canada banned Clearview’s AI facial recognition technology after the company violated Canadian privacy laws by collecting facial images of Canadians without their consent.

Bachelet also highlighted the report’s concerns on the future use of data once it has been collected and stored, calling it “one of the most urgent human rights questions we face.”

The UN’s report echoes previous appeals made by European data protection regulators.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) called for a ban on facial recognition in public places in June. They urged EU lawmakers to consider banning the use of such technology in public spaces, after the European Commission released its proposed regulations on the matter.

The EU’s proposed regulations did not recommend an outright ban. The commission instead emphasised the importance of creating “trustworthy AI.”


