Blog of the website «TechCrunch»

People

John Smith

John Smith, 49

Joined: 28 January 2014

Interests: No data

Jonnathan Coleman

Jonnathan Coleman, 32

Joined: 18 June 2014

About myself: You may say I'm a dreamer

Interests: Snowboarding, Cycling, Beer

Andrey II

Andrey II, 41

Joined: 08 January 2014

Interests: No data

David

David

Joined: 05 August 2014

Interests: No data

David Markham

David Markham, 65

Joined: 13 November 2014

Interests: No data

Michelle Li

Michelle Li, 41

Joined: 13 August 2014

Interests: No data

Max Almenas

Max Almenas, 53

Joined: 10 August 2014

Interests: No data

29Jan

29Jan, 32

Joined: 29 January 2014

Interests: No data

s82 s82

s82 s82, 26

Joined: 16 April 2014

Interests: No data

Wicca

Wicca, 37

Joined: 18 June 2014

Interests: No data

Phebe Paul

Phebe Paul, 27

Joined: 08 September 2014

Interests: No data

Артем Ступаков

Артем Ступаков, 93

Joined: 29 January 2014

About myself: Enjoying life!

Interests: No data

sergei jkovlev

sergei jkovlev, 59

Joined: 03 November 2019

Interests: music, cinema, cars

Алексей Гено

Алексей Гено, 8

Joined: 25 June 2015

About myself: Hi

Interests: Interest1daasdfasf, http://apple.com

technetonlines

technetonlines

Joined: 24 January 2019

Interests: No data



Main article: Mobile security


A ‘stalkerware’ app leaked phone data from thousands of victims

21:00 | 20 February

A spyware app designed to “monitor everything” on a victim’s phone has been secretly installed on thousands of phones.

The app, KidsGuard, claims it can “access all the information” on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls.

But a misconfigured server meant the app was also spilling the secretly uploaded contents of victims’ devices out onto the internet.

These consumer-grade spyware apps — also known as “stalkerware” — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their child’s activities, many have repurposed the apps to spy on their spouses. That’s prompted privacy groups and security firms to work together to help better identify stalkerware.

KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a “stealthy” way to keep children safe, but also can be used to “catch a cheating spouse or monitor employees.”

But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.

ClevGuard’s website, which makes the KidsGuard phone spyware (Image: TechCrunch)

TechCrunch obtained a copy of the Android app from Till Kottman, a developer who reverse-engineers apps to understand how they work.

Kottman found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket, which was named to suggest that it only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake often caused by human error, and it was not protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottman’s findings.

The app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes. (ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Apple’s policies.) The app has to be installed by a person with physical access to a victim’s phone, but the app does not require rooting or jailbreaking. The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, which helps to prevent malicious apps from running.

Once installed, ClevGuard says its app works in “stealth” and isn’t visible to the victim. It does that by masquerading as an Android “system update” app, which looks near-indistinguishable from legitimate system services.

And because there’s no app icon, it’s difficult for a victim to know their device has been compromised.

KidsGuard is designed to look like an Android app (Image: TechCrunch)

Because we only had the Android app and not a paid subscription to the service, we were limited in how much we could test. Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victim’s phone, including what’s stored in their photos and video apps, and recordings of the victim’s phone calls.

The app also gives whoever installs it access to who the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and it also boasts the ability to monitor a victim’s activities on dating apps like Tinder. The app secretly takes screenshots of a victim’s conversations in apps like Snapchat and Signal to capture the messages before they are set to disappear.

The spyware app maker can also record and monitor the precise location of a device, and access the victim’s browsing history.

Although the app says it can access a victim’s contacts, the uploaded data stored in the exposed bucket did not include contact lists or easily identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.

But one victim we spoke to said she found out just a few days earlier that spyware had been installed on her phone.

“It was my husband,” said the victim. The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone. “I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,” she said.

ClevGuard shut down the exposed cloud storage bucket after we contacted the company. We also contacted Alibaba, which also alerted the company of the exposure.

“This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,” said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, who also examined the app.

“The fact that this also includes the data of young children is both alarming and sickening,” said Quintin. “This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware industry.”

It’s the latest in a long stream of spyware companies that have either had data breaches or exposed systems. Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy. The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving sensitive victim data.

If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.



Radar, a location data startup, says its “big bet” is on putting privacy first

17:00 | 12 February

Pick any app on your phone, and there’s a greater than average chance that it’s tracking your location right now.

Sometimes they don’t even tell you. Your location can be continually collected and uploaded, then monetized by advertisers and other data tracking firms. These companies also sell the data to the government — no warrants needed. And even if you’re app-less, your phone company knows where you are at any given time, and for the longest time sold that data to anyone who wanted it.

Location data is some of the most personal information we have — yet few think much about it. Our location reveals where we go, when, and often why. It can be used to know our favorite places and our routines, and also who we talk to. And yet it’s spilling out of our phones every second of every day to private companies, subject to little regulation or oversight, building up precise maps of our lives. Headlines sparked anger and pushed lawmakers into taking action. And consumers are becoming increasingly aware of their tracked activity thanks to phone makers, like Apple, alerting users to background location tracking. Foursquare, one of the biggest location data companies, even called on Congress to do more to regulate the sale of location data.

But location data is not going anywhere. It’s a convenience that’s just too convenient, and it’s an industry that’s growing from strength to strength. The location data market was valued at $10 billion last year, with it set to balloon in size by more than two-fold by 2027.

There is appetite for change. Radar, a location data startup based in New York, promised in a recent blog post that it will “not sell any data we collect, and we do not share location data across customers.”

It’s a promise that Radar chief executive Nick Patrick said he’s willing to bet the company on.

“We want to be that location layer that unlocks the next generation of experiences but we also want to do it in a privacy conscious way,” Patrick told TechCrunch. “That’s our big bet.”

Developers integrate Radar into their apps. Those app makers can create location geofences around their businesses, like any Walmart or Burger King. When a user enters that location, the app knows to serve relevant notifications or alerts, making it functionally just like any other location data provider.

But that’s where Patrick says Radar deviates.

“We want to be the most privacy-first player,” Patrick said. Radar bills itself as a location data software-as-a-service company, rather than an ad tech company like its immediate rivals. That may sound like a marketing point — it is — but it’s also an important distinction, Patrick says, because it changes how the company makes its money. Instead of monetizing the collected data, Radar prices its platform based on the number of monthly active users that use the apps with Radar inside.

“We’re not going to package that up into an audience segment and sell it on an ad exchange,” he said. “We’re not going to pull all of the data together from all the different devices that we’re installed on and do foot traffic analytics or attribution.”

But that trust doesn’t come easy, nor should it. Some of the most popular apps have lost the trust of their users through privacy-invasive practices, like collecting locations from users without their knowledge or permission by scanning nearby Bluetooth beacons or Wi-Fi networks to infer where a person is.

We were curious and ran some of the apps through a network traffic analyzer to see what was going on under the hood, like Joann, GasBuddy, Draft King and others. We found that Radar only activated when location permissions were granted on the device — something apps have tried to get around in the past. The apps we checked instantly sent our precise location data back to Radar — which was to be expected — along with the device type, software version, and little else. The data collected by Radar is significantly less than what other comparable apps share with their developers, but still allows integrations with third-party platforms to make use of that location data. Via, a popular ride-sharing app, uses a person’s location, collected by Radar, to deliver notifications and promotions to users at airports and other places of interest.

The company boasts its technology is used in apps on more than 100 million device installs.

“We see a ton of opportunity around enabling folks to build location, but we also see that the space has been mishandled,” said Patrick. “We think the location space is in need of a technical leader but also an ethical leader that can enable the stuff in a privacy conscious way.”

It was a convincing pitch for Radar’s investors, which just injected $20 million into its Series B fundraise, led by Accel, a substantial step up from its $8 million Series A round. Patrick said the round will help the company build out the platform further. One feature on Radar’s to-do list was to allow the platform to take advantage of on-device processing, so that “no user event data ever touches Radar’s servers,” said Patrick. The raise will help the company expand its physical footprint on the west coast by opening an office in San Francisco. Its home base in New York will also expand, he said, increasing the company’s headcount from its current two-dozen employees.

“Radar stands apart due to its focus on infrastructure rather than ad tech,” said Vas Natarajan, a partner at Accel, who also took a seat on Radar’s board.

Two Sigma Ventures, Heavybit, Prime Set, and Bedrock Capital participated in the round.

Patrick said his pitch is also working for apps and developers, which recognize that their users are becoming more aware of privacy issues. He’s seen companies, some of which he now calls customers, that are increasingly looking for more privacy-focused partners and vendors, not least to bolster their own respective reputations.

It’s healthy to be skeptical. Given the past year, it’s hard to have any faith in any location data company, let alone embrace one. And yet it’s a compelling pitch for the app community that only through years of misdeeds and a steady stream of critical headlines is being forced to repair its image.

But a company’s words are only as strong as its actions, and only time will tell if they hold up.


No pan-EU Huawei ban as Commission endorses 5G risk mitigation plan

18:57 | 29 January

The European Commission has endorsed a risk mitigation approach to managing 5G rollouts across the bloc — meaning there will be no pan-EU ban on Huawei. Rather it’s calling for Member States to coordinate and implement a package of “mitigating measures” in a 5G toolbox it announced last October and has endorsed today.

“Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures,” it writes in a press release.

It adds that Member States have agreed to “strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors”.

The move is another blow for the Trump administration — after the UK government announced yesterday that it would not be banning so-called “high risk” providers from supplying 5G networks.

Instead the UK said it will place restrictions on such suppliers — barring their kit from the “sensitive” ‘core’ of 5G networks, as well as from certain strategic sites (such as military locations), and placing a 35% cap on such kit supplying the access network.

However the US has been amping up pressure on the international community to shut the door entirely on the Chinese tech giant, claiming there’s inherent strategic risk in allowing Huawei to be involved in supplying such critical infrastructure — with the Trump administration seeking to demolish trust in Chinese-made technology.

Next-gen 5G is expected to support a new breed of responsive applications — such as self-driving cars and personalized telemedicine — where risks, should there be any network failure, are likely to scale too.

But the Commission takes the view that such risks can be collectively managed.

The approach to 5G security continues to leave decisions on “specific security” measures as the responsibility of Member States. So there’s a possibility of individual countries making their own decisions to shut out Huawei. But in Europe the momentum appears to be against such moves.

“The collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks,” the EU writes. “This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.”

The next deadline for the 5G toolbox is April 2020, when the Commission expects Member States to have implemented the recommended measures. A joint report on their implementation will follow later this year.

Key actions being endorsed in the toolbox include:

  • Strengthen security requirements for mobile network operators (e.g. strict access controls, rules on secure operation and monitoring, limitations on outsourcing of specific functions, etc.);
  • Assess the risk profile of suppliers; as a consequence, apply relevant restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks – for key assets defined as critical and sensitive in the EU-wide coordinated risk assessment (e.g. core network functions, network management and orchestration functions, and access network functions);
  • Ensure that each operator has an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile), ensure an adequate balance of suppliers at national level and avoid dependency on suppliers considered to be high risk; this also requires avoiding any situations of lock-in with a single supplier, including by promoting greater interoperability of equipment.

The Commission also recommends that Member States should contribute towards increasing diversification and sustainability in the 5G supply chain and co-ordinate on standardization around security objectives and on developing EU-wide certification schemes.


Plenty of Fish app was leaking users’ hidden names and postal codes

20:37 | 23 December

Dating app Plenty of Fish has pushed out a fix for its apps after a security researcher found they were leaking information that users had set to “private” on their profiles.

Users’ first names and ZIP postal codes were always being silently returned to the app, according to The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog.

The leaking data was not immediately visible to app users, and the data was scrambled to make it difficult to read. But using freely available tools designed to analyze network traffic, the researcher found it was possible to reveal the information about users as their profiles appeared on his phone.

In one case, the App Analyst found enough information to identify where a particular user lived, he told TechCrunch.

Plenty of Fish has more than 150 million registered users, according to its parent company IAC. In recent years, law enforcement has warned about the threats some people face on dating apps like Plenty of Fish. Reports suggest sex attacks involving dating apps have risen in the past five years. And those in the LGBTQ+ community on these apps also face safety threats from both individuals and governments, prompting apps like Tinder to proactively warn their LGBTQ+ users when they visit regions and states with restrictive and oppressive laws against same-sex partners.

A fix is said to have rolled out for the information leakage bug earlier this month. A spokesperson for Plenty of Fish did not immediately comment.


More than 1 million T-Mobile customers exposed by breach

03:25 | 23 November

T-Mobile has confirmed a data breach affecting more than a million of its customers, whose personal data (but no financial or password data) was exposed to a malicious actor. The company alerted the affected customers but did not provide many details in its official account of the hack.

The company said in its disclosure to affected users that its security team had shut down “malicious, unauthorized access” to prepaid data customers. The data exposed appears to have been:

  • Name
  • Billing address
  • Phone number
  • Account number
  • Rate, plan, and calling features (such as paying for international calls)

The latter data is considered “customer proprietary network information,” and under telecoms regulations the company is required to notify customers if it is leaked. The implication seems to be that it might not have done so otherwise. Of course some hacks, even hacks of historic magnitude, go undisclosed, sometimes for years.

In this case however it seems that T-Mobile has disclosed the hack in a fairly prompt manner, though it provided very few details. When I asked, a T-Mobile representative indicated that “less than 1.5 percent” of customers were affected, which of the company’s approximately 75 million users adds up to somewhat over a million.

The company reports that “we take the security of your information very seriously,” a canard we’ve asked companies to stop saying in these situations.

The T-Mobile representative stated that the attack was discovered in early November and shut down “immediately.” They did not answer other questions I asked, such as whether it was on a public-facing or internal website or database, how long the data was exposed, and what specifically the company had done to rectify the problem.

The data listed above is not necessarily highly damaging on its own, but it’s the kind of data with which someone might attempt to steal your identity or take over your account. Account hijacking is a fairly common tactic among cyber-ne’er-do-wells these days and it helps to have details like the target’s plan, home address, and so on at one’s fingertips.

If you’re a T-Mobile customer, it may be a good idea to change your password there and check up on your account details.


New 5G flaws can track phone locations and spoof emergency alerts

19:30 | 12 November

5G is faster and more secure than 4G. But new research shows it also has vulnerabilities that could put phone users at risk.

Security researchers at Purdue University and the University of Iowa have found close to a dozen vulnerabilities, which they say can be used to track a victim’s real-time location, spoof emergency alerts that can trigger panic or silently disconnect a 5G-connected phone from the network altogether.

5G is said to be more secure than its 4G predecessor, able to withstand exploits used against users of older cellular network protocols like 2G and 3G, such as cell site simulators, known as “stingrays.” But the researchers’ findings confirm that weaknesses undermine the newer security and privacy protections in 5G.

Worse, the researchers said some of the new attacks also could be exploited on existing 4G networks.

The researchers expanded on their previous findings to build a new tool, dubbed 5GReasoner, which was used to find 11 new 5G vulnerabilities. By creating a malicious radio base station, an attacker can carry out several attacks against a target’s connected phone used for both surveillance and disruption.

In one attack, the researchers said they were able to obtain both old and new temporary network identifiers of a victim’s phone, allowing them to discover the paging occasion, which can be used to track the phone’s location — or even hijack the paging channel to broadcast fake emergency alerts. This could lead to “artificial chaos,” the researchers said, similar to when a mistakenly sent emergency alert claimed Hawaii was about to be hit by a ballistic missile amid heightened nuclear tensions between the U.S. and North Korea. (A similar vulnerability was found in the 4G protocol by University of Colorado Boulder researchers in June.)

Another attack could be used to create a “prolonged” denial-of-service condition against a target’s phone from the cellular network.

In some cases, the flaws could be used to downgrade a cellular connection to a less-secure standard, which makes it possible for law enforcement — and capable hackers — to launch surveillance attacks against their targets using specialist “stingray” equipment.

All of the new attacks can be exploited by anyone with practical knowledge of 4G and 5G networks and a low-cost software-defined radio, said Syed Rafiul Hussain, one of the co-authors of the new paper.

Given the nature of the vulnerabilities, the researchers said they have no plans to release their proof-of-concept exploitation code publicly. However, the researchers did notify the GSM Association (GSMA), a trade body that represents cell networks worldwide, of their findings.

Although the researchers were recognized by GSMA’s mobile security “hall of fame,” spokesperson Claire Cranton said the vulnerabilities were “judged as nil or low-impact in practice.” The GSMA did not say if the vulnerabilities would be fixed — or give a timeline for any fixes. But the spokesperson said the researchers’ findings “may lead to clarifications” to the standard where it’s written ambiguously.

Hussain told TechCrunch that while some of the flaws can be easily fixed in the existing design, the remaining vulnerabilities call for “a reasonable amount of change in the protocol.”

It’s the second round of research from the academics released in as many weeks. Last week, the researchers found several security flaws in the baseband protocol of popular Android models — including Huawei’s Nexus 6P and Samsung’s Galaxy S8+ — making them vulnerable to snooping attacks on their owners.


Huawei calls hackers to Munich for secret bug bounty meeting

19:25 | 5 November

Chinese tech giant Huawei has asked some of the world’s best phone hackers to a secret meeting in Munich later this month as the company tries to curry favor with global governments, TechCrunch has learned.

Sources with knowledge of the November 16 meeting said Huawei will privately present its new bug bounty program, which would allow researchers to get financial rewards for submitting security vulnerabilities. The sources said the bug bounty will be focused on past and future mobile devices, as well as its new mobile operating system, HarmonyOS, Huawei’s Android competitor.

Other phone makers, including Apple, Google, and Samsung, also have bug bounties.

The move comes at a time of increased pressure on Huawei over its links to the Chinese government. Huawei has denied U.S.-led claims that it could be forced to spy on behalf of Beijing. But that hasn’t stopped the federal government from imposing sanctions and obstacles to operating in the United States. That pressure has led companies like Google to pull their support for Android, which Huawei relies on for its phones, prompting the tech giant to find or build alternatives.

One source described the event as similar to a secret meeting hosted by Apple in August, in which the tech giant handed its most prized security researchers special “dev” iPhones to hack and find security weaknesses.

The source said that Huawei’s bug bounty meeting was likely a way to show governments that it’s willing to work with hackers and security researchers to bolster the security of its products.

Huawei, which also makes networking equipment for telecom networks, came under fire by U.K. authorities earlier this year for failing to address “serious and systematic defects” in its software at a time it’s trying to prove its technologies do not pose a national security threat.

Chase Skinner, a spokesperson for Huawei, did not respond to a request for comment.


NHS pagers are leaking medical data

11:30 | 30 October

An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities.

The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist’s computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig’s computer display.

Daley Borda, a security researcher and bug bounty hunter, was at home in Florida when he stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display.

“You can see details of calls coming in — their name, address, and injury,” he told TechCrunch.

TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services.

One message said a 98-year-old man had fallen at his home address. A few moments later, another message said a 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents and medical emergencies, often including their home addresses.


Several screenshots of the amateur radio decoding software, revealing unencrypted pager messages from nearby NHS trusts. (Image: TechCrunch)

Borda spends much of his time scouring the internet for things that shouldn’t be online. He looks for exposed databases and devices and, like most other security researchers, privately reports them to their owners. If he’s lucky, the owner takes action. Better yet, they pay out a bug bounty for his efforts.

But he could not figure out who the rig belonged to. TechCrunch contacted the hobbyist’s internet provider to warn of the data exposure.

“Last night we contacted the customer to make them aware that there was a live webcam broadcasting on the open web from their household,” said a spokesperson from the internet provider. “The customer was unaware of the nature of the information being shown so has said that they will stop the feed on that particular camera.”

The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust.

“With some cheap, relatively basic, software it is possible for hobbyists to access these frequencies and decode the information being sent, which appears is what has occurred here,” the spokesperson said.

Old but reliable

Pagers — or beepers — may be a relic of the past, but remain a fixture in U.K. hospitals.

These traditionally one-way communication devices allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator; the messages are then broadcast as radio waves over the pager network. But pagers still offer benefits where newer technologies, like cell phones, fall down. Because they work at a low frequency, pager radio waves are able to travel further and deeper inside large buildings — particularly hospitals — which have thickened walls to protect others from X-rays and other radiation. Pagers also work across long distances, including in cell service dead-spots.

But few were thinking about message security when pager use was at its peak.

“They aren’t secure,” Andy Keck, an electronics and amateur radio hobbyist, told TechCrunch. Keck said messages sent over the pager network are encoded when they are converted into a burst of radio waves and broadcast over the air.

“But people don’t necessarily understand the difference between encryption and encoding,” he said.

Because the two widely used pager protocols — POCSAG and FLEX — are not encrypted, it’s easy to understand what messages are broadcast over the airwaves using free and open-source software.

For years one of the largest barriers to intercepting and decoding pager messages — or any other radio waves — was that hobbyists needed custom, often expensive hardware. But with the advent of software-defined radios, most hobbyists can get by with a $20 plug-in dongle and an antenna.

“It’s just enter the command to start the application, sit back, and start decoding in real time on the screen,” he said.
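To make the encoding-versus-encryption distinction concrete, here is an added Python example, written for this page rather than taken from TechCrunch, Keck or any pager vendor, that builds a POCSAG alphanumeric page and then reads it back. It follows the real POCSAG codeword layout: 32-bit codewords carrying 21 data bits, 10 BCH(31,21) check bits derived from the generator polynomial 0x769, and an even parity bit, with 7-bit ASCII packed least-significant-bit first into 20-bit message codewords. The receiver identifier (RIC), the message text and the bit-flip in the usage section are constructed sample inputs; a real decoder would take the codeword stream from an SDR demodulator, which is not shown here.

```python
"""POCSAG encode/decode round trip, added as an illustration for this article.

Shows that POCSAG 'encoding' is error protection (BCH check bits plus parity),
not confidentiality: the decoder below needs no key of any kind.
"""

BCH_POLY = 0x769            # x^10+x^9+x^8+x^6+x^5+x^3+1, the BCH(31,21) generator
SYNC_CODEWORD = 0x7CD215D8  # marks the start of each batch of 8 frames (16 codewords)
IDLE_CODEWORD = 0x7A89C197  # fills codeword slots that carry nothing
EOT = 0x04                  # end-of-text terminator inside an alphanumeric message


def bch_remainder(word31: int) -> int:
    """Remainder of a 31-bit word divided by BCH_POLY over GF(2)."""
    for bit in range(30, 9, -1):
        if (word31 >> bit) & 1:
            word31 ^= BCH_POLY << (bit - 10)
    return word31 & 0x3FF


def make_codeword(data21: int) -> int:
    """21 data bits -> 32-bit codeword: data | 10 BCH check bits | even parity bit."""
    word31 = (data21 << 10) | bch_remainder(data21 << 10)
    parity = bin(word31).count("1") & 1
    return (word31 << 1) | parity


def codeword_is_valid(cw: int) -> bool:
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0


def repair_single_bit_error(cw: int):
    """Brute-force single-bit correction; BCH(31,21) has distance 5, so at most
    one single flip can restore a valid codeword. Returns None if uncorrectable."""
    if codeword_is_valid(cw):
        return cw
    for bit in range(32):
        candidate = cw ^ (1 << bit)
        if codeword_is_valid(candidate):
            return candidate
    return None


def encode_page(ric: int, text: str, function: int = 3) -> list:
    """Codeword stream for one alphanumeric page to receiver `ric` (a 21-bit RIC)."""
    frame = ric & 7                                   # low 3 RIC bits pick the frame
    words = [IDLE_CODEWORD] * (2 * frame)             # pad so the address lands in its frame
    words.append(make_codeword(((ric >> 3) << 2) | (function & 3)))  # flag bit 0 = address
    bits = []
    for ch in text.encode("ascii") + bytes([EOT]):
        bits.extend((ch >> i) & 1 for i in range(7))  # 7-bit ASCII, LSB transmitted first
    while len(bits) % 20:
        bits.append(0)
    for i in range(0, len(bits), 20):
        chunk = 0
        for b in bits[i:i + 20]:
            chunk = (chunk << 1) | b
        words.append(make_codeword((1 << 20) | chunk))  # flag bit 1 = message
    while len(words) % 16:
        words.append(IDLE_CODEWORD)
    stream = []
    for i in range(0, len(words), 16):                # one sync word per batch
        stream.append(SYNC_CODEWORD)
        stream.extend(words[i:i + 16])
    return stream


def bits_to_text(bits: list) -> str:
    text = ""
    for i in range(0, len(bits) - len(bits) % 7, 7):
        c = sum(bits[i + j] << j for j in range(7))
        if c == EOT:
            break
        text += chr(c)
    return text


def decode_pages(codewords: list) -> list:
    """Recover every (ric, function, text) in the stream. No key is involved."""
    pages, current, bits, slot = [], None, [], 0
    for cw in codewords:
        if cw == SYNC_CODEWORD:
            slot = 0
            continue
        frame = slot // 2
        slot += 1
        fixed = repair_single_bit_error(cw)
        if fixed is None:
            continue                                  # uncorrectable; drop the codeword
        data21 = fixed >> 11
        if fixed == IDLE_CODEWORD or (data21 >> 20) == 0:
            if current is not None:                   # idle or new address ends a message
                current["text"] = bits_to_text(bits)
                pages.append(current)
                current, bits = None, []
            if fixed != IDLE_CODEWORD:
                ric = ((data21 >> 2) << 3) | frame     # frame position restores low RIC bits
                current = {"ric": ric, "function": data21 & 3, "text": ""}
        elif current is not None:
            chunk = data21 & 0xFFFFF
            bits.extend((chunk >> (19 - i)) & 1 for i in range(20))
    if current is not None:
        current["text"] = bits_to_text(bits)
        pages.append(current)
    return pages


if __name__ == "__main__":
    # Constructed sample page; the RIC and text are not from any real network.
    stream = encode_page(1234567, "CARDIAC ARREST WARD 4")
    damaged = list(stream)
    damaged[16] ^= 1 << 20                            # flip one data bit in flight
    print(decode_pages(stream))
    print(decode_pages(damaged))                      # same text: the BCH bits repair it
```

The point of the block is what is absent: nothing in `decode_pages` takes a key, because the check bits exist to let a receiver detect and correct a flipped bit, which is all "encoded" means here. The single-bit repair is a brute-force search, adequate for a demonstration but not the syndrome decoder a production receiver would use.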

130,000 NHS pagers

Although the number of pagers has dropped to near-zero from their height in the 1980s, pagers still carry a considerable amount of information every day.

Pager messages can travel over a large distance, said Keck, depending on how high the transmitter is located. Most major cities are covered with some pager service. Given the geography of the U.K., amateur radio hobbyists can often pick up pager messages from different sources.

The NHS still uses about 130,000 pagers, according to the U.K. government’s latest count, or about 10 percent of the world’s current pagers in use. But the NHS has been told to stop using pagers altogether by 2021.

But it’s not clear how many trusts are exposing medical information — if any are. According to NHS spokesperson Oliver Michelson, “each NHS organization is responsible for its own IT equipment and security.”


Pagers receive encoded, but not encrypted messages. (Image: Getty Images)

One NHS trust we spoke to said it had around 1,600 pagers, which are managed by the trust itself. (We are not naming the trust, as it would expose their communications.) When asked if the trust was aware that pager messages are not encrypted and can be intercepted by amateur radio hobbyists, the spokesperson responded: “Yes.”

Another trust we spoke to said they were “aware” that the handful of pagers it operates do not encrypt their messages. The trust said their pagers were managed by a third-party.

PageOne, the last remaining pager network in the U.K., says in a brochure that its pager service can deliver “real-time messaging cost effectively and securely to their staff.”

But a spokesperson told TechCrunch: “PageOne ensures customers are aware of the ability to intercept messages in its terms and conditions” and that encrypted services “are available if required.”

The company said the majority of NHS pagers are operated on private pager networks operated by the trusts themselves.

‘Trivially interceptable’

Amateur radio hobbyists know all too well the risks posed by unencrypted pagers.

Over the years there have been numerous headlines of hobbyists picking up signals from nearby hospitals, including patients’ names and medical information. Some have even turned eavesdropping on hospital pagers into an art project.

Last month, hospitals in Vancouver were found broadcasting unencrypted patient medical data across the city.

Sarah Jamie Lewis, executive director at Open Privacy, who first revealed the issue, said the hospital pager messages were “trivially interceptable” by anyone nearby.

“It tends to be pretty common knowledge in the amateur radio community that these kind of broadcasts are going on but it’s only recently that we started seeing a culture of disclosure,” said Lewis.

In the U.K., it’s legal for amateur radio hobbyists to scan the airwaves but unlawful to disclose the contents of messages. That’s put some security-focused hobbyists who disclose exposed sensitive messages in a tough legal spot.

“You get this horrible situation where not disclosing is bad, but people have a right to know that their health data is being breached,” said Lewis.

But the penalties could be far steeper for organizations that expose sensitive health data. Exposing personally identifiable and health information violates GDPR, the Europe-wide data protection laws that came into force last year. Organizations can be fined heavily for breaching the rules.

With more than a year on the clock before the NHS pager ban comes into effect, it’s not a problem that can be easily fixed.

The obvious solution would be not to send sensitive health or medical data over pager messages. Clearly, as seen by the amateur hobbyist’s radio rig, that message isn’t getting through.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


Samsung confirms glaring S10 fingerprint reader flaw, promises fix

16:58 | 17 October

Galaxy S10 users should turn on some alternative security features while Samsung works to address a major flaw in the device’s in-screen fingerprint sensor. The consumer electronics giant acknowledged the issue today after a British user reported being able to unlock her device with unregistered fingerprints.

The flaw was discovered after placing a $3.50 screen protector on the device, confirming earlier reports that adding one could introduce an air gap that interfered with the ultrasonic scanner. The company noted the issue in a statement, telling the press that it was, “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch.”

Third-party companies, including Korean bank KaKaoBank, have suggested users turn off the reader until the issue is addressed. That certainly appears to be the most logical course of action until the next software update.

When it hit the market back in March, the company touted the technology as one of the industry’s most secure biometric features, noting that it was, “engineered to be more secure than a traditional 2D optical scanner, the industry-first Ultrasonic Fingerprint ID, with sensors embedded in the display, reads the 3D contours of your physical fingerprint to keep your phone and data safe. This advanced biometric security technology earned the Galaxy S10 the world’s first FIDO Alliance Biometric Component certification.”

Samsung has warned against the use of screen protectors previously, but the ability to fool the sensor with a cheap off-the-shelf mobile accessory clearly presents a major and unexpected security concern for Galaxy users: a reader that accepts unregistered fingerprints fails open, so whoever is holding the phone can unlock it. We’ve reached out to Samsung for further comment.


SimShine raises $8 million for home security cameras that use edge computing

10:19 | 10 September

SimShine, a computer vision startup based in Shenzhen, has raised $8 million in pre-Series A funding for SimCam, its line of home security cameras that use edge computing to keep data on-device. The funding was led by Cheetah Mobile, with participation from Skychee, Skyview Fund and Oak Pacific Investment.

Earlier this year, SimShine raised $310,095 in a crowdfunding campaign on Kickstarter. It will use its pre-Series A round for product development and hiring.

SimShine’s team started off developing computer vision and edge computing software, spending five years working with enterprise clients before launching SimCam.

The company plans to release more smart home products that use edge computing, with the ultimate goal of building an IoT platform to connect different devices, co-founder and chief marketing officer Joe Pham tells TechCrunch. SimCam currently integrates with Amazon Alexa and Google Assistant, with support for Apple Homekit in the works.

Pham says edge computing protects users’ privacy by keeping data, including face recognition data, on device, while also decreasing latency and false alarms, because calculations are performed continuously on the device (cameras connect to Wi-Fi so customers can watch surveillance video on their smartphones). It also means customers don’t have to sign up for the subscription plans that many cloud-based home security cameras require and reduces the price of each device since SimCam does not have to maintain cloud servers.
