Bug allows Hackers to open locked Biometric Fingerprint Doors


Researcher has uncovered various flaws in a Taiwan-based Chiyu Technology's fingerprint access controller which could allow hackers to easily open the locked doors.

The researcher, Maxim Rupp has said that the vulnerabilities allow the attacker to view and modify the existing configuration of the device without authentication by directly accessing known paths. 


The path (CVE-2015-2871) varies slightly depending on model and services available.

According to an advisory published on July 31, the paths for accessing communications, fingerprint and other setup pages vary depending on the model and the services that are available, CERT/CC.

“It has identified models BF-660C, BF-630, BF-630W as being vulnerable; other models may also be vulnerable. The CERT/CC has been unable to verify this information with the vendor. The CVSS score below is based on CVE-2015-2871,” the advisory read.

According to a story published in SecurityWeek, the researcher said that by gaining access to the controller’s fingerprint setup page, an attacker could modify settings, such as “security level” and “sensitivity,” to make it easier to open the door protected by the device. An attacker can also change the device’s network settings and disconnect it from the targeted organization’s network.

“The researcher has also found that some of the vulnerable biometric devices are accessible via the Internet, which allows an attacker to exploit the weakness remotely. An attacker might be able to carry out other actions as well once he gains access to the controller’s configuration pages, but the expert says he hasn’t conducted further tests,” the report read.

The researcher said that there were several other companies that which sold the same devices under a different brand.

The flaws were reported by the researcher to Chiyu Technology via CERT/CC on May 29. CERT/CC. However, the company concerned has not managed to get in touch with the manufacturer.

It is still unclear that when the company will fix the flaws in the fingerprint access controller.

Attackers can crash Your Android Device, says Trend Micro

 
Researchers from TrendLabs Security Intelligence have discovered a vulnerability in Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop) that could help an attacker to turn a phone “dead silent, unable to make calls, with a lifeless screen”.

Researchers have said that the flaw would cause phones to have no ring, text or notification sounds and be unable to make calls.

According to a post in its blog, “This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.”

The researchers said that the vulnerability was similar to the recently discovered Stagefright vulnerability. Both vulnerabilities were triggered when Android handles media files, although the way these files reached the user differs.

Researchers from Zimperium Mobile Security, a security firm, had discovered Stagefright in Android mobile operating system which they said to be the “worst Android vulnerabilities” to the date.

Though, the Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.

 “The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” the blog post read.

Although, the flaw was reported to the Google in May, the company concerned has been able to fix the issue.

Valve fixes a bug which allowed hackers to access its users account

Valve’s Steam, an American video game development and digital distribution company headquartered in Bellevue, Washington, United States which has millions of accounts all over the world, has fixed a loophole which could allow an attacker easily take over an arbitrary account by using account's username.

According to a report published in Master Herald, a flaw in the Steam’s password recovery feature was the reason behind the exploitation. As per a demonstration in a video posted on YouTube, the feature sends a recovery code to the registered e-mail address linked with the account. The code needs to be entered on a form through the Steam website.

However, the attacker could skip that code entry step, leaving the recovery code area blank, and have full access to the password change dialog. Although, the company has fixed the loophole, the vulnerability had done a lot of damages many users’ account.

“Now, the users, who actively trade on the Steam Market, are worried as they think their accounts have been compromised.

However, it is said that the Valve hasn’t commented on the situation yet.

The company has urged its users to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.

It is important to note that the information contained in the e-mail itself is not necessary to carry out the attack.


“Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them,” the report added.

Your life is in the hands of the hackers, they can remotely hijack your Jeep


Image Credits: Wired
When we think of a term ‘hacking’, computers, bank accounts and websites are the things which come in our mind. One can barely think of hacked vehicles. However, a recent case in which a car was hijacked by hackers has shown that the hackers have left nothing safe in our life.

According to a report published on Wired, zero-day exploit for Chrysler vehicles allow hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

It has been found out that the Uconnect software, which manages the vehicle’s entertainment and navigation systems, provides a Wi-Fi hotspot, and allows drivers to make phone calls. It is said that if anyone who knows the car's IP address can hijack the car.

In the report, Andy Greenberg, senior writer, explained that he signed up to be a guinea pig for security researchers Charlie Miller and Chris Valasek. He was strapped into a Jeep and directed to head onto the highway. From 10 miles away, Miller and Valasek proceeded to hack into his car's software, toggling the windshield wipers, blasting the radio, and, eventually, cutting the transmission.

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun,” Greenberg said.

After that, the hackers successfully took over the jeep’s brakes as a result it went into a ditch.

“Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route,” he explained.

According to the news report, on Tuesday Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) announced legislation that would ensure automobile companies to meet privacy measures to protect against cyber attacks.

In order to prevent the car hacking, Miller and Valasek reported about the flaw in the vehicles to the company concerned, months ago.

The Chrysler has come up with an updated version of the software however, the company has to manually download it and upgrade their cars through a USB drive.

United Airlines awards hackers millions of miles for reporting bugs

United Airlines  has awarded “millions of frequent flier miles” to hackers who have found out gaps in the carrier's web security, in a first for the U.S. airline industry, according to a report published on Reuters.

However, some tweets from those hackers have said that they have got small awards than the company had announced.  

“Well that answers that question. Found out which of my two bugs was worth a million because the other is apparently worth 250k,” one of the tweets posted by Jordan Wiens @psifertex.

It is also said that some terms of the agreement does not allow Wiens from disclosing the bug he had discovered.

On the other hand, the company concerned confirmed with Reuters that it has paid out two awards worth 1 million miles each, worth dozens of free domestic flights on the airline.

 "We believe that this program will further bolster our security and allow us to continue to provide excellent service," the United said on its website.

“It has hoped to trailblaze in the area of airline web security by offering "bug bounties" for uncovering cyber risks. Through the program, researchers flag problems before malicious hackers can exploit them. The cost can be less than hiring outside consultancies,” the news report read.

The Trade group Airlines for America said in a statement that all the United State carriers should conduct tests to make sure, if their systems are secure.

Beyond the Bug bounty program, the company also has tested systems internally and engaged cyber security firms to keep its websites secure.


Software bug affects cars, opens doors without warning

A software bug has been discovered by Land Rover in two of its cars. The issue is about a bug in the system that can unlock the doors of the car without warning to the driver.

The company will recall vehicles and do the necessary repairs without any charge to the customers.

The bug affects two models of Land Rover, the Range Rover and Range Rover Sport. 65,000 vehicles have been recalled due to this.

The company has placed ads in newspapers and is contacting the owners to call them in for the recall.