Alexa can be hacked–by chirping birds?

Scientists at the Ruhr-Universitaet in Bochum, Germany, have discovered a way to hide inaudible commands in audio files – commands that, while imperceptible to our ears, can take control over voice assistants. According to the researchers behind the technology, the flaw is in the very way AI is designed.

It’s part of a growing area of research known as “adversarial attacks,” which are designed to confuse deep neural networks–usually visually, as Co.Design has covered in the past–leaving them potentially vulnerable to attacks by bad-faith actors on the technology and infrastructure in our world that depends on AI to function.

In this case, the system being “attacked” by researchers at the Ruhr-Universität Bochum are personal assistants, like Alexa, Siri, or Cortana. According to Professor Thorsten Holz from the Horst Görtz Institute for IT Security, their method, called “psychoacoustic hiding,” shows how hackers could manipulate any type of audio wave–from songs and speech to even bird chirping–to include words that only the machine can hear, allowing them to give commands without nearby people noticing. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.

Attacks could be played over an app, for instance, or on a TV commercial or radio program, to hack thousands of people–and potentially make purchases with or steal their private information. “[In] a worst-case scenario, an attacker may be able to take over the entire smart home system, including security cameras or alarm systems,”

“An Amazon spokesperson told Co.Design that they take security issues seriously, and that the company is “reviewing the findings by the researchers.” Another way to look at this problem? Whenever possible–and unfortunately, it’s not always possible–don’t use unsecured smart speakers for sensitive information until they deliver on the promise of a secure and safe user experience.”

Sources/Further Reading:

Fast Company: Alexa can be hacked–by chirping birds

Adversarial Attacks Against ASR Systems via Psychoacoustic Hiding

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, and Dorothea Kolossa, Ruhr-Universität Bochum,  Technical Paper



Most Home Routers Are Full of Vulnerabilities

Research conducted by the American Consumer Institute Center for Citizen Research indicates that the routers commonly found in homes are huge security vulnerabilities for consumers and their employers. The center’s analysis shows that of 186 sampled routers, 155 (83%) were found vulnerable to potential cyberattacks.

The routers samples were from 13 different manufacturers, including Linksys, Belkin, Netgear, and D-Link. While 17% of the routers scanned were vulnerability-free, the report says that the remaining 83% of routers examined had, on average, 172 vulnerabilities.

Most of the vulnerabilities were in router firmware, according to the researchers, with the sheer number of vulnerabilities caused by a combination of a reliance on open source projects for code and a lack of vigorous patching and update policies on the part of the vendors.


Dark Reading:

Most Home Routers Are Full of Vulnerabilities


ThreatList: 83% of Routers Contain Vulnerable Code


9 million Xiongmai cameras, DVRs wide open to attack

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology. Source: Help Net Security

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.

And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.

Xiongmai-manufactured devices were among those that were conscripted into Mirai IoT botnets in 2016, as they offered high-privileged shell access over TCP ports 23 and 9527 using hard-coded credentials.

How to Hack a Smart Meter and Kill the Grid

Nick Hunn, WiFore: “I have always been concerned about the vulnerability of the British smart meters to hacking at the manufacturing stage. The reason for that concern is that these meters contain an OFF switch which allows power to be disconnected by the energy supplier. This is a convenience for them, as they no longer need to send someone round to gain access to a building. However, if it were ever hacked, the hackers could turn off millions of meters at the same time. That could be used to destroy the electricity grid.”

Nick gives a quick tutorial on how to hack a smart meter and kill the grid:

How to Hack a Smart Meter and Kill the Grid



The Weakest Security Links in the Blockchain

“Despite the technology’s promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds……..The problem with migrating blockchain outside of financial services and into distributed edge computing applications — especially, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) — is that data can be corrupted before it’s added to the blockchain. If corrupt data infiltrates the blockchain, the benefits are lost.”. Source: Drew Peck & Tim Butler, DarkReading.

“Fundamentally, blockchain technology enables the recording of events or transactions on a distributed ledger. This ledger is shared and accessible to all participants, not owned by any, and records data securely, immutably, and permanently. Essentially, a blockchain is a constantly growing set of interdependent blocks containing data, with each block recording an event or transaction. The game changer is that those blocks are distributed across a decentralized network, and every member of the network has his or her own copy of the entire blockchain.

If blockchain essentially is a digital record keeper, then blockchain is only valuable if those records can be trusted. Blockchain is trustworthy becauseof the decentralized nature of the network and the new database structure. The broad distribution of many copies of the blockchain provides an unprecedented level of trust because no single party controls the data and there is no single point of failure or tampering risk.

In the real world, the ends of the blockchain are the physical assets — i.e., in commercial, industrial, supply chain, IoT, and IIoT applications — for the data and records to get into the blockchain, companies need an interface and physical data storage for the data related to those assets.

Most hardware isn’t secure — whether it’s the storage or the interface, there is frequently a direct trade-off between security and usability. Additionally, the most common memory architectures used today are specifically designed to allow simple access and reprogramming, almost inviting tampering by bad actors. Data manipulated before being added to the blockchain would be unreliable, rendering the entire chain of trustworthy transmission and recording useless.”

Full Dark Reading article here:

The Weakest Security Links in the (Block)Chain


Fast, Furious and Insecure: Modern Supercars

A team of researchers at the KU Leuven university in Belgium demonstrated how Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob. High-end vehicles are often equipped with a Passive Keyless Entry and Start (PKES) system. These PKES systems allow to unlock and start the vehicle based on the physical proximity of a paired key fob; no user interaction is required.

Researchers have already shown these systems to be particularly vulnerable to relay attacks. In this type of attack two adversaries relay the short-range communication over a long-range communication channel. Recent news reports and home security videos have shown that relay attacks are frequently used to steal luxury vehicles. Distance bounding mechanisms are gradually being deployed to preclude relay attacks.

The goal of the research was to evaluate the resistance of a modern-day PKES system to attacks other than relay attacks. They have completely reverse engineered the PKES system used in the Tesla Model S. The research shows that this system is using the outdated proprietary DST40 cipher.

Researchers link tools used in NotPetya and Ukraine grid hacks

New research provides evidence linking some of the most impactful cybersecurity incidents on record – the 2015 and 2016 attacks on the Ukrainian power grid and the 2017 NotPetya  malware outbreak – to the same set of hackers that Western governments say are sponsored by the Russian government. Researchers from cybersecurity company ESET say they have laid out the first concrete, public evidence of that link, citing a pattern of “backdoors” — or tools for remote access — used by the hackers.
See Cyberscoop Article:

Researchers link tools used in NotPetya and Ukraine grid hacks


The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources – according to a Bloomberg Report.

Excerpts from this report:

“During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

“How the Hack Worked:”

1.  A Chinese military unit designed and manufactured microchips as small asa a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.

2. The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.

3. The compromised motherboards were built into servers assembled by Supermicro.

4.  The sabotaged servers made their way inside data centers operated by dozens of companies.

5. When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

See also TechCrunch Article:

Chinese chip spying report shows the supply chain remains the ultimate weakness

Securing industrial IoT passwords

If the networked kit needs to work for 10 years, you need to think policy. Operations technology (OT) is the term given to all those environments in industry, transport, automotive, city and utilities that – before industrial IoT – had been largely isolated from the outside world and, thus, protected from intruders.

Brexit or no Brexit,  the UK is implementing an EU policy on the security of such systems via the Networks and Information Systems Directive, so securing OT is a necessity.

Privileged access management provider Osirium has partnered with aviation, rail and car cyber-security specialist Razor Secure to build and deliver a range of systems targeting industrial IoT applications including unattended operations, power and water plants, weather stations, manned and unmanned vehicles and other systems that could themselves be used as a gateway for “bad stuff” to hop onto a network.

The target market for this partnership is systems “designed well before deployment” and “required to operate for 10 years or more.”

The pair said Razor Secure’s machine learning algorithm would be used to hunt for process anomalies in endpoint security together with Osirium’s system administrator Privileged Access Management (PAM) for secure passwords, workflow and robotic process task automation.

See The Register Article