Amazon Key: The next thing in smart homes and in-home delivery
Amazon last week introduced Amazon Key, a service that lets Amazon packages be securely delivered inside the front door. Amazon Prime members in select cities can use the service by purchasing the Amazon Key In-Home Kit.
The In-Home Kit includes Amazon Cloud Cam, an indoor security camera, and a compatible smart lock from Kwikset or Yale. Customers can use the same system to grant access to family members, friends, a dog walker, an out-of-town guest, or a house cleaner.
How does it work?
Once Amazon Key is installed, the service can authorize the delivery and unlock the smart lock remotely. Notifications are sent via the accompanying smartphone app on the morning of delivery, just before it, and right after it. The indoor security camera, which offers 1080p full HD video, night vision, and two-way audio, records the delivery; customers can watch live via the Amazon Key app or view the recording later.
The Cloud Cam functions as a ‘hub’ connected to the internet via the home Wi-Fi system. It passes the ‘lock’ and ‘unlock’ instructions to the smart lock via Zigbee, a wireless protocol used to create personal area networks with small, low-power digital radios, such as for home automation.
The service, which is currently executed through Amazon’s own delivery team, will start on November 8 in select cities in the US.
via Tracking the Internet of Things http://ift.tt/2oxdcAf
Docker CEO Ben Golub was asked in a recent interview how his company can make money off of an open source product. A good answer would have been, “If there’s no money in it, why are Microsoft and Oracle interested?” According to one recent survey, over 30 percent of respondents claimed to be spending more than half a million dollars on container licenses and usage. And not coincidentally, Microsoft recently announced Azure Container Instances, which are supposed to make deploying containers a lot easier.
As anyone who goes down the container and microservices architecture road must soon find out, not everything is open source, and customized solutions always cost money. One way of looking at it is like airline tickets: the basic community editions and open source versions are your economy tickets, and the first-class seats are where all the paid stuff is at. It can obviously get a lot more complicated than first-class and economy seats, especially since a lot of the time with new technology you don’t even know which airline you’re on, or where you’re supposed to get off, for that matter.
Microsoft gets on the money train
Everyone agrees containers are great, and everyone wants to be deploying their apps in containers to be cool and hip and highly productive. Microsoft is spending $370,000 a year to be part of the cool-kids club and hang out with all the open source people. As mentioned earlier, if there was no money in it, Microsoft would not be interested. Microsoft has been all over it for a while now and is doing everything to stay on it. Those efforts include declaring love for Linux, becoming a platinum member of the CNCF, which is where that cool $370,000 annual price tag comes into the picture, and not to forget the recent Deis acquisition.
So what’s the big idea about Azure Container Instances? After all, Azure Container Service already exists. The idea is to make deployment even simpler by abstracting away the infrastructure and providing users with a sort of “serverless” deployment of containers. Azure’s product manager for containers described ACI as “the invisible infrastructure and micro billing of serverless without forcing the event-driven programming model.” ACI also uses the Azure command line and comes with an easily scriptable set of commands by which containerized applications can be rapidly created and launched right from the command line.
Azure Container Service (ACS) works by building VMs around your containers, which comes with quite a big resource footprint and effectively eliminates one of the main advantages of containers, namely that they’re extremely lightweight, fast, and go easy on resources. The funny thing here is that your Azure Container Instances will still run on VMs, except they’re running in the background and are not something that you need to look at anymore. There is some speculation that this could indicate Azure Container Instances is using Hyper-V containers, which is funny again because we’re now effectively running Linux images on a feature of Windows Server running on Linux, because it’s supposed to be more secure than running them on Linux itself.
Although this sort of falls into the “VMs for Containers-as-a-Service” and not “Containers-as-a-Service” like a lot of people were probably expecting, startup time is supposed to be quicker than regular VM based containers. In fact, one of the plusses of Azure Container Instances is the speed at which containers start up — Microsoft says ACI containers start within seconds. There’s also another service that lets you deploy containers as Azure Web Apps, and Azure Container Instances is the fastest way to deploy containers on Azure out of all three. That, and the fact that it comes with container management commands and works with Kubernetes, makes it an interesting choice indeed.
The reason that deploying a container from an existing repository happens within seconds in spite of the fact that it’s still running in a VM is because instead of building an underlying host VM, ACI just assigns an existing VM to your container. The beauty of this new offering from Microsoft, apart from the fact that it’s billed per usage, is really that while ACI currently only supports Linux containers, Windows container support is expected in the next couple of weeks.
Can you believe Microsoft releasing something that supports Linux before it does Windows? Times are changing, indeed. With regards to billing per usage, ACI comes with a billing model that’s based on per-second usage, which translates into a lot of savings with regards to paying for the upkeep and maintenance of servers. The billing is bifurcated into memory and cores used per second, so if you’re scaling up it would be a good idea to keep an eye on the meter while it’s running. Additionally, the request used to deploy a container can also include a definition for the number of cores and memory it needs.
A lot of Microsoft’s initial documentation for ACI assumes that it’s going to be used as a host for scalable web services and applications, which is probably what it’s going to be used for a lot. It’s also probably going to be used with Kubernetes to burst-scale applications and services.
Azure Container Instances and Kubernetes
You can’t have a container party and not invite Kubernetes, and there’s an ACI connector for Kubernetes that lets you have both ACI and ACS in the same cluster, a sort of hybrid container setup within Azure. This ACI connector for Kubernetes is an open source project hosted on GitHub and lets Kubernetes deploy straight to ACI, where ACI functions like a kubelet and is registered as an unlimited-capacity node.
Since it’s an open source project, future support for Mesos, Swarm, and others is also expected. The best part about the ACI connector is you don’t even need to be running Kubernetes to run it. Once running, you can use Kubernetes commands from your ACI account to create and destroy containers at will. Microsoft has been all about support for Kubernetes for a while now, and ACI looks like it will be a great tool once production ready.
Promise of PowerShell
Additionally, Microsoft has promised PowerShell will be added to Cloud Shell and the Azure CLI. PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework and .NET Core. There’s a lot of scope for automation here, mainly because PowerShell ensures you’ll have access to the most common automation tools for managing Azure resources from virtually anywhere, and secondly because the Azure CLI is based on Bash, which is extremely well suited for coding.
All in all a great effort from Microsoft to take container technology, which is still intimidating to a lot of folks, and turn it into something user friendly, but with some depth at the same time. With the way things are going, we’re probably going to be seeing a lot of new container-based services from Microsoft built around this one. Who knows, one day they might just do away with the VMs altogether.
How to Enable or Disable “Now Playing” on the Pixel 2
The Google Pixel 2 and 2 XL bring a lot of cool new features to Android users, including an awesome Now Playing utility that actively listens for music in your environment and displays the current track on the ambient display.
While there’s an opportunity to enable this feature during the setup process, there’s a chance you may have missed it. Or, on the other side of that coin, you may have enabled it and now you hate it. Either way, here’s how you can toggle the feature—along with some other cool ways to make the most of it.
So, How Does Now Playing Work?
Here’s the thing: Now Playing does its thing without ever sending any data back to Google. In fact, it will work offline and even in airplane mode. But how?
The answer to that is actually pretty simple: it stores track data locally on the phone. Unlike services like Shazam, SoundHound, or even Google Now’s “What’s this song” feature, it doesn’t have to ping the internet with a sound snippet to see what’s playing—it just knows. It’s so cool.
Of course, since track data is stored locally on the phone, that also means it’s limited. While perhaps every song in existence can be identified online, it would simply take up too much storage to keep that kind of data stored on your phone. So instead, Google stores the digital fingerprints of roughly 20,000 of the most popular songs, according to Google Play Music, on your phone. It’s a constantly revolving list, too, so it’s not something that will quickly get outdated. Smart. If you’re interested, here’s a current list of (maybe) all the songs that are currently supported by Now Playing—17,300 at the time of writing. Not bad!
But how much space does this file take up? Less than 500MB, according to Google. That’s a pretty insane number for that comprehensive of a list, and it’s well worth the storage if you ask me.
The other big question you may have is how this feature affects battery life. In short, it really shouldn’t. It only activates and listens for music every 60 seconds, at which point it identifies the song. If it doesn’t identify any music for more than 60 seconds, it goes into a sort of “passive” mode where it waits for music to once again be detected. So I guess in theory, if you listen to music constantly, it could have a slight impact on battery life, though I haven’t noticed this myself (and I’m one of those people who constantly has something playing).
Of course, there’s the question of whether or not other Android devices will get this kickass feature. The short answer, at least for the time being, is no. Google says it requires a specific combination of hardware and software features, so the chances of it coming to any current Android device are basically null. Sorry guys.
How to Enable or Disable Now Playing
To enable or disable Now Playing, go ahead and pull down the notification shade and tap the gear icon.
From there, tap on Sound, then Advanced.
Scroll to the very bottom of the list and tap on Now Playing.
There are a couple of options in this menu: “Show on Lock Screen” and “Also Show Notifications”. If the service isn’t enabled yet, only the first of the pair will show up—go ahead and slide the toggle to the on position. Unless, of course, it’s already on and you want to disable it.
Once enabled, you can opt to also have song identification show up in the notification tray—it won’t generate an icon, but rather just a passive notification. It’s pretty sweet.
How to Get the Most Out of Now Playing
While we’re talking about the notification, I’ll clue you in on a little tweak some users are making to also get an audible notification when a song is identified. This is useful if you always want to know when it detects something, but don’t want to constantly look at your phone.
In the Now Playing menu (Settings > Sound > Advanced > Now Playing), tap on the “Also Show Notification” option. This will open the Pixel Ambient Services settings menu, where you can get a bit more granular control over the notification.
By using Android Oreo’s notification channels feature, you can take more control over how Now Playing works in terms of notifications. To make it more powerful (but also more intrusive), tap the “Recognized Music Notifications” option.
From there, tap the “Importance” option. By default it’s set to Low, which will prevent it from making a sound or generating any sort of visual interruption. If you want it to show an icon in the notification bar, change this setting to Medium. If you want it to make a sound and display an icon in the notification bar, change the setting to High.
There probably isn’t much reason to change it to Urgent, but if that’s your thing, you can do that too.
Past that, there’s also a cool app in the Play Store called Now Playing History that will, unsurprisingly, keep a running list of Now Playing’s history on your phone. The app will set you back a dolla dolla bill, but I think it’s worth it…even though I really feel like this should be a native function. Alas, it’s not, so someone found a way to capitalize on that. I’m okay with that.
It helps that it’s a good looking app that makes a lot of sense. Instead of just an arbitrary list with no real info outside of the song, it’s broken down by timestamp, which is an exceptionally nice touch. That way, if you’re trying to remember a song that you heard last night, you can thumb through the list until you get to around the time you heard it.
It will also open the song directly in the service of your choice when you tap on it, so you can listen to it right then and there. It’s a decent list of supported apps, too—it should include pretty much all the popular music services on Android.
Now Playing may seem like such a small feature, but it’s actually one of my favorite things about the Pixel 2. I find that, when combined with the always-on ambient display, I passively use this feature all the time. Very cool stuff.
Tenna Joins LoRa Alliance to Accelerate Internet of Things Solution Based Physical Asset Management Deployments – Marketwired (press release)
EDISON, NJ–(Marketwired – Nov 1, 2017) – Tenna, the technology company that empowers construction companies to find more value across their inventory of equipment, vehicles and physical assets, today announced it has become a member of the LoRa Alliance™, one of the fastest growing Internet of Things (IoT) alliances with over 500 members. This membership will help Tenna™ accelerate its IoT solution deployments, using the LoRaWAN™ standard for long range wide area networking for customers’ construction sites, thereby taking a further step in helping customers in the digital transformation from the physical to digital worksites.
The LoRa Alliance™ is a non-profit organization dedicated to promoting the interoperability and standardization of the LoRaWAN™ low-power wide area network (LPWAN) technology that drives the success of the IoT. The LoRaWAN standard is a LPWAN specification intended for wireless battery-operated devices in a regional, national or global network. LoRaWAN technology provides seamless interoperability among smart devices without the need for complex local network installations, and empowers users, developers, and businesses, enabling the seamless rollout of IoT solutions.
Tenna™ will use the LoRaWAN protocol to offer cost effective solutions for the management of information flow in and between construction sites. Tenna’s implementation of LoRaWAN technology will provide wireless connectivity for the sensor-enabled physical asset management devices, LoRaWAN GPS trackers, currently in development by Tenna. Construction sites, operated by Tenna customers, will feature plug-and-play temporary or permanent long distance radio networks — without the need for any training or radio licensing — working completely out of the box. This simplicity enables reduction in radio costs, which translates to savings for Tenna customers. Tenna’s LoRaWAN GPS tracking devices leverage long range, low power wireless platforms to deliver critical information, no matter where assets travel.
“We’re excited to join the LoRa Alliance and to be at the forefront of deploying this new wireless technology,” said Mike Cook, Chief Technology Officer and Head of Product, Tenna. “The LoRaWAN standard unlocks tremendous value at a low cost for Tenna customers and, as a result, we look forward to helping our customers solve the challenges of working with and managing a distributed and variegated fleet of assets — all while unleashing the power of IoT as they embrace their digital transformation.”
Tenna’s LoRaWAN GPS trackers are built to run on emerging LoRaWAN carrier networks, enabling Tenna customers to receive messages from their LoRaWAN trackers when the trackers are far away from their project sites. With LoRaWAN technology, extremely low power budgets are required, allowing customers to deploy Tenna Asset Trackers with batteries that will last over five years.
“As our membership grows, so does our portfolio of LoRaWAN use cases,” said Geoff Mulligan, chairman of the LoRa Alliance. “We’re pleased to welcome Tenna to the Alliance and learn how it is applying the benefits of the LoRaWAN standard to the construction industry. Tenna offers yet another example of the versatility and broad applicability for LoRaWAN LPWAN networking technology.”
About LoRa Alliance™
The LoRa Alliance is an open, nonprofit association that has grown to over 500 members since its inception in March 2015, becoming one of the largest and fastest-growing alliances in the technology sector. Its members closely collaborate and share experiences to promote the LoRaWAN protocol as the leading open global standard for secure, carrier-grade IoT LPWAN connectivity. With the technical flexibility to address a broad range of IoT applications, both static and mobile, and a certification program to guarantee interoperability, the LoRaWAN protocol has already been deployed by major mobile network operators globally, with continuing wide expansion ongoing. For information about joining the LoRa Alliance, please visit http://ift.tt/2xKrzqR.
About the LoRaWAN™ Standard
The technology used in a LoRaWAN network is designed to connect low-cost, battery-operated sensors over long distances in harsh environments that were previously too challenging or cost prohibitive to connect. With its unique penetration capability, a LoRaWAN gateway deployed on a building or tower can connect to sensors more than 10 kilometers away, or to water meters deployed underground or in basements. The LoRaWAN standard offers unique and unequaled benefits in terms of bi-directionality, security, mobility and accurate localization that are not addressed by other LPWAN technologies. These benefits are enabling the diverse use cases and business models that continue to grow deployments of LoRaWAN-based IoT networks globally. For more information, please visit http://ift.tt/2ilmcDS.
Tenna™ Asset Management Solutions
As an innovative technology company, Tenna uses Internet of Things (IoT) and cloud-based technology to deliver intelligent and autonomous industrial asset tracking and analytics to industrial organizations looking to take control of their inventory’s hidden value.
Tenna’s asset software and tracking devices allow companies to manage the entire inventory on one consolidated system. With Tenna’s comprehensive range of QR code, RFID tracking, cellular and LoRaWAN GPS asset tracking solutions, companies can monitor every kind of tool, machine or vehicle — all on one convenient asset tracker dashboard. Organizations can also find more efficiency by not paying for multiple equipment tracking systems.
About Tenna™
Tenna, www.tenna.com, is an Internet of Things (IoT) technology company that helps industrial organizations find more value from their equipment and physical assets. Tenna delivers comprehensive industrial asset tracking and analytics to clients in construction, equipment rental, logistics, transportation and utilities who seek to control and optimize their business. Clients rely on Tenna solutions to track and manage inventories of critical equipment, vehicles and materials, and gain increased control and maximum efficiency of their physical assets. Follow us on Twitter, join the discussion on the Tenna Blog and connect with Tenna on LinkedIn, Facebook and YouTube.
Tenna, the Tenna logo and Find More are trademarks of Tenna LLC., registered in the U.S. and/or other countries. All other trademarks are the property of their respective owners.
Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities
Apple on Tuesday released a new set of security patches for its products, including fixes for Wi-Fi vulnerabilities disclosed in mid-October.
The security flaws can be exploited as part of a novel attack technique called KRACK, short for Key Reinstallation Attack, which could allow an actor within wireless range of a victim to access information assumed to be safely encrypted. The attacker could exfiltrate sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and more.
The issues were found in the Wi-Fi standard itself, and all correct implementations of WPA2 were assumed to be affected. Industrial networking devices are impacted too, including products from Cisco, Rockwell Automation and Sierra Wireless. Vendors rushed to release patches after being informed of the bugs several months ago.
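To make the “key reinstallation” in the name concrete, here is an added Python model of the one client-side step the attack class abuses; it is not Apple’s code and not taken from the page or any vendor. A WPA2 client installs its pairwise key when it receives message 3 of the 4-way handshake, and the per-frame nonce of the CCMP cipher starts from zero on every install, so accepting a retransmitted message 3 and installing the same key again makes the nonce repeat under an unchanged key. The hardened path reproduces the class of fix vendors shipped: a key that is already in use is never reinstalled, so the nonce keeps counting. The page does not say which Apple CVE maps to which handshake, and nothing here assumes it. The SHA-256 “keystream”, the key bytes, the frames and the monitor-side `detect_nonce_reuse` check are all constructed for illustration.

```python
"""Toy model of the WPA2 supplicant step that KRACK abuses.

Constructed illustration for this article; not Apple's code and not taken
from any vendor. It models only: (1) installing the pairwise key on
message 3 of the 4-way handshake, (2) the per-frame nonce that a
nonce-based cipher such as CCMP advances for every frame, and
(3) the fix class vendors shipped: refuse to reinstall a key that is
already in use, so a replayed message 3 cannot reset the nonce.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def toy_keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream: SHA-256(key || nonce || block), repeated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


@dataclass
class Supplicant:
    """Minimal client-side key state. harden=True models the patched behaviour."""
    harden: bool = False
    installed_key: Optional[bytes] = None
    tx_nonce: int = 0

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3 (possibly a retransmission). Returns True if a key was installed."""
        if self.harden and self.installed_key == ptk:
            # Patched: key already in use -> acknowledge, but leave key and nonce alone.
            return False
        self.installed_key = ptk
        self.tx_nonce = 0  # Installing a key (re)starts the nonce: the root of the problem.
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the current key and nonce, then advance the nonce."""
        if self.installed_key is None:
            raise RuntimeError("no key installed")
        nonce = self.tx_nonce
        self.tx_nonce += 1
        ks = toy_keystream(self.installed_key, nonce, len(plaintext))
        return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def detect_nonce_reuse(frames: List[Tuple[bytes, int]]) -> List[int]:
    """Monitor-side check over observed (key_id, nonce) pairs: nonces seen twice under one key."""
    seen: Dict[Tuple[bytes, int], int] = {}
    reused: List[int] = []
    for key_id, nonce in frames:
        seen[(key_id, nonce)] = seen.get((key_id, nonce), 0) + 1
        if seen[(key_id, nonce)] == 2:
            reused.append(nonce)
    return reused


def reinstall_scenario(harden: bool) -> Dict[str, object]:
    """Send a frame, deliver message 3 a second time, send another frame; report what happened."""
    ptk = bytes(range(16))              # constructed pairwise key
    sta = Supplicant(harden=harden)
    sta.handle_msg3(ptk)                # legitimate install
    n1, _ = sta.encrypt(b"first frame")
    reinstalled = sta.handle_msg3(ptk)  # message 3 arrives again (lost ack, or replayed)
    n2, _ = sta.encrypt(b"other frame")
    key_id = hashlib.sha256(ptk).digest()[:4]  # identifier for the monitor, not the key itself
    return {
        "reinstalled": reinstalled,
        "nonces": (n1, n2),
        "nonce_reused": detect_nonce_reuse([(key_id, n1), (key_id, n2)]) != [],
        "identical_keystream": toy_keystream(ptk, n1, 11) == toy_keystream(ptk, n2, 11),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("patched" if mode else "vulnerable", reinstall_scenario(mode))
```

In the vulnerable run both frames go out under nonce 0 and therefore under an identical keystream; in the hardened run the second install is refused and the nonces are 0 and 1. The same nonce-reuse check, run over captured frame headers, is the observable a defender can watch for while patches roll out.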
The KRACK-related vulnerability impacting iOS devices is tracked as CVE-2017-13080 and was addressed in iOS 11.1, for iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later, Apple notes in an advisory.
iOS 11.1 resolves an additional 19 vulnerabilities impacting components such as CoreText, Kernel, Messages, Siri, StreamingZip, UIKit, and WebKit. These bugs could lead to arbitrary code execution, information disclosure, or to the modification of restricted areas of the file system.
WebKit was the most affected component, with 13 vulnerabilities addressed in it (10 of the issues were reported by Ivan Fratric of Google Project Zero). The bugs could lead to arbitrary code execution when processing maliciously crafted web content and were addressed through improved memory handling.
The same KRACK-related vulnerability was addressed in tvOS 11.1 and watchOS 4.1 as well. The former resolves 17 flaws in the platform, while the latter patches only 4 issues.
macOS High Sierra 10.13.1 includes patches for three KRACK-related flaws, namely CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.
The new platform iteration resolves an additional 145 vulnerabilities impacting components such as apache, APFS, AppleScript, Audio, CoreText, curl, Fonts, HFS, ImageIO, Kernel, libarchive, Open Scripting Architecture, Quick Look, QuickTime, Sandbox, and tcpdump.
An attacker exploiting these flaws could execute arbitrary code on the system, modify restricted areas of the file system, read kernel memory, leak sensitive user information, or cause denial of service. Some of the flaws could allow malicious apps to read restricted memory.
The most affected component was tcpdump, with 90 vulnerabilities addressed in it. Other components that saw a large number of issues addressed in them include apache, with 12 bugs, and Kernel, with 11 flaws.
Apple also released Safari 11.1 this week with patches for 14 issues, along with iTunes 12.7.1 for Windows and iCloud for Windows 7.1, each meant to address 13 issues. All three application releases resolve the aforementioned 13 vulnerabilities in WebKit.
Developers, makers and hobbyists looking to create their own open standards Internet of Things Gateway may be interested in a new piece of hardware which has been created by the team of developers at Libelium based in Spain. Agile has been designed to put the world of Internet of Things “within reach of anyone” and offers a modular and adaptive gateway specifically designed for the creation of Internet of Things projects and devices. Watch the demonstration video below to learn how you can create your very own Internet of Things network using the power of the Raspberry Pi mini PC.
The AGILE consortium is participating in a crowdfunding campaign presenting its new AGILE Gateway. Libelium, one of the partners, is comprised of experienced engineers with many years in the electronics sector. We developed many prototypes to work out bugs and maximize performance. We’ve eliminated many issues present in the early versions. We’ve contacted our current component and PCB manufacturers and they are awaiting our final version. We’re confident that we’ll quickly resolve any issues that might arise during our current phase of testing with the existing prototypes.
Visit the official Kickstarter campaign page by following the link below for a full list of all available pledges which will start shipping during February 2018 enabling you to build your next Internet of Things project.
Wikipedia defines “ambulance chasing” as follows: “Ambulance chasing, sometimes known as barratry, is a professional slur which refers to a lawyer soliciting for clients at a disaster site. The term ‘ambulance chasing’ comes from the stereotype of lawyers that follow ambulances to the emergency room to find clients. The phrase ambulance chaser is also used more loosely as a derogatory term for a personal injury lawyer.”
Unfortunately, it seems to me that we in the security field suffer from a bit of an ambulance chasing problem. Of course, it is not personal injury lawyers I am referring to here, but rather, something else entirely.
From time to time in security, we experience certain high profile incidents. A big breach. A vendor slip-up. A serious vulnerability. A noteworthy attack. This is the ebb and flow of life in the security profession. In and of itself, the fact that these attention-grabbing events happen from time to time isn’t particularly shocking.
What is somewhat alarming, however, is the way in which the community typically reacts. Of course, the practitioners – those toiling day in and day out to defend and protect their organizations, don’t have much of a choice in how they react. They will have enquiries from management, conference calls, investigation, response, and a host of other activities to take care of.
But let’s take a look at how those in the security community who do have a choice in how to respond typically do so. In particular, let’s pay close attention to how those who have either an ability or an obligation to be seen as leaders typically respond.
To the disappointment of many in the security community, there are typically two responses, neither of which is particularly appropriate or helpful:
1. Mocking
2. Ambulance chasing
I’ve previously discussed the issues around mocking and how it is detrimental to and impedes our entire profession. I won’t rehash those points in this piece.
Instead, in this piece, I will delve into the topic of ambulance chasing, and how it also does a tremendous disservice to our security community as a whole. As I’m sure you’ve noticed, after every notable breach, slip-up, vulnerability, and attack, out come the ambulance chasers. There are essentially three main forms of ambulance chasing that I see:
● Vendors that pitch the message that “our product is 100% effective against <item du jour>”.
● Consulting companies that claim that “we ensure our customers never fall victim to <item du jour>”.
● Enterprises that run with the message “we take security so much more seriously than our competitor as evidenced by <item du jour>”.
We’ve all seen this type of behavior rampantly, unfortunately. But have we thought about how it harms our industry? Let’s take a look at a few of the ways in which this behavior is harmful:
If you haven’t already heard the term “vendor fatigue”, you will likely come across it soon. Simply put, there are nearly 2,000 vendors in the security space spanning upwards of 50 distinct markets. Besides overlap in functionality, many vendors have nearly identical messaging. So, if you think about it from the perspective of a security leader on the buying side, you quickly see that the onslaught of vendors is exhausting. It’s difficult to keep up with the sheer volume of pitches coming at you. At some point, it all begins to blend together. Ambulance chasing merely worsens vendor fatigue, making it that much harder for a vendor that has a real solution to one of an organization’s problems to get any mindshare.
As I mentioned above, there are nearly 2,000 security vendors in the security space spread across upwards of 50 markets. Even the most seasoned security practitioners have trouble keeping up with the security market. It’s hard to know what’s really what sometimes, and which vendors can solve which problems. All that market confusion makes it difficult for buyers to really hone in on the solutions they are looking for, and also makes it difficult for vendors to articulate the value they’re providing and which problems they’re solving. What effect does ambulance chasing have here? If you employ it as a marketing technique, it might get you labeled as <item du jour> vendor. But are you sure that’s what you really want? Keep in mind that the <item du jour> changes regularly, and that market confusion makes it difficult to change perceptions. Need an example? When was the last time you were in the market for an “anti-APT” solution?
Adrift in a Sea of Hype and Buzz
The state of the security market has more or less caused most security professionals to consider any security marketing pure hype and buzz. Of course, that’s not actually the case — there are some very good vendor products and services out there that address some important challenges. But ambulance chasing is one of the reasons that we find ourselves in this frame of mind. Ambulance chasing is definitely making life a lot harder for those who have something substantive to contribute to the discussion.
If you’re in security marketing, I hope that this piece will give you something to take home with you. The hype and buzz of ambulance chasing may bring you short term attention, leads, and a PR boost. But ambulance chasing seldom results in conversion to real revenue. The people who are drawn to ambulance chasing are not necessarily the same people who make calculated and strategic security buying decisions. In fact, all ambulance chasing really accomplishes is inflicting pain on those serious security professionals that have to deal with its after effects. I encourage you to think long and hard before resorting to ambulance chasing. It’s for your own good, and for the good of the rest of us as well.
Prior to joining IDRRA, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
Handoff is a really great feature of iOS and macOS if you’re the only person who uses your devices. It lets you seamlessly move from doing something on your Mac to doing it on your iPhone, and vice versa.
Samsung, Apple, Huawei Phones Hacked at Mobile Pwn2Own
Researchers have managed to hack the Samsung Galaxy S8, the iPhone 7 and the Huawei Mate 9 Pro on the first day of the Mobile Pwn2Own 2017 competition taking place alongside the PacSec conference in Tokyo, Japan.
The prize pool for the event organized by Trend Micro’s Zero Day Initiative (ZDI) exceeds $500,000 and participants have already earned a significant chunk on the first day.
The day started with an attempt from Tencent Keen Security Lab to demonstrate an exploit against the Internet Browser on a Samsung Galaxy S8. The attempt could have earned them $70,000, but it failed.
However, a researcher from the Chinese security firm Qihoo360 did manage to hack the Internet Browser on the Galaxy S8 (with persistence) and take home the $70,000. The expert achieved code execution in the browser and exploited a privilege escalation in a different Samsung app for persistence after a reboot.
As for attacks targeting Apple’s iPhone 7 with iOS 11.1, the Tencent Keen Security Lab team earned $110,000 for a total of four vulnerabilities allowing code execution via Wi-Fi and privilege escalation for persistence through a reboot. The same team earned an additional $45,000 for hacking Safari on the iPhone 7.
Richard Zhu, aka fluorescence, earned $20,000 for a Safari exploit on an iPhone 7 and a sandbox escape.
The Tencent Keen Security Lab team also took a crack at the Huawei Mate 9 Pro. Researchers failed to hack the device’s NFC system, but they did manage to develop an exploit targeting the Android phone’s baseband, which earned them $100,000.
This brings the total earned by participants on the first day of Mobile Pwn2Own 2017 to $345,000.
No one attempted to hack Google’s Pixel phone or the company’s Chrome browser on the first day, but there are six more hacking attempts scheduled for the second day of the event.
The vulnerabilities exploited at the competition will be disclosed to Apple, Google, Samsung and Huawei, and they will be given 90 days to release a fix before limited details about the flaws are made public by ZDI.
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.