Connect with us

Security

Google replaces its Bluetooth security keys because they can be accessed by nearby attackers

Published

on

  • Google offered free replacements of its Bluetooth Titan Security Keys after it found that nearby attackers could access them.
  • Google said the issue does not impact the tool’s ability to prevent remote phishing attacks.
  • The company advised users to continue using the key until a replacement arrives.
CNBC Tech: Google Titan Key 5

Logging in to Gmail on a phone is a cinch.Magdalena Petrova | CNBC

Google found a security issue that could give an attacker access to a users’ device based on a tool meant to keep it secure, the company disclosedWednesday.

Google is offering free replacements of its Bluetooth Low Energy Titan Security Keys after it found that anyone within about 30 feet could communicate with the key and its paired device while a user tried to activate the key or pair their devices.

The Titan Security Key is meant to provide an additional layer of protection for users hoping to prevent their accounts from being taken over by phishing attacks. While Google said the issue does not interfere with the key’s ability to protect users from a remote phishing attack, it still reveals a significant gap in the device’s security.

The flaw could undermine Google’s recent messaging around privacy and security, which has become a hot issue in Silicon Valley. Google CEO Sundar Pichai penned a New York Times op-ed earlier this month advocating for the democratization of privacy after unveiling a host of new privacy features at Google’s developer conference.

Google recommended continuing to use the affected keys until their replacement arrives. As an extra precaution, users should use the keys when they aren’t near other people who may try to gain access to their devices, then immediately unpair the key after signing on, Google said. However, iOS users who have updated the version 12.3 will not be able to sign into any accounts linked to the key until they receive a replacement, according to Google. The company advised staying logged onto accounts on iOS devices until the new replacement arrives.

Google said that only BLE versions of the keys are affected. Devices with a “T1” or “T2″ on the back are eligible for the free replacement by visiting google.com/replacemykey.

Google’s new security key will protect you from phishing attacks

Source: https://www.cnbc.com/2019/05/15/google-finds-security-issue-with-its-bluetooth-titan-security-keys.html

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Bluetooth Flaw Lets Hackers Track Windows, macOS and iOS Devices

Published

on

By

Bluetooth is found in nearly every modern gadget, which is why a newly discovered flaw in the communication protocol should be taken very seriously.

As ZDNet first reported, David Starobinski and Johannes Becker of Boston University outlined in a research paper how smartphones, laptops and wearables can be tracked through an exploit in Bluetooth technology.

According to the document, there is a flaw in the constantly changing, randomized MAC addresses that are designed to keep Bluetooth devices safe from tracking. This security approach could play into the hand of a bad actor, allowing them not only to track a device but also to gain information about its identity as well as user activity.

“The address-carryover algorithm exploits the asynchronous nature of address and payload change, and uses unchanged identifying tokens in the payload to trace a new incoming random address back to a known device,” the paper reads. “In doing so, the address-carryover algorithm neutralizes the goal of anonymity in broadcasting channels intended by frequent address randomization.”

Perhaps most frightening is that this algorithm doesn’t do any decrypting and is based completely on public, unencrypted advertising traffic, according to the paper. Also concerning is that the exploit was tested on the Bluetooth low-energy (BLE) specification, which is found in the latest Bluetooth 5 standard.

The exploit supposedly works on Windows 10, iOS and macOS devices, which includes iPhones, Surface devices and MacBooks. Android devices advertise their traffic in a completely different way (by scanning for nearby advertising; there is no active, continuous tracking) and are immune to the vulnerability.

Researchers who discovered the Bluetooth flaw listed several rules that could protect affected devices, the crux of which is to synchronize any changes to tracking information with changes to a device’s MAC address. Switching Bluetooth on and off on iOS and macOS devices (sorry Windows users, this won’t help you) is a temporary workaround, but it’s up to manufacturers to push out a more permanent solution. However, the Bluetooth exploit was first disclosed to Microsoft and Apple in November of 2018, suggesting it’s not a high priority to those companies. 

“As Bluetooth adoption is projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022, with over half a billion amongst them wearables and other data-focused connected devices, establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance,” the paper reads.

Although no known cases were cited, researchers warn that if the BLE vulnerability remains unchecked, adversaries could eventually combine purchase transactions, facial recognition and other sensitive info with tracking data to create a profile of an exposed user. 

Source: https://www.tomsguide.com/news/bluetooth-flaw-lets-hackers-track-windows-macos-and-ios-devices

Continue Reading

Security

25 million Android devices hijacked by ‘Agent Smith’ malware

Published

on

By

Agent Smith has taken over more than 25 million Android devices in newly found malware that is rampant

Some new information has come out of some security researchers, according to the researchers a new form of malware called ‘Agent Smith’ has hijacked over 25 million Android units.     The security firm called Check Point has recently released a new press release that details the malware, saying that once the malware is installed it begins to look for common apps and replace them with malicious versions of them. The apps that are infected by Agent Smith begin to display crooked ads designed for financial manipulation and gain.   According to Check Point’s Head of Mobile Threat Detection Research, Jonathan Shimonovich, “The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own.” At the moment, most of the infected devices are located in India and surrounding counters, as the malware is distributed through 9Apps which as third-party app store that is popular within those countries.     The origins of the malware have been linked back to China, and according to the security researchers the developers attempted to get some infected apps on the Google Play Store and actually successfully managed to get 11 apps on there. Since the discovery of Agent Smith, Google has removed these apps.   Jonathan Shimonovich gave a statement on the malware, saying “This application was as malicious as they come. Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith. In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection as third-party app stores often lack the security measures required to block adware loaded apps.”

Read more: https://www.tweaktown.com/news/66572/25-million-android-devices-hijacked-agent-smith-malware/index.html

Continue Reading

Security

Microsoft adds new ‘passwordless’ sign-in option with latest Windows 10 20H1 test build

Published

on

By

Microsoft is continuing to roll out new Windows 10 20H1 test builds with incremental new features regularly. On July 10, the company delivered Windows 10 Build 18936 to 20H1 testers in the Fast Ring

Today’s test build adds a new “Make your device passwordless” sign-in option in Settings. By going to Settings > Accounts > Sign-in options and turning on the passwordless option, users will switch all Microsoft accounts on that Windows 10 device to use Windows Hello Face, Fingerprint, or PIN only. As Microsoft notes in its post on today’s test build, this feature is rolling out to a “small portion” of Insiders and will go to more within a week. 

Speaking of passwordless, Microsoft also made available today a public preview of FIDO2 security keys support in Azure Active Directory, which means users can try out the ability to deliver at scale FIDO2 security keys authenticating a user on a Windows 10 Azure Active Directory-joined device.  

Today’s build also adds a new option to create a quick event from the Taskbar by clicking on the date in the taskbar. Users will see a calendar flyout so they can pick their desired date and set a time and location more quickly this way. 

Microsoft also is expanding the availability of the phone screen feature in its Your Phone companion app to more PCs. This feature will be available on Surface Laptop and Laptop 2; Surface Pro 4, 5 and 6; Surface Book and Surface Book 2 starting with Build 18936. 

Source: https://www.zdnet.com/article/microsoft-adds-new-passwordless-sign-in-option-with-latest-windows-10-20h1-test-build/

Continue Reading
Advertisement

Trending

%d bloggers like this: