Princeton publishes how-to guide for hacking Sequoia e-voting machines

October 24th, 2008

If you’re American, it’s nearly time to do your civic duty and pick the lesser of two evils for the greater good… and then to wonder if that vote actually got counted. With Diebold admitting its own machines are utterly insecure, competitor Sequoia is now under the microscope and, after a little quality time with the company’s machines, Princeton researchers have filed a 158-page report on the ease of replacing their ROMs and winning yourself an election. Okay, we know what you’re thinking: “Hacking hardware isn’t exactly easy when the computer is in a locked box.” Amazingly, it is. A researcher was able to bypass the physical security mechanisms in 13 seconds, despite never having picked a lock before. Now you’re thinking: “But you’d need to do that on hundreds of them!” Not so; once a machine is infected, the malicious code can spread itself to others, and, with no paper trail and an easily bypassed internal audit system, you’re well on your way to whatever dark corner of Washington, D.C. you care to occupy!

[Via Ars Technica]


Unloved e-voting machines cluttering warehouses, losing value fast

August 21st, 2008

Just as the world’s landfills could soon see an influx of unwanted televisions, many American warehouses are packed with e-voting machines that once held promise for a better way to vote. Instead, they turned into a multi-year fiasco, with hackers figuring out how to do everything save for their income taxes on ‘em and states reverting back to less vulnerable methods. Now, many states are scrambling for ways to recoup costs, even for outlets that will take them in for recycling. Oddly, Ohio cannot ditch the systems it purchased until a couple of related lawsuits get dealt with. The result? Buckeyes will probably still be using e-voting machines come November.

[Via Slashdot, image courtesy of BradBlog]


How to reveal blocked caller ID info: a video guide to risky behavior

July 21st, 2008

Let’s say for some reason someone has his or her caller ID blocked and is calling you all the time. Let’s then say you really want to know who that person is for, you know, whatever reason — not that we’d know anything about that. Some crafty phreaker types have come up with a way to do this using an enterprise-spec Asterisk box and a SIP trunk provider. In a demonstration video, a hacker tweaks said Asterisk box with some new configurations to strip out privacy flags, forward the call to another number, and ultimately reveal caller ID information which, surprisingly, is still available. This isn’t meant to be easy, but if the terms “prepend,” “SIP trunk,” and “Asterisk box” don’t scare you away, go ahead and watch the video after the break. Big disclaimer: we’re not responsible for your broken gear, jail time, or restraining orders.


UK court rules that modchips do not circumvent copyright protection

June 13th, 2008

Here in the US, we’ve heard some pretty terrifying experiences about selling modchips, but it seems as if higher-ups in the UK are being a bit more reasonable about the whole thing. Reportedly, UK-based MrModchips was cleared of all 26 counts against him for his role in importing and selling console modchips, as the Court of Appeal Criminal Division (Judge Justice Jacobs, in particular) ruled that said chips do not circumvent copyright protection. Better still, the defendant was “awarded full costs as a result of his successful appeal,” and we can only assume he was smiling all the way out of the crowded courtroom. Chalk one up for the little guy.

[Via Slashdot]


aTV Flash voluntarily pulled until further notice

May 30th, 2008

Ah, bugger. Just days after Apple Core began offering its aTV Flash on a foolproof USB stick, the outfit has officially pulled the software. Apparently there have been a few “questions arising regarding the fair use of a particular file present on the aTV Flash, and conflicting opinions as to whether or not it falls under the fair use category.” In order to keep itself off of the hot seat, it has “proactively” (and voluntarily) discontinued offering the product “until further notice.” Not all hope is lost, however, as Apple Core is currently working with the party in question to resolve the dilemma, and it should be keeping us all in the loop as discussions progress. Oh, and in case you’re curious — all current orders were canceled and refunded.

[Thanks to everyone who sent this in]


aTV Flash goes commercial: plug-and-play hacks for your Apple TV

May 23rd, 2008

Engineering souls have been hacking up the Apple TV for a good while now, but those too scared of completely ruining their box have had to sit patiently on the sidelines waiting for someone else to do their dirty work. Enter aTV Flash, a USB flash drive which enables your Apple TV (Take 2 included) to do all sorts of fancy new tricks without any fuss. Those with the drive simply plug it in and watch as new file formats become supported, UPnP media streaming opens up and Safari-based web browsing becomes a reality (among other things). Granted, the convenience will cost you $59.95, but that’s the price you pay for making your life easier (and your Apple TV a little more useful).

[Via TUAW]


Phlashing PDOS firmware attack could permanently disable hardware

May 20th, 2008

You know all that network hardware that runs quietly 24 hours a day in server rooms around the world? What if black-hats could exploit remote firmware flashing utilities to take over — or completely destroy — vulnerable gear? Though still theoretical, PDOS — permanent denial-of-service — attacks will be demonstrated by researchers from HP Security Labs at the EUSecWest security conference in London this week. “Phlashing”, as it’s being referred to, focuses on exploiting network-enabled firmware updates, making use of a fuzzing tool that tricks hardware into flashing anything from back-door access to a corrupt image, causing complete and permanent hardware failure. There’s no reason to panic just yet (especially not when it comes to consumer devices, which typically don’t support remote firmware updates), but given the amount of unattended and relatively dormant enterprise network hardware out there, this could be something for admins to seriously think about.

[Via Slashdot]


Linux becomes only OS to escape PWN 2 OWN unscathed

March 29th, 2008

After a week full of Red Bulls, Fruit by the Foot and dreams of In-N-Out, the mighty Sony VAIO loaded with Linux stood as the only machine unhacked by the end of the PWN 2 OWN hacking contest at CanSecWest. As you’re well aware by now, the MacBook Air on display was seized in two minutes by the presumably well prepared Charlie Miller, and after two full days of work, Shane Macaulay and a few of his 1337 associates managed to crack the Vista rig on Friday. Reportedly, Shane and his pals weren’t expecting to do battle with the extra protected SP1 version of Vista, and while the exact loophole won’t be divulged, we are told that it was a cross-platform bug that “took advantage of Java to circumvent Vista’s security.” In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them “didn’t want to put the work into developing the exploit code that would be required to win the contest.”

[Image courtesy of TippingPoint]

 


Researchers warn of hacking risks to heart devices

March 12th, 2008

While it should hardly come as a surprise given the near constant stream of hacking fears we hear about these days, researchers are now warning about a possible vulnerability to an especially important bit of technology: medical devices that control the human heart. As The Wall Street Journal reports, the concerns are mostly centered around so-called “programmers,” which are devices used to wirelessly communicate with the implanted defibrillator or pacemaker. Those devices are obviously only sold directly to physicians by a select group of companies but, as the researchers warn, it is at least conceivable that hackers could transmit the same radio signals using another device, allowing them to shut down the defibrillator or deliver a shock, or possibly even obtain a patient’s medical information. The researchers are quick to point out, however, that this is “theoretical risk, not an actual risk,” and they’re not recommending that anyone consider deferring an implantation or removing a defibrillator.

[Image courtesy of Medtronic]

 


Researchers claim GSM calls can be hacked on the cheap

February 21st, 2008

Callers, your worst nightmare is coming true… maybe. According to a report, a group of hackers at the Black Hat conference in Washington D.C. claim that they’re able to hack GSM calls with equipment costing about $1,000. If you believe the team (and we’re inclined to at least have a listen), they can decrypt GSM phone conversations and text messages on a network using inexpensive tools called field programmable gate arrays. Until now, the cost of the technology required to hack GSM transmissions has been prohibitively expensive for all but your government and large-scale snooping operations, but that’s beginning to change. Not only can this technique allow access to calls, but some of the tech demonstrated at the conference might also enable a user to pinpoint a phone’s distance from the surveillance hardware, and find out what type of device is being used. There was no mention of CDMA hacking, so you might want to move over to Sprint for all your seedy activities. Er, we mean stay on Sprint.

 


PSA: Super Duper Tuesday voting machines could be at risk

February 5th, 2008

Attention voters: if you’re casting your ballot for a special someone on this Super Duper Tuesday, you might want to hear what the folks over at Common Cause have to say. The nonpartisan, nonprofit voting machine watchdog wants you to know that six out of the 24 states involved in the presidential primaries today are using voting machines that are at “high risk” for malfunction or tampering. In all, 17 states have some risk factor — based on the advocacy group’s rating system — though the machines in Arkansas, Delaware, Georgia, New Jersey, New York, and Tennessee are the most likely to give the votes to Darth Vader, Dr. Evil, or Lord Voldemort. You have been warned.

 


Teen hacks tram system, derails trains

January 11th, 2008

In yet another “innocent prank” that turned out to have very real-world effects, a 14-year-old Polish boy has admitted to modifying a TV remote in order to manipulate the junction-switching devices on the Lodz tram system, resulting in four derailed trains and 12 injuries. According to reports, the teenager snuck onto tracks to study the switching mechanisms, and used the resulting knowledge to re-direct trains “like any other schoolboy might a giant train set,” as a police spokesman put it. The young man now faces charges in juvenile court for endangering public safety.

 


FAA warns of Boeing 787 hacker vulnerability

January 6th, 2008

Boeing’s still in the final stages of production on its 787 Dreamliner mid-sized jet, but the FAA has already spotted what looks to be a serious security vulnerability in the plane’s IT infrastructure. Apparently the computers that provide the 787’s passenger area with in-flight internet access and other amenities are physically networked with the main plane computers, including control, navigation and communication systems, which could theoretically provide a path for a hacker to screw with the plane, and even go as far as take full control of the 787. Boeing says that it’s aware of the issue and is prepping a solution that will be tested shortly, but we’re not sure what sort of “solution” can beat separating the two systems entirely — which seems like what should’ve been done in the first place. Boeing has more than 800 advance orders for the plane, and should start delivering in November of 2008, but the FAA is requiring that the company demonstrate a fix for this issue before the planes hit the skies.

 


NYC taxis simply running mapping app over unsecured Windows

December 21st, 2007

It’s always interesting when electronic billboards, kiosks, and other installations go haywire and show you the dark heart of Windows lurking underneath, but it’s even more fun when you can actually start poking around — and it looks like there’s a fair bit of poking to do in all those NYC taxis with backseat screens. According to Billy Chasen, dismissing the error message will allow you to get to the Start menu, from which it’s trivial to run the Windows Connection Wizard, set up the Sprint broadband card, and start surfing away. Billy could also browse the filesystem — which may or may not contain credit card data — and it looks like he even had enough access to install any software he could find online. Hmmm, looks like there’s 1000 experience points waiting here for the first person to send in a photo of Engadget on one of these screens — with a 5000 point bonus if it’s in Firefox.

 


Colorado voting machines don’t make the grade

December 20th, 2007

In a terrifically unsurprising blow to electronic voting fans everywhere, Colorado’s Secretary of State has declared the machines unreliable — and apparently in need of a software patch. While not as harsh as some rulings on the systems, Secretary Mike Coffman decertified three out of four machines which had been tested. Why the bad grade? Apparently the machines failed on accuracy and security, two sort-of-crucial components to dependable voting solutions, and two components which have been lacking in many systems. Coffman believes Colorado’s findings could have a larger impact, stating, “What we have found is that the federal certification process is inadequate.” Clearly another blow for the Diebolds (er, we mean Premier Election Solutions) of the world, but hopefully a sign that we can expect tough love for suspect voting machines.

 


Shocker: wireless keylogging is quite easy

December 3rd, 2007

Well as usual, with the benefits of wireless technology come detriments in the form of security holes, and now a pair of researchers from Dreamlab have proven just how easy it is to sniff out the transmissions broadcast by RF keyboards. According to their whitepaper, “27MHz keyboard insecurities,” Max Moser and Philipp Schrödel claim that keystroke signals sent from Microsoft’s Wireless Optical Desktop 1000 and 2000 are encrypted with a simple one-byte offset cipher — meaning that there are only 256 possible keys, with less than 50 sample strokes needed for decryption. And in case you thought you were safe with a non-Microsoft board, think again: Team Dreamlab is busy hacking Logitech’s “Secure Connect” protocol as we speak. [Warning: PDF link]

[Via Hack-A-Day]

 


The Mindstorms NXT gramophone, or, If Edison played with LEGOs

November 22nd, 2007

Lying somewhere between the roboflusher and LEGO car-producing LEGO factory on the practicality scale, José Pino’s Mindstorms NXT gramophone brings together all the fun and tinny sound of this antiquated music system with today’s modern DIY sensibilities. Using little more than an off-the-shelf NXT kit running at 25% power, and, um, a fast food beverage cup, Pino was able to rig together a very basic platform for spinning his vinyl, although scratching is probably not recommended on this rather delicate setup. Keep reading for a quick video walkthrough accompanied by those old-timey tunes so popular among today’s seniors.

[Via Hacked Gadgets]


How to sync an iPhone over WiFi without iTunes

November 21st, 2007

Now that the Zune has upped the ante by including WiFi syncing out of the box, it looks like owners of other devices are starting to rig up solutions of their own — and the iPhone setup developed by eddanx seems to come closest to the ease of the Zune. The system relies on the WinAmp plugin ml_ipod, which supports syncing to shared folders, and requires a jailbroken iPhone and a little SSH / SFTP softshoe. Of course, by giving up iTunes, you give up contact, calendar, movie, and phone syncing as well, but who cares — you’re wireless now, baby. Check the read link for the full instructions.

PS: We’d imagine this would also work on an iPod touch — anyone care to try?

 


Debunk: Yes, Virginia, the iPhone libtiff exploit can also be used for mischief

November 16th, 2007

We’re not really certain why anyone’s surprised by the iPhone libtiff exploit at this point — it’s the entire basis of the 1.1.1 jailbreak, after all — but apparently Fast Company didn’t get the memo, because it just posted up this video of “self-employed security consultant” Rik Farrow using the ’sploit to surreptitiously install a voice recorder on an unpatched 1.1.1 iPhone. That would have been huge news when the iPhone first came out, obviously (and look at that — it was) but FC and Rik are a little late, here: the libtiff exploit has already been patched, first by the Jailbreakme 1.1.1 web-jailbreak and then by Apple in the 1.1.2 update. There’s no doubt that it’s a serious vulnerability — and Rik’s confidently paranoid tone in this video makes it a must-watch — but it’s funny to see people get all worked up over a patched security hole hackers have been exploiting on a variety of devices for some time now.


Woz raps on Apple for lower ideals, locked iPhone, less innovative UI

October 29th, 2007

Joining a growing crowd of people to complain about the general lack of openness in the iPhone is none other than Steve Wozniak, co-founder of the company. Woz has a reputation for being critical of the company he helped create, although no-one would argue that his views are unreasonable: in an interview he calls into question Apple’s treatment of the iPhone as an appliance, and not as a computer platform designed to allow users to install their own apps at will (“I’m really for the unlockers, the rebels trying to make it free.”) He also took a dig at Leopard, saying that OSes aren’t what sell computers these days, and that OS updates today are nothing more than slow improvements, rather than a procession towards a UI that works “for someone who knows nothing about the computer.” Personally, we think these are fair viewpoints: as much as we may hate to say it, a lot of new technology these days requires a compromise. Isn’t it about time compromise took a back seat?

[Thanks, Jame]

 

