Stories with Tag IoT Security

• Breaking into apartment buildings in five minutes on my phone

  permalink

  Posted: 2025-02-24 15:48:16

  Verbose tl;dr

  Security researcher Eric Daigle discovered a significant vulnerability in several "smart" apartment intercom systems. By exploiting a poorly implemented API within these systems, he was able to remotely unlock building doors and individual apartment units using only his phone and publicly available information. He accomplished this by crafting specific HTTP requests that bypassed security measures, granting him unauthorized access. Daigle responsibly disclosed the vulnerability to the affected vendors, prompting them to address the issue and improve their security protocols. This highlighted the risk associated with insecure IoT devices and the importance of robust API security in connected building systems.

  In a detailed blog post titled "Breaking into apartment buildings in five minutes on my phone," security researcher Eric Daigle meticulously documents a concerning vulnerability he discovered affecting numerous apartment buildings utilizing a specific access control system. Daigle commences by elucidating the prevalent adoption of smart access control systems in modern residential buildings, emphasizing the shift away from traditional physical keys towards digital solutions involving mobile applications and intercom systems integrated with internet-connected devices. He then proceeds to describe his methodical process of identifying and exploiting a security flaw within one such system, meticulously outlining each step of his research without divulging sensitive technical details that could be misused by malicious actors.

  Daigle's investigation began with casual observation of the system in his own building. He noticed certain peculiarities in the system's behavior that piqued his interest, prompting further exploration. Through careful analysis and experimentation, using only his phone and publicly accessible information, he discovered a vulnerability that permitted unauthorized access to the building's directory – a digital repository containing tenant names and associated intercom codes. This directory, typically protected behind authentication mechanisms, became accessible due to an oversight in the system's design and implementation. Specifically, Daigle identified a logical flaw in the way the system handled user authentication and authorization, allowing him to circumvent these security measures and gain unauthorized access to the directory.

  The implications of this vulnerability are substantial, as it potentially granted Daigle the ability to access not just his own building, but potentially dozens or even hundreds of other buildings employing the same vulnerable access control system. With access to the tenant directory, an individual could potentially impersonate a resident, gaining access to the building and potentially individual apartments. Daigle responsibly disclosed the vulnerability to the vendor responsible for the system, allowing them time to develop and deploy a patch before publicly disclosing the issue on his blog. He carefully details the responsible disclosure process, highlighting the communication exchanges with the vendor and the steps taken to ensure the vulnerability was addressed before being made public. He concludes by emphasizing the importance of robust security practices in the development and deployment of internet-connected devices, especially those related to physical security and access control. Furthermore, he encourages other security researchers to responsibly disclose vulnerabilities they discover to help improve the security posture of these increasingly ubiquitous systems.

  • Physical Security
  • Apartment Security
  • Building Security
  • Vulnerability
  • Exploit
  • Cybersecurity
  • IoT Security
  • Smart Home Security
  • Access Control
  • Penetration Testing
  • Ethical Hacking
  • Security Research
  • Building Management Systems
  • Smart Locks

  Summary of Comments ( 24 )
  https://news.ycombinator.com/item?id=43160884

  Verbose tl;dr

  HN commenters discuss the prevalence of easily-exploitable vulnerabilities in building access control systems. Several highlight the inherent insecurity of relying solely on cellular connections for such critical infrastructure, pointing out the ease with which cellular signals can be intercepted or spoofed. Others note the conflict between convenience and security, acknowledging that many residents prioritize ease of access over robust protection. Some commenters share anecdotal experiences with similar vulnerabilities in their own buildings, while others suggest potential solutions, such as requiring secondary authentication factors or utilizing more secure communication protocols. The ethical implications of publicly disclosing such vulnerabilities are also debated, with some arguing for responsible disclosure while others emphasize the urgent need for awareness and immediate action. A few commenters question the author's decision to reveal specific technical details, fearing it could empower malicious actors.

  The Hacker News post "Breaking into apartment buildings in five minutes on my phone" (linking to an article detailing vulnerabilities in apartment building intercom systems) generated a robust discussion with over 100 comments. Many commenters focused on the widespread nature of this security flaw and the lack of incentive for property managers to address it.

  Several commenters shared anecdotes of similar vulnerabilities they'd encountered or exploited, including using default passwords, easily guessable codes, or simply bypassing the systems altogether. One commenter described manipulating the intercom system of their own building to open the main door from anywhere in the world. These personal stories underscored the real-world implications of the article's findings.

  A recurring theme was the inherent conflict of interest between security and cost for property management companies. Commenters pointed out that the cheapest systems are often the most vulnerable, and that property managers prioritize minimizing expenses over implementing robust security measures. This created a sense of resignation among some, suggesting that these issues would persist until either regulations changed or a significant security breach forced the industry's hand.

  The discussion also delved into the technical aspects of the vulnerabilities, with some commenters speculating on the specific technologies used in these intercom systems and potential solutions. Some suggested implementing multi-factor authentication or using more secure communication protocols. Others noted the challenge of retrofitting older buildings with modern security systems.

  Several comments highlighted the ethical considerations of vulnerability disclosure. While the original article author responsibly disclosed the vulnerabilities to the affected companies, commenters discussed the potential risks of publicly sharing this information, including the possibility of malicious actors exploiting these weaknesses. This sparked a debate about the balance between transparency and security.

  Finally, a number of commenters expressed frustration and disappointment with the state of security in these systems. They criticized the manufacturers for producing insecure products and the property managers for deploying them. Some called for greater consumer awareness and advocacy to push for better security practices in the industry. Overall, the comments painted a picture of a widespread and persistent security problem with limited incentives for change.

• Removing Jeff Bezos from My Bed

  permalink

  Posted: 2025-02-21 16:27:54

  Verbose tl;dr

  The blog post "Removing Jeff Bezos from My Bed" details the author's humorous, yet slightly unsettling, experience with Amazon's Echo Show 15 and its personalized recommendations. The author found that the device, positioned in their bedroom, consistently suggested purchasing a large, framed portrait of Jeff Bezos. While acknowledging the technical mechanisms likely behind this odd recommendation (facial recognition misidentification and correlated browsing data), they highlight the potential for such personalized advertising to become intrusive and even creepy within the intimate space of a bedroom. The post emphasizes the need for more thoughtful consideration of the placement and application of AI-powered advertising, especially as smart devices become increasingly integrated into our homes.

  In a richly detailed and engagingly humorous narrative presented on the Truffle Security blog, the author recounts their somewhat surreal and ultimately frustrating experience with a malfunctioning Amazon Echo Show device. The chronicle begins with the innocent purchase of said device, motivated by the perfectly reasonable desire to have a smart alarm clock and access to readily available information. This initial acquisition leads to the unexpected and rather unsettling discovery of Jeff Bezos, Amazon's founder and former CEO, appearing on the Echo Show's screen. Not as a static image, mind you, but as an animated, almost lifelike presence that the author describes, with a touch of whimsical hyperbole, as "haunting" their bedside.

  The author meticulously details the escalating stages of their attempts to exorcise this digital Bezos from their bedroom sanctuary. Initially, they attempt to resolve the issue through conventional means, meticulously navigating the labyrinthine menus of the device's settings. This proves fruitless, leading to a progressively more desperate series of troubleshooting steps. They unplug the device, only to have the spectral Bezos reappear upon reconnection. They consult online forums, seeking solace and solutions from the collective wisdom of the internet, but find only echoes of their own bewilderment. They even resort to the drastic measure of a factory reset, a digital equivalent of starting from scratch, yet even this fails to banish the persistent presence of the virtual Bezos.

  Throughout this technological ordeal, the author maintains a witty and self-deprecating tone, interspersing their technical frustrations with amusing anecdotes and observations. They describe the absurdity of the situation, highlighting the contrast between the mundane desire for a simple alarm clock and the unexpected intrusion of a tech mogul into their personal space. The narrative culminates in the reluctant acceptance of defeat, with the author conceding to the continued presence of the digital Bezos, albeit with a newfound appreciation for the unexpected quirks and occasional absurdities of modern technology. The post concludes with a lingering sense of unresolved mystery, leaving the reader to ponder the true nature of this peculiar technological encounter. Was it a software glitch, a hardware malfunction, or perhaps something even stranger? The answer, it seems, remains elusive.

  • IoT Security
  • smart home
  • privacy
  • Security Vulnerability
  • connected devices
  • alexa
  • amazon echo
  • voice assistants
  • surveillance
  • Data Collection
  • Cybersecurity
  • Home Automation
  • vulnerability disclosure
  • responsible disclosure
  • Ethical Hacking

  Summary of Comments ( 8 )
  https://news.ycombinator.com/item?id=43129439

  Verbose tl;dr

  Hacker News users generally found the linked blog post humorous and relatable. Several commenters shared similar experiences with unwanted targeted ads, highlighting the creepiness factor and questioning the effectiveness of such highly personalized marketing. Some discussed the technical aspects of how these ads are generated, speculating about data collection practices and the algorithms involved. A few expressed concerns about privacy and the potential for misuse of personal information. Others simply appreciated the author's witty writing style and the absurdity of the situation. The top comment humorously suggested an alternative headline: "Man Discovers Retargeting."

  The Hacker News post "Removing Jeff Bezos from My Bed" (linking to a Truffle Security blog post of the same name) generated a moderate amount of discussion, with a number of commenters focusing on the technical aspects of smart home integrations and the inherent security and privacy risks they present.

  Several commenters echoed the author's concerns about the pervasiveness of smart devices and the potential for unintended consequences, particularly regarding data collection and privacy. One commenter highlighted the irony of adding complexity to simplify life, noting the potential for things to break down and the resulting frustration. This sentiment was shared by others who expressed skepticism about the supposed benefits of smart home technology compared to its potential downsides.

  Discussion also arose around the specific vulnerabilities of connecting disparate systems. One user pointed out the potential dangers of allowing third-party applications, like the sleep tracking app mentioned in the article, access to core home automation systems. They emphasized that even if individual components are secure, the integration points can introduce vulnerabilities. Another user underscored the risk of relying on cloud services for local network device control, potentially exposing the entire system to outside access through vulnerabilities in the cloud infrastructure.

  The technical details of the author's setup and potential solutions were also debated. Some users suggested alternative approaches to achieve similar functionality without relying on cloud-based integration. One commenter specifically recommended using Home Assistant, an open-source home automation platform, highlighting its local control capabilities and flexibility. Others discussed the benefits and drawbacks of different communication protocols like MQTT and the trade-offs between convenience and security.

  While some users found the blog post's tone humorous, others criticized it for being overly dramatic or for implying that the issues described are unique to Amazon's ecosystem. They argued that similar risks exist with other smart home platforms and that the core problem is the inherent complexity of integrating numerous devices and services.

  Finally, a few commenters offered anecdotes of their own experiences with smart home quirks and failures, further emphasizing the potential for unintended consequences when relying on interconnected technology. These personal accounts resonated with the overall theme of the discussion, highlighting the real-world implications of the security and privacy concerns raised in the blog post.

• Hackers are targeting machine identities;Token Security raised $20M to stop them

  permalink

  Posted: 2025-01-27 20:55:58

  Verbose tl;dr

  Token Security, a cybersecurity startup focused on protecting "machine identities" (like API keys and digital certificates used by software and devices), has raised $20 million in funding. The company aims to combat the growing threat of hackers exploiting these often overlooked credentials, which are increasingly targeted as a gateway to sensitive data and systems. Their platform helps organizations manage and secure these machine identities, reducing the risk of breaches and unauthorized access.

  In an increasingly interconnected digital world, where software systems and automated processes communicate constantly, a new cybersecurity threat is emerging: the exploitation of machine identities. This vulnerability, highlighted by TechCrunch in their January 27, 2025 article titled "Hackers are targeting machine identities; Token Security raised $20M to stop them," poses a significant risk to organizations of all sizes. Traditional security measures, often focused on human users and their credentials, are proving inadequate against this evolving attack vector. Machine identities, which encompass the digital certificates, API keys, and other credentials used by non-human entities like applications, servers, and IoT devices to authenticate themselves, are becoming prime targets for malicious actors. As highlighted in the article, the increasing prevalence of cloud computing, microservices architectures, and the Internet of Things has led to an explosion in the number of these machine identities, creating a vastly expanded attack surface for hackers to exploit.

  The article details how compromised machine identities can allow attackers to gain unauthorized access to sensitive data, disrupt critical infrastructure, and even launch large-scale cyberattacks. By stealing or forging these digital credentials, hackers can impersonate legitimate machines, bypass traditional security perimeters, and move laterally within a network, often undetected for extended periods. This represents a substantial shift in the cybersecurity landscape, demanding new and innovative solutions to protect these vulnerable identities. The article underscores the potential consequences of failing to address this issue, painting a picture of a future where increasingly sophisticated attacks targeting machine identities could cripple businesses and compromise critical systems.

  The TechCrunch article also features Token Security, a cybersecurity startup that has developed a platform specifically designed to address the challenges of securing machine identities. This platform, according to the article, offers a comprehensive approach to managing and protecting these credentials, employing advanced techniques such as automated certificate lifecycle management, real-time threat detection, and robust access control mechanisms. The company’s recent successful fundraising round, securing $20 million in Series B funding, underscores the growing recognition of the importance of this emerging security sector. This investment will allow Token Security to further develop its platform and expand its market reach, helping organizations effectively safeguard their machine identities and mitigate the risks associated with this burgeoning threat landscape. The article concludes by suggesting that investing in robust machine identity management solutions is no longer optional but a critical necessity for organizations seeking to maintain a strong security posture in the face of evolving cyber threats.

  • Cybersecurity
  • Machine Identities
  • Token Security
  • hacking
  • funding
  • Series A
  • Venture Capital
  • TechCrunch
  • startups
  • Authentication
  • Authorization
  • Cloud Security
  • IoT Security
  • API Security

  Summary of Comments ( 2 )
  https://news.ycombinator.com/item?id=42845526

  Verbose tl;dr

  HN commenters discuss the increasing attack surface of machine identities, echoing the article's concern. Some question the novelty of the problem, pointing out that managing server certificates and keys has always been a security concern. Others express skepticism towards Token Security's approach, suggesting that complexity in security solutions often introduces new vulnerabilities. The most compelling comments highlight the difficulty of managing machine identities at scale in modern cloud-native environments, where ephemeral workloads and automated deployments exacerbate the existing challenges. There's also discussion around the need for better tooling and automation to address this growing security gap.

  The Hacker News post discussing the TechCrunch article "Hackers are targeting machine identities; Token Security raised $20M to stop them" has generated several comments exploring different facets of the topic.

  Several commenters discuss the confusing and potentially misleading use of the term "Token Security" for the company's name, given its association with the legacy IBM networking technology. This overlap leads to some initial confusion and humorous remarks. One commenter suggests the name choice is either brilliant marketing for capturing attention or a significant oversight. Another wonders if the founders are even aware of the prior technology. The potential for brand confusion and the possibility of attracting the wrong audience are also raised.

  Another thread focuses on the problem itself, with some skepticism about the novelty of machine identity attacks. Commenters point out that securing machine identities has been a long-standing concern, and that existing solutions like HashiCorp Vault and cloud provider offerings already address this space. They question the unique value proposition of Token Security and whether it offers a genuinely new approach or simply repackages existing solutions. One commenter suggests the company might be focusing on a niche within the broader machine identity security landscape.

  The funding amount also draws attention, with some commenters expressing surprise at the $20 million raised given the perceived lack of innovative differentiation. They speculate on the reasons behind this level of investment, suggesting it might be due to the team's experience, a particularly compelling sales pitch, or investor hype around the security space.

  Finally, some commenters offer more technical perspectives. One outlines a specific scenario involving certificate renewal and the potential vulnerabilities therein. Another highlights the challenges of implementing robust security for non-person entities (NPEs), suggesting a need for tools and frameworks dedicated to this area. There's a discussion about the complexity of managing machine identities, particularly in dynamic cloud environments, and the importance of automation in this process.

• Hacking Subaru: Tracking and Controlling Cars via the Starlink Admin Panel

  permalink

  Posted: 2025-01-23 12:22:19

  Verbose tl;dr

  Security researcher Sam Curry discovered multiple vulnerabilities in Subaru's Starlink connected car service. Through access to an internal administrative panel, Curry and his team could remotely locate vehicles, unlock/lock doors, flash lights, honk the horn, and even start the engine of various Subaru models. The vulnerabilities stemmed from exposed API endpoints, authorization bypasses, and hardcoded credentials, ultimately allowing unauthorized access to sensitive vehicle functions and customer data. These issues have since been patched by Subaru.

  This blog post by Sam Curry details a significant vulnerability discovery within the Subaru Starlink connected car service. The author, through meticulous exploration of exposed application programming interfaces (APIs) and diligent reverse engineering, uncovered a plethora of unauthorized access points that allowed for remote control and tracking of a wide range of Subaru vehicles. The vulnerability stemmed from weaknesses within the Starlink backend infrastructure, specifically concerning authentication and authorization mechanisms.

  Curry's investigation began with the identification of an exposed administrative panel, seemingly designed for internal use by Subaru employees or dealership personnel. Through systematic experimentation with different API endpoints and HTTP requests, he discovered that this panel was shockingly accessible without proper credentials. This unauthorized access granted him alarming capabilities, encompassing not only the retrieval of sensitive vehicle information but also the ability to execute commands remotely.

  The range of controllable functions spanned multiple critical vehicle systems. He demonstrated the capacity to remotely unlock and lock car doors, activate the horn and lights, remotely locate vehicles with impressive precision through GPS coordinates, and even initiate the remote engine start functionality. Furthermore, access to personal information linked to vehicle owners was also possible, including names, addresses, and internal vehicle identification numbers (VINs).

  The potential implications of this vulnerability were substantial, representing a serious threat to vehicle security and user privacy. An attacker exploiting these weaknesses could have potentially tracked vehicle movements, manipulated vehicle functions for malicious purposes, or gained access to personally identifiable information. Curry responsibly disclosed these vulnerabilities to Subaru, who acknowledged the issue and subsequently took steps to remediate the security flaws. The post meticulously documents the technical steps involved in uncovering the vulnerabilities, providing detailed explanations of the API endpoints exploited and the HTTP requests used. This thorough documentation underscores the complexity of the vulnerability and serves as a valuable resource for security researchers and automotive manufacturers seeking to improve the security posture of connected car services. The case serves as a stark reminder of the potential risks associated with internet-connected vehicles and the importance of robust security practices in their development and deployment.

  • Subaru
  • Starlink
  • hacking
  • Automotive Security
  • Vehicle Security
  • Cybersecurity
  • IoT Security
  • Connected Cars
  • Vulnerability
  • Remote Access
  • tracking
  • Control
  • Admin Panel
  • Automotive Hacking
  • Car Hacking

  Summary of Comments ( 158 )
  https://news.ycombinator.com/item?id=42803279

  Verbose tl;dr

  Hacker News users discuss the alarming security vulnerabilities detailed in Sam Curry's Subaru hack. Several express concern over the lack of basic security practices, such as proper input validation and robust authentication, especially given the potential for remote vehicle control. Some highlight the irony of Subaru's security team dismissing the initial findings, only to later discover the vulnerabilities were far more extensive than initially reported. Others discuss the implications for other connected car manufacturers and the broader automotive industry, urging increased scrutiny of these systems. A few commenters point out the ethical considerations of vulnerability disclosure and the researcher's responsible approach. Finally, some debate the practicality of exploiting these vulnerabilities in a real-world scenario.

  The Hacker News post titled "Hacking Subaru: Tracking and Controlling Cars via the Starlink Admin Panel" generated a moderate amount of discussion, with several commenters focusing on various aspects of the vulnerability and its implications.

  Several comments highlighted the surprising nature of the vulnerability being found in a modern connected car system. One commenter expressed disbelief that such a flaw could exist, stating incredulity at the idea that an entire fleet of cars could be controlled through an exposed admin panel. Another echoed this sentiment, emphasizing the unexpectedness of such a severe vulnerability in a production system.

  A significant thread of discussion revolved around the potential consequences of this vulnerability. Some commenters speculated about the motivations and potential actions of a malicious actor exploiting this flaw. One user humorously suggested the possibility of a disgruntled employee using the access to cause widespread disruption. Others discussed the potential for theft, stalking, and other malicious activities enabled by the ability to track and control vehicles remotely.

  The technical details of the vulnerability also drew attention. Some commenters delved into the specifics of the exposed API endpoints and the lack of proper authentication. One commenter questioned why a simple username and password were used for such a critical system, highlighting the lapse in security practices.

  Several commenters discussed the implications for the automotive industry and the increasing reliance on connected car technology. One user expressed concern about the security of similar systems in other car brands, suggesting that this vulnerability might be indicative of a wider problem. Another pointed out the increasing attack surface presented by connected car features and the need for improved security measures.

  A few commenters praised the researcher for responsibly disclosing the vulnerability and working with Subaru to address the issue. They emphasized the importance of ethical hacking in identifying and mitigating security risks.

  Finally, some commenters offered more lighthearted takes on the situation, imagining scenarios like using the vulnerability to remotely warm up their car on a cold morning.

  Overall, the comments on Hacker News reflect a mixture of concern, surprise, and technical curiosity about the Subaru vulnerability. They highlight the growing importance of security in the connected car landscape and the potential consequences of overlooking critical vulnerabilities.