

  • Security risk on in-flight entertainment systems, say researchers

    [Image: Aircraft in front of moon (credit: Reuters). Caption: In-flight systems were "totally compromised" said the research]

    Air passengers could be subjected to a series of "shocking" incidents if security flaws in cabin entertainment systems were abused, say researchers.

    Security experts said they found flaws that let them take over cabin entertainment systems.

    They said this could allow attackers to switch off lights, change altitude readings, display bogus maps and broadcast messages via the PA.

    But the maker of the systems dismissed the findings as "hypothetical at best".

    Accidental discovery

    The weaknesses were found in the Panasonic Aero in-flight systems by Ruben Santamarta, a researcher at security firm IOActive.

    The Aero in-flight systems are used by many different airlines including Virgin, Emirates, Air France, American Airlines and KLM.

    "Security is not one of the system's main strengths," Mr Santamarta told the BBC, adding that the network of seat-back screens and on-board servers would not be able to withstand "solid attacks" from skilled adversaries.

    Mr Santamarta said he started researching the Panasonic systems two years ago when, during a flight to Dubai, he accidentally made the screen for his seat display debug data.

    Via online searches he slowly amassed a trove of information about the Aero system that included code that runs on the seat-back units as well as the on-board computers that keep the whole thing running.

    "I ended up having all the components in my computer so I could emulate the whole system," he said.

    Running a copy of the Aero network let Mr Santamarta winkle out flaws and other bugs that, he said, let him "compromise the entire system".

    Travelling on a flight where attackers got access to the Aero system and turned off the cabin lights, broadcast PA messages and changed maps to make it look like a plane was being diverted or was losing altitude would be "shocking", said Mr Santamarta.

    'Not justified'

    However, in a strongly worded statement, Panasonic said IOActive's conclusions from the copied network were "not based on any actual findings or facts".

    "The implied potential impacts should be interpreted as theoretical at best, sensationalising at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive," said a spokesman for Panasonic Avionics Corporation, a subsidiary of the Japanese electronics giant.

    Panasonic said it had reviewed "all of the claims made by Mr Santamarta" and commissioned tests in 2015 and 2016 to ensure his concerns had been remedied.

    The company rejected claims that credit card information was accessible, saying Mr Santamarta made "incorrect assumptions about where credit card data is stored and encrypted".

    Panasonic also rejected any suggestion that hackers could gain access to flight controls through the in-flight entertainment system.

    In his findings, Mr Santamarta said it did not seem to be possible to cross from the in-flight systems to those that control an aircraft.

    However, he did not rule out the possibility that some airlines had inadvertently joined the two systems giving attackers a route into flight controls.

    "Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible," the Panasonic spokesman said.

  • Google responds on skewed Holocaust search result

    [Image: Google logo reflected in a phone screen (credit: AFP). Caption: Google has been criticised for how some search results - on topics such as the Holocaust and ethnic minorities - are ranked]

    Google has said it is "thinking deeply" about ways to improve search, after criticism over how some results - including ones discussing the Holocaust - were ranked.

    Searching for "did the Holocaust happen?" returned a top result that claimed it did not, as Guardian journalist Carole Cadwalladr reported.

    Now, the ranking has changed for US users.

    The page - from white supremacist site Stormfront - remains top in the UK.

    "This is a really challenging problem, and something we're thinking deeply about in terms of how we can do a better job," said a Google spokesman.

    "Search is a reflection of the content that exists on the web.

    "The fact that hate sites may appear in search results in no way means that Google endorses these views."

    [Image: Danny Sullivan (credit: Danny Sullivan). Caption: Danny Sullivan has met Google engineers and executives to discuss controversy over some search rankings]

    Regarding the recent change in rankings on the Holocaust query, Danny Sullivan, editor of news site Search Engine Land, believes this was due to external parties' attempts to influence the ordering of results.

    Mr Sullivan met Google executives and engineers last week to discuss the issue of questionable result ranking, which also affects other queries about, for example, ethnic minorities.

    "I'm as horrified and disappointed by the results as many people are," he told the BBC.

    However, he said Google - which processes five billion searches a day - was keen to come up with a solution that was broadly applicable across all searches, rather than just those that have been noticed by users.

    "It's very easy to take a search here and there and demand Google change something," explained Mr Sullivan, "and then the next day you find a different search and say, 'why didn't you fix that?' "

    'Hate speech'

    Ms Cadwalladr has accused Google of disseminating "hate speech".

    Other result rankings that she questioned include those for "are women evil?" and "are muslims bad?".

    The BBC has also found that some additional queries, including ones without negative terms, also produce controversial answers.

    For example, searching for "are black people smart?" in the UK returns a "featured snippet" at the top of the results that claims "black people are significantly less intelligent than all other races".

    [Image: Google search results. Caption: Some searches have questionable results at the top]

    Mr Sullivan added that it was far more common for users to search for simple terms, such as "Holocaust" rather than "did the Holocaust happen?" and that the phrasing of the question also affected result rankings.

    He added, however, that Bing - Microsoft's search engine - seemed to be doing "a better job" with these sorts of queries, though it was "not immune" to the issue.

    "It seems to be rewarding Wikipedia more than Google does," he said.

    'No neutral algorithms'

    Some of the concern around the impact that Google search results have on people's perceptions and beliefs stems from research that shows young people, in particular, are increasingly trusting of the site.

    An Ofcom report last month found that the proportion of 12 to 15 year-olds turning to Google for "true and accurate information about things that are going on in the world" had shot up to 30% this year, compared to 17% in 2015.

    More than a quarter of eight to 15 year-olds surveyed believed that if Google lists information then it can be trusted.

    It was important to note that there is no such thing as an "impartial" or "neutral" algorithm, according to Prof Mark Graham at the Oxford Internet Institute.

    "There is no correct answer to some issues," he said, but added that Google was still in a position of responsibility.

    [Image: Google logo on a sign (credit: AFP). Caption: Google has said it is "thinking deeply" about the problem]

    "Absolutely they should face scrutiny because they occupy this position of immense power - they mediate a vast amount of the world's digital information," he told the BBC.

    "I don't think it's good enough to just point to their algorithms and say, 'Well, this is the most popular, this gets the most clicks'."

    As for tackling the proliferation of hate speech, Prof Graham pointed out that many countries around the world have guidelines over what is and is not acceptable - guidelines that Google could, potentially, adopt.

    "They don't have to build those ideas from scratch," he said.

  • Safety test proposal for drone users

    [Image: A drone with a plane in the background (credit: Getty Images)]

    Anyone who buys a drone in future in the UK may have to register it and take a safety test.

    That could be the outcome of a government consultation on strict new drone safety rules.

    There could also be tougher penalties for anyone who flies a drone in a no-fly zone, with the possibility of a new criminal offence of misuse of a drone.

    Drone use has become widespread in the past few years, with drones available cheaply in high street shops.

    The government says drones have enormous economic potential and are already being used by everyone from the emergency services and conservation groups to energy and transport firms.

    But the Aviation Minister, Lord Ahmad, said while the vast majority of drone users were law-abiding, "some are not aware of the rules or choose to break them putting public safety, privacy and security at risk".

    [Image: Drone caught in net (credit: AFP). Caption: Various ways of catching nuisance drones have been trialled - including catching them in nets]

    There are already strict regulations for all drone users.

    Any drone with a camera cannot be flown within 50 metres of buildings, vehicles, people or over large crowds.

    Anyone using a drone for commercial purposes has to register with the Civil Aviation Authority (CAA).

    But now leisure users may have to register their drones and perhaps undertake a test similar to the driving theory test.

    This will apply to any drone weighing over 250g (0.55lb) - which covers just about anything more than a toy.

    Simon Dale, of the FPV group for drone pilots, is unhappy about any plan to make leisure users register.

    "It will impact the safe and sensible drone fliers and will not affect criminals or terrorists," he said.

    Drone users could have to pay a hefty fee, Mr Dale fears: "Setting up a drone equivalent of the DVLA is likely to be costly."

    [Image: Drone at the inaugural Unmanned Aircraft Association of Ireland (UAAI) Meet the Drones showcase event at Weston Airport (credit: PA). Caption: The Civil Aviation Authority said there have been near misses where drones have been flown close to aircraft]

    Leisure drone user Peter Galbavy said the regulations were already too complex and badly framed.

    "What really annoys me is the different rules for drones with or without cameras," he said.

    "It's nothing to do with privacy - it's an assumption that the drone will be much heavier and can drop on people's heads - which is no longer true."

    But concerns about safety have risen.

    Jonathan Nicholson, from the Civil Aviation Authority, said: "We do see a rise in the number of near misses reported by airline pilots, and we have had complaints from members of the public about drones being flown too close to them, which the police receive."

    He urged users to familiarise themselves with the CAA's Drone Code.

    The government says the drone industry could be worth billions by 2025.

    But ministers believe it will only be a success if it is done safely, and with the consent of the public.

    Drone developments

    [Image: Quadcopter (credit: Thinkstock)]

    The UK's proposed safety test is just one of a flurry of drone-related developments in recent days. Others include:

    • Sweden's government has announced it plans to scrap the need for drone operators to have permits if their aircraft are fitted with cameras - a restriction that had effectively banned their use in the country
    • France's national postal service has been given permission to carry out a drone-based parcel delivery service once a week along a fixed nine mile (14km) route in the south-west of the country
    • The retailer 7-Eleven has said it has made 77 drone-based deliveries to customers' homes in the US since November after it began trialling the service with a dozen select customers
    • The US's Federal Aviation Administration has revealed it has processed 23,818 applications to use drones for commercial purposes since it introduced a registration scheme in August
    • Facebook's July test flight of its Aquila drone ended in a crash landing, the US's National Transportation Safety Board has confirmed. It said that it appears that the Aquila aircraft encountered wind gusts that were about twice as strong as it could handle, which caused damage to one of its wings during its final approach
  • Nokia sues Apple in patent dispute

    [Image: A new Nokia 150 phone (credit: Reuters)]

    Finland's Nokia says it is suing Apple for breaching 32 technology patents.

    Nokia's lawsuits have been filed in three courts in Germany and one in Texas.

    The claims cover patents for displays, user interfaces, software, antennas, chipsets and video coding.

    On Tuesday, Apple started legal action against Acacia Research and Conversant Intellectual Property Management, alleging they had conspired with Nokia to extort money from Apple.

    Nokia said: "Since agreeing a license covering some patents from the Nokia Technologies portfolio in 2011, Apple has declined subsequent offers made by Nokia to license other of its patented inventions which are used by many of Apple's products."

    Between 2009 and 2011 the two companies were locked in a series of tit-for-tat legal battles over the patents for the technology they used in their mobile phones.

    At the time Nokia was still the world's leading mobile phone manufacturer, but was being rapidly undermined by the rise of Apple's iPhone.

    In the end the two companies settled, with Apple making an undisclosed one-off payment, and making further royalty payments to use Nokia technology.

    Nokia eventually sold its mobile phone business to Microsoft in 2014, though earlier this year it said it would re-enter the mobile phone business by licensing its technology and brand name to a new Finnish firm called HMD, which is making Nokia-branded phones once more.

  • Netflix US Twitter account hacked

    [Image: OurMine tweets on the Netflix account. Caption: OurMine is notorious for hacking high-profile Twitter accounts]

    The Netflix US Twitter account - with 2.5m followers - has been compromised by a hacker group.

    The group, OurMine, posted tweets promoting its own website and services.

    However, the tweets were removed about an hour after the first one appeared.

    OurMine has hacked several high-profile Twitter accounts this year, including those of Wikipedia co-founder Jimmy Wales, Facebook co-founder Mark Zuckerberg and Google chief executive Sundar Pichai.

    It also hacked the Techcrunch and BuzzFeed websites, as well as the Twitter and Vine accounts of the social media platforms' chief executive Jack Dorsey.

    "Don't worry we are just testing your security," read one of the tweets posted to the Netflix account.

    The hackers told the BBC they still had access to the account, adding that they were still posting tweets, but these were being deleted "by Twitter Support".

  • Smart homes haunted by the cyber-ghost of Christmas future

    [Image: Hacked Christmas gifts (credit: Thinkstock). Caption: This year's Christmas gifts could become hackers' targets in 2017 and beyond]

    This year delivered a chilling warning as we witnessed distributed denial of service (DDoS) attacks on a scale that few thought possible.

    These attacks - where massive volumes of data are thrown at online systems so they can no longer deal with legitimate requests - underwent a step change this year as attackers learned to harness vulnerable devices that constitute parts of the so-called internet of things (IoT).

    One nightmare vision for the future is an internet plagued with DDoS attacks based on IoT devices, including some sitting under your Christmas tree this year.

    Perhaps what we now need is the modern-day equivalent of Dickens's Ghost of Christmas Yet to Come to scare device-makers and the public into changing their ways before it's too late.

    The IoT holds great promise. We have the potential to network a whole new generation of smart devices: everything from fridges, kettles and toasters to the systems that heat your home and keep an eye on your cat.

    The value of being able to control these devices remotely seems obvious, and new forms of convenience will emerge as people think of new ways in which the technology can be used.

    Unfortunately, the technologies that enable these devices to be "smart" can pose a security threat. No one is suggesting that hackers will want to break into your toaster to steal personal data, although some IoT devices will hold data that has value we may not yet understand.

    [Image: Santa hacker (credit: Thinkstock). Caption: Hacked IoT kit can cause disruption to others trying to use the internet]

    But your white goods could be co-opted by hackers to take part in an onward attack, in which the products send huge amounts of junk data and/or a flood of requests to the target, causing it to be overwhelmed. The DDoS attacks we have seen this year were launched by a zombie army of IoT devices formed into what is called a botnet.

    The more devices that can be recruited into these botnets, the larger the volumes of useless data that can be hurled. The largest attack of 2016 saw hundreds of thousands of devices being used simultaneously in what became known as the Mirai botnet, mounting what was a frighteningly simple attack.

    A key lesson from Mirai was that default usernames and passwords are not a secret, and if you use the same ones on every instance of a device it is just asking to be hacked.

    Router manufacturers have had to learn this lesson the hard way but many IoT device manufacturers clearly did not hear the story.

    Manufacturers will always struggle to make internet-enabled devices that are secure for several reasons.

    Firstly, these products are sold as commodities and the Scrooge in all of us sees price as an important factor for such purchases. Designing technology to be secure takes money and when you are selling items where pennies matter, security is likely to be the first area for compromise.

    Secondly, even if a security problem is found, the ability to update the software built into the device - known as firmware - is often very limited. Few owners would know, or should be expected to know, how to update firmware, and manufacturers will not always do so, again because there is a cost involved.

    It does happen with high-end products, such as smart TVs, as well as IoT kit from big-name tech firms - such as Philips Hue, Amazon, British Gas's Hive division and Google's Nest.

    But some of the cut-price products from the more obscure brands do not get the same treatment.

    Lastly, devices such as those likely to comprise the IoT are often forgotten about once in operation. Unlike phones or laptops, owners don't typically look to buy a newer version until it physically stops working.

    [Image: Wi-fi graphic (credit: Thinkstock). Caption: Some IoT devices automatically update their firmware via wi-fi, but this is not always the case]

    As you can expect something like a fridge to last many, many years we have the spectre of an IoT in 10 or even 20 years' time that is populated by devices being bought now, or in the very near future, whose manufacturers may no longer be in business or - even if they are - not interested in updating decades-old kit.

    However, when it comes to DDoS attacks, a partial solution has been available since 2000.

    In that year, a draft standard was issued (with the catchy title BCP 38) that provided network operators with a means to significantly lessen the effects of DDoS attacks. All that was missing was for the providers to co-operate and put it into operation - a situation that may now happen at the prompting of the UK government. Even so, it does not solve this new variant of DDoS attack outright.

    You could take the bah humbug approach and say that you will never buy a device that is either smart or connected, but that won't work. This technology will be present by default.

    Even if you simply try to ignore the smart features you could end up contributing to the problem because owners will need to do a certain amount of checking to ensure they are not unwittingly contributing to online attacks.

    [Image: Ghost of Christmas Future (credit: Thinkstock). Caption: Hacked smart home kit could ruin Christmas - or other days of the year]

    So, if you are lucky enough to receive a smart networked device this Christmas the first thing you should do is check to see if it has a default username and password that needs changing.

    Don't assume that the manufacturers have heard the horror stories of Christmas past, and don't let it become the neglected, dusty box in the corner that is adding to the ever-increasing background noise on the internet. Merry Christmas to one and all.
