Security research firm Rhino Security Labs found a vulnerability in the Amazon Key in-home delivery service’s security procedures that could allow either the courier or even a savvy and malicious bystander to enter your home undetected after the delivery is completed. Amazon has promised to change how Key works in order to make it easier for you to tell when something unusual is happening in this event, but the changes proposed by Amazon don’t necessarily resolve the vulnerability.
Amazon Key is available to Amazon customers who have bought Amazon’s own Cloud Cam security camera and installed it at their front door. If you’re one of those customers, you can select “in-home delivery” as a delivery method when purchasing something on Amazon. Amazon couriers can then authenticate themselves with your Cloud Cam to unlock the door and enter your home to leave the package. However, they can only do this at a home to which they’re assigned to make a delivery and only at the scheduled time. They are recorded by your security camera as they make the delivery, and they must lock the door when they leave. Amazon also tracks which courier is assigned to the delivery, and only that courier has access.
Rhino Labs discovered that a courier equipped with a simple program can use their laptop to fake a command from your Wi-Fi router to disconnect the Cloud Cam from your network. This causes the camera to stop functioning by freezing the image at the last frame. At that point, the courier could re-enter your home, do whatever it is that they want there, and then exit, reactivate the camera, and lock the door as usual. This re-entry would be undetectable by the resident, and it would appear like a normal delivery in Amazon’s data.
In theory, a bystander could also do this as a courier is leaving, but this is less likely for a few reasons. First, the bystander would have to know that delivery was scheduled and that it was to be an in-home delivery. Second, they’d have to do it before the courier locked the door, but the hack prevents the door from locking, and the courier is instructed not to leave until they’ve locked up.
Amazon’s response
Camera functionality is a critical part of Amazon’s security pitch for Key. The company issued the following statement in response to reports about this issue:
We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.
This could help Amazon Key customers know when something is amiss, but it doesn’t prevent the event from happening to begin with. Of course, the Amazon courier would likely be the prime suspect if a robbery or other crime was discovered, but small thefts might not be noticed soon enough to correlate them with the delivery.
Customers and lawyers had already raised concerns about using Amazon Key before Rhino Labs discovered this camera flaw. Rhino Labs founder Ben Caudill told Wired that fully fixing the loophole would need to involve caching video locally even if the camera is disconnected from the network. The Cloud Cam doesn’t currently cache video locally.
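The notification Amazon describes, an alert when the camera goes offline during a delivery, amounts to correlating lock events with camera liveness. The following is an added example, not Amazon's or Rhino Labs' code; the event fields, thresholds and sample timelines are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds, chosen for illustration only.
MAX_GAP_S = 5.0         # longest tolerated silence between camera heartbeats
MAX_UNLOCKED_S = 300.0  # longest plausible unlock-to-lock interval


@dataclass
class Delivery:
    unlock_ts: float
    lock_ts: Optional[float]  # None if the lock never reported re-locking
    # Times at which the backend received a *new* frame. A frozen last frame
    # shown to the viewer does not count, so liveness is judged server-side.
    heartbeats: List[float]


def camera_gaps(d: Delivery, now: float) -> List[Tuple[float, float]]:
    """Return (start, end) spans inside the unlocked window with no heartbeat."""
    end = d.lock_ts if d.lock_ts is not None else now
    inside = sorted(t for t in d.heartbeats if d.unlock_ts <= t <= end)
    # The window edges act as sentinels, so silence right after the unlock or
    # right before the lock is measured as well.
    points = [d.unlock_ts] + inside + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > MAX_GAP_S]


def assess(d: Delivery, now: float) -> List[str]:
    """Human-readable findings for one delivery; an empty list means clean."""
    findings = [
        f"camera silent for {b - a:.0f}s while door unlocked"
        for a, b in camera_gaps(d, now)
    ]
    if d.lock_ts is None:
        findings.append("door never reported locked")
    end = d.lock_ts if d.lock_ts is not None else now
    if end - d.unlock_ts > MAX_UNLOCKED_S:
        findings.append(f"door unlocked for {end - d.unlock_ts:.0f}s")
    return findings


def _beats(start: int, stop: int, step: int = 2) -> List[float]:
    return [float(t) for t in range(start, stop, step)]


# Constructed timelines (seconds relative to the unlock event).
NORMAL = Delivery(0.0, 40.0, _beats(-10, 52))
DARK_WINDOW = Delivery(0.0, 400.0, _beats(-10, 22) + _beats(380, 412))
NEVER_LOCKED = Delivery(0.0, None, _beats(-10, 12))

if __name__ == "__main__":
    for name, d, now in [("normal", NORMAL, 60.0),
                         ("dark window", DARK_WINDOW, 420.0),
                         ("never locked", NEVER_LOCKED, 120.0)]:
        print(name, assess(d, now) or "clean")
```

As the article notes, a check like this only shortens the time to notice; without locally cached video there is still no footage of what happened during the gap.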
Those reports from the summer that Volvo’s parent company had snapped up flying car startup Terrafugia? They were true. Geely has officially completed its acquisition of Terrafugia, turning it into a fully-owned subsidiary of the Chinese automotive giant. Terrafugia will remain based in the US and will continue working on flying cars, but it will have Geely’s deep pockets and automotive experience to back it up. It’s also taking on a new board of directors that includes a mix of veteran Terrafugia backers, Geely execs and Bell Helicopter’s managing director for China.
Terrafugia is quick to address concerns that this could hurt the US economy, however slightly. It received the green light from the Committee on Foreign Investment in the United States, and says it "tripled" its engineer count to nearly 100 in anticipation of Geely’s cash. Terrafugia might not be US-owned, but it’ll contribute to the workforce.
The real question is whether or not this will give Terrafugia the spark it needs. The company promises to have its first flying car on the market in 2019, and its electric TF-X vehicle (above) should be ready by 2023. However, the company’s efforts have been stuck in a seeming limbo: we’ve been talking about its Transition aircraft for years. Geely’s funding and know-how could finally turn those promises into a reality, but it’s far from guaranteed. Also, there’s the not-so-small matter of establishing a market for flying cars. Right now, they’re largely sci-fi fantasies that few people can justify, let alone afford. You may be more likely to see taxi drones than piloted hybrid vehicles.
Most people still don’t know who or what Teenage Engineering is. But, those that do probably think of them as a music company — the iconic OP-1 synthesizer, OD-11 speaker and line of tiny Pocket Operator synths have earned Teenage Engineering that reputation. But more than that, the company is made up of people who love getting weird with hardware design; pushing the boundaries of what can be created is in Teenage Engineering’s DNA.
Two new products Teenage Engineering designed in partnership with Raven Tech were just unveiled at the Baidu World conference in Beijing, China, and they most definitely fit with that ethos. Simply referred to by the single letters "H" and "R," the easiest way to identify devices is to call them smart speakers. But they don’t in any way resemble what Amazon and Google have trained us to think of when we think of speakers that you talk to.
Of the two products, the R is easily more striking. The prototype brings to mind Apple’s iMac G4 with its pivoting arm and screen floating on top of a white dome. In this case, though, the entire construction is much smaller — there’s a speaker base, a six-axis gimbal "arm" and a touch-sensitive, LED screen, all packed into a tiny frame. But unlike the iMac G4, the R can move all on its own. It’s not ready for production yet, but the R uses a combo of motors and software to make the R’s display look at you when you speak to it. Or, it’ll just dance along to music you play.
The H is a bit less ambitious, but no less distinctive. It essentially looks like a stack of colorful drink coasters, and you can even remove the top layer. Just as on the R, that top piece is a touch-sensitive LED array with built-in microphones; it also functions as a remote when you remove it from the rest of the H. Below the screen, the H houses a speaker, more microphones and a rechargeable battery so it can be moved around the home. When it’s connected, you can tilt the screen up so it faces forward when not being used as a remote.
As with everything Teenage Engineering builds, having personality is just as important as having a functional product. "In my head, [the R] is a mix between a plant and a pet," CEO and founder Jesper Kouthoofd told Engadget. "When I was doing the first sketches for the H, I was thinking of fruit. That’s why it’s so colorful. With the R, I thought of flowers."
That personality extends to the display itself. Kouthoofd said that its primary purpose is more for emotional connection and feedback rather than displaying information. It’ll light up and respond to your voice or music that it plays; it can also show small bits of info like the time. But like the Google Home or Amazon Echo, voice feedback is the primary interaction.
While the H responds to users with visuals and sound, the R will add in motion; as such, Teenage Engineering is thinking of the R as its first foray into robotics. "Other robotics companies focus so much on having the unit move around, they don’t really care about the interaction between the man and the machine," Kouthoofd said. "Teenage Engineering believes it has to give something back to the user, at an emotional level." An example of that is how the R will respond to music. Teenage Engineering wrote custom software so that it’ll analyze what’s being played, divide up the beat and dance along, in time. It’ll even recognize when there’s a breakdown in a song and change things up.
Unsurprisingly, building the arm and its motors was the most challenging part of the process, particularly given that the team went from 3D-printed models to a working prototype in about six months. But despite the high level of engineering here, Kouthoofd hopes the speaker will be affordable — relatively speaking. "Hopefully the end product will not be a $2,000 robot," he said, "it’ll hopefully be around $500 or $600." That’s a lot more expensive than an Amazon Echo, but Teenage Engineering isn’t afraid of charging premium prices. The OP-1 synthesizer still sells for $899, while the OD-11 speaker costs $999.
How exactly these products will work remains a bit of a mystery, largely due to the fact that both products are initially only launching in China. Most of the software and AI will be provided by Baidu and digital assistant company Raven Tech, which Baidu purchased earlier this year. Kouthoofd says it’ll essentially do all the smart speaker things that devices from Google and Amazon are doing — it’ll answer questions, play music, let you order food, control smart home devices and generally connect to Baidu’s knowledge graph and servers to pull down info.
Kouthoofd admits that he’s not 100 percent sure how the H will work in use, because his team has been so focused on the hardware side of things. But Raven had already built something similar for China; this new model will likely work the same way, just with Teenage Engineering’s distinctive design language.
Teenage Engineering expects to bring these new products out of China, but it’s not going to be easy. Baidu operates only in China, and its services won’t work with other languages right now — a pretty big requirement for a voice-activated speaker. Kouthoofd casually mentioned the potential of working with Amazon or Google to get their robust voice services on Teenage Engineering products in the future, but it’s not the main focus at the moment.
Besides, Kouthoofd is currently a lot more enamored with the technology coming out of China than what’s going on in Silicon Valley. "Everything comes from Silicon Valley… they dictate what’s cool in the tech world," he said. "I’ve been thinking for two years that it’s a little bit boring, it’s just one voice." But the Teenage Engineering crew looks at China as an opportunity to bring their unique perspective to a massive marketplace. "We bet on China instead of Silicon Valley because that’s where we can make a change," he said. "We can’t really do that in Silicon Valley, it has a really strong voice, but we can be part of China’s voice."
The first step in building that voice starts today: The simpler H model is available for pre-order now, with delivery expected in late December. But the R model is still in the prototype phase. Between that and the new market Teenage Engineering is trying to enter, it’s hard to say how successful the company will be at jumping into China.
But Kouthoofd looks at this as just the beginning of Teenage Engineering’s move to robotics. "We thought about what we can deliver on today, not in a year," he said. "So we built a robot in the home with a face: that’s the H, with its display and voice. The R is like giving it a body… maybe for the next phase we’ll do the legs."
We’ve heard rumblings that Amazon might be ready to take on Blue Apron with "prepared food kits," and now it looks like it’s finally here. Today, AmazonFresh and Allrecipes.com announced a new partnership that will allow for meal preparation delivery. Top recipes on the site will now have an embedded option allowing users to purchase the ingredients for same-day delivery through Amazon Fresh.
To use the service, you should first select AmazonFresh as your grocery retailer of choice in your Allrecipes.com account. Then, find the recipe you want to make and locate the option to send the ingredients to your AmazonFresh shopping cart. This option will only be available on the site’s most popular recipes.
You’ll then be sent to AmazonFresh to check out. While Allrecipes will choose recommended food brands for you, you will have the option to swap them out for your preference in the AmazonFresh cart. You can then select a delivery time, whether the same day or the next, before checking out on Amazon. A spokesperson confirmed to Engadget that this service would only be available in the markets that AmazonFresh currently operates in.
There are a few notable things here. First, this isn’t exactly a Blue Apron analogue. While specific meal ingredients will indeed be delivered to your door, the service does not choose the dishes for you. On the front end, you’ll have to do a little more work, but the flip side is that you can actually choose the dishes you make. In traditional services, you’re locked into a very limited choice of meals per week. The ability to choose your meals (a big complaint amongst subscribers to services like Blue Apron) is really key with this partnership, and likely why it will do well, but the restricted AmazonFresh geography means that it’s not a true Blue Apron competitor.
The end of Verizon’s CDMA network is something that unlocked phone enthusiasts have dreamed about for years. We have all tried to envision a world where Verizon’s lengthy and expensive CDMA testing would no longer be a requirement for phone makers and all of the phones that didn’t previously support that portion of Big Red’s network would soon just work without interference, assuming they were able to attach to Verizon’s LTE network. I hate to drop in on this Wednesday and crush your dreams, but Verizon supposedly has other plans for us.
According to PCMag, which attended a roundtable at Verizon’s New Jersey HQ, come 2020 when Verizon shuts down their old 3G network, they aren’t about to let us all hang out on their network with whichever unlocked phone we happen to be interested in at the moment. Verizon still plans to try and stop unapproved phones that haven’t been tested or certified for its network.
Verizon says that in order to pass its network-compatibility testing, phones have to pass a 3-4 week process that involves “friendly users” in the real world, labs, drivers, and global roaming tests. Once a phone finishes that process, a Verizon SIM will supposedly then work or at least allow the phone to activate.
Verizon told attendees at this meeting that the 3G CDMA network actually hasn’t been a hurdle in recent years for phone makers as they have transitioned to a mostly LTE experience. In other words, they are still putting phone makers through the extensive testing I just described for LTE devices as they prepare for CDMA death in 2020.
So wait, can Verizon actually stop you from slapping an unlocked phone on their network? If history provides us with anything, that depends. For one, I don’t know that I fully believe that Verizon is going to stop unlocked phones from working as they transition to an LTE-only experience. I say that because phones like the Essential Phone went weeks without receiving Verizon certification, yet you could slap in an active Verizon SIM and get service out of the box from day 1. I know because I tried it. The same thing happened with the Nexus 5X and 6P and Nexus 7 LTE and others. There may also be some Block C rules in there that Verizon has to follow when it comes to being open to accepting all phones.
What Verizon will do is make it difficult or impossible to walk into a store with an unlocked phone that hasn’t been certified and get it activated on a fresh SIM. This is how they have operated for years. The trick here is to have an active SIM, which I know, isn’t a situation that everyone is in.
In the end, just because CDMA is going away in the Verizon world, don’t expect it to be open season for your unlocked obsession.
Every year there will be one or two new cars that generate a whole lot of buzz. Cars that generate hype. Cars that people who post on Internet forums salivate over. I’m not talking hand-built exotica with 600 horsepower and six-digit price tags; that kind of unobtanium might make for good desktop wallpaper or bedroom posters but few of us will ever be lucky enough to meet that kind of four-wheeled superstar. No, the kind of machine I’m talking about needs to be within reach of your average working stiff, but still far enough from the default to quicken the pulse. A car like the new Kia Stinger.
We first saw the Kia Stinger at this year’s North American International Auto Show in Detroit in January. Since then it has been a regular on the auto show circuit, as well as popping up at various other events—and a whole load of Kia dealerships—but we’ve had to wait until now to get behind the wheel. In the meantime, it’s built up quite a degree of hype. It’s Kia’s foray into the performance domain, the Korean OEM having concentrated until now on things like build quality and value for money. Those attributes will certainly win sales, but Kia wanted something with a little more passion, a halo car to get people excited. As you’ll find out shortly, it was worth the wait.
Sportbacks are in now
The Stinger first began back in 2011 as the GT Concept, a four-door gran turismo inspired by vintage metal like the Maserati Ghibli, the sort of four-wheeled conveyance that could carry four adults and their luggage across a continent. It’s a four-door sportback (my favorite!) design, styled by Gregory Guillaume at Kia’s German design studio. As the man himself described it, “a true gran turismo, a car for spirited long-distance driving, is not about outright power, hard-edged dynamics and brutal styling, all at the expense of luxury, comfort and grace.” It’s something of a golden age for the performance sportback, what with Audi’s S5 and Buick’s Regal GS also available for similar money. I’m not quite sure why this design convergence has happened, but I hope it continues.
Up front is a recognizably Kia face, but one that has spent some time working out at the gym. Those scoops and vents are functional—the shape funnels air through the front wheel arches to cool the brakes and reduce eddies to ease its passage through the air. The chassis is fashioned from high-strength steel, with some added strength via structural adhesives that bolster the various welds to keep things nice and rigid. (That’s doubly important because one downside to the sportback bodystyle is the large opening at the rear where you’d normally want things nice and buttressed for stiffness.) The attention to airflow extends around the car, with flat underbody panels that lead to a rear diffuser (with a couple of NACA ducts along the way) and rear spoiler to provide downforce at speed. The suspension is a MacPherson strut up front and a multilink arrangement at the rear.
Tested at the ’Ring
There are two choices of engine for the Stinger. The base model—which starts at just $31,900—gets a 2.0L (single-scroll) turbo direct-injection four-cylinder engine, which makes 255hp and 260ft-lbs. The hotter variant (which we drove) is the Stinger GT. This starts at $38,350 and replaces the four-cylinder engine with a 3.3L twin-turbo direct-injection V6. It’s the same engine found in the Genesis G90 which we tested recently, but in this application it’s carrying around almost 1,000lbs less mass, which makes for a much more performance-oriented experience.
In both cases, the Stinger uses an eight-speed automatic transmission, a bespoke Korean gearbox common to other Kias, Hyundais, and Genesises rather than the ubiquitous ZF 8HP. And you can have a choice between rear- and all-wheel drive. As we discovered, you’ll want to save the $2,200 and go for the RWD variant—rather spend that money on some dedicated snow tires if you live somewhere where winter weather is a serious concern. If you do opt for AWD, the car is rear-biased by default, but can send up to 50 percent of its torque to the front wheels.
Further underlining the Stinger’s performance credentials—honed with over 6,000 miles on the Nürburgring Nordschleife, you know—are dedicated oil coolers for the engine and transmission, an optional limited-slip differential for the RWD models (from GKN), and the fact that it comes equipped with Michelin’s latest Pilot Sport 4 tire (a Stinger-specific variant developed with the car’s engineers).
A proper gran turismo?
A good GT car shouldn’t just be fast, it needs to be somewhat luxurious. After all, there’s no point driving across Europe in a day to get to Monte Carlo if you emerge from your car looking like a sweaty, crumpled mess. There is plenty of room thanks to the car’s 114.4-inch wheelbase; even the rear seats get more than 36 inches of legroom and two adults could happily sit back there for hours without complaints. The materials are all of a quality you might not expect of Kia, particularly the GT2-trim level cars, although even the cheapest Stinger is wrapped in leather on the inside.
The GT2 spec cars really are fully loaded; on top of upgraded Nappa leather trim and a 16-way adjustable driver’s seat (versus just 12-way seats in other GTs or 8-way seats in the four-cylinder car) you also get seat coolers (all versions get seat heaters), a suite of advanced driver assistance systems (these are options on the other cars), and a heads-up display. But expect to pay for the privilege—so equipped, a GT2-spec Stinger GT will set you back $49,500. That’s a lot of money for Kia, but you do get a lot of Kia for your money.
But what I imagine you really want to know is what it’s like to drive. After all, so did I, which is why Ars flew me all the way out to Los Angeles. In the morning, my drive partner and I picked an AWD Stinger GT, and I must confess that even after half an hour on the Angeles Crest Highway, I was feeling a little underwhelmed. The car is certainly capable, with plenty of grip for the conditions and an ability to gather speed deceptively, but it didn’t quicken my pulse (in either a good or bad way). Had I come all this way for nothing? Everything was very stable and predictable, although with the traction control turned off it was possible—just about—to provoke the car to break loose.
So, so good to drive
A lunch stop in the shadow of Magic Mountain threw out those first impressions, for it was here that I got my first taste of the RWD version. What a difference! Kia had laid out an autocross course on which we could push the car’s limits. (Kia also brought along some of the rival cars it benchmarked the Stinger against, including the Porsche Panamera, Audi A5 and A7, and BMW 440i Gran Coupe, reflecting plenty of confidence on its part. Although Kia says it doesn’t expect anyone to actually cross-shop a $90,000 Porsche against the Stinger GT, it wanted to show the car could hold its own.)
After just my first run through the cones in a RWD Stinger GT, the past year’s hype all suddenly made sense. The stolid nature of the AWD variant was gone—here is a car that is playful and energetic. This was further confirmed with another run through the canyons on the way back to North Hollywood. The RWD Stinger GT is so much more eager and it flows down the road effortlessly. There’s more grip than you’d think from the front, thanks to the Pilot Sport 4s. Even with traction control on the rear is a little playful, you get that lovely mid-corner yaw that delivers a micro jolt of adrenalin as the limited-slip differential makes its presence known, reminding you that yes, this is a driver’s car.
With TC turned off the rear tires can be lit up with the judicious application of the throttle, and it’s easy to catch and drift. One piece of advice: rather than putting the car in Sport, choose Custom instead, and turn the steering setting back to Comfort. In Sport the steering weights up, but you don’t get any added feel, and the lighter help in the Comfort setting makes for a less tiring drive. (Your options are Smart, Eco, Comfort, Sport, and Custom, and these will remap the throttle, steering, ESC, transmission, suspension, and AWD.)
You’ll also be glad to know that the Stinger GT’s brakes are more than up to the job. Up front these are 13.4-inch four-piston Brembos, and they feel more than up to the job of stopping a 4,000lb (1,814kg) car capable of 167mph (269km/h) flat-out. (The other notable performance spec is its 0-60mph time: 4.7 seconds.) Even sitting in the back during some canyon carving proved comfortable. You obviously lose some of the lateral support that the front seat occupants enjoy, but the primary and secondary ride is good even with the suspension in its harder setting. Four-up you probably won’t want to throw the car around like it’s a qualifying lap, but it’s good to know that if you do the results won’t be nauseous passengers.
Other points to note? Oddly enough for a performance car I managed to exceed the car’s stated fuel economy. Kia quotes 19mpg city, 25mpg highway, and 21mpg combined for the V6 (regardless of RWD or AWD). But with the car set to Smart, I saw more than 30mpg on the freeway legs of our route. Hard driving in the canyons was a little worse as you might expect, at around 13mpg. The infotainment system is adequate—it’s Kia’s latest Uvo3 system which includes some telematics options for your smartphone (diagnostics and geofencing), but the presence of CarPlay and Android Auto is welcome and the optional 15-speaker Harman Kardon sound system was more than acceptable to my middle-aged hearing.
At the risk of repeating myself, I am glad to report that the Stinger GT is indeed one of those cars that lives up to the hype. If you’re one of those Internet commenters who’ve expressed a desire to put one in your driveway, please do, because this car deserves to succeed in the marketplace. Although we didn’t get a chance to try out the 2.0L version, I’m hoping to remedy that soon as Kia has promised they’re being rolled out to the press fleets shortly. As and when that happens, we’ll keep you informed.
For almost two months in 2014, servers belonging to Moscow-based Kaspersky Lab received confidential National Security Agency materials from a poorly secured computer located in the United States that stored the files, most likely in violation of US laws, company officials said.
The classified source code, documents, and executable binaries were stored on a computer that used an IP address reserved for Verizon FIOS customers in Baltimore, about 20 miles from the NSA’s Fort Meade, Maryland, headquarters, Kaspersky Lab said in an investigation report it published early Thursday morning. Starting on September 11, 2014 and running until November 9 of that year, Kaspersky Lab servers downloaded the confidential files multiple times after the company’s antivirus software, which was installed on the machine, found they contained malicious code from Equation Group, an NSA-linked hacking group that operated for at least 14 years before Kaspersky exposed it in 2015.
The downloads—which, like other AV software, the Kaspersky program automatically initiated when it encountered suspicious software that warranted further inspection—included a 45MB 7-Zip archive that contained source code, malicious executables, and four documents bearing US government classification markings. A company analyst who manually reviewed the archive quickly determined it contained confidential material. Within a few days and at the direction of CEO and founder Eugene Kaspersky, the company deleted all materials except for the malicious binaries. The company then created a special software tweak to prevent the 7-Zip file from being downloaded again.
“The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab officials wrote in Thursday’s report. “We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”
Pushing back
The report is Kaspersky’s latest attempt to refute anonymous allegations, reported last month by The Wall Street Journal, The New York Times, and The Washington Post, that hackers working for the Russian government used Kaspersky AV to locate or steal confidential NSA material stored on a worker’s home computer. The initial WSJ report said the AV program somehow alerted the hackers to the presence of the improperly stored files, but the paper said it wasn’t clear how the program detected the material or whether company employees alerted the Russian government of those files.
The allegations, all attributed to unnamed officials with no supporting documentation, helped explain why the US Department of Homeland Security in September took the unprecedented step of directing all US agencies to stop using Kaspersky products and services. A month earlier, according to Cyber Scoop, members of the FBI quietly briefed US companies in the private sector on the threat US officials believed Kaspersky posed to national security. Within weeks of the briefings, retailer Best Buy stopped selling Kaspersky software and offered free removals and credits toward competing packages.
Thursday’s report is Kaspersky Lab’s attempt to fight accusations that could significantly reduce the revenue it generates in the US and potentially US allies. The report expands on preliminary findings it published three weeks ago that challenge the NSA narrative that its highly privileged access to millions of PCs throughout the world helps the Russian government obtain confidential materials from its adversaries.
Smoke Loader backdoor
Thursday’s 13-page report provided more details about a malicious backdoor that infected the Kaspersky customer’s computer when it installed a pirated version of Microsoft Office. The report said that Kaspersky AV first detected the trojan known as Smoke Loader and Smoke Bot on October 4 at 11:38pm EDT. That was 22 days after the AV program first detected the Equation Group files and 15 days after Kaspersky had downloaded the 7-Zip file. For it to have been installed, a user would have to temporarily disable the AV program. Kaspersky Lab officials suspect the user turned off protection when it blocked attempts to install the pirated version of Office and once it was installed, then turned the AV back on.
Smoke Loader came to the attention of security researchers in 2011, when a Russian hacker advertised the Trojan for sale in an underground forum. During the time it infected the computer storing the NSA material, it relied on a command and control domain that was registered to someone using the name Zhou Lou, an address in Hunan, China, and the e-mail address zhoulu823@gmail.com. This analysis, which was published three months before Kaspersky Lab says the Baltimore PC was infected, reports Smoke Loader contained a range of malicious capabilities, including the ability for attackers to remotely control it. There may have been more malware besides Smoke Loader installed on the computer. During the same two-month span, Kaspersky AV provided 121 alerts for non-NSA software.
“The hygiene of this user on the Internet was not very good,” Brian Bartholomew, a US-based principal security researcher at Kaspersky Lab, told Ars. “All that leads to the possibility that there was potentially someone else on that system at the time” the NSA materials were reported stolen. “We see no indications of that, but there is that possibility.”
Kaspersky Lab has additional information about the backdoor here.
One of the few new pieces of information in the report is the revelation of a detection rule Kaspersky Lab added to its AV in 2015. To better detect a surveillance operation known as TeamSpy, the AV program started scanning files that embedded the word “secret” inside its code. A malware analyst, the report said, added it because TeamSpy malware was designed to automatically collect certain files of interest to the attackers. Specifically, files of interest contained both extensions such as .doc, .rtf, .xls, .mdb, and .pdf and words including “pass,” “secret,” and “saidumlo” (the Georgian translation for secret). The 2015 detection rule searched files for strings including:
*saidumlo*
*secret*
*.xls
*.pdf
*.pgp
*pass*
The rule might explain reporting in the latter WSJ article that, citing unnamed officials, said Kaspersky AV “searched for terms as broad as ‘top secret,’ which may be written on classified government documents, as well as the classified code names of US government programs.”
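To make the difference between the two readings concrete, here is an added example (not Kaspersky Lab's rule or code) that treats the listed strings as literal file-collection masks embedded in a binary, asterisks included, and compares that with a plain keyword search. The literal-match reading, the three-hit threshold and the sample byte strings are assumptions made for illustration.

```python
from typing import List

# Strings the article lists for the 2015 rule, taken literally (assumption:
# the article does not say how the strings were matched).
KEYWORD_MASKS = [b"*saidumlo*", b"*secret*", b"*pass*"]
EXTENSION_MASKS = [b"*.xls", b"*.pdf", b"*.pgp"]
MIN_HITS = 3  # assumed threshold; the article gives none


def mask_hits(blob: bytes) -> List[str]:
    """Masks found in blob as ASCII or UTF-16LE, compared case-insensitively."""
    hay = blob.lower()
    hits = []
    for mask in KEYWORD_MASKS + EXTENSION_MASKS:
        wide = mask.decode("ascii").encode("utf-16-le")  # Windows wide string
        if mask in hay or wide in hay:
            hits.append(mask.decode("ascii"))
    return hits


def looks_like_collector(blob: bytes) -> bool:
    """Flag content that embeds both keyword masks and extension masks.

    A file collector needs both kinds of mask in its configuration, so the
    pairing is what separates it from a document that merely uses the words.
    """
    hits = mask_hits(blob)
    has_keyword = any(h.encode("ascii") in KEYWORD_MASKS for h in hits)
    has_extension = any(h.encode("ascii") in EXTENSION_MASKS for h in hits)
    return has_keyword and has_extension and len(hits) >= MIN_HITS


def naive_keyword_hit(blob: bytes) -> bool:
    """The broad reading: any file containing one of the bare words."""
    hay = blob.lower()
    return any(word in hay for word in (b"saidumlo", b"secret", b"pass"))


# Constructed samples, not real malware or real documents.
COLLECTOR = b"MZ\x90\x00" + b"\x00".join(
    [b"*saidumlo*", b"*secret*", b"*.pdf", b"*pass*"]) + b"\x00"
COLLECTOR_WIDE = "*secret*\x00*.xls\x00*.pgp".encode("utf-16-le")
MEMO = b"TOP SECRET//NOFORN\nquarterly_report.pdf attached; password to follow."

if __name__ == "__main__":
    for name, blob in [("collector", COLLECTOR),
                       ("collector (UTF-16LE)", COLLECTOR_WIDE),
                       ("memo", MEMO)]:
        print(f"{name}: masks={mask_hits(blob)} "
              f"mask_rule={looks_like_collector(blob)} "
              f"naive={naive_keyword_hit(blob)}")
```

Under these assumptions the mask rule fires on a binary carrying the collection configuration and stays silent on a document that only contains the words, while the plain keyword search flags the document too.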
Plausible deniability
Like the preliminary findings Kaspersky published three weeks ago, Thursday’s report isn’t likely to change the minds of critics who say the company’s ties to the Kremlin pose an unacceptable risk to US security.
“It’s very, very believable,” Dave Aitel, a former NSA analyst and long-time Kaspersky critic said of the information Kaspersky Lab has brought to light. “But my personal perspective is that it does not address whatever the [US government] has on Kaspersky.”
Still, Kaspersky’s version of events raises a variety of inconsistencies and questions in the narrative provided by the unnamed people cited in the October articles. For instance:
Is the computer Kaspersky described the same one that stored the NSA secrets that were stolen by Russian hackers? If it is, why did the news accounts say the data theft occurred in 2015?
If the PCs are the same, do US government investigators have any evidence it was infected by malware at the time it stored those materials? If yes, have investigators ruled out the possibility the infection played a role in the location or theft of the NSA materials?
How can US government investigators be sure Kaspersky AV was modified intentionally to help Russian spies locate the NSA material?
Representatives with the NSA declined to answer the questions and referred Ars to FBI officials. The FBI declined to comment as well.
In fairness to US officials, there are often valid national security reasons for not providing specific pieces of information when disclosing classified information to reporters. What’s more, if Russian President Vladimir Putin were to order Kaspersky Lab to help steal NSA secrets, it’s not at all clear the Moscow-based company would have a legal mechanism to challenge the demand. Such an order would almost certainly require absolute secrecy and the kinds of vigorous denials Kaspersky Lab is publishing now.
This leaves much of the security world in a geopolitical he-said/she-said duel that makes it hard to know which version of events to believe. This stalemate isn’t likely to resolve itself until US officials provide more details.
“I think it’s plausible that Kaspersky Lab has been used to obtain confidential material, but so far we’ve only seen accusations, largely from anonymous sources,” Jake Williams, a malware expert at Rendition InfoSec who worked in the NSA’s elite Tailored Access Operations hacking group until 2013, told Ars. “Credible evidence and/or on the record statements from the US government are needed before we attack a foreign company.”