NFC Flaws Let Researchers Hack ATMs by Waving a Phone

https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale


For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.

Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader—rather than swipe or insert it—to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.

Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash—though that “jackpotting” hack only works in combination with additional bugs he says he’s found in the ATMs’ software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.

“You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here,” says Rodriguez of the point-of-sale attacks he discovered. “If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM—like cash out, just by tapping your phone.”

Rodriguez says he alerted the affected vendors—which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor—to his findings between 7 months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don’t regularly receive software updates—and in many cases require physical access to update—mean that many of those devices likely remain vulnerable. “Patching so many hundreds of thousands of ATMs physically, it’s something that would require a lot of time,” Rodriguez says.

As a demonstration of those lingering vulnerabilities, Rodriguez shared a video with WIRED in which he waves a smartphone over the NFC reader of an ATM on the street in Madrid, where he lives, and causes the machine to display an error message. The NFC reader appears to crash, and no longer reads his credit card when he next touches it to the machine. (Rodriguez asked that WIRED not publish the video for fear of legal liability. He also didn’t provide a video demo of a jackpotting attack because, he says, he could only legally test it on machines obtained as part of IOActive’s security consulting to the affected ATM vendor, with whom IOActive has signed an NDA.)

The findings are “excellent research into the vulnerability of software running on embedded devices,” says Karsten Nohl, the founder of security firm SRLabs and a well-known firmware hacker, who reviewed Rodriguez’s work. But Nohl points to a few drawbacks that reduce its practicality for real-world thieves. A hacked NFC reader would only be able to steal mag-stripe credit card data, not the victim’s PIN or the data from EMV chips. And the fact that the ATM cashout trick would require an extra, distinct vulnerability in a target ATM’s code is no small caveat, Nohl says.

via Wired Top Stories https://ift.tt/2uc60ci

June 24, 2021 at 01:39PM

Android apps are coming to Windows 11

https://www.engadget.com/microsoft-windows-11-android-apps-154014628.html


At its “What’s next for Windows event” today, Microsoft unveiled its latest operating system, complete with a new look and updated features. One of the greatest disadvantages for Microsoft’s app Store is a dearth of compatible apps, which made things like Windows on ARM hard to love. Today, the company announced that Android apps will work on Windows 11.

This means they won't be limited to emulator windows: the integration means they'll appear in the Start menu, show up with their own dedicated icons on the taskbar, and launch from desktop shortcuts, too. They'll start to appear in the Microsoft Store, but you can also install them via the Amazon app store.

Panos Panay said during the keynote that Microsoft is using “Intel bridge technology” to bring this integration, making it “seamless and smooth.” With the plethora of Android apps currently available, Windows 11 looks like it’ll be a much more inviting OS for mobile, touch-centric workflows. 

We’re expecting early builds of Windows 11 to be released through the Insider program as soon as next week, as is typical Microsoft behavior. You can, of course, play with the unofficial release at your own risk, but a full, stable version with all the features announced today is most likely to be available to the public this holiday season.


via Engadget http://www.engadget.com

June 24, 2021 at 10:54AM

How YouTube’s rules are used to silence human rights activists

https://www.technologyreview.com/2021/06/24/1027048/youtube-xinjiang-censorship-human-rights-atajurt/

For over a week now, a corner of YouTube frequented by Kazakh dissidents and close observers of human rights in Xinjiang has been only intermittently available.

On June 15, the YouTube channel Atajurt Kazakh Human Rights went dark, its feed of videos replaced by a vague statement that the channel had been “terminated for violating YouTube’s community guidelines.” A few days later, it was reinstated without public explanation. Then, several days after that, 12 of the channel’s earliest videos disappeared from its public feed. 

Atajurt collects and publishes video testimonies from family members of people imprisoned in China’s internment camps in Xinjiang. To ensure the credibility of these video statements, each public testimony shows proof of identity for the person testifying and the detained relatives. This also underscores the organization’s integrity, says Serikzhan Bilash, a prominent Kazakh activist and the owner of the channel. 

Atajurt has collected thousands of video testimonies from family members of Turkic Muslims who have disappeared in Xinjiang. Witnesses show their identification to prove they are real people.

Accuracy is especially important not just because so little information is coming out of Xinjiang, but also because testimonies often face criticism from supporters of the Chinese Communist Party—who, Bilash says, are looking for any excuse to deny what the United Nations has called “grave human rights abuses” in the province.

After being published by Atajurt, the information in the videos is then used by other organizations such as Human Rights Watch and Xinjiang Victims Database, which documents where detentions are occurring, which communities are most affected, and who has disappeared. One representative of Xinjiang Victims Database told MIT Technology Review that the project linked to the Atajurt videos “thousands of times.”

For years, these videos—which date back as far as 2018—have not been a problem, at least not from YouTube’s perspective. That changed last week. 

“A thorough review”

“We have strict policies that prohibit harassment on YouTube, including doxing,” a YouTube representative told MIT Technology Review on Friday, later adding, “We welcome responsible efforts to document important human rights cases around the world. We also have policies that do not allow channels to publish personally identifiable information, in order to prevent harassment.”

Some videos, like this one, were forcibly turned private by YouTube after being reported for violating its “violent criminal organizations” policy.

This was likely a reference to Atajurt’s display of identity documents, which it uses to confirm the veracity of people’s testimonies. 

Nevertheless, shortly after MIT Technology Review sent a list of questions about the June 15 takedown, and its content moderation policies more broadly, YouTube reversed its position. “After thorough review of the context of the video,” it reinstated the channel “with a warning,” a company representative wrote in an email. “We … are working closely with this organization so that they can remove Personally Identifiable Information from their videos to reinstate them.”

As Atajurt was still considering whether, or how, to comply with these community guidelines, on Tuesday, June 22, YouTube took additional action, locking a dozen of Atajurt’s earliest video testimonies and making them private, saying they were in potential violation of its violent criminal organizations policy, which prohibits content produced by or in praise of criminal groups or terrorist organizations. 

It’s unclear why YouTube considers video testimonies from family members of detained Chinese Muslims to be potentially pro-violent criminal or terrorist, or how this relates to YouTube’s earlier statements that Atajurt was inappropriately sharing personally identifiable information. YouTube representatives said in an email that its action was the result of “automated messaging that in this case is not related to this creator’s content.”

But it is not the first time that Atajurt and Bilash, its founder, have come under attack.

A battle over YouTube, a battle for narrative

In 2019, Bilash was arrested for his vocal criticism of the Kazakh government’s close ties to China, which he blames for its weak stance in support of ethnic Kazakhs caught up in China’s camps. As a result, he faced seven years in jail for “inciting inter-ethnic tensions” and was released only after being forced to agree to stop his activism—an agreement that he ignored once freed. 

Then, in September 2019, after multiple attempts to register Atajurt as a nonprofit in Kazakhstan met with failure, a pro-government group registered a different organization with a similar name and tried to gain control of the YouTube channel. This would have given it access to thousands of unpublished video testimonies that the group keeps private on YouTube at the request of the witnesses. 

In 2020, Bilash fled Kazakhstan for Turkey. Today, he is in exile in Texas, where he thought the channel and its video testimonies would be safe. 

But that was before his videos caught the attention of YouTube community guidelines. 

Before the back-and-forth with YouTube this past week, Atajurt had already received two “strikes” in the past two months for “harassment and cyberbullying”—for including identity cards in videos posted in 2018. Appeals were denied. According to YouTube policy, channels are permanently removed if they receive three strikes within 90 days. 

But supporters say that the strikes were not evidence of a pattern of bad behavior on Bilash and Atajurt’s part, but rather the result of continued mass reporting campaigns by actors affiliated with the Chinese and Kazakh governments. 

Another Atajurt representative showed MIT Technology Review screenshots of what he said were instructional videos shared on WhatsApp, in Kazakh, teaching viewers how to flag Atajurt’s videos en masse to force YouTube to take them down. Earlier this year, similar attacks had caused Atajurt’s Facebook accounts to be temporarily removed.

A common playbook

While there is no definitive proof that either the Chinese or Kazakh government was behind the effort to remove Atajurt’s channel, it follows a playbook that is becoming increasingly common across the world. From the government of Ecuador to the Vietnamese military to US police departments, organizations that do not like critical content are using copyright law and standard social media policies to force—or simply trick—platforms into takedowns.

Hiding behind standard policies and laws that apply to all users is “a way to lend an air of legitimacy to arbitrary political censorship, and it also creates plausible deniability for the censor,” says Nick Monaco, the director of China research at Miburo Solutions and a researcher on state disinformation campaigns. 

“It’s also about finding a way to hide from security teams at these companies—the more reports you have against a targeted piece of content, the more legitimate the complaint looks, and the more incentive the companies have to remove that content,” he adds. “As long as you cover your tracks well, you can use a team of humans and bots to convincingly make it seem like a piece of content is genuinely offending diverse audiences, when in reality all the complaints are coming from one place.”

Deborah Brown, a digital rights researcher at Human Rights Watch, adds that Atajurt’s experience underscores how poorly equipped YouTube is to handle this kind of coordinated action. Her organization had alerted YouTube that the channel had probably been removed in error, she says. But this was not HRW’s job. YouTube could do better, she says, if it had “more contextual knowledge” and built “in-house human rights expertise.”

And weaponizing content moderation is not the only way state actors are trying to control the narrative. Recent reporting by the New York Times and ProPublica found evidence of a coordinated propaganda campaign in which thousands of residents of Xinjiang speak out, following similar scripts, about their rosy lives as a counter to the growing proof of mass detentions and human rights abuses in the Western province.

What next? 

Bilash says he and his team were still considering whether to blur out the personally identifying information in order to comply with YouTube policy when they received the notifications that 12 more videos had been locked for supporting “violent criminal organizations.” 

He had already been skeptical of the company’s stated reasons for his channel’s removal: “Nobody cares about the documents. It is just an excuse from YouTube,” he says. 

Whatever Atajurt decides, being forced to make the decision at all presents the organization with a difficult choice: change its long-standing methods of documenting abuses in Xinjiang and risk being attacked by the Chinese and Kazakh governments for propagating false information—or keep the information up and risk being taken offline by YouTube. 

The strikes, takedowns, and reinstatement may have been intended to deliver a message to Atajurt, but in fact YouTube may be sending an even clearer message to bad actors looking to silence Kazakh dissidents and other human rights organizations: if you want to get rid of critical content, just use YouTube’s own community guidelines as a weapon.


via Technology Review Feed – Tech Review Top Stories https://ift.tt/1XdUwhl

June 24, 2021 at 05:12AM

Warhammer+ Is Already the Best Streaming Service, Because None of the Other Pluses Come With a Free Orc

https://gizmodo.com/warhammer-is-already-the-best-streaming-service-becau-1847160674


He just wants to axe you a question.
Screenshot: Games Workshop

It’s a big plus, you might say.

Games Workshop, the tabletop maestro that’s been slowly building up plans to turn its venerable Warhammer 40,000 and Age of Sigmar properties into transmedia behemoths in recent years, revealed that it too was getting into the oddly large, yet oddly specific “Only Streaming Content Subscription Service Named Something+” a few months ago, to perhaps rightful skepticism. What could the game company possibly offer to sustain a service like that, when its dreams of new animated and potentially live-action projects were still significantly far off?

Now, we have an answer, and it turns out the company actually has quite a bit for Warhammer fans, especially those sucked into the ecosystem already. Revealed as part of a recent livestream, Warhammer+ will debut this summer as a $6-a-month, $60-a-year subscription, tying together various previously established digital systems for Games Workshop’s titles—specifically the paid versions of the Warhammer 40K and Warhammer: Age of Sigmar apps, giving players updated access to digital copies of rules, faction-specific supplements, and army list builders—as well as access to digital copies of the company’s monthly magazine White Dwarf and Warhammer fiction from the Black Library imprint.

On top of this, Warhammer+ will feature original content from the company, both in the form of new shorts like lore explainer series, battle reports of recording tabletop games, and painting guides, as well as previously teased animated series like Space Marine horror Angels of Death, anthology series Hammer and Bolter, or Astartes II, a sequel to the viral fan-made sensation by Syama Pederson, who has been brought in-house to work on the followup.

There will also be physical bonuses to subscribing, which makes sense given Games Workshop’s primary focus is selling you lots of very pretty, very physical models. As well as premium access to the company’s events like the annual Warhammer Fest (when those are, of course, allowed to happen in-person again), subscribers will be able to choose one of two exclusive miniatures for free as part of their subscription, with the opportunity to purchase the other. Warhammer 40K fans can get an Imperial Vindicare Assassin, perched in a ruined Sister of Battle statue taking a shot with their rifle:


While Age of Sigmar fans can opt for an Orruk (read: Orc, but in a way that’s much easier for Games Workshop to trademark) Megaboss:

Both are very cool and quite dynamic, but there’s nothing like a big, armored orc with an eyepatch, brandishing the head of his foe in one hand and an axe the size of multiple torsos in the other. Who needs access to Baby Yoda when you can get that?

Warhammer+ is set to launch in the UK and multiple international markets starting August 25.


via Gizmodo https://gizmodo.com

June 23, 2021 at 06:06PM

How to Work in Virtual Reality, and Why You’d Even Want To

https://gizmodo.com/how-to-work-in-virtual-reality-and-why-youd-even-want-1847145292


Several apps will give you a working environment in VR.
Screenshot: vSpatial

Think of the Oculus Quest 2 and you naturally think gaming: flying through virtual reality worlds, shooting down virtual reality enemies, and so on. But Oculus has been updating its software recently and new features suggest it’s keen to help you get some work done, too—even if we’re still in the early stages of that potential being realized.

The main appeal of a virtual reality environment for work is that you can set up as many screens as you like, of whatever size you like. You can at last get the triple 32-inch monitor setup of your dreams, and your VR desk will always be clean. You’ve got a number of options for setting this up on your Oculus Quest 2, and we’ll take you through them here.

Add a Keyboard and Mouse

There’s an ideal hardware setup for the Oculus Quest 2 when it comes to working, and that’s to buy and install the $60 Logitech K830 keyboard, which has an integrated trackpad. Right now, it’s the only keyboard that you’ll actually be able to see in front of you in full, glorious VR, though we’re expecting more keyboards and more software options to arrive in the future.

You can actually add any keyboard and mouse combination you like right now, though the feature is still marked as “experimental” inside the Oculus Quest 2 settings. Open up Settings via the apps list, then choose Experimental Features. Click Pair and then Pair a new device, put your mouse or keyboard into pairing mode, and you should be able to link the two.

Keyboard, mouse and VR desk support is still being tested.
Screenshot: Oculus


You’ll see there are also Bluetooth mouse and trackpad and Tracked Keyboard settings, if you happen to have the Logitech K830 (or some other compatible device, once we see more of them). There’s also a Bring Your Desk Into VR option: select Add/Remove next to this and you can tell the headset where your desk is. When you get close to it, you can use this as an alternative to your standard playing area, so you’ll see your controllers sitting on the desk, for example.

The fact that this is all labeled as experimental, and only one keyboard is currently supported, tells you that it’s early days. We should see plenty of improvements in the future, and no doubt plenty of tweaks to the settings and options we’ve mentioned so far. Facebook is apparently working on a pass-through window to see any keyboard, though it’s not here yet.

Work With Apps

Unless you’re using the Logitech K830 or are a very gifted typist, you’re probably going to want to see your keyboard. You can do this by replacing the virtual background behind your apps with the pass-through view from the cameras on the Quest 2. Open Quick Settings (from the left of the home menu), then select the Pass-through Home option.

The obvious place to start to get some work done is the built-in browser—it’s at the top of the main apps panel—which can get you to Google Docs, Outlook on the web, or wherever you need to be. Select the three dots up in the top right of the browser interface and you can change the size of the window you’re looking at; above the browser is a + (plus) button for opening up adjacent windows.

Facebook thinks working in VR might look something like this one day.
Image: Facebook

For perhaps an even better option, give Firefox Reality a try. It’s more flexible and versatile than the bundled browser, and it can also open up multiple windows side by side for that really immersive feel (you can surround yourself with web apps, if you want). Unfortunately, for the time being at least, Firefox Reality doesn’t support the VR desk or pass-through background features.

The productivity apps you’ll find in the Oculus Quest 2 library at the moment are mostly related to virtual meetings and graphic design, and we’ll have to wait for the productivity features that we’ve mentioned to be fully integrated and supported before office and messaging apps start showing up. That definitely seems to be the way Facebook wants to go in the future, though, as this demo video shows.

Work From Your Computer

There’s another option here, which is to have whatever’s happening on your Windows or macOS computer beamed over to a VR space that you access through your Oculus Quest 2. Your hardware setup stays pretty much exactly as it already is, but you can access it (from the same room or the other side of the world) through your virtual reality headset. You get to play around with multiple displays and more.

You’ve got a few choices to pick from. Immersed is one of the most impressive, and it’s free if you stick to two virtual monitors, with plenty more options (like a shared whiteboard and customizable workspaces) available for $15 per month and up. You need a desktop client on your laptop or desktop, and the app on your Oculus Quest 2, and then you’re ready to mirror whatever’s on your computer in a VR space.

Immersed is one app that gives you remote access to your computer in VR.
Screenshot: Immersed

Virtual Desktop runs along similar lines, and is also available for Windows and macOS. You only get one screen to work with at a time, but you can resize and position it however you like, and choose from a wide variety of scenarios and backgrounds. Both the apps for your computer and your Oculus Quest 2 are simple to set up and use, and Virtual Desktop will set you back $20.

Finally, there’s vSpatial, which packs in a whole host of features to help you collaborate with others, including screen sharing, chat functions, and plenty more. Like the other two tools, you need to run one program on your headset and one program on your computer to start the remote desktop access on your local Wi-Fi network, and you can take it from there. You can get started with vSpatial for free, with features like group meetings and remote access over the internet costing from $10 a month.

via Gizmodo https://gizmodo.com

June 24, 2021 at 07:06AM