Hacker cracks smart gun to shoot it without approval

Smart guns are supposed to be safer than traditional weapons. They’re designed to only fire when paired with a second piece of technology that identifies the shooter, like an electronic chip or a fingerprint.

Supporters say they could stop accidental shootings or misfires, and law enforcement has praised them as a way to keep criminals from using stolen or misplaced guns.

However, like any technology, they’re not unhackable.

A hacker known by the pseudonym Plore doesn’t want to put a stop to smart guns, but he wants the firearm industry, which is increasingly manufacturing these devices, to know that they can be hacked.

The model Plore hacked is called the Armatix iP1. It pairs electronically with a smart watch so that only the person wearing the watch can fire it. The gun and the watch authenticate each other over a short-range radio link.

Plore broke the security features in three different ways, including jamming radio signals in the weapon and watch so the gun couldn’t be fired, and shooting the gun with no watch nearby by placing strong magnets next to the weapon.

“Future smart guns might use different authorization mechanisms,” Plore said. “But you’d want to make future smart guns robust against interference, intentional or unintentional, even if it doesn’t use radio signals.”

One hack involved breaking the gun’s range restrictions. The gun is only supposed to work if it’s within a foot of the watch. But Plore extended the range by using radio devices to trick the gun into thinking the watch was closer than it was.

Another hack stopped the gun from firing. Plore built a device that transmits in the same 900 megahertz band the gun and watch use, a band shared with baby monitors and cordless phones. The device simulated interference, confusing the gun and watch and rendering them useless.


The main reason people are interested in smart guns is to ensure only the owners can control them. But it’s possible to fire the weapon without the watch around, Plore found.

The hacker placed strong magnets next to the body of the gun. That step alone allowed the gun to be fired.

The company has not yet responded to CNN Tech’s request for comment. It previously told Wired the hacks were possible under specific situations with particular equipment.

The spokesman for Armatix also said the company was aware of the gun’s vulnerabilities.

“Our experiences with the strengths and weaknesses of the iP1 system will flow into the next generation of [the] smart gun system,” he said.

Plore is presenting his findings at the Defcon security conference this week. He says that while the instruments he used to study the problem cost thousands, the tools he created to execute the three attacks cost less than $50.

It’s not the first time magnets have been used to hack smart devices. A similar tactic was used to hack into a safe.

“You see the same mistakes repeated,” he said. “Safes and guns aren’t the same devices, but conceptually it was the same attack.”

There are many smart-gun skeptics. Two Arizona lawmakers recently said the technology is still too new and could be dangerous. The NRA has said that while it’s not against smart guns, it does not support legislative restrictions on acquiring non-smart guns.

Smart guns are not yet widespread, and the Armatix iP1 was the only weapon of its type easily accessible to Plore, he said. So while it’s cheap to execute these hacks, a real-world scenario is relatively unlikely.

Plore wants to make sure manufacturers are aware of these flaws in order to make future smart guns safer.

“If you’re going to buy one, you should get what’s on the label,” he said. “You should be able to really get something that provides meaningful security.”

from Business and financial news – CNNMoney.com http://ift.tt/2tNMNlG

Iranian Hackers Used a Fake Persona Named ‘Mia Ash’ To Ensnare Victims

Mia Ash is a 30-year-old British woman with two art school degrees, a successful career as a photographer, and plenty of friends—more than 500 on Facebook, and just as many on LinkedIn. A disproportionate number of those friends happen to be Middle Eastern men, and when she posts coy selfies to Facebook, they shower her with likes. Her intriguing relationship status: “It’s complicated.” No kidding. Mia Ash doesn’t exist.

Instead, she’s a persona, her biography fabricated and her photos stolen from another woman’s online profiles, according to researchers at the security firm SecureWorks. They believe Ash is the elaborate creation of Iranian state-sponsored hackers who have targeted dozens of organizations around the Middle East in a massive, years-long campaign of espionage and possibly even data destruction.

A Phish Called Mia

In February, as SecureWorks helped a Middle Eastern company diagnose an attempted spyware infection, the security analysts found that one of that company’s employees had been communicating with the Ash persona for more than a month. The conversation had begun on LinkedIn, where Ash had approached the staffer with questions about photography. The discussion had moved to Facebook, and the scope broadened to work, photography, and travel.

Eventually, Ash sent the staffer an email with a Microsoft Excel attachment for a photography survey. She asked him to open it on his office network, telling him that it would work best there. After a month of trust-building conversation, he did as he was told. The attachment promptly launched a malicious macro on his computer and attempted to install a piece of malware known as PupyRAT, though the company’s malware defenses prevented the installation.
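The lure above relied on a macro-enabled Excel attachment. The check below is an added example, not code from the article, from Wired or from SecureWorks: a gateway-style inspection that flags Office Open XML documents carrying a VBA project, regardless of the file extension the sender chose. The sample files are constructed in memory as minimal zip skeletons (they are not valid workbooks Excel would open) and the `vbaProject.bin` content is a placeholder, not real macro code; the part names and content types are the ones the OOXML format uses for macro-enabled documents.

```python
"""
Added example (not from the article or SecureWorks): flag Office Open XML
attachments that carry a VBA project, the kind of macro-laden Excel file
the Mia Ash persona delivered. Samples are constructed in memory.
"""
import io
import zipfile

# Content types that only appear in macro-enabled OOXML documents.
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def inspect_ooxml(data: bytes) -> dict:
    """Return indicators of embedded VBA in an OOXML (zip-based) document."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "macro_content_type": False, "vba_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container: .xls (OLE2), plain text, etc.
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a zip, but not an OOXML package
        result["is_ooxml"] = True
        # Compiled VBA always lives in a part named vbaProject.bin,
        # whatever extension the attachment was given.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba_part"] = bool(result["vba_parts"])
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = any(t in ctypes for t in MACRO_ENABLED_TYPES)
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy for an inbound-mail hook: hold any OOXML attachment with VBA."""
    info = inspect_ooxml(data)
    return info["is_ooxml"] and (info["has_vba_part"] or info["macro_content_type"])


def _build_workbook(with_vba: bool) -> bytes:
    """Constructed sample: a minimal zip skeleton, not a workbook Excel would open."""
    main_type = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_vba
                 else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>')
    if with_vba:
        ctypes += ('<Override PartName="/xl/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


SAMPLE_CLEAN = _build_workbook(with_vba=False)   # what a real "survey.xlsx" looks like
SAMPLE_MACRO = _build_workbook(with_vba=True)    # what the lure looks like inside

if __name__ == "__main__":
    for name, blob in (("survey.xlsx", SAMPLE_CLEAN), ("survey.xlsm", SAMPLE_MACRO)):
        verdict = "QUARANTINE" if should_quarantine(blob) else "allow"
        print(name, inspect_ooxml(blob), verdict)
```

The check keys on the package contents rather than the extension, so renaming an `.xlsm` to `.xlsx` does not evade it. It does not cover the legacy binary `.xls` (OLE2) format, which stores VBA in OLE streams; inspecting those needs an OLE parser such as `olefile`/`oletools`. Also note the request to open the file "on his office network": a gateway check like this only helps if it sits in front of that network's mail, and a macro that reaches the desktop still depends on the user enabling content, which is why macro-blocking policy matters as much as detection.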

After digging further into Mia Ash, SecureWorks found that hackers have cultivated the persona as a lure for staffers at target companies for over a year, with the endgame of infecting computers with spyware, and getting an initial foothold into a victim company’s network.

Social engineering, or using human lies and pretenses as a means to lull victims into security slip-ups, is a well-worn page of the hacker playbook. But rarely do hacker groups go to the trouble of building such a long-running, fleshed-out persona as Mia Ash, says Allison Wikoff, one of the SecureWorks researchers who led the analysis, which SecureWorks presented at the Black Hat security conference. She points to Ash’s well-populated Facebook, LinkedIn, Blogger, and WhatsApp accounts, as well as two email addresses, as evidence of the hackers’ persistence and planning. “This is one of the most well-built fake personas I’ve seen,” says Wikoff. “It definitely worked, and worked for well over a year.”

Fake Friend

Examining Ash’s friends on Facebook and LinkedIn, SecureWorks found she had two distinct sets. First, she seems to have befriended prominent photographers to bolster her profile as a bona fide shutterbug. The second group comprised men aged 20 to 40, mostly in Middle Eastern and Asian countries including Saudi Arabia, Iraq, Iran, and Israel, as well as some Americans, who worked as mid-level technicians, software developers, and administrators at tech, oil and gas, aerospace, consulting, and healthcare companies.


Examining the would-be target list in Ash’s friend group, SecureWorks linked her with a hacker group known as OilRig or Cobalt Gypsy, widely believed to be working for the Iranian government in a widespread cyberespionage campaign. (According to at least one analysis from McAfee, that group also collaborated on a more destructive campaign to plant data-destroying Shamoon malware on the networks of more than a dozen Saudi Arabian targets, and SecureWorks’ analysis of the group’s methods also matches a description of Shamoon-planting hackers tracked by IBM.)

In late 2016, SecureWorks spotted that group launching a broad phishing campaign that used PupyRAT as well. A month later, Mia Ash kicked into action at the company SecureWorks aided. Wikoff suggests that means the Ash persona may be used as a secondary tactic: If a specific company’s staff doesn’t fall for more traditional phishing emails, a persona like Ash approaches a specific target there, initiating a professional conversation over LinkedIn, and then building trust via Facebook or WhatsApp before sending the victim a malware payload via email. Based on the time put into the Ash persona, she believes it was likely used repeatedly against the Iranian hackers’ targets. “This is probably a well-oiled machine,” Wikoff says.

Ash to Ashes

After well over a year online, Ash’s LinkedIn profile mysteriously disappeared earlier this month. SecureWorks alerted Facebook to the persona, and the company removed her profile there, too.

SecureWorks also identified the real-life woman whose photos hackers used to assemble Mia Ash’s profiles. But when WIRED reached out to her she declined to speak on the record, and asked not to be identified. Wikoff points to her case as an example of how publicly posting personal photos can have unexpected, creepy consequences. “If you don’t lock down your social media accounts, they can be used in ways that might not directly harm you, but are nonetheless nefarious,” Wikoff says.

But Mia Ash offers a more serious lesson to possible victims of state-sponsored hackers, Wikoff says: Digital honey traps can be highly sophisticated, with personas that appear to have long histories and convincing personalities. And that attractive new Facebook friend may not actually be into your vacation photos.

from Wired Top Stories http://ift.tt/2u1vBnY

An A-ha ‘Take On Me’ Music Video Augmented Reality App

This is a video demonstration of the ‘Take On Me’ augmented reality app developed by Trixi Studios. It puts users right in the middle of the pencil-drawn world of A-ha’s classic 1985 music video. And who hasn’t always dreamed of that? Hanging out with a hunk, evading dudes that want to clobber you with monkey wrenches — that’s a solid fantasy. At least in my opinion, and I practically wrote the book on fantasies. "This is all Jurassic Park erotic fan fiction." Read me some before bed.

Thanks to Andy, who can’t wait for the inevitable Peter Gabriel ‘Sledgehammer’ augmented reality app.

from Geekologie – Gadgets, Gizmos, and Awesome http://ift.tt/2uGEs0j