Slashdot Mirror


Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com)

Researchers have discovered flaws in Samsung's Smart Home automation system which, if exploited, allow them to carry out a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.
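
The redirect flaw in the summary comes down to an authorization endpoint delivering the login result to a redirect address it never checked against the app's registration. As an added example (not code from the article, the paper or SmartThings), the Python below contrasts a loose prefix check with exact-match validation of `redirect_uri`; the client ID, the `.example` hosts and all function names are hypothetical, and the loose check is a constructed stand-in because the page does not say how the vulnerable check was written.

```python
import secrets
from urllib.parse import urlsplit, urlencode

# Constructed client registry (hypothetical names): each client_id maps to the
# exact redirect URIs the app registered ahead of time.
REGISTERED = {
    "lock-manager": frozenset({"https://lockapp.example/oauth/callback"}),
}

# Constructed inputs a validator has to classify correctly.
SAMPLES = [
    "https://lockapp.example/oauth/callback",                      # registered
    "https://untrusted.example/collect",                           # unrelated host
    "https://lockapp.example.untrusted.example/oauth/callback",    # look-alike suffix
    "https://lockapp.example@untrusted.example/cb",                # userinfo in authority
    "http://lockapp.example/oauth/callback",                       # scheme downgrade
    "https://lockapp.example/oauth/callback/../../elsewhere",      # path games
]


def loose_check(client_id, redirect_uri):
    """Weak pattern shown for contrast: prefix match on the registered origin."""
    for reg in REGISTERED.get(client_id, ()):
        parts = urlsplit(reg)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False


def strict_check(client_id, redirect_uri):
    """Return (ok, reason) using exact string comparison with registered URIs."""
    registered = REGISTERED.get(client_id)
    if not registered:
        return False, "unknown client_id"
    if not redirect_uri:
        return False, "missing redirect_uri"
    try:
        parts = urlsplit(redirect_uri)
        parts.port  # accessing .port raises ValueError for a malformed port
    except ValueError:
        return False, "unparseable redirect_uri"
    # The checks below are redundant with the exact match; they exist so the
    # rejection reason in the server log says what was wrong with the request.
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in authority"
    if parts.fragment:
        return False, "fragment present"
    if redirect_uri not in registered:
        return False, "not an exact match for a registered URI"
    return True, "exact match"


def handle_authorization_request(client_id, redirect_uri, state, issue_code=None):
    """Decide what the authorization endpoint does after a successful login."""
    issue_code = issue_code or (lambda _cid: secrets.token_urlsafe(16))
    ok, reason = strict_check(client_id, redirect_uri)
    if not ok:
        # On a bad redirect_uri the server shows the error itself and never
        # redirects the browser to the address supplied in the request.
        return {"action": "show_error", "status": 400, "reason": reason}
    # The registered URI in this example has no query string, so "?" is safe.
    query = urlencode({"code": issue_code(client_id), "state": state})
    return {"action": "redirect", "status": 302,
            "location": f"{redirect_uri}?{query}"}


def compare_checks(client_id="lock-manager"):
    """Run both checks over the constructed samples: (uri, loose, strict, reason)."""
    rows = []
    for uri in SAMPLES:
        ok, reason = strict_check(client_id, uri)
        rows.append((uri, loose_check(client_id, uri), ok, reason))
    return rows


if __name__ == "__main__":
    for uri, loose, strict, reason in compare_checks():
        print(f"loose={loose!s:5} strict={strict!s:5} {reason:40} {uri}")
```
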

77 comments

  1. All your house... by npslider · · Score: 1

    ... are belong to us!

    1. Re:All your house... by jellomizer · · Score: 1

      To be fair, for most homes, they can be broken into rather easily. There is undoubtedly a door or window which is unlocked, or a lock that isn't properly set up so you can open it with a credit card. Even with alarms, if the person gets overzealous with their home security people are too used to hearing the alarm, so the crook can go in, get stuff and get out until the neighbors complain about the noise.

      Locking your doors is really just saying, I am not home and please don't come in.

      The home security industry really just plays on people's fear about getting broken into than actually offering any real benefit.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:All your house... by npslider · · Score: 1

      The home security industry really just plays on people's fear about getting broken into than actually offering any real benefit.

      Speaking of that, my wife and I keep seeing the same 'home security guy' prowling the street like a cat deciding which mice to pounce on. Makes me think of the movie Home Alone; a crook in a cop uniform... I love that movie.

      To top it off the insensitive clod knocks on the door at 9 pm... Perhaps it's time to drop the hot heating coil on the door knob...

    3. Re:All your house... by Gilgaron · · Score: 1

      One of the door to door sales guys even admitted to me that a dog was a better security system than a security system. I looked it up after he left and apparently due to false alarms home security alarm calls are lowest priority for police, so the thieves know they have a good 10 minutes at worst to grab your TV and jewelry before they split, but few want to risk a dog bite. The article had also said that the security system sign, on the other hand, is about as good a deterrent as actually having the system since some will pass on by just to be on the safe side.

    4. Re:All your house... by JaredOfEuropa · · Score: 1

      That was my thought as well. High-tech attacks are becoming more prevalent with car thieves; they use replacement ECUs, devices to hack into the car's electronic locks, and GPS / GSM jammers to disable Lojack-type protection. They go to such lengths because car security got to the point where a low-tech attack is likely to get you nowhere. But low-tech attacks are still enough to get you into most homes. Hackers fiddle with lockpicks, create fake master keys or keys for lock bumping, explore weaknesses of specific brands and types of locks. Regular burglars will just brute-force their way in or exploit typical weaknesses in windows and doors. Even disregarding more "advanced" techniques like flipping a lock with a credit card, or the "Bulgarian method" (snapping a Eurocylinder lock with a wrench), a lot of homes are amazingly easy to get into.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:All your house... by npslider · · Score: 1

      Or just a sign that says "Beware of Dog".

    6. Re:All your house... by JaredOfEuropa · · Score: 3, Insightful

      That's where a typical home automation setup may give you an advantage over a regular alarm system. You can have it set up so that it will warn *you* instead of the cops, and let you check out the house on your cell phone using security cameras. You can then call the cops: over here they will try to respond quickly if you tell them that your house is being burgled right this minute.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    7. Re:All your house... by Anonymous Coward · · Score: 0

      I always say, for most people a door lock is to make family and neighbors knock. A burglar can easily break a window, or take a crowbar to a door. Insurance takes care of everything else. Even for home monitoring that is cloud connected or uses a phone backup, cutting a single family home off the internet is as easy as cutting a few low voltage wires on the side of the house.

    8. Re:All your house... by BarbaraHudson · · Score: 3, Funny

      Beware of BIG Dog.
      (He likes people ... preferably with ketchup)

      FTFY

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    9. Re:All your house... by Anonymous Coward · · Score: 0

      I don't have a dog, but I have a .45 and a cat, will that do?

    10. Re:All your house... by jellomizer · · Score: 1

      Not much if you are away from your home.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    11. Re:All your house... by npslider · · Score: 1

      Who doesn't like ketchup.

      Anything can taste good with enough Ketchup!

    12. Re:All your house... by HornWumpus · · Score: 1

      You just acknowledged that _you know_ your dog is a hazard.

      Hope he doesn't bite anyone, because you just volunteered to pay punitive damages. Thanks shysters.

      The only sign you want is 'No Trespassing'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    13. Re:All your house... by BarbaraHudson · · Score: 1
      Even beans. Human beans. :-)

      I would make an exception for liver - nothing makes that tasty.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    14. Re:All your house... by Gilgaron · · Score: 1

      That's a good point and use case! Although apparently with the security of those things someone in Romania is going to ransom me for Bitcoins not to SWAT me while I'm eating breakfast.

    15. Re:All your house... by TWX · · Score: 1

      Can confirm. Got wife a t-shirt that says, "I put ketchup on my ketchup" because it's true.

      --
      Do not look into laser with remaining eye.
    16. Re:All your house... by npslider · · Score: 1

      Just as having a security sign w/o the system can be a potential deterrent, so can the "Beware of Dog" sign, minus the sign.. after all maybe there is a dog, but he's just always on break.

    17. Re:All your house... by TWX · · Score: 1

      In theory if you have a monitorable camera system, a competent security company will check the camera feeds soon after the alarm notification. Obviously this requires that their access to the cameras works properly, and that they respond to alarms quickly, but it's still doable.

      For a security system to work best you need all points of entrance except for one to be instant-trip, as in, if someone attempts to enter through any door other than a particular one, the alarm immediately goes off and trips the notification. If a door has a grace period to deactivate the system then a quick smash-and-grab may be over before the security company even gets the notice that there's an alarm.

      Lastly, even though some may argue against it from a fire safety perspective, use double-cylinder locks, so that a key is necessary to open the door from either side. If a thief breaks in through a window on the backside of the house to avoid attracting too much attention they won't be able to just open the front door from the inside to run off with your stuff.

      --
      Do not look into laser with remaining eye.
    18. Re:All your house... by npslider · · Score: 1

      *Minus the DOG rather...

      I'd blame auto-correct, but I'm on a Windows box this time,

    19. Re:All your house... by Anonymous Coward · · Score: 0

      But the cat graduated top of his class in the Navy Seals, and he's been involved in numerous secret raids on Al-Qaeda, and has over 300 confirmed kills. He is trained in gorilla warfare and he's the top sniper in the entire US armed forces. Thieves are nothing to him but just another target. He will wipe them the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. They think they can get away with stealing my shit? Think again, fucker.

    20. Re:All your house... by jellomizer · · Score: 1

      But does the cat care enough about you to go thru the effort?
      Or just glare at the burglar if he eyed the food dish.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    21. Re:All your house... by DaveMikulec · · Score: 1

      Beware of dragons. For you are crunchy and taste good with ketchup.

      --
      "Shall we play a game?" -W.O.P.R.
    22. Re:All your house... by silas_moeckel · · Score: 1

      The insecurity of the security company's camera monitoring is pretty bad. They wanted basic port forwarding and couldn't even give me IP ranges it would be coming from. Mind you I hear reports of some large towns like Austin won't even respond to a house alarm unless the monitoring company verifies via CCTV, all but requiring internal CCTV that's accessible remotely.

      --
      No sir I don't like it.
    23. Re:All your house... by Anonymous Coward · · Score: 0

      The thing that makes the dog more effective than the alarm system sign is that it barks before they actually defeat the door.

      A sign could be lying, but if you hear a deep bark then you have a good reason to expect there actually is a big dog, and you haven't actually broken in yet so it's a good time to bail.

    24. Re:All your house... by FatdogHaiku · · Score: 1

      There's really not much mechanical connection between the inside and outside doorknobs anymore. It used to be there was an iron shaft connecting the two but that made the lock vulnerable to a pipe wrench attack. On a modern door, if you hung a charcoal starter on a doorknob you would set the inside of the door (normally urethane or wood) on fire. At that point the outside would be getting hot but also smoking or bursting into flames. I wonder what would happen if you wired a large capacitor to a metal door knocker... everyone loves to use those things...
      https://www.youtube.com/watch?v=XTw1lzxTAis

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    25. Re:All your house... by sjames · · Score: 1

      Or just drop hot heating oil on the creep.

    26. Re:All your house... by sjames · · Score: 1

      He is announcing that his dog is a known hazard to people who break and enter. It says nothing about the dog's behavior when someone is invited in.

    27. Re:All your house... by zugmeister · · Score: 1

      Maybe... How loud can your cat bark?

    28. Re:All your house... by HornWumpus · · Score: 1

      It says your dog is a hazard and you know it.

      If the dog subsequently bites someone, you have already lost the civil case.

      'Beware of Dog' signs are much rarer than they were when I was a kid. Because lawyers.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    29. Re:All your house... by TWX · · Score: 1

      That's pretty bad, about the alarm response.

      Only rule here is that if you have an alarm, you have to register it with the municipality. Alarm doesn't even have to be monitored. The fee is low enough that it doesn't seem like a cash-grab either, like $10/year if I remember right. I think the main purpose is so that they know who to contact if an alarm goes-off and no one is home.

      --
      Do not look into laser with remaining eye.
    30. Re:All your house... by sjames · · Score: 1

      Lawyer, liar, same thing. Anyone who knows anything about dogs knows that they behave much differently for the cases of master present/master absent and in territory/not in territory.

      In sane jurisdictions (rare, I know) someone who breaks and enters surrenders all expectation of safety.

      Of course, I see a lot more "Never mind the dog, beware of owner" signs with the silhouette of a gun.

    31. Re:All your house... by PCM2 · · Score: 1

      The home security industry really just plays on people's fear about getting broken into than actually offering any real benefit.

      I'm sure homeowner's insurance premiums play a role, too.

      --
      Breakfast served all day!
    32. Re:All your house... by PCM2 · · Score: 1

      One of my friends has a wind chime hanging on his front porch.

      Made of shotgun shells.

      --
      Breakfast served all day!
  2. Wrong Assessment by EmagGeek · · Score: 2

    "The one posing the biggest threat was the remote lock-picking attack"

    No, the one posing the biggest threat is the false fire alarm, which could divert firefighting resources from a real fire, causing the loss of life.

    1. Re:Wrong Assessment by npslider · · Score: 1

      Houses are broken into the old-fashioned way all the time. This is not a new thing. Doing it remotely sounds more scary, and provides new attack vectors and ways to take advantage of such a form of entry, but there are plenty of ways into a place one wants to get into.

      It also depends on what else is connected and how that could factor in. Running a home out of fuel by running the heat non-stop and allowing it to freeze up, just screwing with the neighbors by putting on a light show, for kicks, or like said above triggering a false fire alarm. This vulnerability does present some interesting possibilities.

    2. Re:Wrong Assessment by Lab+Rat+Jason · · Score: 1

      Clearly, you're not thinking selfishly enough...

      --
      Which has more power: the hammer, or the anvil?
    3. Re:Wrong Assessment by TWX · · Score: 3, Interesting

      The issue now is that with these vulnerable systems, depending on what a burglar is after, there may be no sign that the house was entered until long after the crime.

      The best crime is the one where no one realizes that a crime was committed. The second best crime is when, on discovery, no one knows when the crime was committed. Before, a burglar usually had to actually break something to get in, such that the evidence of the crime was discovered within hours or days. Now, if the burglar can open their phone and use an application to unlock the door, if they're after something specific and not obvious (like stored jewelry that isn't daily-wear for example) they can come and go without someone realizing until they discover said items missing.

      --
      Do not look into laser with remaining eye.
    4. Re:Wrong Assessment by dpidcoe · · Score: 1

      If all you're considering is people breaking in and stealing your TV, then sure, this is nothing special. The thing is that this gives the attackers the same access as if they were a legitimate user. Having unlimited and undetectable (as compared to breaking the locks or smashing a window) access opens up a whole world of possibilities for things other than just stealing stuff.

      Imagine a hacker having a list of compromised homes that he sells to criminals, along with a list of times the access codes are used so that they can be sure of breaking in when the house is unoccupied. Now instead of saying "please try the neighbors house first", your security system has become a giant flashing neon "please come rob me" sign (and you'd probably get cleaned out by the sorts of people who knew what they were doing, rather than the sorts who take the tv and the fake jewelry without realizing the IT equipment in the closet is worth 10x as much). Lists of compromised credit cards are traded all the time, so a list of compromised houses isn't far off at all.

      Or say someone wanted to use your house as a drop point for criminal activity. They've got the access codes and know you work 9-5, they could drop some drugs off inside after you leave for work and leave the access code with the buyer for pickup before you get home. You'd never know it was happening unless your neighbors said something or the DEA kicked down your door in a 2am no-knock raid.

      I could sit here all day listing other scenarios that would take advantage of this kind of access over the more traditional lockpicking or window smashing.

    5. Re:Wrong Assessment by Lumpy · · Score: 2

      Whereas in reality....

      Thief wants to break in. He kicks in the door and takes your stuff. No need to buy anything as his size 12 was all he needed. 99% of all homes have completely shit for door strength and the locks and deadbolts are worse.

      Then there are those pesky glass things all over houses that are easily broken that don't slow them down.

      --
      Do not look at laser with remaining good eye.
    6. Re:Wrong Assessment by Anonymous Coward · · Score: 0

      Except that's not how most home thefts happen.

      Thefts are opportunistic. Open window, bad latch, easily jimmied patio door. The whole kicking down the door thing is in your head from the movies. People don't kick down doors, and it's a lot more difficult than you think. Ever kicked in a door? I have. Deadbolts don't offer any strength on their own, the only time they are useful is if there is a plate. The door is often more fragile than the bolt, and if you're ballsy and stupid, sure, you can bust off the front face of the door and pop the lock.

      Or drill it out. Again, this isn't the movies. Thieves aren't into really making noise.

      The danger of the smart locks/smart homes is that people can easily monitor when you're coming and going, and enter and exit with nobody knowing. Thefts could happen over MULTIPLE days. Homes could easily be cased in advance. Identity documents could be found, duplicated, and replaced. This happens in the real world, not the movies.

    7. Re:Wrong Assessment by pr0fessor · · Score: 1

      I purchased a house and they didn't have a key to the garage... My wife accidentally locked the car in the garage before I had changed the locks and after my son tried to pick the lock and use a credit card etc... for about 30 minutes, I just kicked the door in. It only took about five really good loud kicks and caught the attention of the neighborhood; had the dead bolt been locked it would have taken even more. The garage door is steel, it was fine, but the door jamb I had to replace; it has a steel plate now.

    8. Re:Wrong Assessment by vux984 · · Score: 1

      Here's a scenario... just for example.

      Find an attractive woman, or man... or maybe you're into kids. Walk in their front door when they aren't home; install some stealthy cameras. You can even return to re-position or recharge them or simply retrieve them. With no break-in, the occupants don't suspect a thing.

      Or install a USB keylogger on their computer; and wait for their bank info, or all sorts of other snooping / information targeted theft etc. Get what you need for identity theft. etc.

      Or kidnapping... ex-husband just walks into a home in the middle of the night and walks out again with the baby he lost custody of.

      Or assassination... deliver poison, or bombs, or whatever. Far-fetched, yeah... I don't expect a rash of assassinations to go down... but you take away the obstacle of actually having to "break in" and it does become a lot easier. An ex can just walk in, put something in the orange juice and walk out again.

      Or maybe it stops at harassment. An ex shows up looks through your stuff, leaves you notes etc. Police aren't taking it too seriously because there's no evidence of forced entry... etc.

      The fact that you're in and out without leaving a broken door, lock, or window enables all sorts of stuff beyond theft.

      I would assume that the systems in theory log unlocks etc; but you may not think to look at the logs until WAY too late. And if we assume the systems are easily hacked, it may be trivial to avoid leaving logs behind as well, or to wipe them, or falsify them. Or if you can't remove the record of your entry, spam them with thousands of unlocks so your entry is lost in the noise...

    9. Re:Wrong Assessment by dpidcoe · · Score: 1

      Apparently you didn't read my post. I was specifically talking about the possibilities this opens up that don't involve a typical smash-n-grab (which, short of a gated community with armed guards, you'd still be vulnerable to regardless of security system).

    10. Re:Wrong Assessment by KGIII · · Score: 1

      If they were smart, they'd not even take the cards - they'd just run them through a skimmer (I imagine you could hook one to a cell phone) and you'd never know when it happened. Best of all, they could keep coming back once they found a victim. When "their" new card comes working, they just come back and skim the replacement. Hell, if they had the balls they could do it at night while the victim was asleep.

      --
      "So long and thanks for all the fish."
    11. Re:Wrong Assessment by Anonymous Coward · · Score: 0

      Except it is... Been broken into twice. they simply busted the window on the back door, reached in and unlocked it.

      Come on back when you have ACTUAL EXPERIENCE and are not just pulling shit from your ass.

  3. round up the usual suspects! by Anonymous Coward · · Score: 0

    I'm shocked! SHOCKED!

    this shit is not funny any more, in the sense that it's embarrassing to be a computer programmer now. I've been coding for dozens of years and the shit we churn out now is worse than it ever was.

    1. Re:round up the usual suspects! by Anonymous Coward · · Score: 0

      You're right, because all programming is these days is "leveraging" someone else's undocumented library, and building your shit "on top of" somebody else's shit.

    2. Re:round up the usual suspects! by BarbaraHudson · · Score: 1

      What, as a programmer you should have known "smart home" is an oxymoron!

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  4. way to go Samsung by Thud457 · · Score: 1

    goddamn it, CSI:Cyber was right!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:way to go Samsung by npslider · · Score: 1

      I'm pretty sure poor Samsung ain't the only ones with weaknesses. Ever know of a system that was completely secure? Perhaps a Linux box, stuck in the center of a black hole perpetually moving itself to /dev/null, but short of that. Nope.

    2. Re:way to go Samsung by Lumpy · · Score: 1

      Yep. ALL of this cloud based shit has the exact same problems.

      If your security or automation is cloud based, you have already failed.

      --
      Do not look at laser with remaining good eye.
  5. Flaws? by ArhcAngel · · Score: 1

    You call them flaws the NSA calls them government mandated back doors.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Flaws? by npslider · · Score: 1

      Now there's a thought... self encrypting houses. Conversations in there would be mighty weird, forget to pass the token to your wife and., wait... now that's a good excuse..

      "I did not hear your encrypted request to take out the trash", must have an old cipher key.

      Worth a try!

      The NSA doesn't need a back door, they already bugged every 2x4, light fixture and most of all the TV remote.

  6. Welcome to my house... by evolutionary · · Score: 1

    Oh, wait, I didn't say that, wait...it was a hacker, stay out of my house..... It's amazing how people don't seem to get the fact that if you make a keyhole everyone can access, regardless of distances, it's so much easier (and fun) to pick the lock. Plus these things weren't exactly designed to be all that secure as much as cheap/convenient. From hard-coded passkeys in firmware and up, the IOT things are not security they are convenience...at the price of security.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:Welcome to my house... by npslider · · Score: 1

      Just put a fingerprint sensor on everything, from the coffee pot to the garage door opener. Everyone knows those things are foolproof.

  7. Nothing to see, move along... by Anonymous Coward · · Score: 0

    All of this requires spoofing the Smart Things website which is no different than someone spoofing your bank website. In other words, absolutely nothing new or scary about it. Less than 0.1% of people using Smart devices will ever, if ever, be affected by this. More Millennials trying to spread FUD for pageviews and ego stroking.

    1. Re:Nothing to see, move along... by Anonymous Coward · · Score: 0

      "millenials"

      This is becoming the new "white male".

    2. Re:Nothing to see, move along... by Noah+Haders · · Score: 1

      If the Donald wins the White House, then we'll all be talking about Melanials.

    3. Re:Nothing to see, move along... by rhodium_mir · · Score: 1

      If the Donald wins the White House, then he will be impeached within the first two weeks

      --
      You can't spell "oneiromancy" without "roman".
    4. Re:Nothing to see, move along... by Noah+Haders · · Score: 1

      by whom? the politicians? if donaldo wins, it will be because a majority of americans voted for him. congresscritters are going to stick their feet in the air and smell which way wind is blowing.

  8. What? Read this again! by ScentCone · · Score: 3, Informative

    The flaw is that users who click a link that takes them to some OTHER web site, where they then provide their credentials, are then vulnerable to OTHER people using their credentials? How is this even news?

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:What? Read this again! by MagicM · · Score: 1

      No. One of the flaws is that users who click a link that takes them to THE SMARTTHINGS LOG-IN SCREEN, where they then provide their credentials, which then sends their credentials to some OTHER web site, are then vulnerable to OTHER people using their credentials. The news is that Samsung's API happily sends log-in results to any arbitrary third party. That's bad, although "the OAuth mechanism has recently been fixed."

      By posting this here as "news" we can all feel smug and laugh at them and learn from their mistake.

    2. Re:What? Read this again! by ScentCone · · Score: 1

      No, the story clearly states that users who click a link that takes them to a site that LOOKS LIKE the Samsung screen but which is really another web site - where they then give up their credentials to a phony back-end system that IS NOT SAMSUNG - suddenly find themselves at the mercy of the person to whom they just handed over their credentials while not bothering to check which web site they were on. Simple phishing attack.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:What? Read this again! by MagicM · · Score: 1

      From the article:

      to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page.

      Emphasis mine. Also you can see from the link that that is indeed what it does. Yes it's a phishing attack, but not one that uses a look-alike login page.

  9. overblown by jlv · · Score: 3, Informative

    This "research" is overblown hyperbole based upon tricking the user into falling for a phishing attack or by installing malware. But this is big news because this shows that IOT is unsafe!

    Now excuse me, I have email from PayPal telling me to update my account, so I have to go click the link they conveniently sent me.

  10. Flaky by trevc · · Score: 1

    SmartThings is so flaky it doesn't work for authorized users so no worries here.

  11. Ah TLS/SSL ... by Wrath0fb0b · · Score: 2

    It can tell you with cryptographic certainty with whom you are talking and that no one else can eavesdrop on your conversation. It can't tell jack about whether that's actually the entity that you want to talk to -- that's your job :-P

    I mean, HTTPS://BANKOFAMERlCA.COM looks pretty legit right? And if it's a valid certificate (for the owner of bankofamerLca.com, which is totally legit) then there's not a whole lot a browser can do besides blacklist 'known phishing sites' one at a time.

    1. Re:Ah TLS/SSL ... by Anonymous Coward · · Score: 0

      BR compliant CAs are obliged to check for such shenanigans, and they're not that bad at it, so you may struggle to get someone to issue for bankofamerLca.com

      Assuming you do get it issued (maybe a foreign CA can be sweet-talked into over-riding the automatic systems that warn them it's probably bogus) most CAs CT-log their issued certificates. That means very soon (typically in a few minutes, but always within 24 hours) the log monitors will see this certificate. If Bank of America is monitoring for, let's say things that would look too much like bankofamerica they'll know there's a problem as soon as their log monitor sees it.

      It is hard to capitalise on such a short-lived fraud.

  12. Today's News... by npslider · · Score: 4, Funny

    This just in...

    A man is found trapped in his new Samsung smart-house tied up in a basement closet with two pieces of toast stuffed in his mouth, covered in ice cubes.

    Apparently a burnt toast hacker found and exploited a security flaw in every electrically powered device in his home. After refusing to pay the ransom his microwave demanded. The microwave ordered the owner's toaster to eject the toast into the owner's mouth while the Dyson wireless battery powered vacuum cleaner snuck up from behind. The "possessed" cleaning appliance wrapped him up in a magnetically detachable charging cord.

    This new Dyson model, well known for its ability to remove facial hair from across the room made easy prey of the 45 year old computer programmer. The man was literally drug across his own kitchen floor kicking and sobbing, spit on by the ice maker as he frantically willed the fridge to help him, he had never done the fridge wrong. The basement door opened itself and the vacuum quickly went from suck to blow, ejecting him at near critical velocity into the open closet. The closet door self-closed.

    He was only found because the UPS deliverer, heard the commotion while passing this haunted house.

    In other news, Apple Inc. buys Microsoft, settling the largest online debate about which platform is superior...

  13. The Internet of Things by Macdude · · Score: 1

    Explain to me again how the Internet of Things is a good idea?

    --
    "Grab them by the pussy" -- President of the United States of America
    1. Re:The Internet of Things by jheath314 · · Score: 1

      You can't spell "idiotic" without IOT. Maybe I've gone prematurely old, but I have yet to come across an IoT feature or device that doesn't strike me as unnecessary, dangerous, or both.

      At a minimum, who the hell thought the ability to remotely unlock the door was a good idea? (Yes, sure, I know you can construct some hypothetical scenario where such a thing is useful, but weigh that against risks inherent to such a feature.) I could maaaybe see "remotely lock the door" as a good feature, but the system had better be physically constructed in a way that it can only ever engage the lock.

      --
      Procrastination Man strikes again!
    2. Re:The Internet of Things by KGIII · · Score: 1

      Hmm... So, you're saying that IOT is idiot missing the id? Presumably, not the Wizard of Id but the other one... You might be on to something.

      --
      "So long and thanks for all the fish."
  14. Again by Anonymous Coward · · Score: 0

    Leave it to the mods to replace a perfectly explained HelpNet article with a convoluted bullshit ArsTechnica report. You should really stop shoving this site down everyone's throats.

  15. No they dont.... by Anonymous Coward · · Score: 0

    It requires compromising the phone with the app on it.

    So they have to compromise your PHONE first, then they can. that requires a Rooted phone, so they need to convince you to root your phone then install their app.

    Nothing to see here....

    Get it right and stop with the fucking Fox News headlines.

  16. But! It could be haxx0rz! by Anonymous Coward · · Score: 0

    Rilly, it could! Be! Haxx0rz!

  17. not a flaw... by Anonymous Coward · · Score: 1

    working as intended. nothing to see here. move along and keep your damn mouth shut. it took three years to get someone on the inside to do this.

    -nsa/cia/fbi