A $225 GPS spoofer can send autonomous vehicles into oncoming traffic

Billions of people—and a growing number of autonomous vehicles—rely on mobile navigation services from Google, Uber, and others to provide real-time driving directions. A new proof-of-concept attack demonstrates how hackers could inconspicuously steer a targeted automobile to the wrong destination or, worse, endanger passengers by sending them down the wrong way of a one-way road.

The attack starts with a $225 piece of hardware that’s planted in or underneath the targeted vehicle that spoofs the radio signals used by civilian GPS services. It then uses algorithms to plot a fake “ghost route” that mimics the turn-by-turn navigation directions contained in the original route. Depending on the hackers’ ultimate motivations, the attack can be used to divert an emergency vehicle or a specific passenger to an unintended location or to follow an unsafe route. The attack works best in urban areas the driver doesn’t know well and assumes hackers have a general idea of the vehicle’s intended destination.

“Our study demonstrated the initial feasibility of manipulating the road navigation system through targeted GPS spoofing,” the researchers, from Virginia Tech, China’s University of Electronic Sciences and Technology, and Microsoft Research, wrote in an 18-page paper. “The threat becomes more realistic as car makers are adding autopilot features so that human drivers can be less involved (or completely disengaged).”

Developer faces prison after admitting admin software was really a RAT

A Kentucky man has pleaded guilty to federal charges he developed, marketed, and provided technical support for software he knew customers used illegally to take control of other people’s computers.

Colton Grubbs used the handle KFC Watermelon to advertise the LuminosityLink administrative tool on Hackforums[dot]net, federal prosecutors alleged in an indictment filed last month. The indictment said the tool provided a variety of malicious capabilities including the ability for purchasers to control others’ computers, surreptitiously record users’ activities, and to view their files, login credentials, and personal information. The defendant, prosecutors said, also used the hacker forum and a website located at luminosity[dot]link to teach users how to conceal their identities and prevent antivirus programs from detecting the tool.

On Monday, Grubbs signed a plea agreement that admitted that from 2015 to 2017 he designed LuminosityLink and sold it for $40 apiece to more than 6,000 individuals, knowing that some of them were using it maliciously. While previously claiming the software was a legitimate tool for system administrators, Monday’s plea agreement admitted he knew some customers were using it to control computers without owners’ knowledge or permission. The document, which was signed by Grubbs, stated:

Dangerous plutonium stolen from rental car in a hotel parking lot

Two workers from the Department of Energy’s Idaho National Laboratory lost an undisclosed amount of plutonium and cesium from a rental car parked overnight in a San Antonio, Texas, hotel parking lot in a neighborhood known for car break-ins and other crimes, according to an article published Monday by the Center for Public Integrity.

The loss of the highly radioactive material occurred in March 2017 and was discovered when the two workers awoke the next morning to find the window of their Ford Expedition had been smashed. Missing were radiation detectors and small samples of plutonium and cesium used to calibrate them. The workers were transporting the equipment and materials during an assignment to retrieve dangerous nuclear materials from a nonprofit research lab in San Antonio when the theft occurred. The vehicle had been parked in the lot of a Marriott hotel in a San Antonio neighborhood where car break-ins are common.

More than a year later, state and federal officials still don’t know where the substances are. No public announcement of the March 21 incident was ever made by either the San Antonio Police Department or by the FBI, which police consulted. Officials have declined to say how much plutonium and cesium were taken. A spokeswoman with the Idaho lab told reporters Patrick Malone and R. Jeffrey Smith that the amount of plutonium taken wasn’t enough to create a so-called dirty bomb and that there’s little or no danger from either source being in the public domain.

Alaska’s last two Blockbusters are shutting down, leaving one in US

On Thursday, Blockbuster Alaska announced that the rental chain’s last two Alaskan stores will shut down on Monday, with liquidation sales to follow. The news means that only one Blockbuster store will remain in the United States, in Bend, Oregon.

“We hope to see you at our stores during the closing, even if it’s just to say ‘Hello,’” the final two shops’ managers posted in a Facebook announcement on Thursday. “What a great time to build your media library and share some Blockbuster memories with us.”

In its report, the Anchorage Daily News confirmed with Border Entertainment, a Texas-based holding company that operated all of Alaska’s Blockbuster stores, that closure plans had been in the works since before the end of 2017. At that time, Border decided to stop renewing any Blockbuster store leases, resulting in a series of closures across the state over the past nine months.

Smart TVs are invading privacy and should be investigated, senators say

Two Democratic US senators have asked the Federal Trade Commission to investigate privacy problems related to Internet-connected televisions.

“Many Internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers,” Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) wrote in a letter yesterday to FTC Chairman Joseph Simons. “Regrettably, smart TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits.”

The letter asked the FTC to “launch an investigation into the privacy policies and practices of smart TV manufacturers.” When contacted by Ars, an FTC spokesperson confirmed that the agency received the letter from Markey and Blumenthal, but the FTC offered no further comment.

Hyper-targeted attack against 13 iPhones dropped malicious apps via MDM

In what appears to be a case of highly focused social engineering against a small group of iPhone users, malicious actors managed to get 13 iPhones registered on their rogue mobile device management (MDM) servers and then pushed out applications that allowed the hackers to track the locations of the phones and read victims’ SMS messages.

The attacks, reported by Cisco’s Talos, used the “BOptions” sideloading technique to modify versions of legitimate applications, including WhatsApp and Telegram. The initiative inserted additional libraries into the application packages, and the modified applications were then deployed to the 13 victim iPhones via the rogue mobile device management systems.

“The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user’s photos, SMS, and Telegram and WhatsApp chat messages,” wrote Talos researchers Warren Mercer, Paul Rascagneres, and Andrew Williams in a post on the attack. “Such information can be used to manipulate a victim or even use it for blackmail or bribery.”

The most ambitious browser mitigation yet for Spectre attacks comes to Chrome

Google’s Chrome browser is undergoing a major architectural change to enable a protection designed to blunt the threat of attacks related to the Spectre vulnerability in computer processors. If left unchecked by browsers or operating systems, such attacks may allow hackers to pluck passwords or other sensitive data out of computer memory when targets visit malicious sites.

Site isolation, as the mitigation is known, segregates code and data from each Internet domain into their own “renderer processes,” which are individual browser tasks that aren’t allowed to interact with each other. As a result, a page located at arstechnica.com that embeds ads from doubleclick.net will load content into two separate renderer processes, one for each domain. The protection, however, comes at a cost. It consumes an additional 10 to 13 percent of total memory. Some of the performance hit can be offset by smaller and shorter-lived renderer processes. Site isolation will also allow Chrome to re-enable more precise timers, which Google and most other browser makers disabled earlier this year to decrease chances of successful attacks.

Site isolation has been available in Chrome as an optional mitigation since early this year, but starting with version 67, it’s being enabled by default for 99 percent of users. Google is leaving it off for the other 1 percent so engineers can monitor and improve performance. The protection is also being enabled in the Chrome desktop. For performance reasons, it isn’t available in Chrome for Android for the time being.

Tech-support scammers know EVERYTHING about my computer, Dell customer says

More than 30 months after surfacing, a tech-support scam targeting Dell computer owners continues to raise questions about how the callers know sensitive information, including PC serial numbers and the names, phone numbers, and email addresses customers gave to the PC maker.

Most tech-support scams are opportunistic. A caller falsely claims she’s calling from Microsoft to warn of a serious, non-existent problem with a person’s Windows computer, even when the person happens to own only a Mac. The goal of the call is to trick the mark into purchasing software or technical support to fix the issue or to install software that gives the caller remote control over the computer. These types of rackets have been targeting owners of Windows computers from a variety of sellers for years.

A scam targeting Dell customers, by contrast, uses sensitive details tied to their specific PC purchase, including the PC model, service tag number, and the contact information the customers provided at the time they made the purchase. Armed with those details, the caller has a much better chance of tricking the person into thinking the call is legitimate and, from there, ceding control of the computer or coughing up hundreds of dollars in fraudulent support costs.
