My Weekly RoundUp #121
After a brief pause, my WeeklyRoundup begin again! So, below, something I saw on the internet last week:
Exploiting Wi-Fi Stack on Tesla Model S
In the past two years, Keen Security Lab did in-depth research on the security of Tesla Cars and presented our research results on Black Hat 2017 and Black Hat 2018. Our research involves many in-vehicle components. We demonstrated how to hack into these components, including CID, IC, GATEWAY, and APE. The vulnerabilities we utilized exists in the kernel, browser, MCU firmware, UDS protocol, and OTA updating services. It is worth noting that recently we did some interesting works on Autopilot module, we analyzed the implementation details of autowipers and lane recognition function and make an example of attacking in the physical world.Keen Security Lab Blog
To understand the security of Tesla’s on-board system more comprehensively, we researched the Wi-Fi module (aka Parrot on Model S) and found two vulnerabilities in the Wi-Fi firmware and Wi-Fi driver. By combining these two vulnerabilities, the host Linux system can be compromised.
Hackers Bypass the 2-step Verification to Invade Government Systems and Industries
2-step verification is an extra security measure that an application uses when connecting to a service or a device. But the 2-step authentication was avoided by a group of hackers from China known as APT20. The government, industries, and various corporations across the world are concerned about the issue. This is disturbing news for the world of cybersecurity. APT 20, a criminal hacking organization from China was able to avoid the important 2-step verification, that is used as a safety precaution by vast services on the internet such as Google, Whatsapp, Instagram, etc. But above all this, this issue is a major concern for banking institutions that rely on internet services for their conduct.E Hacking News
Starbucks Devs Leave API Key in GitHub Public Repo
Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.
JumpCloud is an Active Directory management platform billed as an Azure AD alternative. It provides user management, web app single sign-on (SSO) access control, and Lightweight Directory Access Protocol (LDAP) service.
Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded it demonstrated “significant information disclosure” and that it qualified for a bug bounty.
Starbucks took care of the problem much sooner, though as Kumar noted on October 21 that the repository had been removed and the API key had been revoked.BleepingComputer
“Cache issue” causes Xiaomi cameras to show other people’s camera feeds
Chinese electronics maker Xiaomi has shut down the Google Home Hub integration of its security cameras after a cache issue caused some of Xiaomi’s camera streams to go to the wrong people. The bug was first reported by Reddit user Dio-V, with a post titled “When I load the Xiaomi camera in my Google home hub I get stills from other people’s homes!!”
Dio-V posted a video showing that pressing the “camera” button on a Google Home paired with a Xiaomi camera would, after a long wait, show a corrupted, distorted image. Dio-V says this feed isn’t from one of their cameras. The user also posted several stills from other random camera feeds that would pop up on his smart display.ArsTechnica
ProtonMail takes aim at Google with an encrypted calendar
Encrypted email provider ProtonMail has officially launched its new calendar in public beta. The move is part of the Swiss company’s broader push to offer privacy-focused alternatives to Google’s key products.
ProtonMail has been talking about its plans to launch an encrypted calendar for a while. But starting from today, all ProtonMail users on a paid plan will be able to access ProtonCalendar, and it will be opened to everyone when it exits beta in 2020.VentureBeat
Ethics of ai: how should we treat rational, sentient robots – if they existed?
Imagine a world where humans co-existed with beings who, like us, had minds, thoughts, feelings, self-conscious awareness and the capacity to perform purposeful actions – but, unlike us, these beings had artificial mechanical bodies that could be switched on and off.
That brave new world would throw up many issues as we came to terms with our robot counterparts as part and parcel of everyday life. How should we behave towards them? What moral duties would we have? What moral rights would such non-human persons have? Would it be morally permissible to try to thwart their emergence? Or would we have a duty to promote and foster their existence?
Intriguing ethical questions such as these are raised in Ian McEwan’s recent novel, Machines Like Me, in which Alan Turing lives a long successful life and explosively propels the development of artificial intelligence (AI) that leads to the creation of “a manufactured human with plausible intelligence and looks, believable motion and shifts of expression”.Universal-Sci
Apple now lets you engrave a poop emoji on your AirPods case
Apple has long offered the option to engrave text on select products purchased through its online store. And now, you’re able to engrave emoji onto the company’s AirPods cases, too (via MacRumors).
Apple only lets you engrave a limited set of emoji, but there are some pretty fun options, including the fist bump, all of the Zodiac animals, and the poop emoji.The Verge
One of NASA’s exoplanet hunters has gone quiet
NASA has a lot of high-tech hardware cruising around in space right now, but one of the space agency’s pint-sized exoplanet hunters appears to have gone dark. In a post by NASA’s Jet Propulsion Laboratory, the group explains that its ASTERIA satellite has been failing to return attempts to contact it for about a month now.
ASTERIA is a tiny satellite capable of observing some very big things. The spacecraft was sent into Earth orbit in late 2017, and it spent several months studying nearby stars for changes in their brightness. These brightness dips are the telltale signs that a planet is orbiting those stars.BGR
No Dark Energy? No Chance, Cosmologists Contend
Dark energy, mysterious as it sounds, has become part of the furniture in cosmology. The evidence that this repulsive energy infuses space has stacked up since 1998. That was the year astronomers first discovered that the expansion of the universe has been speeding up over time, with dark energy acting as the accelerator. As space expands, new space arises, and with it more of this repulsive energy, causing space to expand even faster.
Two decades later, multiple independent measurements agree that dark energy comprises about 70% of the universe’s contents. It is so baked into our current understanding of the cosmos that it came as a surprise when a recent paper published in the journal Astronomy & Astrophysics questioned whether it’s there at all.QuantaMagazine
This electronic album was made for the SNES and you can buy it as a cartridge
German musician Remute has made and released music on a variety of old mediums, but his newest effort marks a quirky milestone: The Cult Of Remute is claimed to be the first music album made entirely for the Super Nintendo’s sound chip and released on an SNES cartridge.
Creating within severe restraints is nothing new for Remute. In the past, he’s released music on a floppy disk and programmed an album using the sound chip for ‘90s game console Sega Genesis. But he tells The Verge that creating this new album with the SNES’s limitations was more difficult than previous projects because of the system’s “merciless” filesize limit.The Verge
Star Trek Picard – NFL Teaser
The Moon Theme from DuckTales Performed on an Electric Toothbrush
Moon Theme from DuckTales played by an electric toothbrush, a credit card machine, and a typewriter, all with tiny arms. The electric toothbrush also wears a top hat and has a red walking stick. The credit card machine has a wig that is actually a doll scalp.Device Orchestra