February 22, 2019


Meet the little-known Chinese WiFi startup that rubs shoulders with WeChat and Alipay


A service that connects people to WiFi hotspots for free turned out to be one of China’s most popular apps, nestling in the top ranks with Tencent’s WeChat messenger and Alibaba’s digital wallet affiliate Alipay. According to a report from app tracking service App Annie, WiFi Master Key was China’s fifth-largest app and the world’s ninth largest by monthly active users in 2018, titles it also held in 2017.

Report: The State of Mobile 2019, App Annie

The aptly-named WiFi Master Key, which owns the enviable domain, is the product of a little-known startup called LinkSure in Shanghai that gets people onto the nearest wireless networks without the need for passwords. In addition, the app also recommends news and video content based on users’ past habits to lock them in, a feature similar to that of ByteDance’s algorithm-driven Jinri Toutiao news app.

Like many consumer-facing services in China, the app is free to use and monetizes traffic through advertising. It claims 700 million MAUs in China and another 100 million around the world. WeChat and Alipay, by comparison, each has around 1 billion MAUs worldwide.

The internet connectivity service helped LinkSure secure $52 million from a Series A round and value the parent at $1 billion back in 2015, only two years after the firm had launched. LinkSure has not announced further funding since then and has kept a relatively low profile, though its founder Chen Danian was a household name from China’s early internet days. Along with his brother Chen Tianqiao, Chen founded Shanda Games, once China’s largest operator of online games before the rise of Tencent.

In November, Chen resigned as LinkSure’s chief operating officer as former Shanda executive Wang Jingying took over the reins to become one of the few prominent female CEOs in China’s tech sector.

Sharing passwords

The idea of freeloading on strangers’ networks strikes one as dodgy (or too good to be true), but the reality is more nuanced. WiFi Master Key keeps a database of passwords while encrypting and hiding them from users, the company explains on its site. How does it collect all the credentials in the first place? Well, every time someone uses it to key in a login, the internet access app transmits that piece of information to the cloud. When people use it to, say, enter the WiFi passcode a barista just gave them, the data gets stored and shared with whoever at the cafe uses the app.


Aside from bringing connectivity, WiFi Master Key also provides news, e-book and video content to lock users in. Screenshot: TechCrunch

Those inner workings enable the app to bill itself as a WiFi “sharing” service and distance itself from anything that’s remotely a hack. But its data practice still draws concerns over user privacy. Last April, the Chinese state television broadcaster ran a 25-minute feature lambasting the app for “stealing passwords.” That was followed by an industry-wide crackdown from the state’s cybersecurity watchdog on all WiFi crowdsourcing services with lacklustre security practices.

LinkSure rebuked the state report and said it always asked for user consent before gleaning their data. Chances are few people read the lengthy terms of use on any kind of app in real life, and the less digitally savvy may fail to grasp how the app actually works. A major source of debate is when users inadvertently make their house WiFi publicly available after giving the credentials away to a guest who happens to use the data-ravenous app to access the host’s network. WiFi Master Key has not responded to emailed questions about its security practices.

Aside from enabling strangers to crowdsource WiFi, LinkSure has also joined hands with two major Chinese telecommunication companies to offer a separate broadband card with appealing data plans. That puts it in competition with Tencent, Alibaba, Baidu and other tech firms that are working with big telcos to provide cheap or unlimited data enticing people to use their in-house apps.

Meanwhile, LinkSure is looking to beam down its own internet connection from space as SpaceX and OneWeb do. The plan is to target the next few billion rural users who are just coming online and live in areas currently uncovered by terrestrial networks. LinkSure says it’s aiming to provide a free satellite network around the world by 2026, with the first out of a constellation of 272 satellites bound to launch later this year.

A government-backed report put the number of people with internet access in China at 802 million in June, leaving nearly 600 million who are still unconnected. 30 million people came online for the first time last year, including an expanding base of elderly users who are increasingly embracing Alipay and WeChat to go about daily lives.


Researcher shows how popular app ES File Explorer exposes Android device data


Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions and below have the open port.

“It’s clearly not good,” he said.

A script, developed by security researcher , to obtain data on the same network as an Android device running ES File Explorer. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment that they open the app.


Comcast debuts a subscription service to protect against threats to smart home devices


Comcast is putting A.I. to work to protect its customers’ home networks. At the Consumer Electronics Show in Las Vegas, the company announced Xfinity xFi Advanced Security, an A.I.-powered service designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home – including smart home and “internet-of-things” devices that are often the target of online attacks due to their weaker security.

People’s homes no longer only have computers and phones connecting to the internet. Today, our houses are filled with connected devices, like voice-powered speakers, smart home appliances, security cameras, connected doorbells and thermostats and much more. Even some kids’ toys connect to the internet.

According to data from Cisco, there will be nearly 13 connected devices per person in North America. And the number of attacks across these connected devices is growing – by 600 percent between 2016 and 2017, Symantec reported.

That’s where Comcast’s new subscription service comes in. xFi Advanced Security is available to turn on from within the existing xFi app, where it then begins to monitor and manage the network traffic.

The system analyzes the traffic using A.I. and machine learning technologies, then automatically blocks anything it deems “suspicious activity.”

“We can see traffic coming in that’s not normal – coming from weird IP addresses or known bots, and we can look at the heuristics of the traffic to basically stop it,” explains Fraser Stirling, Senior Vice President of Digital Home, Devices and AI at Comcast. “It’s basically like anomaly detection. We understand that device from all the devices that are connected by brand and model. We can understand what that traffic looks like…so if [the device] starts to do something that’s abnormal to the pattern for your house or for all the people that are using the same thing, we can track that as an anomaly.”

For example, if a device that normally goes to a certain IP address to get its firmware updates is all of a sudden going somewhere else, the service can block the traffic and alert you.

“The most important part of the product is that we tell you,” he says.
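The baseline check described above, sketched as an added example (not Comcast's or Cujo AI's implementation, and not part of the original article): a destination is treated as normal if the device has used it before or if enough other households running the same model use it, and anything else produces an alert. The `Flow` record, the `DestinationBaseline` class, the model name and the sample flows are all hypothetical and constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    household: str
    device: str
    model: str
    dst_ip: str


class DestinationBaseline:
    """Learns where each device, and each device model across households, normally connects."""

    def __init__(self, min_peer_households: int = 2):
        self.min_peer_households = min_peer_households
        self.by_device = defaultdict(set)                      # (household, device) -> {dst_ip}
        self.by_model = defaultdict(lambda: defaultdict(set))  # model -> dst_ip -> {household}

    def learn(self, flow: Flow) -> None:
        self.by_device[(flow.household, flow.device)].add(flow.dst_ip)
        self.by_model[flow.model][flow.dst_ip].add(flow.household)

    def check(self, flow: Flow) -> Optional[str]:
        """Return an alert string for an anomalous flow, or None if it fits a baseline."""
        if flow.dst_ip in self.by_device.get((flow.household, flow.device), set()):
            return None  # normal for this house
        peers = self.by_model.get(flow.model, {}).get(flow.dst_ip, set()) - {flow.household}
        if len(peers) >= self.min_peer_households:
            return None  # new here, but normal for the same model elsewhere
        return (f"BLOCK {flow.household}/{flow.device} ({flow.model}) -> {flow.dst_ip}: "
                f"not in device history, seen in {len(peers)} peer household(s)")


# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
TRAINING = [
    Flow("house-a", "cam-1", "acme-cam-x1", "192.0.2.10"),
    Flow("house-b", "cam-7", "acme-cam-x1", "192.0.2.10"),
    Flow("house-b", "cam-7", "acme-cam-x1", "192.0.2.20"),
    Flow("house-c", "cam-3", "acme-cam-x1", "192.0.2.10"),
    Flow("house-c", "cam-3", "acme-cam-x1", "192.0.2.20"),
]
LIVE = [
    Flow("house-a", "cam-1", "acme-cam-x1", "192.0.2.10"),    # usual update server
    Flow("house-a", "cam-1", "acme-cam-x1", "192.0.2.20"),    # new here, common among peers
    Flow("house-a", "cam-1", "acme-cam-x1", "203.0.113.66"),  # seen nowhere
]


def evaluate(training, live, min_peer_households=2):
    """Build the baseline from training flows, then return alerts for the live flows."""
    baseline = DestinationBaseline(min_peer_households)
    for flow in training:
        baseline.learn(flow)
    return [alert for alert in map(baseline.check, live) if alert]


if __name__ == "__main__":
    for alert in evaluate(TRAINING, LIVE):
        print(alert)
```

Raising `min_peer_households` makes the peer baseline stricter: with a value of 3, the second live flow is also flagged because only two other households have contacted that address.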

Customers will be alerted to these blocked threats in real-time and offered instructions on how to further secure their devices, if need be. For example, if it blocked a suspicious website that was distributing malware, it will provide the URL and explanation. It will later provide the website you visited where that link may have been embedded – helpful in the case of malicious ads, among other things.

A second use case for the product is its proactive scans, which can alert you to other issues – like if a device has all its ports open, for example, which makes it vulnerable to attacks. xFi Advanced Security can close those ports, but it can block the malicious traffic and tell you what’s happening and why through its alerts.

All these alerts can be viewed from the xFi dashboard both online and in the xFi app.

The system is powered in part by the A.I. platform Cujo AI, incidentally a TechCrunch Disrupt NY 2016 Battlefield finalist. Comcast won’t detail the specifics of its arrangement with Cujo, which it refers to as “ingredient technology partner.” However, it hasn’t made a strategic investment, the way it had done with Plume, the maker of what are now called the xFi Pods.

Beyond enabling the subscription, the new security service doesn’t require set up on the customer’s part. Customers just plug in their various connected devices and turn them on. Afterwards, xFi Advanced Security identifies the devices and allows you to add them to a user profile – like mom, dad, or child or to the general “household” profile, which covers smart home devices or those used by all.

The service, once enabled, immediately begins to scan and protect the home network – including devices plugged in through Ethernet as well as those connected wirelessly.

In a later version, the company is considering offering more information about the threats it detects and blocks, as well as information about potential security issues – like if a device needs a firmware update, for instance.

While xFi Advanced Security sounds good in theory, security experts tend to be unimpressed until they’re able to put a product through its paces. So it’s too soon to give it a recommendation on that front.

After all, many of today’s smart home devices – especially the cheaper ones – weren’t built with a security-first mindset, and are riddled with flaws. A threat-scanning service can’t actually fix their issues – like their use of default passwords, UPnP left on by default, root passwords in the firmware, or a telnet port left open, for example. xFi Advanced Security can alert you to those issues, however, in some cases.

But people could protect their network if they’d just close UPnP on the router itself, and change the default passwords on the smart devices they connect. And they could do so without a subscription. But most people don’t know how to do these things.

For Comcast, xFi Advanced Security presents an opportunity to generate revenue from xFi customers through services that expand the capabilities of its existing xFi platform. It’s the first subscription-based offering to live on top of xFi, in fact.

Launched in 2017, xFi lets customers control their home networks from a dashboard to do things like set parental controls, pause the Wi-Fi and receive alerts about home network activity, among other things.

The new xFi Advanced Security integrates here, and customers can choose to sign up within the xFi app.

The service is $5.99 per month and is available to any customer who rents an xFi Gateway – meaning, some 15 million homes, notes Comcast. In some markets, it will also be sold as part of a package deal, the company says.

The cost of the Gateway ranges from $11 to $13 per month, as prices vary by market. The xFi app is free and available both on Android and iOS.

Additional reporting: Zack Whittaker


Google sat on a Chromecast bug for years, now hackers could wreak havoc


Google was warned of a bug in its Chromecast media streaming stick years ago, but did not fix it. Now, hackers are exploiting the bug — and security researchers say things could get even worse.

A hacker, known as Hacker Giraffe, has become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hacker hijacked thousands of Chromecasts, forcing them to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like himself.

Not one to waste an opportunity, the hacker also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As Hacker Giraffe says, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the years-old bug that gives anyone with access to a Chromecast the ability to hijack the media stream and display whatever they want, because Chromecast doesn’t check to see if someone is authorized to change the video stream. (Google did not respond to our follow-up question.)

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fox found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch.

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

Hacker Giraffe is the latest to resort to “Good Samaritan security,” by warning users of the issues and providing advice on how to fix them before malicious hackers take over, where tech companies and device makers have largely failed.

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link is humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.


Google’s Project Fi gets an improved VPN service


Google’s Project Fi wireless service is getting a major update today that introduces an optional always-on VPN service and a smarter way to switch between WiFi and cellular connections.

By default, Fi already uses a VPN service to protect users when they connect to the roughly two million supported WiFi hotspots. Now, Google is expanding this to cellular connections as well. “When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” the team writes in today’s announcement.

Google notes that the VPN also shields all of your traffic from Google itself and that it isn’t tied to your Google account or phone number.

The VPN is part of what Google calls its “enhanced network” and the second part of this announcement is that this network now also allows for a faster switch between WiFi and mobile networks. When you enable this — and both of these features are currently in beta and only available on Fi-compatible phones that run Android Pie — your phone will automatically detect when your WiFi connection gets weaker and fill in those gaps with cellular data. The company says that in its testing, this new system reduces a user’s time without a working connection by up to 40 percent.

These new features will start rolling out to Fi users later this week. They are off by default, so you’ll have to head to the Fi Network Tools in the Project Fi app and turn them on to get started. One thing to keep in mind here: Google says your data usage will likely increase by about 10 percent when you use the VPN.
