
New 5G flaws can track phone locations and spoof emergency alerts

5G is faster and more secure than 4G. But new research shows it also has vulnerabilities that could put phone users at risk.

Security researchers at Purdue University and the University of Iowa have found close to a dozen vulnerabilities, which they say can be used to track a victim’s real-time location, spoof emergency alerts that can trigger panic, or silently disconnect a 5G-connected phone from the network altogether.

5G is said to be more secure than its 4G predecessor, able to withstand exploits used to target users of older cellular network protocols like 2G and 3G, such as the use of cell site simulators, known as “stingrays.” But the researchers’ findings confirm that weaknesses undermine the newer security and privacy protections in 5G.

Worse, the researchers said some of the new attacks also could be exploited on existing 4G networks.

The researchers expanded on their previous findings to build a new tool, dubbed 5GReasoner, which was used to find 11 new 5G vulnerabilities. By creating a malicious radio base station, an attacker can carry out several attacks against a target’s connected phone, which can be used for both surveillance and disruption.

In one attack, the researchers said they were able to obtain both old and new temporary network identifiers of a victim’s phone, allowing them to discover the paging occasion, which can be used to track the phone’s location — or even hijack the paging channel to broadcast fake emergency alerts. This could lead to “artificial chaos,” the researcher said, similar to when a mistakenly sent emergency alert claimed Hawaii was about to be hit by a ballistic missile amid heightened nuclear tensions between the U.S. and North Korea. (A similar vulnerability was found in the 4G protocol by University of Colorado Boulder researchers in June.)

Another attack could be used to create a “prolonged” denial-of-service condition against a target’s phone from the cellular network.

In some cases, the flaws could be used to downgrade a cellular connection to a less-secure standard, which makes it possible for law enforcement — and capable hackers — to launch surveillance attacks against their targets using specialist “stingray” equipment.

All of the new attacks can be exploited by anyone with practical knowledge of 4G and 5G networks and a low-cost software-defined radio, said Syed Rafiul Hussain, one of the co-authors of the new paper.

CONTINUE @ TECH DIRT

Mark Zuckerberg says TikTok is a threat to democracy, but didn’t say he spent 6 months trying to buy its predecessor

Facebook once tried to buy Musical.ly, the Chinese lip-syncing app which was eventually acquired by Chinese social media giant ByteDance and merged with its app Douyin to form viral video app TikTok, according to reports from BuzzFeed and Bloomberg.

Three sources familiar with the talks told BuzzFeed’s Ryan Mac that Facebook spent the second half of 2016 trying to buy the Shanghai-headquartered Musical.ly in an attempt to break into the Chinese market. These sources said that while the talks were “serious,” they never came to fruition, with Facebook unable to close the deal.

ByteDance bought Musical.ly in 2017.

Bloomberg’s reporting differs, with a source saying that Facebook walked away out of “concern about the app’s young user base and Chinese ownership.”

The reports add a slightly different tenor to Mark Zuckerberg’s recent remarks about TikTok and China.

The Facebook CEO has been sounding the alarm against TikTok, criticizing the platform for censoring its users and scrubbing content that might displease the Chinese government. TikTok has denied censorship.

At the same time, US senators are starting to scrutinise ByteDance and TikTok more closely. Earlier this month the company skipped a Senate hearing on China and big tech, and were consequently “empty-chaired.”

CONTINUE @ BI

Google: You can trust us with the medical data you didn’t know we already had

Google now has access to detailed medical records on tens of millions of Americans, but the company promises it won’t mix that medical data with any of the other data Google collects on consumers who use its services.

Google provided this statement yesterday shortly after The Wall Street Journal reported that Google is partnering with Ascension, the country’s second-largest health care system, “on a project to collect and crunch the detailed personal-health information of millions of people across 21 states.”

“To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data,” Google said in a blog post. That would mean Google won’t use the medical data to target advertisements at users of Google services.

Google also said that its work with Ascension “adheres to industry-wide regulations (including HIPAA) regarding patient data, and come[s] with strict guidance on data privacy, security, and usage.”

“We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care,” Google said. “This is standard practice in health care, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care.”

What can Google see? Pretty much everything

Patient data shared with Google includes names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, “and some billing claims and other clinical records,” according to a followup article in the Journal. The partnership “covers the personal health records of around 50 million patients of Ascension,” the Journal wrote.

The Journal said that “Neither doctors nor patients have been formally notified of the arrangement” and that Google and Ascension began the project “in secret last year.”

Google seems to be correct that the partnership doesn’t violate HIPAA (the Health Insurance Portability and Accountability Act). As the Journal noted, that law “generally allows hospitals to share data with business partners without telling patients, as long as the information is used ‘only to help the covered entity carry out its health care functions.'” An expert quoted by the Journal noted that Google would be at risk of violating the law “if it uses the health data to perform independent research outside the direct scope of patient care.”

CONTINUE @ ARS

Facebook is secretly using your iPhone’s camera as you scroll your feed

iPhone owners, beware. It appears Facebook might be actively using your camera without your knowledge while you’re scrolling your feed.

The issue has come to light after a user going by the name Joshua Maddux took to Twitter to report the unusual behavior, which occurs in the Facebook app for iOS. In footage he shared, you can see his camera actively working in the background as he scrolls through his feed.

The problem becomes evident due to a bug that shows the camera feed in a tiny sliver on the left side of your screen, when you open a photo in the app and swipe down. TNW has since been able to independently reproduce the issue.


Maddux adds he found the same issue on five iPhone devices running iOS 13.2.2, but was unable to reproduce it on iOS 12. “I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” he said.

CONTINUE @ TNW

Vape-Marketing Is Blackmailing Websites To Purchase Their Products

I love threatening emails; luckily, I get my fair share, since I also publish an anti-establishment website, governmentslaves.news.

Arriving this morning was a rather humorous blackmail attempt from the website vape-marketing.com. The sender, Aleida Cazaly (info@vape-marketing.com), warned me that if I don’t purchase an overpriced product from his website, he will start spamming my website with backlinks.
