A group of security researchers recently demonstrated on video that they have successfully gained root access to the QNX-based operating system found on Research In Motion’s BlackBerry PlayBook tablet. The PlayBook jailbreak and related “mack truck” security hole these hackers identified could have some serious implications for future BlackBerry devices, but RIM says users should not get ahead of themselves. “Research In Motion (RIM) is aware of a claim made on Twitter by security researchers working together that suggests the ability to ‘jailbreak’ a BlackBerry PlayBook tablet,” RIM said in a statement, noting that no BlackBerry smartphone users are affected. RIM also said it will begin working on a patch for the claimed security hole if its investigation determines the hackers’ claims are genuine, and it will also investigate any PlayBook jailbreaking tool released to the public. RIM’s full statement follows below, along with a video demonstration of security researcher “neuralic” gaining root access to a BlackBerry PlayBook.
There has been word for the past few days that Research In Motion’s PlayBook has been jailbroken. What this means is that, for the first time ever in RIM’s history, root access has been gained into a BlackBerry operating system. Why is this a big deal? Well, of RIM’s few remaining strengths, one of them was security, both in terms of encrypting and securing the messages you send over the RIM network, and device security. It’s why BlackBerry products became so popular with enterprises and governments — security. That device is so secure, that even the President of the United States uses one. Read on for more. More →
Many of us wondered why Google’s new flagship Galaxy Nexus doesn’t support Google Wallet, an NFC-based payment service that the company introduced a few months back. Since Google Wallet is only available in the United States at the moment, it makes sense that it isn’t supported on the HSPA+ Galaxy Nexus. Google Wallet also will not be supported on Verizon Wireless’ version of the smartphone, however, which is set to launch early next month. While Verizon wouldn’t comment specifically on the Galaxy Nexus’ lack of support, the carrier did tell BGR that it is working toward some kind of mobile wallet service as Verizon is a member of ISIS along with T-Mobile and AT&T. Hit the break for more. More →
Are pornographic images invading your Facebook news feed? We have yet to see it here at BGR, but ZDNET recently reported that “gory, violent pictures” and “hardcore pornography” are spreading across the social network. Facebook says it is getting to the bottom of the problem, but hasn’t yet revealed a solution or how the fiasco started. “Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms,” Facebook spokesperson Andrew Noyes said. “We have recently experienced an increase in reports and we are investigating and addressing the issue.” It is unclear who is behind the attack. As The Washington Post points out, the flood could be a trick played by the now infamous hacker group Anonymous, in celebration of Guy Fawkes Day, which occurred on November 5th, but the group typically stakes its claim on major attacks. The images, which are apparently spreading like a wild fire, could also be the result of unsuspecting users having been tricked into clicking malicious links. Updated with statement from Facebook. More →
A group of developers from Applidium posted a story recently that explains how the group was able to crack Siri so that they could run the virtual assistant on any device. Basically, the group was able to get Siri to analyze voice inputs that were never spoken through an iPhone. It turns out Siri uses TCP to speak to a server at 220.127.116.11 using port 443. Applidium then logged on to a desktop computer, entered in that IP address, and realized that Apple was returning a server named “guzzoni.apple.com” and that Siri was using HTTPS as its protocol. Putting it simply, the group then created a fake guzzoni.apple.com address and tricked Siri into sending commands there instead of to Apple’s own server. Applidium discovered that Siri sends Apple a time stamp for each word spoken, as well as a reply confidence score, and described the software as “very, very chatty.” It is possible to get the software working on an Android device, or any similar gadget, but you’ll need at least one iPhone 4S identifier and some coding know-how. The hackers published a set of tools that it says can be used by anyone to create Siri-enabled applications and is encouraging fellow hackers to try the tools out and see what they can develop. “And let’s see how long it’ll take Apple to change their security scheme,” the group jested.
Apple is working on solutions that will help to improve the text input experience on its iOS devices. The Cupertino, California-based company has been discovered to be building an enhanced version of its autocorrect feature, the beginnings of which are currently hidden within the publicly available version of iOS 5, that adds suggested words above the iOS keyboard as users type. The functionality works much like the solutions currently found in Android or Microsoft’s Windows Phone platform, and it is viewed by many as a much-needed addition to Apple’s mobile OS. Read on for more. More →
A major security flaw in Apple’s iOS operating system that could allow hackers to remotely gain unauthorized access to an iPhone, iPod touch or iPad has been uncovered by a security expert. Described by Forbes as a “serial Mac hacker,” Accuvant LABS computer security researcher Charlie Miller has uncovered a security flaw that allows hackers to build apps that look legitimate and pass through Apple’s App Store approval process. Using a code-signing vulnerability, however, the malicious apps will automatically connect to a remote server following installation and download new unapproved code that might grant hackers access to system files, personal data and a host of unauthorized functionality. Read on for more. More →
Siri, secure yourself. If only that command worked; as it turns out, the popular virtual assistant feature on the iPhone 4S that allows users to schedule appointments, search the web, check the weather and more, may be a security threat to users who want to keep private information away from prying eyes — and ears. CNET discovered that Siri’s default security setting allows users to access the iPhone 4S feature even when the phone is locked. That means if you leave your iPhone in a cab, for example, a thief could easily access your address book, appointments and other personal information. Thankfully, there is an easy way to turn the setting off. Simply visit Settings and click General, then click Passcode Lock and toggle the option for “Allow access to Siri when locked with a passcode” to Off. The iPhone 4S will now require the the phone to be unlocked before it allows access to Siri. More →
Following a period of peace after weeks of cyberattacks launched against various Sony-run online networks, Sony has confirmed that hackers are once again targeting the company’s digital properties. The electronics giant said on Wednesday that it discovered a “large number” of sign-in attempts on its PlayStation Network, Sony Online Entertainment and Sony Entertainment Network between October 7th and the 10th. According to Sony, approximately 93,000 accounts were compromised when valid log-in details were verified during what appears to have been a brute force attack. The company says it has locked the affected accounts and that credit card data tied to the compromised accounts was not at risk. More →
A report was recently published by Android Police that suggests HTC’s Sense user interface has several major security flaws that provide HTC with access to SMS data, phone numbers, system logs, location information and much more. Worse, the flaw could potentially allow any third-party application to access the same private information without having permission from the user to do so. The security issue has been identified on the HTC ThunderBolt, EVO 4G and EVO 3D. “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible,” HTC said in a statement. “We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.” HTC addressed a browser privacy issue in June and also commented on another report in early September which suggested the Sensation and EVO 3D were spying on users. HTC responded to the browser issue with a fix and said the “spying” allegations were a result of an HTC “opt-in” feature that allows HTC to collect data so that it can improve its phones. More →
BGR has uncovered a major security flaw on AT&T’s version of the Samsung Galaxy S II that renders Android’s security lock feature completely useless. Using a simple workaround, the security hole allows anyone to bypass the unlock pattern, which normally denies users access to an Android device unless a preset pattern is drawn on a grid of nine dots spread across the device’s lock screen. The same flaw allows users to bypass PIN security as well. We have confirmed that the flaw exists on AT&T’s Galaxy S II and not on Sprint’s Galaxy S II, Epic Touch 4G, though it is currently unclear if other phone models are affected. Hit the break for details on the flaw.
Updated with statement from Samsung. More →
A breach of Dutch SSL certificate authority DigiNotar is reportedly much bigger than initially thought, with more than 200 digital certificates having been stolen in July by hackers who breached the company’s network. Using the stolen certificates, hackers can potentially intercept and even alter data Internet users believe to be secure and encrypted. “About 200 certificates were generated by the attackers,” Dutch security expert Hans Van de Looy told Computerworld, citing anonymous sources. Van de Looy says certificates for mozilla.com, yahoo.com and torproject.org were among those obtained by the hackers. Mozilla’s Johnathan Nightingale, director of Firefox development, confirmed the breach on Thursday. “DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” Nightingale said in a statement. BGR reported on Wednesday that the Iranian government has allegedly been using one of the stolen certificates to spy on Gmail users, and at that time the full extent of the DigiNotar breach was unknown. The compromised certificates have all revoked by DigiNotar, but not all Web browsers check for revoked certificates so the impact of this breach will likely be ongoing for some time. More →
A security expert at Italian security firm AIR Sicurezza Informatica claims to have found a security flaw in Google’s new social network that allows hackers to potentially use Google+ servers to execute DDoS attacks. Simone Quatrini explained the flaw on the IHTeam Security Blog, and he wrote a script that can perform the attack, repeatedly prompting Google’s server to send requests to the target site. DDoS attacks, or distributed denial-of-service attacks, flood a web server with requests in an effort to prevent it from functioning. Such attacks require appropriate resources and bandwidth to execute, and Google servers would obviously have more than enough of these resources to launch a significant attack. More →