Severe WiFi security flaw puts millions of devices at risk
Researchers have discovered a key flaw in the WPA2 WiFi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. The flaws, dubbed “Key Reinstallation Attacks,” or “Krack Attacks,” are in the WiFi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be “particularly devastating,” according to KU Leuven University’s Mathy Vanhoef and Frank Piessens, who found the flaw.
Here’s how it works. Attackers find a vulnerable WPA2 network, then make a carbon copy of it and impersonate the MAC address, then change the WiFi channel. This new, fake network acts as a “man in the middle,” so when a device attempts to connect to the original network, it can be forced to bypass it and connect to the rogue one.
Normally, WPA2 encryption requires a unique key to encrypt each block of plain text. However, the hack described in the Krack Attack paper forces certain implementations of WPA2 to reuse the same key combination multiple times.
The problem is made worse by Android and Linux, which, thanks to a bug in the WPA2 standard, don’t force the client to demand a unique encryption key each time. Rather, they allow a key to be cleared and replaced by an “all-zero encryption key,” foiling a key part of the handshake process. In some cases, a script can also force a connection to bypass HTTPS, exposing usernames, passwords and other critical data.
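To see why reusing a key and nonce combination is so damaging, and what a patched client does differently, here is an added example (not code from the researchers or from this article). It uses a toy SHA-256 keystream in place of WPA2's real cipher; the `Client` class, its methods and the sample frames are constructed for illustration.

```python
import hashlib
from itertools import count

# Constructed sample plaintexts (same length so they line up byte for byte).
P1 = b"GET /index.html HTTP/1.1"
P2 = b"password=hunter2&user=ab"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || block). A stand-in, not WPA2's cipher."""
    out = b""
    for block in count():
        if len(out) >= length:
            return out[:length]
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical Wi-Fi client that encrypts frames with (key, nonce)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> None:
        # Patched behaviour: a key that is already in use is not installed
        # again, so the nonce counter keeps counting upward.
        if self.patched and key == self.key:
            return
        # Unpatched behaviour: every install resets the nonce counter,
        # even when the key is the one already in use.
        self.key = key
        self.nonce = 0

    def send(self, plaintext: bytes):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)


def run_session(patched: bool):
    """Send one frame, receive the same key again, send a second frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.install_key(key)
    frame1 = client.send(P1)
    client.install_key(key)  # the same key arrives a second time
    frame2 = client.send(P2)
    return [frame1, frame2]


def nonce_reused(frames) -> bool:
    """Defender's check: did any nonce appear twice under one key?"""
    nonces = [n for n, _ in frames]
    return len(set(nonces)) != len(nonces)


def plaintext_xor_exposed(frames) -> bool:
    """True when ciphertext1 XOR ciphertext2 equals P1 XOR P2, i.e. the
    keystream cancelled out and the encryption no longer hides the data."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(P1, P2)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        print(
            "patched" if patched else "unpatched",
            "nonce reused:", nonce_reused(frames),
            "plaintext XOR exposed:", plaintext_xor_exposed(frames),
        )
```

The patched client still accepts the same handshake traffic as before; it only declines to reset its counter, which is why the fix interoperates with unpatched peers.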
The system takes advantage of a flaw in the “handshake” method to direct users to the malicious network. Neither WiFi passwords nor secret keys can be obtained, the researchers say, as the hack works by forging the entire network. As such, it can’t be used to attack routers, but hackers can still eavesdrop on traffic, making it particularly dangerous for corporations.
The researchers did a proof-of-concept attack on Android, and were able to decrypt all the victim’s transmitted data. They point out that this will “not work on a properly configured HTTPS site,” but will work on a “significant fraction” that are poorly set up. Other devices, like those running MacOS, Windows, OpenBSD and other operating systems, are affected to a lesser extent. “When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted,” say the researchers.
After earlier, more limited hacks, the WPA2 protocol has been suspect for a while, so many security folks were already bracing themselves for something bad. If you still doubt the seriousness of it, Alex Hudson, for one, is actually advising Android users to “turn off WiFi on these devices until fixes are applied.” He adds that “you can think of this a little bit like your firewall being defeated.”
As such, you can protect yourself to a great extent by sticking with sites that have solid, proven HTTPS security. And of course, the attack won’t work unless the attacker is nearby and can physically access your network.
The problem should be relatively easy to fix. A firmware change can force routers to require a dedicated certificate for each handshake, instead of relying on the one already generated. And, as the security researchers who discovered it say, “implementations can be patched in a backwards-compatible manner.”
That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa. Nevertheless, they also advise patching all your devices as soon as security updates are available. For more details about the hack, check this very detailed FAQ from Aruba Networks.
Via: Ars Technica
Source: Krack Attacks
Foxconn Ships First Batch of iPhone X Units
Apple manufacturer Foxconn has started shipping the first iPhone X units to countries in Europe and the Middle East, according to a Chinese report on Monday.
China-based Xinhuanet said the first batch of 46,500 units have already been shipped out from Zhengzhou and Shanghai to the Netherlands and the United Arab Emirates, respectively. However, the initial shipments of iPhone X units were much lower than previous iPhone models, according to the Chinese-language Commercial Times.
Although Foxconn has ramped up its output of iPhone X to 400,000 units a week recently from the previous 100,000 units, the increased production still cannot meet market demand, said the report, citing data from Rosenblatt.
Forecasts for iPhone X production have consistently pointed to lower-than-average numbers in the run-up to the smartphone’s launch on Friday, November 3. Last week an analyst with Taipei-based Yuanta Investment Consulting lowered his production estimate for the iPhone X to 36 million units, down from 40 million.
The revised forecast followed earlier warnings that Apple’s TrueDepth camera may be the main production bottleneck of the iPhone X ramp. KGI Securities analyst Ming-Chi Kuo has said the facial recognition system is “far more complex” than those on competing devices, which is making it challenging for Apple to achieve mass production.
Kuo said shipments of iPhone X components will likely ramp up in mid to late October. Meanwhile, customer pre-orders begin October 27, with the potential for them to exceed 40-50 million units, according to Kuo, further suggesting the phone could be hard to come by for some time. Lower adoption of the iPhone 8 and iPhone 8 Plus also indicates that many customers may be waiting for the iPhone X.
(Via DigiTimes.)
Drone collision: Canadian passenger plane suffers damage after direct hit
Why it matters to you
Fly your drone close to an airport or another off-limits location and there may be serious consequences.
A small drone struck a passenger jet in Canada last Thursday in the first incident of its kind in the country.
The Skyjet aircraft was making preparations to land at Jean Lesage airport in Quebec City when it collided with what is believed to have been a drone. The plane suffered minor damage but the incident was deemed so serious that Transport Minister Marc Garneau felt compelled to issue an official statement about it.
“This is the first time a drone has hit a commercial aircraft in Canada and I am extremely relieved that the aircraft only sustained minor damage and was able to land safely,” Garneau said.
The jet, which was carrying eight passengers on the flight from the city of Rouyn-Noranda, 370 miles north-west of Quebec City, is likely to have been a King Air 100 or King Air 200 model. Reports suggest it was flying at an altitude of 1,500 feet (457 meters) when the drone, model unknown, hit the aircraft. No arrests have yet been made.
The minister noted that while “the vast majority” of drone operators fly responsibly, anyone tempted to fly their machine near an airport is “endangering the safety of an aircraft, [which is an] extremely dangerous and serious offense.”
Growing fears about risky drone flights prompted the Canadian government to issue a set of interim guidelines in March that imposed strict limitations on drone operations near people, animals, and buildings, including airports. Violators could be hit with a $25,000 fine or a prison term. Or both.
Garneau said at the time that the potential for a catastrophic accident involving an airplane is “the kind of nightmare scenario that keeps me up at night.” After last week’s incident, the minister will be sleeping even less easily.
Canadian authorities said that so far in 2017, they have received reports of 1,596 drone incidents, with 131 considered to have been “of aviation safety concern.”
Earlier this month, a helicopter flying over New York City collided with a Phantom 4 drone, a popular consumer model made by drone giant DJI. After landing safely at an airport in New Jersey, parts of the mangled quadcopter were extracted from the body of the helicopter.
Federal Aviation Administration data compiled between February and September 2016 lists 1,274 possible drone sightings by U.S. air traffic facilities, compared to 874 for the same period a year earlier.
Rogue drone flights in off-limits locations are a growing headache for the authorities as the market for consumer machines continues to grow.
The challenge of dealing with rogue drones has spawned a new industry geared toward developing technology that takes control of the drone from the operator to remove it from the sky, while the Pentagon recently approved a policy allowing the U.S. military to shoot down rogue drones flying close to its military installations across the country.
Cooler Cannon is the can-tossing cooler you’ve been waiting for
Why it matters to you
If you’re looking for convenience when it comes to coolers, the Cooler Cannon could be the answer.
If the effort of walking over to the cooler to grab a beer is just too much for you to handle, then this can-tossing cooler is a contraption you’ll definitely want to have at your next party.
The Cooler Cannon looks like a regular cooler save for the hole in the top. It’s from there that the beer flies forth, allowing you to maintain your sitting or standing position as the beer sails through the air toward your waiting hand. Perfect.
Designed by Indiana-based Derek Hoy, the Cooler Cannon made its debut on Kickstarter in 2013, but while 84 expectant partygoers enthusiastically stumped up a total of $17,358 during the campaign, the sum fell well short of its $275,000 goal.
Older, presumably wiser, and possibly having consumed a good many beers flung from the cooler in the intervening years, Hoy is back with a refined design that replaces the Cooler Cannon’s remote controller with a smartphone app, enabling partygoers to summon a beer with a single tap. So now everyone at the party can join in.
Yes, the Cooler Cannon is once again going for glory, aiming to persuade canned-drink consumers (no, it doesn’t have to be beer) that it’s worth every cent of however much it finally goes on sale for, which, according to its website, could be for as little as $195.
The cooler holds up to 18 cans and can throw each one as far as eight feet. Just make sure you know which way it’s going to go before you hit the launch button, or someone could get a nasty surprise. Importantly, it takes just two seconds to reload each can into the firing mechanism, meaning no one will have to wait too long for their beverage (until you have to fill it up again 36 seconds later.)
Like any hefty cooler worth its salt, the Cooler Cannon also features a couple of wheels and a handle, so you can easily take it to your party spot from your car, and back again.
If you’re still of the opinion that the Cooler Cannon isn’t really that cool, then check out DT’s pick of the best alternatives. It’s never too early to start prepping your next summer party, is it?
Samsung’s cellular smart tag lasts for a week on one charge
Smart products have given us the tools we need to track personal items, and even loved ones. Want to know where your kids are? Buy them a custom smartwatch. Worried about losing your suitcase? Grab some connected luggage. Looking to keep a watchful eye over your pet? Get a webcam-integrated smart toy. But, as useful as they may be, they’re still restricted by their category. Sensing a gap in the market for a versatile product that can do all of the above, Samsung is releasing the Connect Tag.
The manufacturer claims the device is the first of its kind to use narrowband tech (NB-IoT, Cat.M1) — essentially a low-power network for smart products. That means it can last a whole week on a single charge. The square-shaped tag measures in at 4.21cm, and is 1.19cm thick — making it compact enough to clip on to your keys, kids’ backpacks, or dog collars.
The waterproof device boasts a geo-fence feature that alerts you when an item or person has left a set virtual zone. Of course, it also syncs with smart home appliances, allowing you to carry out simple controls, like turning the TV or lights on. However, it does have a few caveats: It only works with an Android app, with no mention of iOS support. Plus, it may not arrive in this part of the world till next year. And, there’s also no mention of price, which could prove critical for those looking to buy several. Its first stop will be South Korea, with Samsung promising to release the tag in more countries soon.
Source: Samsung
Artificial pancreas uses your phone to counter diabetes
If you live with type 1 diabetes, you have to constantly keep track of your blood sugar levels and give yourself just the right amount of insulin. It’s arduous, and more than a little frightening when you know that the wrong dose could have serious consequences. However, researchers might have a way to let diabetics focus on their everyday lives instead of pumps and needles. They’ve successfully trialed an artificial pancreas system that uses an algorithm on a smartphone to automatically deliver appropriate levels of insulin. The mobile software tells the ‘organ’ (really an insulin pump and glucose monitor) to regulate glucose levels based on criteria like activity, meals and sleep, and it refines its insulin control over time by learning from daily cycles. Effectively, it’s trying to behave more like the pancreas of a person without diabetes.
The simulated pancreas isn’t trying to hit a fixed glucose level, we’d add. Rather, it’s trying to keep that level within an acceptable range based on a predictive model.
The trial results were promising. A 12-week test saw “significant” improvements, including reduced levels of a key hemoglobin and less time spent in a hypoglycemic state. And these were already disciplined patients who knew how to take care of themselves — the algorithm was one step ahead of them. This doesn’t mean that diabetics will never have to think about insulin again, and there’s still plenty of testing and approvals necessary before an artificial pancreas like this can reach the market. If it does, though, it could reduce some of the stress in diabetics’ lives.
Source: Harvard, Diabetes Care
Canon’s G1 X Mark III is its first APS-C sensor compact
Canon has unveiled its first-ever APS-C sensor compact zoom camera, the 24.3-megapixel PowerShot G1 X Mark III. It’s much bigger than the last G1 X Mark II model, with a very similar body to the G5 X compact. It also features Canon’s fast and accurate dual-pixel autofocus and an all-new 2.36 million-dot OLED electronic viewfinder (EVF). To get those big-sensor bragging rights, however, Canon had to sacrifice a few key features from the last model and jack up the price significantly.
Gone is the versatile 24-120mm f/2.0-3.9 zoom lens of the last model (which had a smaller 1.5-inch sensor), replaced with a slower and shorter 24-72 mm f/2.8-5.6 model. It’s easy to understand why Canon did this — with a larger image circle, an equivalent lens would likely have been too large and heavy.
During a call, company engineers pointed out that with a larger sensor, the f/2.8-5.6 lens will still be capable of shallow depth-of-field, and is (a bit) faster than its DSLR or mirrorless kit lenses. Photographers will now have to decide, however, whether they want a big sensor or faster lens, like the one on the (cheaper) Sony RX100 V or the stellar f/1.4-2.8 model on the Panasonic LX10.
The 2.36 million dot EVF was a much-requested feature by owners of the last model, and the G1 X Mark III now has a 3.0-inch vari-angle touch display with touch and drag autofocus. With the dual-pixel autofocus and a Digic 7 image processor, the compact can now shoot at 7 fps with continuous AF tracking or 9 fps with fixed tracking. It also has five-axis optical stabilization and a new type of shutter release that Canon calls “more DSLR-like.”
The dual-pixel AF improves focus speed for both still and video images, but with a serious caveat next to its competition. As with other recent Canon models like the M100 mirrorless, the G1 X Mark III is limited to 1080p 60fps video, while rivals like Panasonic and Sony have cheaper compacts (the RX100 V and LX10) that can shoot 4K/30 fps and 1080p at 120 fps.
Other features include a new panoramic mode that can stitch up to seven photos together, either horizontally or vertically. There’s now WiFi, NFC and Bluetooth, making for easy pairing, photo transfers and remote live-view shooting of stills and video. Finally, there’s a new time-lapse mode that can automatically determine intervals and exposure.
The biggest pain-point for potential G1 X Mark III buyers is the price. It’s available in November 2017 for a stunning $1,299, a good $300 more than the RX100 V which, other than the sensor size, offers better specs across the board. If you really want an APS-C compact zoom, however, the G1 X Mark III is currently the only one in the world.
Dutch car ‘Nuon’ wins the World Solar Challenge for the third time in a row
Why it matters to you
Solar power has come a long way in the last 30 years, as the innovative designs of these race cars prove.
The World Solar Challenge is a grueling race through the Australian outback that runs more than 1,860 miles. It can last up to a week, and competitors can only use the power of the sun to propel their cars. This year is the 30th anniversary of the World Solar Challenge, which is held every two years, and the Flying Dutch team “Nuon” racked up their third straight victory in the Challenger class, finishing two hours ahead of their closest rival. Their winning time was 37 hours, 10 minutes, and 21 seconds, with an average speed of 55 miles per hour.
The University of Michigan Solar Car Team placed second, and the Belgian Punch Powertrain Solar Team came in third.
Started in 1987, the World Solar Challenge course stretches from Darwin on the north coast of Australia, all the way to the city of Adelaide on the southern coast. The cars race from 8 a.m. to 5 p.m. each day, and there are seven checkpoints along the route where the cars must stop for half-hour intervals. The teams can store a small amount of energy, but the majority has to come from solar power and the vehicle’s kinetic energy.
As the New Atlas noted, this year’s challenge was particularly difficult, with clouds and rain and occasional 60-mph winds. The drivers were advised by the team aerodynamics expert to position their solar car in a way that could take advantage of the winds just like a sailing ship.
In addition to the Challenger class, a Dutch team also took first place in the Cruiser class, which features a more practical blend of high-end technology and everyday functionality. Although the German team HS Bochum was first to finish, the Dutch team Eindhoven took first place due to a point system taking design, efficiency, innovation, and practicality into account.
Their five-seat family car “Stella Vie” had an average speed of 43 mph during the event. “These incredible solar cars have been designed with the commercial market in mind and have all the features you’d expect in a family, luxury or sporting car,” event director Chris Selwood told Phys.org. “This is the future of solar electric vehicles. When your car is parked at home it can be charging and supplying energy back to the grid.”
Someday, we may all be driving electric cars that get all their power from the sun and never need charging.
End of the headphone jack, rise of the audiophile

The end of the headphone jack has spurred an interest in high-quality audio components, but where does the madness stop?
Everything I do revolves around music. It’s always been this way — as a kid I would sit on the floor in my carpeted living room creating hours of mix tapes from my father’s classic rock cassettes, returning to my bed to close my eyes and exist between two worlds.
As a teenager, I spent nearly all of my money on headphones, poring through the Head-Fi forums to discover the best possible combination of music source, headphone brand, and emotional state. I amassed a collection of over-the-ear closed headphones and in-ear monitors, of custom amplifiers, DACs and cables. I paid attention to everything, and nothing was good enough. As I approached college and moved into a tiny dorm room, my headphone collection got sold to pay for textbooks and expensive coffee, for first dates and, inevitably, other technology. Though the iPod certainly catalyzed my regression to lower-quality portable audio, it was a confluence of factors that caused me to leave that addictive, expensive world behind.
I spent a long time building a collection of expensive audio equipment only to sell it and start all over again 15 years later.
That itch stayed dormant until a couple of years ago. I re-purchased a pair of headphones, the Beyerdynamic DT770, that I had worn so much as a teenager, the damn things had fallen apart; to push them, I dusted off a solid-state headphone amplifier that had been sitting in storage for over a decade.
But like the multitudinous reasons I left behind audiophilia in the early 2000s, the itch that caused me to re-up on a devastatingly expensive hobby has its roots in my current job, in reviewing phones. For so long — and I largely blame Apple for this — it was the “headphones in the box” appeal that made it useful to plug those recognizable white earbuds into the standard 3.5mm jack. The thin sound wasn’t necessarily good, but unless someone was curating a collection of high-quality MP3s, either ripped from an increasingly-ignored CD collection, or downloaded legitimately (or otherwise) from a trusted site, the returns on spending much more than a few dollars on a pair of nice headphones were largely wasted.
I’m not going to pretend that no one used good headphones between the years of 2001 and 2016 — that would be absurd. Of course high-quality equipment was popular and, in many cases, ubiquitous in the right circles. Lossless music files offset the potential inconveniences in leaving behind physical media for the digital. And wireless headphones, an expensive pipe dream when I was growing up, began sounding pretty good, even at prices 15-year-old me wouldn’t have balked at.
The iPod made it easy to carry thousands of songs in your pocket, and just as easy to forget what music was supposed to sound like.
But, ironically, the slow death of the headphone jack has, if not facilitated a resurgence in high-end equipment itself, brought the importance of quality components back into the conversation. Phones like the LG V30, Sony Xperia XZ1 and HTC U11 emphasize high-quality DACs and powerful amps as they would impressive cameras and multi-day battery life. The market is also being divided into those companies retaining the classic 3.5mm (Samsung, LG, Sony) and those that aren’t (Apple, Google, HTC).

For the most part, I use wired headphones at home and wireless on the go. Given how often I change devices, I can’t take for granted that a favorite pair of earbuds will work with the phone in my pocket, nor that I can remember to stuff one of the dozen dongles I’ve accumulated since the Moto Z shipped with one in the summer of 2016.
I also don’t stress too much about sound quality when I’m mobile; as I’ve grown older, I’ve come to accept that, unless I am actively reviewing a composition, music is for listening, not scrutinizing. As long as the Bluetooth connection is solid, the seal in my ears good, and the quality good enough to keep me engaged, I don’t much care if they’re $24 Ankers or $350 Sonys. Of course, the more expensive they are, the more I’m able to appreciate the subtleties in my favorite recordings, and the better the sound displacement, the less I am distracted by the outside world.
One of those great expensive headphones is from a Chinese company trying to compete with Sony and Bose in North America. The $350 FIIL IICONs (pronounced “Feel Icons”) are big, plastic, and unabashedly simple, but they have some of the best sound I’ve ever heard from a pair of wireless headphones. An accompanying app lets you tweak equalizer settings and adjust the intensity of the excellent active noise cancellation, too, which is nice, and a gesture area on the right earcup can adjust volume and switch tracks.
These days, I care more about how easy it is to listen to music for a long time than how good that music sounds.
I’ve also discovered — and stay with me here — neckbuds. I had largely dismissed the design after receiving and immediately hating a pair of LG Tone headphones from the G4 launch event in 2015, but I heard such good things about the 2017 refresh that I picked up a pair of the sub-$100 Tone Infinims and immediately fell in love. Neckbuds take the pressure off your head and ears by resting most of the equipment around the neck. They sound great, have easy-to-use controls and, most importantly, are incredibly comfortable to wear for long periods.

I’ve also thoroughly enjoyed testing and comparing the $129 Fitbit Flyer and Jaybird X3 headphones, which I’ve employed during my workouts to great effect. Unfortunately, I seem to have a weirdly-shaped left ear and can’t get a solid seal with either of them despite multiple sizes of tip, wing, and flange.
There’s also the V-Moda Crossfade 2 Wireless, which are currently my favorite wired and wireless headphone alike. At home, they stay in my solid-state amp hooked into my MacBook Pro, and are superb on trips and in places active noise cancellation isn’t necessary.
And, finally, I just indulged and bought myself a pair of dream headphones: the Sennheiser HD600s. Sort of. These are a custom-built version of those venerable open-back headphones from Massdrop, a company that works with brands to deliver improved or modified versions of existing audiophile products. Back when I was 15, all I wanted was a pair of HD600s, but they were way too expensive, and I didn’t have the equipment necessary to drive them properly. Now, a bit older with a fuller bank account — well, here goes nothing.
Here are a couple other things to keep in mind this week.
- The Pixel 2 and Pixel 2 XL launch on Thursday — can’t believe it’s only four days away. These phones intrigue me, and I can’t wait to see whether they live up to their lofty expectations.
- The hardware bug that led to the permanent disabling of the Google Home Mini’s top touch area is unfortunate, but won’t hurt sales. It’s just a silly, silly thing that could have been avoided.
- I think I’m finally getting closer to thinking about maybe kind of buying a VR headset.
- This, from Disney, is an amazing accomplishment. Kudos.
- You’ll be able to read about it tomorrow, but I really, really like the Sony Xperia XZ1. So does Andrew.
- This week’s podcast was really good, and addresses a number of important topics around privacy, security, and beer.
- 🙄
- 🤔
👋
-Daniel



