How about using proper security instead
Public keys? Cryptography? Or anything that actually has been proven to work?
For f*** sake we are talking people's lives here and they decide to use an ugly hack as a substitute for security.
Researchers are looking to ultrasound waves as a way to prevent attacks on radio-controlled pacemakers. The plan - floated by doctors from the Swiss Federal Institute of Technology in Zurich and the French National Institute for Research in Computer Science and Control - uses ultrasound waves to determine the precise distance …
It's the same problem faced by battery powered gas meters, which must resist fraudulent communication (intended either to alter the stored measurements or to stop measurement by provoking unnecessary communication and hence flattening the battery).
The solution isn't rocket science and it doesn't need ultrasound or the combined intellect of the Swiss Federal Institute of Technology in Zurich and the French National Institute for Research in Computer Science and Control, unless their staff are especially incompetent.
From the Medical Device Link web site, "Devices more than 10 meters away would have to complete a series of authentication procedures. Other than in emergency situations (in which any device in close proximity would be granted access), devices trying to access personal data or give commands would basically have to be in the same room with the implantable device user."
10 meters, I'd have issues with authentication farther than 10 mm. 10 meters puts the attacker still two rooms away with full access.
"They found the devices were susceptible to ... remote attacks that drained the batteries"
So with their new solution whenever the device receives a correct rf signal, a microphone has to be used to determine the distance away the reader is - how does this help as it will still drain the battery with constant rf requests?
Whenever obscurity is used for security rather than good cryptography it almost always fails
WTF is this about? Why all this 'research'?
I mean, yeah, a trip down to any international airport will reveal legions of would-be murderers with laptops packing 'anti-pacemaker' software, won't it? I mean, they're everywhere, aren't they, the murderous bastards. You can usually spot them, since they have a 12 foot antenna poking out of their rucksack.
Why, I was only walking to the shop the other day to get some verruca powder, when a backwards cap wearing gap toothed yoof jumped out from behind a lamp post.
I tell you. He was fuckin' packin' serious heat man. He had an iPhone fully deathed-up with "I pwn u bitch (V1.1)". That wasn't the bad part though. He also had 'UR ASS IZ GRASS V2.0" - fully service packed.
I nearly shit myself.
Then I remembered - I don't have a pacemaker. So I told him to fuck off.
His face. The poor lad.
If you read the linked article, it's still a little confusing, but it's clear that proximity would be an additional safeguard, not the only form of authentication. Except if the device detects the patient is in trouble, then it would grant access to anyone *really* close (about 3 cm, it says). That sounds a lot better than the impression I first got from reading this article.
"10mm? They have to stick a probe pretty far up your arse to get within 10mm of the device......."
Now that would be a peculiar way to get there - and even if you were to go all the way up and come out of the other end, you'd probably never get within 10mm. Normally pacemakers are implanted just under the skin below the left collar bone. 10mm sounds about in the right ball-park for a transmitter placed on the skin just above the pacemaker.
Interesting paper here: http://www.secure-medicine.org/icd-study/icd-study.pdf
Some research into the potentially exploitable low-power state of iPhones has sparked headlines this week.
While pretty much no one is going to utilize the study's findings to attack Apple users in any meaningful way, and only the most high-profile targets may find themselves troubled by all this, it at least provides some insight into what exactly your iOS handheld is up to when it's seemingly off or asleep. Or none of this is news to you. We'll see.
According to the research, an Apple iPhone that goes asleep into low-power mode or is turned off isn't necessarily protected against surveillance. That's because some parts of it are still operating at low power.
End-to-end encryption (E2EE) has become a global flashpoint in the ongoing debate between the security of private communications versus the need of law enforcement agencies to protect the public from criminals.
The Register has written at length about this increasingly strident back-and-forth that is seeing proponents of both sides more entrenched in their beliefs.
London-based think tank the Royal United Services Institute (RUSI) released a report [PDF] this week laying out the contours of the privacy-vs-safety debate, weighing the needs and exploring possible solutions.
A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.
RATs are typically used by cybercriminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cybersecurity biz Cyble.
"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.
A Russian national was indicted in the US on Tuesday for allegedly running an online marketplace selling access to credit card, shopping, and web payment accounts belonging to tens of thousands of victims.
Igor Dekhtyarchuk, 23, who is on the FBI's Cyber's Most Wanted list, is suspected to be the mastermind of an underground cyber-souk dubbed "Marketplace A" by the US Department of Justice. The site, launched in 2018 and known as a carding shop in the cyber-security industry, sold login details for people's internet banking and retail accounts so that fraudsters could, for instance, go on spending sprees on a stranger's dime.
Marketplace A functioned like any other online store, and even had bundle deals, such as an offer to buy access to two online retail accounts and get some credit card information thrown in, for the same victim, it was claimed. The credentials were priced according to a victim's account balances; miscreants allegedly had to pay more for data associated with accounts with more money to steal from.
Three former US intelligence and military operatives broke America's weapons export and computer security laws by, among other things, helping the United Arab Emirates hijack and siphon data from people's iPhones, it emerged on Tuesday.
US citizens Marc Baier, 49, and Ryan Adams, 34, and ex-citizen Daniel Gericke, 40, were charged [PDF] with using "illicit, fraudulent, and criminal means, including the use of advanced covert hacking systems that utilized computer exploits obtained from the United States and elsewhere, to gain unauthorized access to protected computers in the United States and elsewhere and to illicitly obtain information ... from victims from around the world."
They also, according to the rap sheet, obtained and used people's passwords and authentication tokens to break into accounts and systems in the US and beyond. And they did all that "while evading the export control supervision of the United States government."
Register debate: Last week, we argued over whether or not the media, including El Reg, should stop using the word hacker as a pejorative.
This debate came about after infosec pro Alyssa Miller and a few others from the Hacking Is Not A Crime movement politely asked Register vultures on Twitter to quit using the h-word as a lazy shorthand for criminal.
We said we'd think about it. And we thought about it, and we thought about it some more. And in the end, since we're writing for you, we decided to put it to the audience: we published an article for and an article against the proposal, and let everyone vote for whichever side they agreed with.
An expert penetration tester working for the notorious cyber-crime gang FIN7 was sent down for seven years on Friday and told to cough up $2.5m for breaking into corporate computer systems.
Andrii Kolpakov, 33, a Ukrainian national, was cuffed by authorities in Lepe, Spain, in 2018, and extradited to the US in 2019. He was a high-ranking member of the crew, and served as its penetration tester from 2016 to 2018, looking for ways to exploit security vulnerabilities in businesses.
FIN7 injected malware into the networks of thousands of American food, hospitality, and gaming chains to steal customers' financial details. Millions of credit and debit card numbers were scraped and later sold to other miscreants online, who went on spending sprees.
Fans of 'cyber' flick Hackers can amuse themselves by visiting an exhibition of the characters’ costumes in London – but time is running short if you want to catch a glimpse of Angelina Jolie’s bizarre getups.
“Back in the future of 1995, the teen techno-thriller Hackers (directed by Iain Softley) burst onto cinema screens with its cyber phreak aesthetics, video game visuals and mind-bending techno soundtrack. For many, it was the vibrancy of the cartoon-like, surreal costumes that gave the film its unique identity, cult status and era-defining quality that still resonates today,” burbles the London exhibition’s description.
Hackers is remembered fondly by infosec greybeards for being one of the first mainstream depictions of computer hacking culture, and by film buffs for being Angelina Jolie’s first major role. The 1995 movie didn’t do very well at the box office, but has an endearing appeal among some cyberpunks and computer nerds alike.
The sheriff of a small city in Florida warned on Monday that hackers had tried to poison its water.
Pinellas County Sheriff Bob Gualtieri said Oldsmar's water treatment system, which serves roughly 15,000 people, was broken into by someone, via the internet, who had hoped to flood the supply with levels of sodium hydroxide more than 100 times the normal amount.
The miscreant gained access through remote-control software TeamViewer that was running on a PC at the plant, the sheriff told Reuters, and used that machine to ultimately attempt to jack up the levels of sodium hydroxide.
Biting the hand that feeds IT © 1998–2022