Author: Zack Whittaker

Thousands of industrial refrigerators can be remotely defrosted, thanks to default passwords

Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost. More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply plugging in the default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems. Many of these vulnerable units are found in industrial refrigerators in restaurants, hospitals, and supermarkets and grocery stores from the U.K., Ireland, and as far away as Sweden, Germany and China. The researchers also found a pharmaceutical company in Malaysia and a cooling facility in Germany. Defrosting the refrigerators could lead to untold water damage, financial losses, and the destruction of inventory. In the case of high-value industries, that could amount to hefty losses.

[Image caption: The web interface of an industrial freezer at a Marks & Spencer in Hong Kong. (Image: TechCrunch)]

“The systems can be accessed through any browser,” said Rotem in his write-up, shared with TechCrunch before his public disclosure. “All you need is the right URL, which as our tests show, isn’t too difficult to find.” Rotem said defrosting a machine takes only a “click a button and enter the default username and password,” both of which are near-universal across the company’s devices. TechCrunch found several hundred refrigerators...


Apple tells app developers to disclose or remove screen recording code

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.” “We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added. It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister, and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity. Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking. Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it...


Apple rolls out software fix for Group FaceTime eavesdrop bug

Apple has pushed iOS 12.1.4 to iPhone and iPad users, fixing a security bug that allowed users to eavesdrop on people before accepting a FaceTime call. The software giant moved quickly to disable Group FaceTime on its servers to prevent anyone from exploiting the bug after news of the bug spread quickly on Twitter. After three days of downtime, Apple restored the video calling feature but promised that a software update would land this week. The update says that it “provides important security updates and is recommended for all users,” without specifically referencing the Group FaceTime bug. But in its usual separate notice detailing security updates, Apple confirmed the bug is fixed. “Today’s software update fixes the security bug in Group FaceTime,” said an Apple spokesperson. “We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.” The bug was initially reported to Apple by 14-year-old Grant Thompson and his mother,...


Segmented security startup Illumio raises $65M in Series E round

Illumio has raised $65 million in its latest round of funding led by J.P. Morgan Asset Management, the security startup has confirmed. The news comes just weeks after the company was expected to announce a $50 million Series E round, but was delayed after a late addition pushed the figure up. The datacenter monitoring and cloud security company focuses on network segmentation. By isolating critical applications and datacenters from the rest of the network, Illumio makes data leaks and breaches far more difficult to spread. That containment stops hackers from pivoting and navigating through a network in an “Equifax-style”...


Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data. Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how their users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers. Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did...


Justice Department: No evidence of vote hacking during 2018 election

There is “no evidence to date” that any foreign government had a material impact on voting machines or infrastructure during the 2018 midterm elections, according to a new classified report sent to the president. That’s the view from the Justice Department and Homeland Security, which were commissioned to report back following an order from President Trump last year to monitor the elections for foreign interference. According to a brief statement from acting attorney general Matthew Whitaker and Homeland Security secretary Kirstjen Nielsen, there is “no evidence to date that any identified activities of a foreign government or foreign agent...


Bots are cheap and effective. One startup trolls them into going away

Bots are ruining the internet. When they’re not pummeling a website with usernames and passwords from a long list of stolen credentials, they’re scraping the price of hotels or train tickets and odds from betting sites to get the best data. Or, they’re just trying to knock a website offline for hours at a time. There’s an entire underground economy where bots are the primary tools used in automating fraudulent purchases, scraping content and launching cyberattacks. Bots are costing legitimate businesses money by stealing data, but also hogging system resources and costly bandwidth. Clearly, the existing approach of playing...


Everything you need to know about Facebook, Google’s app scandal

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants. Confused about what happened? Here’s everything you need to know. How did all this start, and what happened? On Monday, we revealed that Facebook was misusing an Apple-issued certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules. The app, known simply as “Research,” allowed Facebook access to all the data flowing out of the device it was installed on. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason. It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users. Apple was angry that Facebook was misusing its special-issue certificates to push an app it already banned, and revoked it — rendering the app useless. But Facebook was using that same certificate to sign its other employee-only apps,...
