How to hack a buttplug

❝ Voting machines weren’t the only thing getting penetrated at DEF CON this year.

When most people think of the Internet of Things, they think about light switches, voice controllers, and doorbell cameras. But over the past several years, another class of devices has also gained connectivity — those used for sexual pleasure. One such device, the Lovense Hush, advertised as the “world’s first teledildonic buttplug,” became the subject of a Sunday morning DEF CON talk this year after a hacker named “smea” managed to exploit not only the device and its associated computer dongle, but software used with it for social interaction (read: people remotely playing with each other’s buttplugs)…

❝ The talk in Las Vegas’ Paris Hotel & Casino drew hundreds of largely hungover conference-goers who couldn’t help but chuckle at every mention of the word “buttplug.” But the implications for the sex toy industry are obviously quite serious, especially if exploiting a device enables an attacker to compromise the computer they’re linked to or spread malware via the buttplug’s accompanying social software — all of which smea demonstrated was possible live on stage.

That’s about as far as I let my curiosity wander on this topic. :-]

Hack your Roomba – with DOOMBA!

❝ The Roomba’s most sinister-sounding feature—recording maps of your home that iRobot CEO Colin Angle swears he will totally never sell to advertisers—can now be used for more overtly hellish purposes thanks to Doomba, a tool that converts Roomba maps for use in the 1993 shooter Doom…

❝ “I soon realized that there was a clear opportunity to serve the Dark Lord by conceiving a plethora of unholy algorithms in service to one of the finest works ever created in his name,” Rich Whitehouse wrote in a blog post. “Simultaneously, I would be able to unleash a truly terrible pun to plague humankind. Now, the fruit of my labor is born. I bring forth DOOMBA, a half-goat, half-script creature, with native binary backing for the expensive parts, to be offered in place of my firstborn on this fine Christmas Eve.”

Double Har.

There’s an Obvious Way to Hack Your Voice-Controlled Buddy

❝ Siri and Alexa can hear more than you can—and that’s a problem.

You may have thought that you’d be able to hear any rogue attempts to control your increasingly powerful voice assistant. But it turns out that the hardware and algorithms used to control devices like Amazon’s Echo speaker or Apple’s Siri can actually hear commands issued via ultrasound, which is above the range of human hearing.

❝ Researchers at Zhejiang University in China have shown that they can encode commands in high frequency sound that are still recognized by voice assistants. They take a regular human voice and use it to modulate an ultrasound signal—much like the way music can be encoded onto radio waves. Turns out, the mic on devices like an iPhone or Amazon Echo speaker can still detect the sound, and their signal-processing software also picks up the voice signals encoded on the wave.

❝ The researchers say that they have been able to activate Siri to initiate a FaceTime call on an iPhone, command Google Now to switch a phone to airplane mode, and even control the navigation system of an Audi. The same trick also works on Cortana and Alexa, too.

So, erm, those of us who have decided to cover the camera on our computing devices whenever we’re doing something we want kept private had better find easy and portable methods of keeping our devices from eavesdropping on us as well. Something simpler than carrying around a pillow.

Thanks, @SmartAlix

Feds Drop a Child Porn Case Rather Than Give Up a Hack


❝ The Department of Justice filed a motion in Washington State federal court…to dismiss its indictment against a child porn site. It wasn’t for lack of evidence; it was because the FBI didn’t want to disclose details of a hacking tool to the defense as part of discovery. Evidence in United States v. Jay Michaud hinged at least in part on information federal investigators had gathered by exploiting a vulnerability in the Tor anonymity network.

In other words, the feds are letting an alleged child pornographer free so that officials can potentially catch other dark-web using criminals in the future…

❝ For years now, federal investigators have used hacking tools to undermine the Tor anonymity network and identify suspects attempting to conceal their identities and actions. These Tor exploits help federal law enforcement agencies investigate serious crimes, particularly child porn rings on the dark web, that would otherwise be difficult to prosecute. But the DOJ will apparently go to extreme lengths to protect the disclosure of those exploits, raising new questions about the boundaries of investigative hacking…

❝ All that’s certain is that the feds have dropped a case against an alleged child pornographer, with some unknowable trade-off down the road.

Actually a tough question for law enforcement. Beyond the boundaries of the usual prosecutor. Interesting to see where this leads. If anywhere.

Computer scientists expose security flaw suppressed by Volkswagen

A major security flaw in more than 100 car models has been exposed in an academic paper that was suppressed by a major manufacturer for two years.

Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university were unable to release the paper after Volkswagen won a case in the high court to ban its publication.

The research team discovered car manufacturers including Audi, Citroën, Fiat, Honda and Volvo, as well as Volkswagen, had models that were vulnerable to “keyless theft” because a device designed to prevent the vehicles from being stolen could be disabled easily.

After years of formal and informal negotiations, Volkswagen has agreed to the publication of the paper after accepting the authors’ proposal to remove one sentence from the original manuscript.

Garcia and his colleagues Roel Verdult and Bariş Ege, from Radboud University in Nijmegen, said they found several weaknesses in the Swiss-made immobiliser system, called Megamos Crypto. The device works by preventing the engine from starting when the corresponding transponder – embedded in the key – is not present.

But the researchers showed it was possible to listen to signals sent between the security system and key, making the vehicles vulnerable to “close-range wireless communication” attacks.

The RAC said electronic security systems have improved car security as vehicle theft has fallen 70% in 40 years. However, the overall decrease hides a rise in electronic hacking of vehicles, which featured in four out of 10 car thefts in London last year.

The point of any hack like this lies with manufacturers revising their security. Sounds like VW was more interested in trying to keep the hack quiet instead of a fix.

Republican hack gets 2 years for directing Super Pac fund$ for candidate


One of his regular appearances on Fox News

A former Republican political operative was sentenced Friday to two years in prison and another two years of probation in the first criminal case of illegal coordination between a campaign and a purportedly independent political ally.

The reason for “former”, of course, is that he got caught.

Tyler Harber, convicted in February, told the court he knew he was guilty when he created and helped arrange for the super Pac National Republican Victory Fund to buy $325,000 in ads to help Republican Chris Perkins’ 2012 House campaign. He received $9,100 for setting up the deal. He had pleaded guilty to one count of coordinated federal election contributions and one count of making false statements to the FBI…

Prosecutors said he used an alias and other means to deflect inquiries by a political party official. He also admitted that he told multiple lies when interviewed by the FBI.

Federal prosecutor said Harber’s guilty plea and sentencing was “an important step forward in the criminal enforcement of federal campaign finance laws.”

It’s also the only conviction for a crime as common as white bread. The laws were re-written by rightwing flunkies on the Supreme Court. Existing standards for the Federal Election Commission are so wimpy as to hardly exist.

Getting rid of the Citizens United decision is one of the many tasks Congressional conservatives consider unimportant. Not that they work very hard at anything an American citizen might consider dutiful.

The response from leading Republicans like, say, Jeb Bush, is a call to set aside that portion of the law that calls for separation from anonymous donors and candidates for elected office.

Tyler Harber’s PAC? The National Republican Party Victory PAC.