thebaldgeek

I’m a little surprised that this hack took so long to find……

Turns out that some bluetooth activity monitors are wide open, making it pretty trivial to inject some code into them.
Here’s the clever bit. The next time your tracker syncs with your computer (to upload your steps taken or activity performed), it will also upload that extra bit of code, from there, well…… all your base are belong to us.

If you are interested in such exploits, you can read a bit more about it on the web in a few places.
One I pulled almost at random;
http://www.engadget.com/2015/10/21/fitbit-tracker-bluetooth-vulnerability/

Fitbit trackers have a whopper of a vulnerability that can let somebody within Bluetooth range quickly hack them, according to security company Fortinet. Worse yet, once the attackers are in, the device will infect any computer that tries to sync with the device.

The really really interesting bit is that you do not need physical contact with the device, you can do this over the air.
So, if you build yourself a nice high gain bluetooth antenna, say using a Pringles can… http://www.seeedstudio.com/recipe/177-pringles-can-antenna-with-a-linkit-one.html (Works with Bluetooth just as well as Wifi)… You could do this code injection into someone’s fitness tracker from so far away that they would never know you are even there……

My point is, I find it interesting to see just how on the edge our tech is.
(Is there an echo in this blog?).

For what ever reason I have always been interested in time. One of the first things I did when we arrived in the States was buy a wrist watch that had an atomic time synchronization feature.
(FWIW I got the CASIO titanium solar tri-sensor).

So it was only a matter of time (heh) till I wrote about NTP/SNPT for the Opto22 blog.
You can read it here.
Really enjoyed writing that blog, it checked all the stuff that I love.. Time, atomic time sources, computers and computer networks…. It does not get much better for a time geek.

Anyway, the thing is, NTP is not really secure. It is pretty old, and has a few gaps. But, its just a time synchronization server right, how much of a problem could that be?

Turns out…. A fair bit.

http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/

Serious weaknesses in the Internet’s time-synchronization mechanism can be exploited to cause debilitating outages, snoop on encrypted communications, or tamper with Bitcoin transactions, computer scientists warned Wednesday.

The vulnerabilities reside in the Network Time Protocol, the widely used specification computers use to ensure their internal clocks are accurate. Surprisingly, connections between computers and NTP servers are rarely encrypted, making it possible for hackers to perform man-in-the-middle attacks that reset clocks to times that are months or even years in the past.

It’s simply complicated. In short, if you change the time on some select (important) computers you can bypass when their security certificates expire.

Even worse, the attacks can be used to snoop on encrypted traffic or to bypass important security measures such as DNSSEC specification preventing the tampering of domain name system records. The most troubling scenario involves bypassing HTTPS encryption by forcing a computer to accept an expired transport layer security certificate.

Anyway, my point is, it’s interesting to me how close to the edge all our tech is.

Just a selfish smug gloating post here folks……

Turns out, sometime in the last few hours my video on voiding your warranty on your Android Wear Moto360 smartwatch ticked over 11,000 views.

I must admit I had largely forgotten about it.
Some Australian left a comment on it last night (the comment was on the doggy door in the background – go figure) and we geeked out a bit.
That’s when I noticed the view count.

UPDATE. My Smart Car door skin removal video is up at 26,767 views.

The rest of my videos have like 20 views, so I don’t have to worry about making my living by making videos.