$199 Wink Lookout Home Security Pack Bundles All-Wink Products for the First Time

Connected smart home company Wink on Tuesday announced its first home security bundle featuring all its own-brand products, rather than including compatible products made by other companies.

The Wink Lookout set includes two open/close sensors for use on doors and windows, a motion sensor with pet sensitivity for placement anywhere in the home, a siren and chime alarm with built-in flashlight, and the unifying Wink hub.


No subscription is required to use the products, which communicate through the hub and can be monitored using an updated Wink iOS app that features sensor-trip alerts, siren control, and an emergency services/trusted contact call option.

The new Wink home security bundle costs $199, which is significantly cheaper than the similar Nest Guard at $499. The Wink Lookout set will be available from October 31 at Home Depot and on Amazon. Sensors can be picked up individually for $29, as can the home motion sensor and siren, which cost $39 each. The set includes free shipping in the U.S. backed by a 30-day return policy.

(Via Engadget.)

Tags: security, Wink

Discuss this article in our forums

FBI Unable to Retrieve Encrypted Data From 6,900 Devices Over the Last 11 Months

The United States Federal Bureau of Investigation was unable to retrieve data from 6,900 mobile devices that it attempted to access over the course of the last 11 months, reports the Associated Press.

FBI Director Christopher Wray shared the number at an annual conference for the International Association of Chiefs of Police on Sunday.

During the first 11 months of the current fiscal year, Wray says the 6,900 devices that were inaccessible accounted for half of the total devices the FBI attempted to retrieve data from. Wray called the FBI's inability to get into the devices a "huge, huge problem."
"To put it mildly, this is a huge, huge problem," Wray said. "It impacts investigations across the board -- narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation."
Wray did not specify how many of the 6,900 devices the FBI could not access were iPhones or iPads running a version of Apple's iOS operating system, but encryption has been an issue between Apple and the FBI since last year when the two clashed over the unlocking of an iPhone 5c owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

The FBI took Apple to court in an attempt to force Apple to create a version of iOS that would disable passcode security features and allow passcodes to be entered electronically, providing the FBI with the tools to hack into the device.

Apple refused and fought the court order, claiming the FBI's request could set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately did not capitulate and the FBI enlisted Israeli firm Cellebrite to crack the device.

Following the incident, there was a push for new encryption legislation, but it largely fizzled out after it was described by tech companies as "absurd" and "technically inept." Apple's fight with the FBI is far from over, though, as there was no final resolution following the San Bernardino dispute.

At the conclusion of the FBI lawsuit, Apple said the case "should never have been brought" and vowed to continue to increase the security of its products.

"Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one or the other only puts people and countries at greater risk," Apple said in a statement.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


Discuss this article in our forums

Apple Says ‘KRACK’ Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

A KRACK attack proof-of-concept from security researcher Mathy Vanhoef

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

Using a key installation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.


Discuss this article in our forums

Major Wi-Fi Vulnerabilities Uncovered Put Millions of Devices at Risk, Including Macs and iPhones

Mathy Vanhoef, a postdoctoral researcher at Belgian university KU Leuven, has discovered and disclosed major vulnerabilities in the WPA2 protocol that secures all modern protected Wi-Fi networks.


Vanhoef said an attacker within range of a victim can exploit these weaknesses using so-called KRACKs, or key reinstallation attacks, which can result in any data or information that the victim transmits being decrypted. Attackers can eavesdrop on network traffic on both private and public networks.

As explained by Ars Technica, the primary attack exploits a four-way handshake that is used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

As a result, attackers can potentially intercept sensitive information, such as credit card numbers, passwords, emails, and photos. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

Note that the attacks do not recover the password of any Wi-Fi network, according to Vanhoef. They also do not recover any parts of the fresh encryption key that is negotiated during the four-way handshake.

Websites properly configured with HTTPS have an additional layer of protection, as all communications between the browser and the website are encrypted, but Vanhoef warned many can still be bypassed.

Since the vulnerabilities exist in the Wi-Fi standard itself, nearly any router and device that supports Wi-Fi is likely affected, including Macs and iOS devices. Android and Linux devices are particularly vulnerable since they can be tricked into installing an all-zero encryption key instead of reinstalling the real key.
This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key.
As a proof-of-concept, Vanhoef executed a key reinstallation attack against an Android smartphone. In the video demonstration below, the attacker is able to decrypt all data that the victim transmits.


iOS devices are vulnerable to attacks against the group key handshake, but they are not vulnerable to the key reinstallation attack.

Fortunately, the vulnerabilities can be patched, and in a backwards-compatible manner. In other words, a patched client like a smartphone can still communicate with an un-patched access point like a router.

Vanhoef said he began disclosing the vulnerabilities to vendors in July. US-CERT, short for the United States Computer Emergency Readiness Team, sent out a broad notification to vendors in late August. It is now up to device and router manufacturers to release any necessary security or firmware updates.

Despite the vulnerabilities, Vanhoef says the public should still use WPA2 while waiting for patches. In the meantime, steps users can take to mitigate their threat level in the meantime include using a VPN, using a wired Ethernet connection where possible, and avoiding public Wi-Fi networks.

Vanhoef is presenting his research behind the attack at both the Black Hat Europe and Computer and Communications Security conferences in early November. His detailed research paper (PDF) is available today.


Discuss this article in our forums

Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

A new research paper from Duo Security, shared by Ars Technica, reveals that a significant number of Macs are running out-of-date EFI versions, leaving them susceptible to critical pre-boot firmware exploits.


The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed.

The percentage of incorrect EFI versions varies greatly depending on the model. The late 2015 21.5" iMac had the highest occurrence of incorrect EFI, with 43 percent of systems running incorrect versions.

EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. EFI operates at a lower level than both the operating system and hypervisors, providing attackers with a higher level of control.
Successful attack of a system's UEFI implementation provides an attacker with powerful capabilities in terms of stealth, persistence, and direct access to hardware, all in an OS and VMM independent manner.
Duo Security found that 47 models capable of running OS X Yosemite, OS X El Capitan, or macOS Sierra, for example, did not have an EFI security patch for the Thunderstrike exploit publicly disclosed nearly three years ago.

The research paper noted that there seems to be something interfering with the way bundled EFI updates are installed alongside macOS, while some Macs never received EFI updates whatsoever, but it doesn't know exactly why.
There seems to be something interfering with the way bundled EFI firmware updates are getting installed, leading to systems running old EFI versions. We are not able to give an exact reason why, but there are significant discrepancies between the firmware version that is actually running on real world production systems and the version that is expected to be running, given the OS build. This means that even if your Mac is still receiving security patch support, there is a non-trivial chance that your system is not running the latest version, even though you thought it was installed.
While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that macOS High Sierra automatically validates a Mac's EFI on a weekly basis to ensure it hasn't been tampered with.
We appreciate Duo's work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.
In a related blog post, Duo Security said users should check if they are running the latest version of EFI on their Macs, and it has released a tool to help do so. It also recommends updating to the latest version of macOS High Sierra.


Discuss this article in our forums

Apple’s Latest Transparency Report Shows Jump in National Security Requests

Apple this week released its latest transparency report [PDF] outlining government data requests received from January 1, 2017 to June 30, 2017.

In the United States, Apple received 4,479 requests for 8,958 devices and provided data 80 percent of the time (in 3,565 cases). Worldwide, Apple received 30,814 requests for data from 233,052 devices and provided data 80 percent of the time (in 23,856 cases).

Overall demands for data were slightly down compared to requests during the same time period last year, but Apple disclosed a much higher number of national security requests that include orders received under FISA and National Security Letters. According to Apple, to date, it has not received any orders for bulk data.

Apple says it received 13,250 - 13,499 National Security Orders affecting 9,000 to 9,249 accounts. That’s up from 2,750 - 2,999 orders affecting 2,000 to 2,249 accounts received during the first half of 2016.


Though Apple attempts to be as transparent as possible in its reports, the government does not allow the company to release specific details when it comes to the number of National Security requests received, instead requiring a number range to be provided to customers. Apple uses the narrowest range permissible by law.

Apple lately has been making more of an effort to be clearer about the type of information governments around the world have asked for, and its last two reports, this one included, have been highly detailed.

Along with the total number of device requests and National Security Orders, Apple also provides data on a range of categories covering government requests for emergencies such as missing children, requests related to stolen devices, fraud requests, account deletion/restriction requests, civil non-government cases and account preservation requests, all of which can be viewed directly in the report.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


Discuss this article in our forums

macOS High Sierra Automatically Performs Security Check on EFI Firmware Each Week

Mac users who upgrade to macOS High Sierra will benefit from a significant new security feature that works in the background.


macOS High Sierra automatically checks a Mac's EFI firmware against Apple's database of "known good" data to ensure it hasn't been tampered with, according to a series of tweets from an Apple engineer.

The tweets have since been deleted, but a summary remains available on the Mac blog The Eclectic Light Company.
The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac's firmware against Apple's database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.
If the check fails, a prompt will appear with options to "Send to Apple" or "Don't Send." The selection is remembered in subsequent weeks.


The "eficheck" tool sends the binary data from the EFI firmware, and preserves user privacy by excluding data which is stored in NVRAM, according to The Eclectic Light Company. Apple will then be able to analyze the data to determine whether it has been altered by malware or anything else.

The database's library will be automatically and silently updated so long as security updates are turned on.

macOS High Sierra will be publicly released on the Mac App Store later today.

Related Roundup: macOS High Sierra
Tag: security

Discuss this article in our forums

Hacker Releases Firmware Decryption Key for Apple’s Secure Enclave

A hacker released what he claimed to be a firmware decryption key for Apple's Secure Enclave on Thursday, initially sparking fears that iOS security had been compromised.

Apple's Secure Enclave Processor (SEP) handles all cryptographic operations for the Apple Watch Series 2, the A7 processor that powers the iPhone 5s, the iPad Air, the iPad mini 2 and 3, and subsequent A-series chips. The encrypted SEP is completely isolated from the rest of the system and handles Touch ID transactions, password verifications, and other security processes on a separate OS to maintain data protection integrity even if the kernel has been compromised.

One of the ways the SEP does this is by generating a Unique ID (UID) for each device for authentication purposes. The UID automatically changes every time a device is rebooted and remains unknown to other parts of the system, further enhancing its security.

Beyond that, little is known about how the SEP actually works outside of Apple, but that's by design – the enclave's isolation serves to obfuscate it from the rest of the system, preventing hackers from rifling through its code to make it as secure as possible.


The decryption key posted on GitHub yesterday would not enable hackers to access data stored inside the Secure Enclave, but it could allow hackers and security researchers to decrypt the firmware that controls it and potentially spot weaknesses in the code.

Speaking to TechRepublic, the hacker that released the key claimed that Apple's effort to obfuscate the code was itself cause for concern.
"The fact that the SEP was hidden behind a key worries me," said xerub. "Is Apple not confident enough to push SEP decrypted as they did with kernels past iOS 10?" He added that while SEP is amazing tech the fact that it's a "black box" adds very little, if anything to security. "Obscurity helps security — I'm not denying that," he said, but added that relying on it for security isn't a good idea.

"I think public scrutiny will add to the security of SEP in the long run," xerub said, noting that was also his intention with releasing the key.
Xerub claimed it's theoretically possible that the decryption key could be used to watch the SEP do its work, which could potentially allow hackers to reverse-engineer its process and gain access to its contents, including passwords and fingerprint data. However, he admitted that a lot of additional work would need to go into exploiting the decrypted firmware.

It's still unclear what the longer term repercussions could be, but an Apple source who wished to remain anonymous told TechRepublic that the release of the SEP key doesn't directly compromise customer data.
"There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information," they said. "It's not an easy leap to say it would make getting at customer data possible."
More accurately, it makes research into the structure of the SEP possible, which could allow hackers to find flaws in its workings. Apple said it did not plan to roll out a fix at this time.


Discuss this article in our forums

‘Real People’ Don’t Need Encrypted Messaging Services, Claims U.K. Home Secretary

The U.K. home secretary Amber Rudd has argued that "real people" do not want secure end-to-end encryption on messaging platforms and are more concerned with usability and features than unbreakable security (via Yahoo News).

Rudd made her case in a newspaper article, published ahead of a meeting today with technology companies in San Francisco, where she will warn tech giants that their services are being misused by terrorists. Writing in The Daily Telegraph, Rudd said:
"Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?

"So this is not about asking the companies to break encryption or create so-called 'back doors'.

"Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie.

"Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."
Rudd's comments were immediately criticized by privacy campaigners, with civil liberties organization Big Brother Watch calling her viewpoint "at best naïve, at worst dangerous".

"Suggesting that people don't really want security from their online services is frankly insulting," said Renate Samson, chief executive of BBW. "What of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime."

"Once again the government are attempting to undermine the security of all in response to the actions of a few. We are all digital citizens, we all deserve security in the digital space."

Rudd is due to give her speech to tech companies like Twitter, Facebook, and Microsoft, in which she will urge them to do more to remove extremist content online or face new laws forcing them to do so.

Speaking to the BBC, Rudd said she wanted to work more closely with companies on encryption so that "where there is a particular need, where there is a targeted need" the government should be given access to metadata and encrypted content.

But Facebook's chief operating officer, Sheryl Sandberg, pushed back against that argument, and warned about pushing criminals into even harder to reach parts of the internet.

"If people move off those encrypted services to go to encrypted services in countries that won't share the metadata, the government actually has less information, not more," she said.

Tuesday's summit is the first gathering of the Global Internet Forum to Counter Terrorism, an organization set up by the major tech companies following recent terror attacks. Organization members are likely to resist any action that would result in compromised encryption, however.

In a joint statement, the companies taking part said they were co-operating to "substantially disrupt terrorists' ability to use the internet in furthering their causes, while also respecting human rights".

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


Discuss this article in our forums

Encrypted Chat App Telegram to Remove Terrorist Content Following Ban Threat in Indonesia

Telegram is to form a team of moderators to remove terrorist-related content from the encrypted messaging platform in Indonesia, after the country's government threatened to ban the app.

Indonesia's Ministry of Communications and Information Technology has already blocked access to the web version of the chat platform, citing concerns that it was being used to spread "radical and terrorist propaganda" in the country, according to Reuters.

"This has to be done because there are many channels on this service that are full of radical and terrorist propaganda, hatred, ways to make bombs, how to carry out attacks, disturbing images, which are all in conflict with Indonesian law," the communications ministry said in a statement on its website.
Telegram co-founder Pavel Durov said on Sunday that the service had blocked channels reported by the government and that it would take further action to remove the illegal content.
"We are forming a dedicated team of moderators with knowledge of Indonesian culture and language to be able to process reports of terrorist-related content more quickly and accurately," Durov said in a Telegram post quoted by Associated Press.
Telegram has been criticized by governments before for its use by terrorist groups to spread propaganda and recruit members. Last month Telegram agreed to provide basic information about the company to Russia after authorities threatened to block access to the service.

Despite pressure from governments, Telegram's founders have refused to bow to demands for backdoors into the platform for authorities to access encrypted messages, arguing that security and privacy are central tenets of the service.

Speaking to The Wall Street Journal on Sunday, Durov said Telegram is "heavily encrypted and privacy-oriented, but we're no friends of terrorists – in fact, every month we block thousands of ISIS-related public channels".

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


Discuss this article in our forums