Election Systems Are Even More Vulnerable Than We Thought

Credit to Author: Louise Matsakis| Date: Sat, 10 Aug 2019 13:00:00 +0000

Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties.

Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.)

That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.

Last weekend, a gunman killed 22 people and injured 24 others when he opened fire at a Walmart store in El Paso, Texas. Police are investigating whether he published a white supremacist manifesto to the social media site 8chan shortly before the attack, as several previous mass shooters have this year. Earlier this week, internet infrastructure company Cloudflare pulled its support for 8chan, sending the site offline. Here’s the story of how 8chan came to be, and what scientists say can be done to prevent gun violence.

Facial recognition is suddenly everywhere. Should you be worried? Probably! WIRED also dug into court documents to tell the story of a Pakistani man who allegedly paid AT&T employees more than $1 million to “unlock” two million cellphones. The man has now been extradited to the United States, according to a DOJ indictment unsealed this week.

And there’s more. Every Saturday, we round up the security and privacy stories that we didn’t break or report on in depth, but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Election officials have long claimed that crucial voting systems never connect to the internet—and, therefore, that they're safe from hacking. But a group of security researchers told Motherboard this week they found what look like election infrastructure online in 10 states, including swing states like Wisconsin, Michigan, and Florida. The voting systems are made by Election Systems & Software, the top voting machine company in the US. Some of the equipment is used to transmit preliminary results on the night of an election, while other backend systems tabulate the official outcomes. ES&S claims the systems aren't connected to the public internet, but the research demonstrates how little federal election authorities understand about how voting technology actually works.

HYP3R was supposed to be one of Instagram’s “preferred marketing partners.” But according to a report in Business Insider, the San Francisco company was siphoning off data to create detailed consumer profiles, which included people’s locations, photographs, and more. Instagram has now taken HYP3R off its platform, and sent the firm a cease and desist notice. HYP3R disputes that it broke any of Instagram’s rules. The social media app, which is owned by Facebook, told Business Insider it also made a product change to prevent other companies from similarly scraping data in the future. But more than one year after the Cambridge Analytica scandal broke, the incident indicates that Facebook still needs to work to stop third parties from taking user data.

The cybersecurity firm Check Point Software Technologies says it’s identified a series of nasty bugs inside WhatsApp, according to a report in Bloomberg. The firm reportedly found three ways to covertly alter conversations, allowing someone to trick the person they're messaging. In one, which has been fixed, a person could send a fake private message to one member of a group chat disguised as a public message. When the person responded, their message would be shown to the entire group, instead of just the sender. The other two flaws have not been patched. WhatsApp disputes the issues amount to a security vulnerability, and said in a statement to Bloomberg that they’re “merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write.”

https://www.wired.com/category/security/feed/