Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks


Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.

The Xiaomi M365 Electric Scooter comes with a mobile app that uses password-protected Bluetooth communication, allowing riders to securely interact with their scooters remotely for features like changing the password, enabling the anti-theft system, cruise control, eco mode, updating the scooter's firmware, and viewing other real-time riding statistics.

However, researchers found that, due to improper password validation at the scooter's end, a remote attacker up to 100 meters away could send unauthenticated commands over Bluetooth to a targeted vehicle without knowing the user-defined password.

"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password," Rani Idan, researcher with Zimperium zLabs, explains in a report shared with The Hacker News.

"The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state."
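The flaw described in the two quotes above is a design problem: the device accepts privileged commands without ever checking whether the connection has authenticated. The following is an added model (not Zimperium's PoC and not the M365's real protocol; command names and the challenge-response scheme are constructed) that puts the flawed design beside a device-side fix which tracks per-connection authentication state:

```python
import hashlib
import hmac
import os
# Constructed command names; the M365's real byte sequences are not modelled.
PRIVILEGED = {"LOCK", "SET_PASSWORD", "FIRMWARE_UPDATE"}

class VulnerableScooter:
    """Flawed design: the app checks the password, the device just trusts it."""

    def __init__(self, password: str):
        self.locked = False  # the password is never consulted device-side

    def handle(self, conn_id: int, cmd: str) -> str:
        # No authentication state exists, so any nearby connection can lock it.
        if cmd == "LOCK":
            self.locked = True
        return "OK"

class HardenedScooter:
    """Device-side enforcement: per-connection auth state set by a challenge."""

    def __init__(self, password: str):
        self._key = hashlib.sha256(password.encode()).digest()  # toy KDF
        self.locked = False
        self._nonces, self._authed = {}, set()

    def challenge(self, conn_id: int) -> bytes:
        nonce = os.urandom(16)
        self._nonces[conn_id] = nonce
        return nonce

    def authenticate(self, conn_id: int, response: bytes) -> bool:
        nonce = self._nonces.pop(conn_id, None)  # single use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self._authed.add(conn_id)
            return True
        return False

    def handle(self, conn_id: int, cmd: str) -> str:
        if cmd in PRIVILEGED and conn_id not in self._authed:
            return "ERR_UNAUTHENTICATED"  # refused regardless of payload
        if cmd == "LOCK":
            self.locked = True
        return "OK"

    def disconnect(self, conn_id: int) -> None:
        self._authed.discard(conn_id)  # auth state dies with the connection

def app_response(password: str, nonce: bytes) -> bytes:
    # What a legitimate app computes for the device's challenge.
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

The vulnerable model locks for any connection; the hardened one refuses privileged commands until the connection has answered a fresh challenge, and forgets that state on disconnect.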

By exploiting this issue, an attacker can perform the following attack scenarios:

  • Locking Scooters—A denial-of-service attack in which an attacker can suddenly lock any M365 scooter in the middle of traffic.

  • Deploying Malware—Since the app lets riders upgrade the scooter's firmware remotely, an attacker can also push malicious firmware to take full control of the scooter.

  • Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.

To demonstrate one of the attack scenarios, as shown in the video, the researchers developed a proof-of-concept (PoC) app that scans for nearby Xiaomi M365 scooters and locks them through the scooter's anti-theft feature, without authentication or the victim's knowledge.

"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 meters away," the researchers say.

The researchers also developed a PoC app for installing malicious firmware capable of accelerating the scooter, but out of concern for the safety of M365 riders, they will not publish that PoC.

Zimperium already reported their findings to Xiaomi two weeks ago. The Chinese company acknowledged them, saying that its team was aware of the issue and is working on a fix to address it.

Since there is no mitigation that users can deploy at their end, M365 Electric scooter riders are advised to install the patches as soon as they become available. Until then, they cannot do anything except avoid riding their scooters for a while.

Major iPhone FaceTime bug lets you hear the audio of the person you are calling … before they pick up


A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio. There’s a second part to this which can expose video too …

9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.

Here’s how to do the iPhone FaceTime bug:

  • Start a FaceTime Video call with an iPhone contact.

  • Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.

  • Add your own phone number in the Add Person screen.

  • You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.

In the UI it will look like the other person has joined the group chat, but on their actual device it will still be ringing on the Lock screen.


The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.

As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.

What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.)

Apple has said the issue will be fixed in a software update later in the week. Until then, if you are concerned, you should disable FaceTime in iOS Settings.

How to Speed up Mac? — 10 Steps to Improve MacBook Performance


Remember the feeling of a brand new Mac? A Mac without rainbow wheels. A Mac that didn’t cause headaches or frustration. Everything was just perfect! However, with all apps, documents, photos, and a full iTunes library, your Mac starts to act as if it’s hiking 20 miles uphill in the snow. We’ll show you 10 ways to speed up your Mac.

Here’s How to Speed Up Your Mac

These simple steps won't take much time, but will greatly help to improve your Mac's performance. If you do these activities regularly, you won't have to worry about the need to speed up your Mac again.

1. Find resource-hungry processes

Some apps are more power hungry than others and can slow your Mac to a crawl. To see which apps are eating up your system resources, use Activity Monitor. You can open it from the Utilities folder of your Applications folder, or use Spotlight to find it.

Activity Monitor details five different resources: CPU, Memory, Energy, Disk, and Network usage. If your Mac is running slowly, pay special attention to the CPU section. It shows how processes affect CPU (processor) activity. Click a column name, such as % CPU, to list all programs by the amount of CPU they’re using.


If you see that some app is using a lot of CPU power, you can close it from here by choosing the app with the mouse and clicking the X in the left-hand corner of the Activity Monitor.

2. Manage your startup items

It goes without saying that a clean startup helps speed up a slow Mac. When your Mac launches faster, it takes less time to do anything. No waiting for Safari, Chrome or Firefox to launch — they open instantly. How do you get such speed? Well, when your Mac boots up, it runs a lot of unnecessary apps. But it's quite easy to take control of this. Go to System Preferences > Users & Groups and click on your username. Now click on Login Items, select a program you don't immediately need when your Mac starts up, and click the "-" button below.


3. Turn off visual effects

A great tip when you wonder how to speed up your Mac is to turn off visual effects. Sure, they look pretty, but who cares if your Mac is running slowly? Turning off some of these features can greatly speed up your iMac or MacBook.

Here’s how to speed up a Mac by turning off some visual effects:

  1. Click System Preferences > Dock.

  2. Untick the following boxes: Animate opening applications, Automatically hide and show the Dock.

  3. Click on Minimize windows using and change Genie effect to Scale effect.


4. Repair disk permissions

When you install an app on your Mac, the software arrives as a package of files, including permissions that tell the OS which users can do what with specific files. These permissions are file settings that control the ability to read, write, or execute (open and run) the file. Over time, these permissions can get changed, and software that uses the file might not work correctly, which results in your Mac lagging. A quick and easy fix is to repair disk permissions.

Follow these steps to repair disk permissions:

  1. Open Disk Utility (Applications > Utilities).

  2. Choose your startup disk.

  3. Click the First Aid tab.

  4. Click Repair Disk Permissions to repair any inconsistent permissions.

Note that beginning with OS X El Capitan, there is no need to repair disk permissions. System file permissions are automatically protected, so it's no longer necessary to verify or repair permissions with Disk Utility. But if your Mac runs OS X Yosemite or earlier, repairing disk permissions can help speed up an old Mac.

5. Reindex Spotlight

If you recently updated your OS, you may have noticed the slowness that occurs while Spotlight is indexing. This normally takes only a few hours, and then your Mac will be fine. But sometimes the indexing gets stuck, leaving your Mac slow. To solve this problem, you need to reindex Spotlight by going to System Preferences > Spotlight and clicking on the "Privacy" tab.


Now drag your hard drive from Finder into the Privacy List. Once added, remove it by clicking the “-” sign. The indexing will start again, but hopefully, after a few hours, it will finish properly and boost your Mac speed.

6. Uninstall applications

Another proven way to speed up a MacBook Pro, MacBook Air or iMac is to uninstall the applications you don't need anymore. So how do you remove unwanted apps on your Mac? You may be surprised to find out that simply dragging them to the Trash is not enough: it leaves gigabytes of junk behind. Dragging documents and movies to the Trash works fine, but apps should be uninstalled completely.

7. Update your Mac (OS and hardware)

Typically, Macs take care of themselves. Having the latest software from Apple makes speeding up your Mac simple. To check your version of the operating system, click the Apple icon in the top left corner of your screen and then About This Mac. Make sure you have the latest macOS/OS X installed (or the latest you can install since not all Macs upgrade to macOS Mojave).


As for the hardware upgrade, as you’ve probably guessed, it is costly. But if your OS is the latest possible version and you’ve cleaned up the hard drive, and you still have troubles with speed, this could be your solution. Keep in mind that upgrading some hardware is not possible for certain Macs.

Upgrading to the latest OS and upgrading your hardware will typically solve a bunch of slowness issues.

8. Manage syncing photos to iCloud

You may be surprised by how much of your Mac's storage is taken up by photos. Syncing them to iCloud can take plenty of time and, as a result, slow down your Mac. You may think that deleting photos from your Mac would resolve the problem. But, unfortunately, that's not how iCloud Photo Library works: when you remove photos from your computer, they are also deleted from all your devices. So how do you speed up your Mac without losing your photos?

One possible solution is turning off iCloud Photo Library on your Mac. If you still want to back up your photos in the cloud, you can use another service, such as Dropbox or Google Drive. That's up to you! But note that taking control over how your photos sync to iCloud may speed up your Mac.

9. Restart your Mac

If your Mac is acting sluggish or some programs are failing to run, try to restart your computer. When you restart your Mac, it closes all running programs and offers to save any files you’re working on. Once you choose to save the file, your Mac will boot up again. The result is a refreshed Mac that should perform better.

To restart your Mac, do the following:

  1. Click the Apple menu button in the top-left corner of your screen.

  2. Click Restart.

  3. Click the Restart button in the pop-up menu to confirm.

If you need to reboot your Mac but want to reopen apps automatically after rebooting, check the Reopen windows when logging back in box in the pop-up menu.

10. Replace your HDD with SSD

You can breathe new life into your Mac by replacing its traditional hard drive with a solid-state drive. Adding an SSD will make your computer boot faster, copy files in the blink of an eye and make the system really fast when multitasking.

A word of caution: it’s recommended that you consult a professional before attempting any hardware upgrades yourself because the process is quite challenging. And don’t forget to make a complete backup of your data before replacing your HDD with SSD, so that you’ll be able to restore all important files if something goes wrong.

This Is What A Social Security Scam Sounds Like


Earlier this month, the FTC warned about a growing scam: people pretend to be from the Social Security Administration (SSA) and try to get your Social Security number or your money. That scam is now growing exponentially. To compare: in 2017, we heard from 3,200 people about SSA imposter scams, and those people reported losing nearly $210,000. So far THIS year: more than 35,000 people have reported the scam, and they tell us they've lost $10 million.

Here's what one of those scam calls sounds like:

Scammers are saying your Social Security number (SSN) has been suspended because of suspicious activity, or because it’s been involved in a crime. Sometimes, the scammer wants you to confirm your SSN to reactivate it. Sometimes, he’ll say your bank account is about to be seized – but he’ll tell you what to do to keep it safe. (Often, that involves putting your money on gift cards and giving him the codes – which, of course, means that your money is gone.)

Oh, and your caller ID often shows the real SSA phone number (1-800-772-1213) when these scammers call – but they’re faking that number. It’s not the real SSA calling.

Here's what to know:

  • Your Social Security number is not about to be suspended. You don’t have to verify your number to anyone who calls out of the blue. And your bank accounts are not about to be seized.

  • SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards. Anyone who tells you to do those things is a scammer. Every time.

  • The real SSA number is 1-800-772-1213, but scammers are putting that number in the caller ID. If you’re worried about what the caller says, hang up and call 1-800-772-1213 to speak to the real SSA. Even if the wait time is long, confirm with the real SSA before responding to one of these calls.

  • Never give any part of your Social Security number to anyone who contacts you. Or your bank account or credit card number.

If you get one of these calls, tell the FTC at ftc.gov/complaint.

New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps


Facebook's latest mishap — a programming bug in the Facebook website accidentally gave 1,500 third-party apps access to the unposted Facebook photos of as many as 6.8 million users.

Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users' private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories.

"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories," Facebook said.

What's worse? The bug even exposed photos that people had uploaded to Facebook but chose not to post, or didn't finish posting for some reason.

The flaw left users' private data exposed for 12 days, between September 13th and September 25th, when Facebook discovered and fixed the security blunder.

"Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos," Facebook said.


The social media giant has started notifying impacted users of the flaw through an alert on their Facebook timeline that their photos may have been exposed, which will direct them to its Help Center page with more information.

Facebook also says the social media network will soon be rolling out "tools for app developers that will allow them to determine which people using their app might be impacted by this bug."

Facebook also assures its users that the company will be working with app developers to delete copies of photos that they were not supposed to access.