
Posts Tagged ‘vulnerability’

Security firm warns Android camera vulnerability lets hackers spy on phone owners

21 Nov

Security analyst firm Checkmarx has detailed the discovery of an Android security issue that enables hackers to access a smartphone’s camera app, existing videos and images, audio from the microphone and location information pulled from EXIF data. Though the issue has been fixed on Google and Samsung phones, it remains in many camera apps from other vendors.

The security researchers first analyzed the Google Camera app included on the Pixel smartphones. Upon discovering the security vulnerability, which involves ‘manipulating specific actions and intents,’ they found the same issue could be exploited in the Samsung Camera app included in its various smartphone models.

The vulnerability is extensive, according to the researchers. Hackers can access the camera app, use it to capture videos and photos even if the display is turned off or a call is in progress, and access content saved to the phone. In addition to accessing the images, hackers could pull the location information from image metadata and use that to locate the handset’s owner.

The exploit introduces a number of privacy issues for users; attackers could use the video recording functionality to record a phone call, for example, and could retrieve sensitive images from the user’s phone for blackmail purposes.

According to Checkmarx, Google confirmed that the issue isn’t limited to the Pixel phones and that it is working with its Android partners ‘to coordinate disclosure.’ Both Google and Samsung released fixes for the security issue in their respective camera apps before Checkmarx published its report. It’s unclear how many phones from other vendors may still be vulnerable to the exploit, however.

Articles: Digital Photography Review (dpreview.com)


DJI offering up to $30,000 ‘bounty’ to anyone who finds a critical software vulnerability

31 Aug

DJI is offering cash rewards to anyone who finds a significant bug in its software. The new bug bounty program offers financial incentives ranging from $100 to $30,000 in the hopes that researchers and users alike may find problems related to software security, flight safety, and app stability. This follows a leaked military memo that ordered the US Army to cease its use of DJI products over unspecified ‘cyber vulnerabilities.’

The alleged vulnerabilities cited by the military memo were found by the U.S. Army Research Lab and U.S. Navy, which ordered the U.S. Army to stop using ‘all DJI products,’ and news of the order stirred concerns in the private sector over whether DJI’s software was adequately protecting customers’ data. Around the same time, DJI introduced an offline mode that allows operators to limit a drone’s communications to just its controller.

DJI will soon launch a dedicated bug bounty website with a standardized form through which bug discoveries can be submitted. Until that time, the company advises individuals who have found a bug to report it to the ‘bugbounty@dji.com’ email address. Only qualified bugs will result in rewards, and specific terms will be detailed on the upcoming bug bounty website.

Press Release

DJI To Offer ‘Bug Bounty’ Rewards For Reporting Software Issues

Threat Identification Reward Program Will Address Software Concerns

August 28, 2017 – DJI, the world’s leader in civilian drones and aerial imaging technology, is establishing a “bug bounty” program to reward people who discover security issues with DJI software. The DJI Threat Identification Reward Program is part of an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.

“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI Director of Technical Standards Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”

The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.

Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware. Starting today, bug reports can be sent to bugbounty@dji.com for review by technical experts.

The DJI Threat Identification Reward Program is part of a renewed focus on addressing concerns about DJI product security, including new efforts to partner with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products. DJI is also implementing a new multi-step internal approval process to review and evaluate new app software before it is released to ensure its security, reliability and stability.

DJI has not previously offered formal lines of communication about software issues to security researchers, many of whom have raised their concerns on social media or other forums when they could not determine how best to bring these issues to DJI’s attention.

“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”

Articles: Digital Photography Review (dpreview.com)
