IKEA releases its line of wireless charging furniture

The IKEA Wireless Charging furniture collection includes bedside tables, floor- and table lamps, desks and simple charging pads. Credit: IKEA

IKEA has launched its Wireless Charging collection of furniture, which has built-in Qi-enabled wireless chargers for compatible mobile phones.

In addition to offering bedside tables, floor- and table lamps, desks and simple charging pads, IKEA is also selling a DIY kit that lets users embed wireless chargers into furniture of their choice.

The furniture, and other items in IKEA’s wireless charging collection, ranges in price from $9.99 to $119.

The Wireless Charging collection will be rolled out globally, with U.S. stores seeing availability beginning in late spring, IKEA said today in a statement.

“With smartphones becoming such a natural part of our lives, we wanted the charging part to become a natural part of our homes,” Holly Harraway, IKEA’s lighting sales leader, said.

The furniture uses the most popular wireless charging specification, Qi, which is supported by brands such as Samsung and Energizer and has gotten an extension to its specification allowing it to charge devices at short distances.

Users can check whether their mobile phone is compatible with the Qi standard at the Wireless Power Consortium’s website.

The WPC with its Qi specification is up against two other industry organizations with their own wireless charging protocols: the Power Matters Alliance (PMA) and the Alliance for Wireless Power (A4WP).

To see more information and more photos follow this link to Computerworld for the full story.

Offline attack shows Wi-Fi routers still vulnerable

An attack can break into some common Wi-Fi routers, via a configuration feature.

A researcher has refined an attack on wireless routers with poorly implemented versions of the Wi-Fi Protected Setup that allows someone to quickly gain access to a router’s network.

The attack exploits weak randomization, or the lack of randomization, in a key used to authenticate hardware PINs on some implementations of Wi-Fi Protected Setup, allowing anyone to quickly collect enough information to guess the PIN using offline calculations. By calculating the correct PIN, rather than attempting to brute-force guess the numerical password, the new attack circumvents defenses instituted by companies.

While previous attacks require up to 11,000 guesses—a relatively small number—and approximately four hours to find the correct PIN to access the router’s WPS functionality, the new attack only requires a single guess and a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm.

“It takes one second,” he said. “It’s nothing. Bang. Done.”

The problem affects the implementations provided by two chipset manufacturers, Broadcom and a second vendor whom Bongard asked not to be named until they have had a chance to remediate the problem. Broadcom did not provide a comment to Ars.

Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom’s reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness.

The Wi-Fi Alliance could not confirm whether the products impacted by the attack were certified, according to spokeswoman Carol Carrubba.

“A vendor implementation that improperly generates random numbers is more susceptible to attack, and it appears as though this is the case with at least two devices,” she said in a statement. “It is likely that the issue lies in the specific vendor implementations rather than the technology itself. As the published research does not identify specific products, we do not know whether any Wi-Fi certified devices are affected, and we are unable to confirm the findings.”

The research, originally demonstrated at the PasswordsCon Las Vegas 2014 conference in early August, builds on previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most significantly, he found that the PIN needed to complete the setup of a wireless router could be broken into smaller parts and each part attacked separately. By breaking down the key, the number of attempts an attacker would have to try before finding the key shrank from an untenable 100 million down to a paltry 11,000—a significant flaw for any access-control technology.

Viehböck was not the only researcher to notice the flaws in the technology. Independently, Craig Heffner of Tactical Network Solutions discovered the issue and created a tool, Reaver, to use brute-force guessing of all 11,000 combinations to find the PIN. Ars Technica used the tool to confirm the original issue.

Bongard’s updated attack exploits the lack of randomization in the nonce, a number used to create the pseudo-random inputs to calculate the keys.

For more information follow the source link below.

Source: Ars Technica

Wi-Fi group attracts cable companies Charter, Liberty Global as new members

The importance of Wi-Fi to cable operators, mobile carriers and telcos is evidenced by the list of 14 companies joining the Wireless Broadband Alliance (WBA), whose mission includes enabling Wi-Fi interoperability and roaming. The group said the new members “have joined its efforts to unite the ecosystem and progress the development of carrier Wi-Fi throughout the world.”

The list includes U.S. cable MSO Charter Communications, international cable company Liberty Global, Saudi Arabian mobile operator Mobily, Australian telco Telstra and Canadian telco Telus. Alcatel-Lucent (NYSE: ALU), Broadcom and Gemalto are also among vendors on the list of new WBA members.

The new members are joining WBA “at a pivotal time when Next Generation Hotspot (NGH) networks are now a commercial reality and operators are reaping the benefits of an improved carrier-grade of Wi-Fi,” the group said. Cable operators, in particular, have aggressively jumped on the Wi-Fi bandwagon as they seek to extend their customer touch points beyond homes and businesses and offer a less expensive wireless data alternative to costly cellular data service.

“These new additions join at a critical time when the benefits of Wi-Fi have been fully recognized and solutions such as NGH, carrier Wi-Fi and community Wi-Fi have finally broken into the commercial world. Our new members play a crucial role in ensuring that consumers connecting to a Wi-Fi network will be exposed to the best user experience possible, regardless of time or location,” said Shrikant Shenwai, WBA CEO.

In February, the WBA rolled out its definition of carrier Wi-Fi, identifying the requirements that a carrier Wi-Fi network needs to provide a consistent user experience, have fully integrated end-to-end network capabilities and offer advanced network management. The alliance also collaborated with the Small Cell Forum on a white paper regarding next-generation hotspot-based integrated small cell Wi-Fi. The two groups are expected to maintain an ongoing collaboration that will produce more research.

Existing WBA members include early advocates of Wi-Fi and offloading from cellular to Wi-Fi, including AT&T (NYSE: T), Boingo Wireless, BT, Cisco Systems, Comcast, Intel, iPass, KT, NTT DoCoMo, Orange and Time Warner Cable. The WBA has more than 100 members from various parts of the Wi-Fi ecosystem. Its operator members collectively serve more than 1 billion subscribers and operate more than 10 million hotspots globally.

The fifth Wi-Fi Global Congress and 25th WBA Roundtable Conference will be held Oct. 6-10 in San Francisco.

For more information and the full press release follow the source link below. 

Source: Fierce Wireless

Attackers can slip malicious code into many Android apps via open Wi-Fi

A vulnerability mostly affecting older versions of Google’s Android operating system may make it possible for attackers to execute malicious code on end-user smartphones that use a wide variety of apps, researchers said.

The weakness resides in a widely used programming interface known as WebView, which allows developers to embed Web-based content into apps used for banking, entertainment, and other purposes. Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.

“The lowest impact attack would be downloading contents of the SD card and the exploited application’s data directory,” the researchers wrote in an advisory published earlier this week. “However, depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”

Researchers from several other security firms said they are also aware of the weakness, which can affect apps that run on Android versions 4.1 and earlier and don’t make proper use of the secure sockets layer (SSL) encryption protocol. Elad Shapira, a researcher with antivirus provider AVG, recently demonstrated how an app that has already been given permission to access SMS capabilities (a common setting with many legitimate apps) could be hijacked by malicious JavaScript code that sends expensive text messages to premium services.

Google representatives declined to comment for this story.

Cross-device attacks

Einar Otto Stangvik, a security consultant with Indev.no, said he has identified Android banking apps used in Norway that are also open to remote-code attacks that make users more susceptible to phishing attacks. He theorized that attackers might exploit the weakness by planting malware on a target’s PC that hijacks a smartphone when both devices are connected to the same network.

“I am confident that we’ll soon see many more cross-device attacks, where a compromised computer starts targeting cell phones on the internal network,” he wrote in an e-mail to Ars. “That is what makes the JavaScript interface leak scary, along with the amount of poor uses of SSL, or worse still: no SSL at all.”

The vulnerability stems from JavaScript-based programming interfaces exposed in many Android apps. The interfaces are the code equivalent of a highly restricted bridge that links sensitive parts of Android’s Dalvik virtual machine to the Web. If the interface isn’t fully contained inside an SSL connection, it’s possible for hackers to mimic the legitimate website and, in effect, gain unauthorized access to the bridge. From there, an attacker can inject malicious JavaScript into the app. MWR Labs researchers reverse engineered the 100 most popular apps on Google Play and found 62 of them that are “potentially vulnerable” to the exploit. Potentially vulnerable apps as defined by the researchers were those apps that were developed using libraries or programming interfaces known to expose unprotected JavaScript commands to a variety of third-party ad networks under many but not all circumstances.

The reports of the weak apps come almost a year after two academic reports uncovered wide-ranging deficiencies in the cryptographic protections in smartphone software. One found that Android apps used by as many as 185 million people contained holes that leaked login credentials and other sensitive data even though they were supposed to be protected by SSL. The other revealed a variety of apps running on Android and PCs that were fooled by fraudulent SSL certificates. It’s possible that similar defects could fail to protect code exposed in WebView objects even when developers think they’re properly contained inside an SSL channel.

The good news

While the vulnerability is potentially serious, there are several limitations that minimize the damage attackers can do when exploiting vulnerable apps. Chief among them is the fact that Android’s permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user. That will probably prevent the technique from being used to install malicious apps in most cases. As a backup, the “Verify Apps” setting available in all versions of Android could also be updated to stop malicious installations should attackers find a way to bypass the permissions and sandbox protections.

What’s more, Tim Wyatt, director of security engineering at smartphone security provider Lookout, said some researchers may be exaggerating the threat of attackers obtaining root privileges unless they can exploit a second, unknown vulnerability in Android’s permissions and sandbox protections.

Another mitigating factor: beginning with version 4.2 of Android, Google added new security enhancements that among other things introduced something called the @JavascriptInterface annotation. The annotation makes it easier for a developer to restrict the methods that can be called on a scriptable object. Unfortunately, it requires the developer to take explicit action to do so. If the developer fails to heed that advice, the app will remain vulnerable.

Still, while the weakness can largely be prevented in Android 4.2, users are protected only if developers of each app follow best practices. Additionally, the vast majority of users remain locked into carrier contracts that prevent them from upgrading. That means it’s up to app developers to follow best practices such as limiting the functionality exposed in JavaScript and securing communications channels for any WebView-exposing scriptable objects using SSL or its sister protocol, known as transport layer security (TLS). And as the MWR Labs researchers discovered, many widely used apps can’t be trusted to practice those common-sense guidelines.

“Exploiting this would require getting access to an exposed JavaScript object, and so in most cases, that would require hijacking content delivered by a server,” Tim Wyatt of Lookout told Ars. “It is therefore pretty critical that developers using JavaScript callbacks secure the delivery channels properly (e.g. using TLS with a proper certificate chain to prevent man-in-the-middle attacks).”
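The developer-side practices described above, as an added example (not code from the article or from any app it mentions): the bridge exposes a single annotated method, is registered only on Android 4.2 or later, and the WebView navigates only to HTTPS pages on one host and aborts on certificate errors. The class names, the host app.example.com and the bridge name "orders" are hypothetical.

```java
// Added example: HardenedBridgeActivity, OrderBridge, TRUSTED_HOST and the
// bridge name "orders" are hypothetical names chosen for illustration.
import android.app.Activity;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedBridgeActivity extends Activity {
    // Placeholder host: the only origin this WebView is allowed to navigate to.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Scriptable object: keeps the surface exposed to page script to one method. */
    static final class OrderBridge {
        // Callable from JavaScript because it is public and annotated.
        @JavascriptInterface
        public String getOrderStatus(String orderId) {
            // Arguments arrive from page script, so validate them as untrusted input.
            if (orderId == null || !orderId.matches("[0-9]{1,12}")) return "invalid";
            return lookupStatus(orderId);
        }

        // Not annotated: unreachable from JavaScript when the app targets API 17+.
        String lookupStatus(String orderId) { return "pending"; }
    }

    /** True only for https:// URLs on the trusted host. */
    static boolean isTrusted(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);

        web.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation: block cleartext and off-host pages.
                return !isTrusted(url);
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                // Never call handler.proceed(): a bad certificate chain ends the load.
                handler.cancel();
            }
        });

        // Before Android 4.2 the annotation is not enforced and every public method of a
        // registered object is exposed to script, so the bridge is not registered there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            web.addJavascriptInterface(new OrderBridge(), "orders");
        }
        setContentView(web);
        web.loadUrl("https://" + TRUSTED_HOST + "/orders");
    }
}
```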

Source: Ars Technica

Google knows nearly every Wi-Fi password in the world

If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide. 

Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets. 

Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords. 

Sounds like a James Bond movie.  

Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn’t change it. I suspect that many Android users have never even seen the configuration option controlling this. After all, there are dozens and dozens of system settings to configure. 

And anyone who does run across the setting cannot hope to understand the privacy implication. I certainly did not.

Specifically:

In Android 2.3.4, go to Settings, then Privacy. On an HTC device, the option that gives Google your Wi-Fi password is “Back up my settings”. On a Samsung device, the option is called “Back up my data”. The only description is “Back up current settings and application data”. No mention is made of Wi-Fi passwords. 

In Android 4.2, go to Settings, then “Backup and reset”. The option is called “Back up my data”. The description says “Back up application data, Wi-Fi passwords, and other settings to Google servers”. 

Needless to say “settings” and “application data” are vague terms. A longer explanation of this backup feature in Android 2.3.4 can be found in the Users Guide on page 374:

For details and more information click the source link below.

Source: Computerworld

Gogo announces new Ground to Orbit network to bring 60 Mbps internet to US flights next year

In-flight internet service Gogo announced today that it plans to bring new technology to partner airlines in the US that will provide more than 60 Mbps starting with Virgin America flights in the second half of next year. Dubbed “Gogo GTO” or “Ground to Orbit,” the new service offers a 20-fold increase in speeds up from the peak 9.8 Mbps delivered through Gogo’s current network.

“Because we are a Silicon Valley-based airline, Virgin America guests expect a fully connected in-flight experience that enables them to remain productive even at 35,000 feet,” said President and CEO of Virgin America David Cush. “We were proud to be the first to offer Gogo’s ATG-4 product last year and we are pleased to be the launch partner for GTO, which will be another leap forward in terms of speed and performance of in-flight Wi-Fi for our guests.”

Gogo will first have to get FAA approval before rolling out next year. But when it does, this is how it will work:

Gogo will be utilizing a Ku antenna developed specifically for receive only functionality.  The advantages of using satellite for reception only and Gogo’s ATG Network for the return link are unprecedented.  Existing two-way satellite antennas in the commercial aviation market have limited power for transmissions so they don’t interfere with other satellites.  This dynamic makes the connection from the aircraft to the ground using two-way satellite an inefficient and expensive return link compared to Gogo’s ATG Network. Gogo’s receive only antenna will be two times more spectrally efficient and half the height of other antennas in the commercial aviation market.  The low profile of the antenna will result in much less drag and therefore fuel burn on the aircraft and, ultimately, greater operational efficiencies for airlines.

Source: 9to5Mac

Car-to-Car Communication Put At Risk By FCC Wi-Fi Proposal

Technologies being developed to aid in communications between cars may be affected by the Federal Communications Commission’s plan to increase Wi-Fi spectrum.

Bands reserved since 1999 for car-to-car communication may become collateral damage in the FCC’s search for more wireless spectrum, potentially putting the future of self-driving vehicles at risk.

A letter from automotive trade associations has been sent to FCC Chairman Julius Genachowski in protest of the plans, reports Bloomberg. Parallels were drawn with the LightSquared wireless broadband network proposal, which was at first approved by the FCC, before it was discovered that the signals affected GPS equipment. By opening nearby spectrum to other devices, the possibility of crosstalk or interference with the allocated-to-automotive bands could effectively cause an accident to occur.

The systems currently being developed allow cars at short range to communicate automatically, with data such as speeds, changes in direction, and other important details being transferred between the cars, with the ultimate goal of reducing collisions and vehicular accidents. Currently undergoing testing in Ann Arbor, Michigan, inside 3,000 vehicles, the technology is said by automakers to cost as little as $100 per vehicle to install, both from new and as an after-market option.

The FCC will be voting on the Wi-Fi proposal on February 20th.

Source: Electronista

The LifeBot 5 Telemedicine Tool Allows Doctors to Read Data and Send Instructions to Remote Medics in Real-Time

While people such as emergency medical technicians and army medics are true lifesavers, there are times when they could benefit from the resources or expertise of a hospital-based physician. That’s where all-in-one portable telemedicine units like the LifeBot 5 come into play.

Although the device isn’t the only one of its kind, the LifeBot company claims that it is “the world’s smallest, lightest, most advanced portable mobile telemedicine system.”

Weighing in at 15 pounds (6.8 kg), it is able to monitor a patient’s heart rate, blood pressure and body temperature, plus it is capable of performing electrocardiography and ultrasound. It can also transmit video and audio. Future versions may additionally include a defibrillator.

Data is sent securely via 4G, 3G, LTE, WiMax, cellular, Wi-Fi, satellite, and/or data radio connections – the machine automatically selects whatever system(s) work best for the given situation. Remotely-located doctors are then able to view a patient’s vital signs and other data with a delay of only a few seconds, and offer real-time guidance to the on-site medical personnel. Multiple LifeBot units can also communicate with one another, allowing for collaborative efforts on difficult procedures.

The original version of the device was developed using Department of Defense grants of US$14 million from the Telemedicine and Technology Research Center and U.S. Army Medical Research and Materiel Command.

Prices for the LifeBot 5 begin at under $20,000.

Source: LifeBot
Via: Gizmag