Security News

A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers. EHS8 modules are built for industrial IoT machines that operate in factories, the energy sector, and medical roles, and are designed to create secure communication channels over 3G and 4G networks.

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks. The proprietary subsystem is licensed for programming to OEMs and a small number of application developers, and the code running on DSP is signed, but the security researchers have identified ways to bypass Qualcomm's signature and run code on DSP. Vendors can build software for DSP using the Hexagon SDK, and serious security flaws in the development kit itself have resulted in hundreds of vulnerabilities being introduced in code from Qualcomm and partner vendors.

The Kr00k vulnerability disclosed earlier this has only been found to impact devices using Wi-Fi chips from Broadcom and Cypress, but researchers revealed this week that similar flaws have been discovered in chips made by Qualcomm and MediaTek. While Wi-Fi chips from Qualcomm, Ralink, Realtek and MediaTek are not vulnerable to Kr00k attacks, ESET researchers discovered that they are affected by similar flaws.

Vulnerabilities were found in a Qualcomm Snapdragon chip that could let attackers obtain photos, videos, call recordings, and other data on Android phones, says Check Point Research. A new report by cyber threat intelligence provider Check Point Research explains how vulnerabilities found in a chip in many Android phones could allow hackers to spy on users.

A recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards. Virtually all chip-based cards still have much of the same data that's stored in the chip encoded on a magnetic stripe on the back of the card.

Siemens this week announced that it is acquiring UltraSoC Technologies, a provider of embedded analytics and monitoring solutions for systems-on-chip. Founded in 2006 and based in Cambridge, UK, UltraSoC delivers instrumentation and analytics solutions embedding monitoring, cybersecurity and functional safety capabilities into core SoC hardware.

As far as we can see, the first wave of Intel processors that will include these new protections are the not-quite-out-yet CPUs known by the nickname "Tiger Lake", so if you're a programmer you can't actually start tinkering with the CET features just yet. Errors in using memory are one of the leading causes of software bugs that lead to security holes, known in the trade as vulnerabilities.

Known as Control Flow Enforcement Technology, or CET, the protections are designed to prevent miscreants from exploiting certain programming bugs to execute malicious code that infects systems with malware, steals data, spies on victims, and so on. There are various mitigations in place on modern systems, such as Data Execution Prevention, that stop hackers from injecting and executing malicious code into a program when a victim opens a specially crafted document or connects to a remote service.

If, for example, your program is reading through an array of data to perform a complex calculation based on all the values in it, the processor needs to make sure that you don't read past the end of your memory buffer, because that could allow someone else's private data to leak into your computation. The theory is that if the checks fail, the chip can just discard the internal data that it now knows is tainted by insecurity, so there's a possible performance boost without a security risk given that the security checks will ultimately prevent secret data being disclosed anyway.

Samsung on Tuesday unveiled a new security solution - composed of a secure element chip and security software - designed to enhance data protection on mobile devices. Samsung has described it as a "Standalone turnkey security solution" that provides protection for the booting process, isolated storage, mobile payments and other applications.