Month: August 2016

(credit: Frank Derks)

Over at Wired, Andy Greenberg reports that security researchers have discovered how to use software defined radio (SDR) to remotely unlock hundreds of millions of cars. The findings are to be presented at a security conference later this week, and detail two different vulnerabilities.

The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.

Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car.

We've come a long way since this was the norm. (credit: eBay)

Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans' mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week's Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.

Double trouble

Chip card technology—often called EMV for EuroPay, MasterCard, and Visa for the three companies that developed the chip card standard—is supposed to offer significant security benefits over the old magnetic stripe card system. Magnetic stripe cards have a static card number written into their magnetic stripe, and if a POS system is infected with malware, as was the case in the infamous Target and Home Depot hacks, then a malicious actor can take those card numbers and make counterfeit purchases with them. An EMV card, by contrast, uses a chip to transmit a dynamic number that changes with each purchase. That makes it a lot harder to steal a card number and reuse it elsewhere.

But that doesn’t mean it’s impossible. Late last year, security researcher Samy Kamkar demonstrated that he could calculate a replacement American Express card number based on the previous card number, replicate the credit card’s magnetic stripe information on a programmable chip, and use it to make purchases around town, much like the now-defunct Coin card. Kamkar was even able to do this with chip cards—the magnetic stripe on the back of every card has two tracks of data that tell card readers information like cardholder name, the card’s number, its expiration date, etc. Track 2 data will tell a card reader if the card has a chip and needs to be dipped—otherwise it can be swiped. Kamkar’s solution was to alter the Track 2 data and spoof the card reader to tell it that the card only has a magnetic stripe, no chip, thus bypassing the entry of a dynamic number.

(credit: Synology)

Storage vendor Synology this morning announced the availability of two additions to its rack-mounted storage appliance line-up: the 1U RS816, which has room for four internal disks, and the 2U RS3617xs, with 12 internal drive bays and up to 36 disks with additional enclosures.

Although it has been a while since we last did a review, Synology’s network attached storage (NAS) devices are pretty popular with Ars staff and readers. But these new rackmount offerings are meant for data centers, not home server closets—not unless you’re the kind of person with a 19" rack at home (and we know you folks are out there!). The 1U RS816 has a Marvel Armada dual-core CPU and a gigabyte of RAM on board, as well as a pair of gigabit Ethernet ports; the bigger RS3617xs uses a quad-core Intel Xeon E3-1230v2 CPU and comes with 4GB of ECC RAM and four gigabit Ethernet ports. The RS3617xs also has a pair of PCIe 3.0 8-lane slots which can each be filled by a 10Gbps Ethernet card.

On the low end, the RS816 lets you chop up your disks into a number of different redundancy schemes, including RAID 0, 1, 5, 6, and 10, and also Synology’s proprietary Synology Hybrid RAID containerized format (which lets you mix and match different sized disks without sacrificing as much space as with standard RAID layouts). The bigger RES3617xs doesn’t support Synology Hybrid RAID, but it does let you format its disks with the next-gen btrfs file system, which carries a number of advantages over the default ext4 file system.

(credit: CBS)

We still don't know much specific information about Star Trek: Discovery, the franchise's return to television after over a decade, but showrunner Bryan Fuller has dropped a few more hints during the Television Critics Association press tour this week.

According to TV Guide, the show's lead character will be a woman, but she won't be the captain of the USS Discovery. All iterations of Star Trek, especially from The Next Generation onward, have had an ensemble cast to some degree, but the commanding officer's perspective has usually been the most important.

"To see a character from a different perspective on a starship, who has a different dynamic [and] relationship with the captain and with subordinates, felt like it was going to give us richer context [and allow us to] have different types of stories with that character," said Fuller.

(credit: Epic Fireworks)

A trade group representing ISPs rejoiced over a court decision that allows states to limit the growth of municipal broadband networks.

The "decision is a victory for the rule of law," said Walter McCormick, president of the United States Telecom Association (USTelecom). "The FCC’s authority is not unbridled; it is limited to powers specifically delegated by the Congress, and it does not extend to preemption of state legislatures’ exercise of jurisdiction over their own political subdivisions."

The best way for the FCC to accelerate broadband deployment is to "eliminat[e] federal regulatory impediments to innovation and investment—where there remains to be much that can and should be done," he said.