Encryption

IoT Home Alarm System Can Be Easily Hacked and Spoofed (cybergibbons.com)

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."
Security

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports (bt.com)

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.

Hardware

C.H.I.P. vs Pi Zero: Which Sub-$10 Computer Is Better? (makezine.com)

Make Magazine weighs in on an issue that's suddenly relevant in a world where less than $10 can buy a new, (nominally) complete computer. Which one makes the most sense? Both the $9 C.H.I.P. and the newest, stripped-down Raspberry Pi model have pluses and minuses, but to make either one actually useful takes some additional hardware; at their low prices, it's not surprising that neither one comes with so much as a case. The two make different trade-offs, despite being just a few dollars apart in ticket price. C.H.I.P. comes with built-in storage that the Pi lacks, for instance, but the newest Pi, like its forebears, has built-in HDMI output. Make's upshot? The cost of owning either a C.H.I.P. or a Pi is a bit more money than the retail cost of the boards. Peripherals such as a power cable, keyboard, mouse, and monitor are necessary to accomplish any computer task on either of the devices. But it turns out the $5 Raspberry Pi Zero costs significantly more to operate than the Next Thing Co. C.H.I.P.
Security

900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

An anonymous reader writes: Embedded devices of some 50 manufacturers have been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. SEC Consult has analyzed firmware images of more than 4000 embedded devices of over 70 vendors — firmware of routers, IP cameras, VoIP phones, modems, etc. — and found that, in some cases, there are nearly half a million devices on the web using the same certificate.
Hardware Hacking

Raspberry Pi Unveils New $5 Mini-computer

An anonymous reader writes: The Raspberry Pi Foundation unveiled the Pi Zero, a new $5 mini-computer, Thursday morning. The board is the smallest Raspberry Pi yet, containing the first-gen Raspberry Pi's BCM2835 chip (safely overclocked to 1GHz) and 512MB RAM. The latest issue of The MagPi will include a free Raspberry Pi Zero and hits U.K. newsstands Thursday. The announcement came just a few days before the highly anticipated C.H.I.P. $9 mini-computer goes on sale to the public. puddingebola writes: How can they achieve this price, you may ask? "Its 40-pin GPIO header has identical pinouts, although the pads on the circuit board are 'unpopulated,' meaning you'll have to solder on your own connector. The same goes for the composite video output: The connection is available, but if you need a socket, you must solder it yourself." Dude, go to Radio Shack. Some relevant specs besides those mentioned above, from the blog post linked:
  • Micro-SD card slot
  • mini-HDMI socket for 1080p60 video output
  • Micro-USB sockets for data and power
  • Identical pinout to Model A+/B+/2B
  • An unpopulated composite video header
  • "Our smallest ever form factor, at 65mm x 30mm x 5mm"

New submitter graffitiwriter adds a note that the newest Pi has "already been turned into a retro gaming console. It turns out the Pi Zero is more than capable of running Retro Pie and other emulators, and even has a video output that lets you play games on an old CRT TV."

Television

What Is the Future of the Television? (ben-evans.com)

An anonymous reader writes: Benedict Evans has an interesting post about where television hardware is headed. In the 1990s and early 2000s, the tech industry made a huge push to invade the living room, trying to make the internet mesh with traditional TV broadcasts. As we all know, their efforts failed. Now, we periodically see new waves of devices to attach to the TV, but none have been particularly ambitious. The most successful devices of the recent wave, like the Chromecast and Apple TV, are simply turning the TV into a dumb screen for streamed content. Meanwhile, consumption of all types of video content is growing on smaller screens — tablets, phones, etc. Even game consoles are starting to see their market eroded by boxes like the Steam Link, which acts as a pipe for a game being played elsewhere on a PC. It raises an intriguing question: where is the television headed? What uses and functions does one giant screen serve that can't be cleverly redistributed to smaller screens? Evans concludes, "The web's open, permissionless innovation beat the closed, top-down visions of interactive TV and the information superhighway."
Security

Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs (symantec.com)

An anonymous reader writes: Apparently even the easiest-to-remove ransomware is painfully hard to uninstall from smart TVs, if they're running on the Android TV platform, and many are. This didn't happen in a real-world scenario (yet), and was only a PoC test by Symantec. The researcher managed to remove the ransomware only because he enabled the Android ADB tool beforehand, knowing he would infect the TV with the ransomware. "Without this option enabled, and if I was a less experienced user, I'd probably still be locked out of my smart TV, making it a large and expensive paper weight," said the researcher.
Privacy

Green Light Or No, Nest Cam Never Stops Watching (securityledger.com)

chicksdaddy writes: How do you know when the Nest Cam monitoring your house is "on" or "off"? It's simple: just look at the little power indicator light on the front of the device — and totally disregard what it is telling you. The truth is: the Nest Cam is never "off" despite an effort by Nest and its parent Google to make it appear otherwise. That, according to an analysis of the Nest Cam by the firm ABI Research, which found that turning the Nest Cam "off" using the associated mobile application only turns off the LED power indicator light on the front of the device. Under the hood, the camera continues to operate and, according to ABI researcher Jim Mielke, to monitor its surroundings: noting movement, sound and other activity when users are led to believe it has powered down.

Mielke reached that conclusion after analyzing Nest Cam's power consumption. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times, Mielke said. But the Google Nest Cam's power consumption was almost identical in "shutdown" mode and when fully operational, dropping from 370 milliamps (mA) to around 340mA. The slight reduction in power consumption for the Nest Cam when it was turned "off" correlates with the disabling of the LED power light, given that LEDs typically draw 10-20mA.

In a statement to The Security Ledger, Nest Labs spokesperson Zoz Cuccias acknowledged that the Nest Cam does not fully power down when the camera is turned off from the user interface (UI). "When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," Cuccias wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." The privacy and security implications are serious. "This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns," Mielke wrote.

Handhelds

Ask Slashdot: What Single Change Would You Make To a Tech Product?

An anonymous reader writes: We live in an age of sorcery. The supercomputers in our pockets are capable of doing things it took armies of humans to accomplish even a hundred years ago. But let's face it: we're also complainers at heart. For every incredible, revolutionary device we use, we can find something that's obviously wrong with it. Something we'd instantly fix if we were suddenly put in charge of design. So, what's at the top of your list? Hardware, software, or service — don't hold back.

Here's an example: over the past several years, e-readers have standardized on 6-inch screens. For all the variety that exists in smartphone and tablet sizing, the e-reader market has decided it must copy the Kindle form factor or die trying. Having used an e-reader before all this happened, I found a 7-8" e-ink screen to be an amazingly better reading experience. Oh well, I'm out of luck. It's not the worst thing in the world, but I'd fix it immediately if I could.
Security

Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com)

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecurity Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make small modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.
Hardware Hacking

Hands-On With the Voltera V-One PCB Printer (hackaday.com)

szczys writes: Eric Evenchick was one of the first backers of the Voltera V-One PCB Printer and just received the 6th device shipped so far. He ran it through its paces and published a review that gives it a positive rating. The hardware uses conductive ink to print traces on FR4 substrate. The board is then flipped upside down and the traces baked on the machine to make them robust. Next the printer dispenses solder paste and the same heating method is used to reflow after components are placed by hand.
Security

It's Way Too Easy To Hack the Hospital (bloomberg.com)

schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.

Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."

Communications

Bluetooth 2016 Roadmap Brings Fourfold Range Increase and Mesh Networking (thestack.com)

An anonymous reader writes: The Bluetooth Special Interest Group (SIG) has announced its roadmap for Bluetooth Smart in 2016, promising a fourfold range increase in the low-energy, IoT-oriented version of the protocol, along with dedicated mesh networking, a 100% increase in speed and no extra consumption of energy. The last set of upgrades to the protocol offered direct access to the internet and security enhancements. Since Bluetooth must currently contend with attacks on everything from cars to toilets, the increased range means that developers may not be able to rely on 'fleeting contact' as a security feature quite as much.
Cellphones

Qualcomm Unveils Snapdragon 820 With Adreno 530 Graphics For Mobile Devices (hothardware.com)

MojoKid writes: Qualcomm held an event in New York City today to demonstrate for the first time its highly anticipated Snapdragon 820 System-on-Chip (SoC). More than just a speed bump and refresh of the Snapdragon 810, Qualcomm says it designed the Snapdragon 820 "from the ground up to be unlike anything else." Behind that marketing spin is indeed an SoC with a custom 64-bit quad-core Kryo processor clocked at up to 2.2GHz. Qualcomm says it delivers up to twice the performance and twice the power efficiency of its predecessor, which is in fact an 8-core chip. Qualcomm officials have quoted 2x the performance of their previous-gen Snapdragon 810 in single-threaded throughput alone, which is a sizable gain. Efficiency is also being touted here, and according to Qualcomm, the improvements it made to the underlying architecture translate into nearly a third (30 percent) less power consumption. That should help the Snapdragon 820 steer clear of overheating concerns, which is something the 810 wasn't able to do.
The Almighty Buck

Another $1 Million Crowdfunded Gadget Company Collapses (techcrunch.com)

An anonymous reader writes: In 2012, a company raised over a million dollars on Indiegogo to build a robotic dragonfly. It was originally supposed to be delivered in 2013. Unfortunately for backers, the company seems to be struggling to complete the project. They haven't been able to resolve issues with the drone falling apart after just a few seconds of flight. Unless they locate investors soon, they're going to run out of funds to continue work at full force. They're in the process of uploading all design work and their knowledge base, in case they have to officially cancel the project. They say some part-time work will continue as long as funds allow. The TechCrunch article warns, "This is just the latest example of how consumers need to be more careful with crowdfunding. There are no guarantees with crowdfunding and there is more risk involved than what's advertised."
Technology

Ask Slashdot: Smart Electronics For a Marathoner?

New submitter IMightB writes: My question is basically: what is the best smart watch style device for runners? Must-have features: GPS, Bluetooth and music storage for roughly 5 hours of use during a marathon. Pretty much everything else is a nice-to-have. My wife has recently decided to enter her first marathon and unfortunately, the other day during a training run her 7gen iPod Mini gave up the ghost due to moisture accumulating in the armband, and her Garmin Forerunner 15 only lasts about 3 hours with GPS on (despite manufacturer claims to the contrary). She would like to consolidate devices down to something with a watch-style format and start using a Bluetooth headset. I currently use, and really like, a pair of aging Jaybird JF3s for a Bluetooth headset and will probably recommend to her whatever Jaybird's current equivalent is in their lineup. But the watch portion is eluding me still. Based on my current research, the Sony SmartWatch 3 may be the only one that fits my wife's 'must-have requirements.' Are there other options available? Can anyone with marathon or distance running experience share their thoughts on this subject? Thanks in advance.
Security

How DMCA Rulemaking Has a Chilling Effect On Security Research (vice.com)

citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.
Businesses

How GoDaddy's Quest For Respect Led To an Improbable Partnership With MIT (fastcompany.com)

harrymcc writes: GoDaddy, the world's biggest domain registrar, remains most famous for its tacky Super Bowl ads and controversial founder, Bob Parsons. But in recent years, the company was sold, hired a CEO from Microsoft and Yahoo, and has made a major effort to reinvent itself as a serious, uncontroversial, technologically-savvy outfit. And now it's partnered with MIT's Media Lab in an ambitious experiment--which I wrote about over at Fast Company--involving placing sensors around downtown Boston to collect big data that could help the small businesses which line the city's streets.
Emulation (Games)

Hacking Jules Coaxes Android Wear To Run Nintendo 64 and PSP Emulators (androidpolice.com)

Espectr0 writes: YouTube user Hacking Jules would like you to see his collection of game emulators running on Android Wear. He manages to play classic 3D Mario and Zelda games running in a Nintendo 64 emulator on the original LG G-Watch, while also running Monster Hunter on the PPSSPP emulator. As the linked article admits, this is a work of passion rather than practicality -- if you actually want to play those games enjoyably, don't trade your console or conventional emulator for a smart watch.
Google

Google Wants To Monitor Your Mental Health (telegraph.co.uk)

New submitter Alypius writes: Dr Tom Insel, the head of the NIH, will be joining Google Life Sciences to research how wearable technology, already used for monitoring physical activity and sleep, can be expanded to cover mental health issues such as depression. Dr. Insel will also be researching how to integrate tech to monitor other aspects of day-to-day living such as calorie and alcohol consumption.