A widely used infusion pump can be remotely hijacked, say researchers

An infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.

Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.

Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time.

But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, commonly used in pocket PCs before smartphones.

In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.

The researchers said it was also possible to remotely brick the onboard computer, knocking the pump offline.

The bug received a rare maximum score of 10.0 on the industry-standard Common Vulnerability Scoring System, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.3 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.

Creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multiple steps, access to the hospital network, knowledge of the workstation’s IP address and the capability to write custom malicious code.

In other words, there are far easier ways …

Google leaks its own phone

Details of the Pixel 4 have been swirling around this week, so Google decided to just leak the design of its next phone via its official Twitter account, revealing the backplate and new camera module on the smartphone.

“Well, since there seems to be some interest, here you go! Wait ’til you see what it can do. #Pixel4,” the tweet from the company’s verified @MadeByGoogle account read.

Renders of the Pixel 4 had leaked this week via smartphone blog Pricebaba.

The back of the phone makes some big changes. Most noticeable is the now-square camera module with a pair of lenses, a flash module and a couple of other sensor modules. Also noteworthy is the apparent lack of a rear fingerprint reader, in contrast to past models. There’s not much else evident here; they didn’t post renders of the device’s front.

Google’s Pixel 3 release kind of cemented that Google doesn’t stake much of the Pixel line’s strengths on hardware specs; it’s all about what machine learning software tricks it can leverage within those bounds.

On that note, it’s worth noting that Google has been pretty late to the two-camera rear-module setup; at past events the company has always justified this by suggesting that because of their software they can do more with one than most can do with two. This was clearly the case given the strengths of their cameras, but there are undoubtedly advantages to having dual cameras with different specs; it seems Google is now ready to take this plunge.


With antitrust investigations looming, Apple reverses course on bans of parental control apps

With congressional probes and greater scrutiny from federal regulators on the horizon, Apple has abruptly reversed course on its bans of parental control apps available in its app store.

As reported by The New York Times, Apple quietly updated its App Store guidelines to reverse its decision to ban certain parental control apps.

The battle between Apple and certain app developers dates back to last year when the iPhone maker first put companies on notice that it would cut their access to the app store if they didn’t make changes to their monitoring technologies.

The heart of the issue is the use of mobile device management (MDM) technologies in the parental control apps that Apple has removed from the App Store, Apple said in a statement earlier this year.

These device management tools give a third party control over and access to a device’s user location, app use, email accounts, camera permissions and browsing history.

“We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017,” the company said.

Apple acknowledged that the technology has legitimate uses in the context of businesses looking to monitor and manage corporate devices to control proprietary data and hardware, but, the company said, it is “a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device.”

Last month, developers of these parental monitoring tools banded together to offer a solution. In a joint statement issued by app developers including OurPact, Screen Time, Kidslox, Qustodio, Boomerang, Safe Lagoon and FamilyOrbit, the companies said simply, “Apple should release a public API granting developers access to the same functionalities that Apple’s native …

iOS 13 will let you limit app location access to ‘just once’

Apple will soon let you grant apps access to your iPhone’s location just once.

Until now, there were three options — “always,” “never,” or “while using,” meaning an app could be collecting your real-time location as you’re using it.

Apple said the “just once” location access is a small change — granted — but one that’s likely to appeal to the more privacy-minded folk.

“For the first time, you can share your location to an app — just once — and then require it to ask you again next time it wants,” said Apple software engineering chief Craig Federighi at its annual developer conference on Monday.

That’s going to be helpful for those who download an app that requires your immediate location, but you don’t want to give it persistent or ongoing access to your whereabouts.

On top of that, Apple said that the apps that you do grant location access to will also have that information recorded on your iPhone in a report style, “so you’ll know what they are up to,” said Federighi.

Apps don’t always use your GPS to figure out where you are. All too often, apps use your Wi-Fi network information, IP address, or even Bluetooth beacon data to figure out where you physically are in the world so they can better target you with ads. Federighi said it will be “shutting the door on that abuse” as well.

The new, more granular location-access feature will arrive in iOS 13, expected out later this year.


Oppo and Xiaomi tease under-screen selfie cameras for smartphones


The next innovation in mobile is peeking its head for all to see today after Chinese companies Oppo and Xiaomi both showed off under-screen cameras.

Apple’s notch set the ball rolling as a new way to pack a front-facing camera without compromising on the screen size, but it is already feeling dated. The industry has since given us smartphone cameras that pop out, flip up and slide out, while the hole-punch condenses the notch further still, but the next stage is going under the screen for full invisibility.

The benefits are obvious. There’s no compromise on the front screen, which is now 100 percent screen, and removing moving parts means no concern for potential damage — but can it be done well enough?

Oppo VP Brian Shen teased his company’s early effort on Weibo. The video, which was later shared by Oppo’s Twitter account, doesn’t have a lot of detail but it does show a hidden camera that takes a photo of the ceiling.

We don’t get a chance to delve into the quality of the image and it isn’t clear what device it was taken on, but already Shen claims the technology is showing promise.

“At this stage, it’s difficult for under-display cameras to match the same results as normal cameras, there’s bound to be some loss in optical quality. But, no new technology jumps to perfection right away,” he said, according to Engadget.

You’d imagine that a number of Chinese smartphone makers are hard at work bringing this design to reality. Proof of that comes from Xiaomi’s very hasty …