Resources

In the confines of his small cell, Ovalbek Turdakun was watched 24/7. At any attempt to speak to others he was instantly told to be quiet, while lights in the room were on round the clock, making it impossible to know what time of day it was.

Turdakun and his fellow detainees in the Xinjiang camp were not watched by guards, but by software. Cameras made by the Chinese company Hikvision monitored his every move, according to an account he gave to US surveillance website IPVM.

More than a million of the same company’s cameras are in Britain’s schools, hospitals and police departments. Tesco, Costa Coffee and McDonald’s have purchased Hikvision cameras. They are present in a string of Government buildings.

Britain’s population is caught on CCTV more than any nation outside of China, with 6m cameras in use – one for every 11 people. Hikvision is the biggest provider of them.

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion. The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

By reverse engineering ProTrack and iTrack’s Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up. At that point, the hacker said he brute-forced ‘millions of usernames’ via the apps’ API. Then, he said he wrote a script to attempt to login using those usernames and the default password. This allowed him to automatically break into thousands of accounts that were using the default password and extract data from them.

In 2009 GM equipped 17,000 of its units with “remote ignition block,” a kill switch that can turn off the engine if the car is stolen. But that was just the beginning.

Imagine this: You’re leaving work, walking to your car, and you find an empty parking spot — someone stole your brand new Tesla (or whatever fancy autonomous car you’re driving). When you call the police, they ask your permission for a “takeover,” which you promptly give them. Next thing you know, your car is driving itself to the nearest police station. And here’s the kicker — if the thief is inside he will remain locked inside until police can arrest them.

This futuristic and almost slapstick scenario is closer than we think, says Chief Innovation Officer Hans Schönfeld who works for the Dutch police. Currently, his team has already done several experiments to test the crime-halting possibilities of autonomous cars. “We wanted to know if we can make them stop or drive them to certain locations,” Schönfeld tells me. “And the result is: yes, we probably can.”

The Dutch police tested Tesla, Audi, Mercedes, and Toyota vehicles, he reports, adding “We do this in collaboration with these car companies because this information is valuable to them, too.

“If we can hack into their cars, others can as well.”

Researchers have used a neural network to generate artificial fingerprints that work as a “master key” for biometric identification systems and prove fake fingerprints can be created.

According to a paper presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed “DeepMasterPrints” by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.

The researchers, led by NYU’s Philip Bontrager, say that “the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.” As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future.

In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.

Crucially, such systems do not blend all the partial images in order to compare the full finger against a full record; instead, they simply compare the partial scan against the partial records. That means that an attacker has to match just one of tens or hundreds of saved partial fingerprint in order to be granted access.

The second is that some features of fingerprints are more common than others. That means that a fake print that contains a lot of very common features is more likely to match with other fingerprints than pure chance would suggest.

Based on those insights, the researchers used a common machine learning technique, called a generative adversarial network, to artificially create new fingerprints that matched as many partial fingerprints as possible.

The neural network not only allowed them to create multiple fingerprint images, it also created fakes which look convincingly like a real fingerprint to a human eye – an improvement on a previous technique, which created jagged, right-angled fingerprints that would fool a scanner but not a visual inspection.

They compare the method to a “dictionary attack” against passwords, where a hacker runs a pre-generated list of common passwords against a security system.

Such attacks may not be able to break into any specific account, but when used against accounts at scale, they generate enough successes to be worth the effort.