Samsung spilled SmartThings app source code and secret keys – TechCrunch

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.
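
The exposure described above came down to two things a repository scanner catches early: credential-format strings (AWS access key IDs, GitLab personal access tokens) and long, random-looking values assigned to secret-named variables, committed in plaintext or written into logs. The following is an added example written for this page, not tooling from Samsung, GitLab or the researcher: a small pre-commit-style scanner in Python. The regexes, the entropy threshold and the sample input (which uses AWS's published documentation example keys and made-up `glpat-` tokens) are this example's own assumptions.

```python
"""Added example: a minimal secret scanner for repository files and logs.

Flags credential formats that should never be committed or logged: AWS access
key IDs, GitLab personal access tokens, and high-entropy values assigned to
secret-looking names. Patterns and the entropy cut-off are assumptions made
for this example, not any vendor's official detection rules.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Specific credential formats (assumed regexes, chosen for low false-positive rates).
SPECIFIC_PATTERNS = {
    # AWS access key IDs begin with AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitLab personal access tokens carry the glpat- prefix (GitLab 14.5 and later).
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b"),
}

# Generic catch-all: a long opaque value assigned to a secret-looking variable name.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:secret|token|password|api_key|access_key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{20,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "random-looking"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix only, so the scan report does not itself leak the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, secret), values redacted, in line order."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": line_no, "kind": kind, "value": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group("value")
            if value in seen:
                continue  # already reported under a specific format
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                kind = "high_entropy_" + m.group("name").lower()
                findings.append({"line": line_no, "kind": kind, "value": redact(value)})
    return findings


# Constructed sample: a config fragment and a log line of the kind that leak in
# practice. The AWS values are the example keys from AWS's own documentation.
SAMPLE_TEXT = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_TOKEN = "glpat-EXAMPLEexample123456"
DB_PASSWORD = "placeholder_placeholder"
token = os.environ['GITLAB_TOKEN']
2019-04-10 12:00:01 INFO api call ok token=glpat-LOGexample0123456789"""


def demo() -> List[Dict[str, object]]:
    """Scan the constructed sample; lines 1, 2, 3 and 6 should be flagged."""
    return scan_text(SAMPLE_TEXT)


if __name__ == "__main__":
    for finding in demo():
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

The entropy gate is what keeps the generic rule quiet on placeholders like `placeholder_placeholder` while still catching a real 40-character AWS secret; reading a token from the environment (line 5 of the sample) produces no finding at all, which is the pattern the scanner is meant to push developers toward. Wiring `scan_text` into a pre-commit hook or a CI job over the diff is the usual deployment.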

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.



US declares Xiaomi a “Communist Chinese military company,” bans investments


The Xiaomi Mi 11. (Image: Xiaomi)

The latest shot in the US Government’s war on leading Chinese smartphone vendors is directed at Xiaomi, which today has landed on the US government’s list of “Communist Chinese Military Companies” via a new executive order. The declaration makes it illegal for US citizens to own Xiaomi stock.

The US and China have been trading blows for a year and a half now over Huawei, which was added to the “entity list” by the US Department of Commerce. While on the entity list, American companies can’t collaborate with Huawei or export products to it. It becomes illegal for Huawei to import any product of “US-Origin.” US Origin doesn’t just mean products made in the US by US companies; there’s also a “viral” component to the law, where any product made internationally with some US-origin components also counts as a US-origin product.

While Huawei got an all-encompassing ban, it doesn’t look like Xiaomi is in the same boat right now. Huawei landed on the Department of Commerce’s entity list, while Xiaomi is now on the Department of Defense’s list of “Communist Chinese Military Companies” (Huawei is also on this list). The DOD designation seems to only ban US investment in Xiaomi, and any American stakeholders need to divest their holdings by November 11, 2021. (Xiaomi is a public company and had an IPO back in 2018.) The suffocating supply chain restrictions that apply to Huawei don’t (yet?) apply to Xiaomi.

The DOD says the list is meant to “highlight and counter the People’s Republic of China’s (PRC) Military-Civil Fusion development strategy,” which the government says is a plan to funnel advanced technology to the Chinese Military through “PRC companies, universities, and research programs that appear to be civilian entities.”

Xiaomi has issued a response on Twitter, saying it “is not owned, controlled, or affiliated with the Chinese military, and is not a “Communist Chinese Military Company” as defined by the NDAA” (the NDAA is the National Defense Authorization Act that gives the DOD the power to make this list).

The IDC has Xiaomi as the number 3 smartphone manufacturer worldwide, behind Samsung and Huawei, and a spot ahead of Apple. Xiaomi regularly pumps out high-spec, low-cost Android phones to compete in the cutthroat Chinese and Indian markets. It started life as an Apple clone maker, but today Xiaomi is one of the fastest movers in the industry and regularly beats bigger companies in shipping new technologies and components to the market. It shipped the world’s first Qualcomm Snapdragon 888 phone, the Xiaomi Mi 11, and it’s leading the charge in under-display cameras. Being Chinese is a market advantage for Xiaomi. A company like Apple has to have US designers communicate to Chinese manufacturing across a 12-hour time zone difference and a language barrier, while Xiaomi’s Chinese designers and Chinese manufacturers can communicate more easily and quickly, allowing the company to develop products faster.

As Xiaomi may be the number 3 smartphone manufacturer worldwide, any kind of ban on the company in the US isn’t going to do much. Years ago, Xiaomi gave hints about entering the US smartphone market, but it never had the stomach to go through with it and instead only launched the US version of Mi.com as a seller of small accessories. In the US, you can buy a Xiaomi Android TV box, headphones, security cameras, and battery packs, along with stranger things like air purifiers, light bulbs, and toy robots.


Report: MagSafe will return in new Apple Silicon MacBook Pro models


This is the 16-inch MacBook Pro as it’s being sold now. According to today’s report, the new one will generally look quite similar.

According to a report in Bloomberg, Apple plans to launch new versions of its MacBook Pro laptops “around the middle of the year,” and these machines will feature speed and display enhancements, as well as a return of the MagSafe charging design seen in MacBook computers several generations ago.

Citing “a person with knowledge of the plans,” the Bloomberg story claims that Apple’s 13-inch MacBook Pro will get a 14-inch successor, just as the 15-inch MacBook Pro became a 16-inch model when the screen bezel was reduced to allow more screen real estate in a similarly sized chassis.

Both the 14-inch and 16-inch MacBook Pro are slated for the middle of the year and will incorporate Apple’s custom silicon. The company first introduced its own silicon with the M1 chip included in November refreshes of the low-end 13-inch MacBook Pro, MacBook Air, and Mac mini. The new machines described today would have a successor to Apple’s M1 chip with more CPU cores and “enhanced graphics.”

While the overall design of the laptops is not expected to be significantly different from current models (beyond the screen size in the smaller MacBook Pro), there is one major design change that may please fans of Macs prior to the Touch Bar and USB-C redesign introduced a few years ago: the return of the MagSafe charger.

Mac laptops once had charging cables that slotted easily into their ports, thanks to magnets, and were intended to gracefully disconnect without tugging on the laptop if someone pulled the cord or tripped on it. Over the past few years, the company purged this feature from its lineup, but it introduced a related tech using the same name in its iPhone 12 lineup last year.

According to the report, the MagSafe connector in the new MacBook Pro models will have a similar shape to that of MagSafe connectors in Macs of old. It will also allow the laptops to charge faster than before. The report does note that the computers will still have multiple USB-C ports as well, though.

The new MacBook Pros are also said to have brighter displays with better contrast. This report doesn’t explain how Apple will achieve this exactly, but recent supply-chain rumors and analysts have been predicting that Apple will incorporate Mini LED displays in its upcoming machines, which would likely produce that result.

Bloomberg’s source also says that Apple has been testing versions of the laptops without the Touch Bar, which was introduced to the lineup a few years back. The Touch Bar is a strip-shaped touch screen at the top of the keyboard that replaces the function keys with either virtual versions of those keys or other, app-specific functions.

While many apps support the Touch Bar, some power users have complained that they are not always as convenient as physical keys.

Finally, the report ends with a footnote that Apple plans to also update the MacBook Air with a new design but that it won’t arrive as soon as the MacBook Pro updates. It doesn’t outline any details about the MacBook Air redesign.


AMD claims new Ryzen 5000 mobile CPUs best Intel for gaming, content creation


As expected, AMD took to the CES stage this week to announce new laptop CPUs. Most of the new Ryzen 5000 mobile family of chips share similarities with the desktop CPUs the company announced a few months ago, and they’ll start shipping with laptops from some of the bigger computer-makers in February.

The new chips are divided into two sub-families, both at least in part based on 7nm Zen 3 tech: there’s the H-series, which is meant for high-end, performance-oriented gaming and content creation notebooks, and the U-series, which takes aim at Intel’s dominance in the ultraportable space with a greater focus on power efficiency.

The lineup’s biggest lifters are the Ryzen 9 5980HX and 5980HS. The former is a gaming-oriented chip that will be unlocked for overclocking in some machines. The latter, meanwhile, is tuned more for laptops made for creatives. Both of these (and all but two of the chips in the Ryzen 5000 mobile family) sport eight CPU cores and 16 threads at up to 4.8GHz.

Here’s a chart including specs for all the chips announced, from AMD’s website:

The AMD Ryzen 5000 mobile lineup.

The U-series lineup also includes 8-core chips, but as you can see, a couple of 6-core ones are in there, too. While AMD has been making rival Intel’s life difficult in performance-oriented machines of late, Intel still dominates the ultraportable space (for now), so AMD is surely hoping to achieve some growth there. To that point, AMD claims that the 5800U can deliver almost 18 hours of battery life for normal use cases and up to 21 for video playback. (Intel announced its own laptop chips this week, too.)

On the gaming side, AMD says the 5900HX beats Intel’s Core i9-10980HK by more than 20 percent in 3DMark, which certainly seems plausible given what we saw on the desktop side—though it would of course be wise to wait and see benchmarks from someone other than AMD.

OEMs have already started announcing laptops with these chips, so we expect to see those illuminating benchmarks as early as next month.
