The top smartphone trends to watch in 2019

This was a bad year for the smartphone. For the first time, its seemingly unstoppable growth began to slow.

Things started off on a bad note in February, when Gartner recorded its first year-over-year decline since it began tracking the category. Not even the mighty Apple was immune from the trend. Last week, stocks took a hit as influential analyst Ming-Chi Kuo downgraded sales expectations for 2019.

People simply aren’t upgrading as fast as they used to. This is due in part to the fact that flagship phones are pretty good across the board. Manufacturers have painted themselves into a corner as they’ve battled it out over specs. There just aren’t as many compelling reasons to continually upgrade.

Of course, that’s not going to stop them from trying. Along with the standard upgrades to things like cameras, you can expect some radical rethinks of smartphone form factors, along with the first few pushes into 5G in the next calendar year.

If we’re lucky, there will be a few surprises along the way as well, but the following trends all look like no-brainers for 2019.

5G

GUANGZHOU, CHINA – DECEMBER 06: Attendees look at 5G mobile phones at the Qualcomm stand during China Mobile Global Partner Conference 2018 at Poly World Trade Center Exhibition Hall on December 6, 2018 in Guangzhou, Guangdong Province of China. The three-day conference opened on Thursday, with the theme of 5G network. (Photo by VCG/VCG via Getty Images)

Let’s get this one out of the way, shall we? It’s a bit tricky — after all, plenty of publications are going to claim 2019 as “The Year of 5G,” but they’re all jumping the gun. It’s true that we’re going to see the first wave of 5G handsets appearing next year.

OnePlus and LG have committed to a handset and Samsung, being Samsung, has since committed to two. We’ve also seen promises of a Verizon 5G MiFi and whatever the hell this thing is from HTC and Sprint.

Others, most notably Apple, are absent from the list. The company is not expected to release a 5G handset until 2020. While that’s going to put it behind the curve, the truth of the matter is that 5G will arrive into this world as a marketing gimmick. When it does fully roll out, 5G has the potential to be a great, game-changing technology for smartphones and beyond. And while carriers have promised to begin rolling out the technology in the States early next year (AT&T even got a jump start), the fact of the matter is that your handset will likely spend a lot more time using 4G.

That is to say, until 5G becomes more ubiquitous, you’re going to be paying a hefty premium for a feature you barely use. Of course, that’s not going to stop hardware makers, component manufacturers and their carrier partners from rushing these devices to market as quickly as possible. Just be aware of your chosen carrier’s coverage map before shelling out that extra cash.

Foldables

We’ve already seen two — well, one-and-a-half, really. And you can be sure we’ll see even more as smartphone manufacturers scramble to figure out the next big thing. After years of waiting, we’ve been pretty unimpressed with the foldable smartphones we’ve seen so far.

The Royole is fascinating, but its execution leaves something to be desired. Samsung’s prototype, meanwhile, is just that. The company made it the centerpiece of its recent developer conference, but didn’t really step out of the shadows with the product — almost certainly because they’re not ready to show off the full product.

Now that the long-promised technology is ready in consumer form, it’s a safe bet we’ll be seeing a number of companies exploring the form factor. That will no doubt be helped along by the fact that Google partnered with Samsung to create a version of Android tailored to the form factor — similar to its embrace of the top notch with Android Pie.

Of course, like 5G, these designs are going to come at a major premium. Once the initial novelty has worn off, the hardest task of all will be convincing consumers they need one in their life.

Pinholes

Bezels be damned. For better or worse, the notch has been a mainstay of flagship smartphones. Practically everyone (save for Samsung) has embraced the cutout in an attempt to go edge to edge. Even Google made it a part of Android (while giving the world a notch you can see from space with the Pixel 3 XL).

We’ve already seen (and will continue to see) a number of clever workarounds like Oppo’s pop-up. The pinhole/hole-punch design found on the Huawei Nova 4 seems like a more reasonable route for a majority of camera manufacturers.

Embedded Fingerprint Readers

The flip side of the race to infinite displays is what to do with the fingerprint reader. Some moved it to the rear, while others, like Apple, did away with it in favor of face scanning. Of course, on devices that can’t register a full 3D face scan, that tech is pretty easy to spoof. For that reason, fingerprint scanners aren’t going away any time soon.

OnePlus’ 6T was among the first to bring the in-display fingerprint scanner to market, and it works like a charm. Here’s how the tech works (quoting from my own writeup from a few months ago):

When the screen is locked, a fingerprint icon pops up, showing you where to press. When the finger is in the right spot, the AMOLED display flashes a bright light to capture a scan of the surface from the reflected light. The company says it takes around a third of a second, though in my own testing, that number was closer to one second or sometimes longer as I negotiated my thumb into the right spot.

Samsung’s S10 is expected to bring that technology when it arrives around the February time frame, and I wouldn’t be surprised to see a lot of other manufacturers follow suit.

Cameras, cameras, cameras (also, cameras)

What’s the reasonable limit for rear-facing cameras? Two? Three? What about the five cameras on that leaked Nokia from a few months back? When does it stop being a phone back and start being a camera front? These are the sorts of existential crises we’ll have to grapple with as manufacturers continue to attempt differentiation through imaging.

Smartphone cameras are pretty good across the board these days, so one of the simple solutions has been simply adding more of them to the equation. LG’s latest offers a pretty reasonable example of how this will play out for many. The V40 ThinQ has two front and three rear-facing cameras. The three on the back are standard, super wide-angle and 2x optical zoom, offering a way to capture different types of images given that a smartphone camera in a thin form factor isn’t really capable of true optical zoom on its own.

On the flip side, companies will also be investing a fair deal in software to help bring better shots to existing components. Apple and Google both demonstrated how a little AI and ML can go a long way toward improving image capture on their last handsets. Expect much of that to be focused on ultra-low light and zoom.


Vulnerabilities in Supermicro BMCs could allow for unkillable server rootkits


If your organization uses servers that are equipped with baseboard management controllers from Supermicro, it’s time, once again, to patch seven high-severity vulnerabilities that attackers could exploit to gain control of them. And sorry, but the fixes must be installed manually.

Typically abbreviated as BMCs, baseboard management controllers are small chips that are soldered onto the motherboard of servers inside data centers. Administrators rely on these powerful controllers for various remote management capabilities, including installing updates, monitoring temperatures and setting fan speeds accordingly, and reflashing the UEFI system firmware that allows servers to load their operating systems during reboots. BMCs provide these capabilities and more, even when the servers they’re connected to are turned off.

Code execution inside the BMC? Yup

The potential for vulnerabilities in BMCs to be exploited and used to take control of servers hasn’t been lost on hackers. In 2021, hackers exploited a vulnerability in BMCs from HP Enterprise and installed a custom rootkit, researchers from Amnpardaz, a security firm in Iran, reported that year. iLOBleed, as the researchers named the rootkit, hid inside the iLO, a module in HPE BMCs that’s short for Integrated Lights-Out.

iLOBleed was programmed to destroy data stored on disk. If admins reinstalled the operating system, iLOBleed would remain intact and reactivate the disk-wiping attack repeatedly. The unknown attackers responsible took control of the BMCs by exploiting a vulnerability HPE had fixed four years earlier. In June, the National Security Agency urged admins to follow guidance to prevent such incidents.

Researchers from security firm Binarly on Tuesday disclosed seven high-severity vulnerabilities in the IPMI (Intelligent Platform Management Interface) BMC firmware. Supermicro has acknowledged the vulnerabilities, thanked Binarly, and provided patching information. There’s no automated way to install the updates. Supermicro said it’s unaware of any malicious exploitation of the vulnerabilities in the wild.

One of the seven vulnerabilities, tracked as CVE-2023-40289, allows for the execution of malicious code inside the BMC, but there’s a catch: Exploiting the flaw requires already obtained administrative privileges in the web interface used to configure and control the BMCs. That’s where the remaining six vulnerabilities come in. All six of them allow cross-site scripting, or XSS, attacks on machines used by admins. The exploit scenario is to use one or more of them in combination with CVE-2023-40289.

In an email, Binarly founder and CEO Alex Matrosov wrote:

Exploiting this vulnerability requires already obtained administrative privileges in the BMC Web Interface. To achieve it, a potential attacker can utilize any of the XSS vulnerabilities we found. In such a case, the exploitation path will look like this potential scenario:

1. an attacker prepares a malicious link with the malicious payload
2. includes it in phishing emails (for example)
3. when this click is opened, the malicious payload will be executed inside BMC OS.

Admins can remotely communicate with Supermicro BMCs through various protocols, including SSH, IPMI, SNMP, WSMAN, and HTTP/HTTPS. The vulnerabilities Binarly discovered can be exploited over HTTP. While the NSA and many other security practitioners strongly urge that BMC interfaces be isolated from the Internet, there’s evidence that this advice is routinely ignored. A recent query to the Shodan search engine revealed more than 70,000 Supermicro BMC instances with their IPMI web interface publicly available.

A screenshot showing Shodan results.

The road map for exploiting the vulnerabilities against servers with Supermicro interfaces exposed this way is illustrated below:

The road map for exploiting a BMC that has its web interface exposed to the Internet.

In Tuesday’s post, Binarly researchers wrote:

First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the Internet. An attacker can then gain access to the Server’s operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other internal hosts.

All the vulnerabilities Binarly discovered originate in IPMI firmware that third-party developer ATEN wrote for Supermicro. While ATEN patched CVE-2023-40289 six months ago, the fix never made its way into the Supermicro firmware.

“This is a supply chain problem because it can be other BMC vendors that can be potentially impacted by these vulnerabilities,” Matrosov wrote.


Facebook’s new AI stickers can generate Mickey Mouse holding a machine gun


A selection of AI-generated stickers created in Facebook Messenger and shared on social media site X.

Less than a week after Meta unveiled AI-generated stickers in its Facebook Messenger app, users are already abusing it to create potentially offensive images and sharing the results on social media, reports VentureBeat. In particular, an artist named Pier-Olivier Desbiens posted a series of virtual stickers that went viral on X on Tuesday, starting a thread of similarly problematic AI image generations shared by others.

“Found out that facebook messenger has ai generated stickers now and I don’t think anyone involved has thought anything through,” Desbiens wrote in his post. “We really do live in the stupidest future imaginable,” he added in a reply.

Available to some users on a limited basis, the new AI stickers feature allows people to create AI-generated simulated sticker images from text-based descriptions in both Facebook Messenger and Instagram Messenger. The stickers are then shared in chats, similar to emojis. Meta uses its new Emu image synthesis model to create them and has implemented filters to catch many potentially offensive generations. But plenty of novel combinations are slipping through the cracks.

The questionable generations shared on X include Mickey Mouse holding a machine gun or a bloody knife, the flaming Twin Towers of the World Trade Center, the pope with a machine gun, Sesame Street’s Elmo brandishing a knife, Donald Trump as a crying baby, Simpsons characters in skimpy underwear, Luigi with a gun, Canadian Prime Minister Justin Trudeau flashing his buttocks, and more.

This isn’t the first time AI-generated imagery has inspired threads full of giddy experimenters trying to break through content filters on social media. Generations like these have been possible in uncensored open source image models for over a year, but it’s notable that Meta publicly released a model that can create them without more strict safeguards in place through a feature integrated into flagship apps such as Instagram and Messenger.

Notably, OpenAI’s DALL-E 3 has been put through similar paces recently, with people testing the AI image generator’s filter limits by creating images that feature real people or include violent content. It’s difficult to catch all the potentially harmful or offensive content across cultures worldwide when an image generator can create almost any combination of objects, scenarios, or people you can imagine. It’s yet another challenge facing moderation teams in the future of both AI-powered apps and online spaces.

A selection of AI-generated stickers created in Facebook Messenger.

Over the past year, it has been common for companies to beta-test generative AI systems through public access, which has brought us doozies like Meta’s flawed Galactica model last November and the unhinged early version of the Bing Chat AI model. If past instances are any indication, when something offensive gets wide attention, the developer typically reacts by either taking it down or strengthening built-in filters. So will Meta pull the AI stickers feature or simply clamp down by adding more words and phrases to its keyword filter?

When VentureBeat reporter Sharon Goldman questioned Meta spokesperson Andy Stone about the stickers late Tuesday, he pointed to a blog post titled Building Generative AI Features Responsibly and said, “As with all generative AI systems, the models could return inaccurate or inappropriate outputs. We’ll continue to improve these features as they evolve and more people share their feedback.”


They’ve begun: Attacks exploiting vulnerability with maximum 10 severity rating


Ransomware hackers have started exploiting one or more recently fixed vulnerabilities that pose a grave threat to enterprise networks around the world, researchers said.

One of the vulnerabilities has a severity rating of 10 out of a possible 10 and another 9.9. They reside in WS_FTP Server, a file-sharing app made by Progress Software. Progress Software is the maker of MOVEit, another piece of file-transfer software that was recently hit by a critical zero-day vulnerability that has led to the compromise of more than 2,300 organizations and the data of more than 23 million people, according to security firm Emsisoft. Victims include Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

About as bad as it gets

CVE-2023-40044, as the vulnerability in WS_FTP Server is tracked, and a separate vulnerability tracked as CVE-2023-42657 that was patched in the same October 28 update from Progress Software, are both about as critical as vulnerabilities come. With a severity rating of 10, CVE-2023-40044 allows attackers to execute malicious code with high system privileges with no authentication required. CVE-2023-42657, which has a severity rating of 9.9, also allows for remote code execution but requires the hacker to first be authenticated to the vulnerable system.

Last Friday, researchers from security firm Rapid7 delivered the first indication that at least one of these vulnerabilities might be under active exploitation in “multiple instances.” On Monday, the researchers updated their post to note they had discovered a separate attack chain that also appeared to target the vulnerabilities. Shortly afterward, researchers from Huntress confirmed an “in-the-wild exploitation of CVE-2023-40044 in a very small number of cases within our partner base (single digits currently).” In an update Tuesday, Huntress said that on at least one hacked host, the threat actor added persistence mechanisms, meaning it was attempting to establish a permanent presence on the server.

Also on Tuesday came a post on Mastodon from Kevin Beaumont, a security researcher with extensive ties to organizations whose enterprise networks are under attack.

“An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you might want to prioritize patching that,” he wrote. “The ransomware group targeting WS_FTP are targeting the web version.” He added advice for admins using the file transfer program to search for vulnerable entry points using the Shodan search tool.

A bit shocking

CVE-2023-40044 is what’s known as a deserialization vulnerability, a form of bug in code that allows user-submitted input to be converted into a structure of data known as an object. In programming, objects are variables, functions, or data structures that an app refers to. By essentially transforming untrusted user input into code of the attacker’s making, deserialization exploits have the potential to carry severe consequences. The deserialization vulnerability in WS_FTP Server is found in code written in the .NET programming language.

Researchers from security firm Assetnote discovered the vulnerability by decompiling and analyzing the WS_FTP Server code. They eventually identified a “sink,” which is code designed to receive incoming events, that was vulnerable to deserialization and worked their way back to the source.

“Ultimately, we discovered that the vulnerability could be triggered without any authentication, and it affected the entire Ad Hoc Transfer component of WS_FTP,” Assetnote researchers wrote Monday. “It was a bit shocking that we were able to reach the deserialization sink without any authentication.”

Besides requiring no authentication, the vulnerability can be exploited by sending a single HTTP request to a server, as long as what’s known as a ysoserial gadget is already present on the target.
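To make the bug class concrete, here is an added illustration that is not from the article, Assetnote or Progress Software. WS_FTP Server’s flaw is in .NET code; this analogue uses Python’s standard-library pickle module, where the shape of the problem is the same: a serialized blob names a callable, and the loader resolves (and, via a gadget, may invoke) whatever it names. The hardened loader below resolves only an allow-list of application types, so any other reference is refused before it is instantiated. The TransferRequest class, the allow-list contents and the sample blobs are all constructed for the demo.

```python
"""Untrusted deserialization: the vulnerable pattern and an allow-listed loader.
Added Python analogue of the .NET bug class; not the product's code."""
import io
import pickle
import subprocess  # used only to obtain a reference for the negative example


class TransferRequest:
    """Constructed stand-in for an application object (e.g. an ad hoc transfer)."""

    def __init__(self, filename, recipient):
        self.filename = filename
        self.recipient = recipient

    def __eq__(self, other):
        return (isinstance(other, TransferRequest)
                and (self.filename, self.recipient) == (other.filename, other.recipient))


# The only (module, name) pairs the hardened loader will ever resolve.
ALLOWED_GLOBALS = {
    (TransferRequest.__module__, "TransferRequest"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allow-list.
    find_class is the hook pickle calls to turn a (module, name) pair in the
    stream into a live object, so this is the right place to enforce it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not an allow-listed type")


def unsafe_load(blob: bytes):
    """The vulnerable pattern: untrusted bytes go straight into the deserializer.
    Any global the blob names is resolved, and a gadget can arrange a call."""
    return pickle.loads(blob)


def safe_load(blob: bytes):
    """The hardened pattern: same wire format, only allow-listed types resolve."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_safe_load(blob: bytes):
    """Return (ok, value_or_error_message) so a caller can log rejections."""
    try:
        return True, safe_load(blob)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs.
BENIGN_BLOB = pickle.dumps(TransferRequest("report.pdf", "alice@example.test"))
# A blob that merely *references* a callable outside the allow-list. Pickling a
# function records its import path; nothing runs here, and a plain loader would
# simply hand back the function object. A real gadget chain would additionally
# arrange for the callable to be invoked during load, which is exactly what the
# allow-list prevents from ever being reached.
HOSTILE_BLOB = pickle.dumps(subprocess.check_output)


if __name__ == "__main__":
    print("benign blob, hardened loader:", try_safe_load(BENIGN_BLOB))
    print("hostile blob, hardened loader:", try_safe_load(HOSTILE_BLOB))
```

The point of the allow-list is that the defender does not need to know which gadget an attacker would use: anything that is not one of the application’s own data types is refused at the reference, before any constructor or reducer runs. The equivalent in .NET is to retire BinaryFormatter-style serializers for untrusted input in favour of a format that cannot name arbitrary types.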

The WS_FTP Server vulnerability may not pose as grave a threat to the Internet as a whole compared to the exploited vulnerability in MOVEit. One reason is that a fix for WS_FTP Server became publicly available before exploits began. That gave organizations using the file-transfer software time to patch their servers before they came under fire. Another reason: Internet scans find far fewer servers running WS_FTP Server than MOVEit.

Still, the damage to networks that have yet to patch CVE-2023-40044 will likely be as severe as what was inflicted on unpatched MOVEit servers. Admins should prioritize patching, and if that’s not possible right away, disable the server’s Ad Hoc Transfer mode. They should also analyze their environments for signs they’ve been hacked. Indicators of compromise include:

  • 103[.]163[.]187[.]12:8080
  • 64[.]227[.]126[.]135
  • 86[.]48[.]3[.]172
  • 103[.]163[.]187[.]12
  • 161[.]35[.]27[.]144
  • 162[.]243[.]161[.]105
  • C:\Windows\TEMP\zpvmRqTOsP.exe
  • C:\Windows\TEMP\ZzPtgYwodVf.exe
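As an added example of putting the list above to use (this is not code from the article, Huntress or Tenable), the script below turns the defanged indicators back into matchable form, splits them into IP addresses and file paths, and checks a handful of log lines for them. The log lines and their field layout are constructed for the demo and are not the product’s real log format.

```python
"""Scan log lines for the published WS_FTP indicators of compromise.
Added defensive example; the sample log and its format are constructed."""
import ipaddress
import re

# Indicators exactly as published (IPs defanged with [.]).
PUBLISHED_IOCS = [
    "103[.]163[.]187[.]12:8080",
    "64[.]227[.]126[.]135",
    "86[.]48[.]3[.]172",
    "103[.]163[.]187[.]12",
    "161[.]35[.]27[.]144",
    "162[.]243[.]161[.]105",
    r"C:\Windows\TEMP\zpvmRqTOsP.exe",
    r"C:\Windows\TEMP\ZzPtgYwodVf.exe",
]


def refang(indicator: str) -> str:
    """Undo the [.] defanging so the value can be compared with live data."""
    return indicator.replace("[.]", ".")


def classify(indicator: str):
    """Return ("ip", address, port_or_None) or ("path", lowercased_path)."""
    value = refang(indicator)
    host, _, port = value.partition(":")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an address: treat as a file path, compared case-insensitively
        # because Windows paths are case-insensitive.
        return ("path", value.lower())
    return ("ip", host, int(port) if port else None)


_classified = [classify(i) for i in PUBLISHED_IOCS]
# The same address appears with and without a port, so match on address alone.
IOC_IPS = {c[1] for c in _classified if c[0] == "ip"}
IOC_PATHS = {c[1] for c in _classified if c[0] == "path"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str):
    """Return a list of (kind, value) hits for one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    lowered = line.lower()
    for path in IOC_PATHS:
        if path in lowered:
            hits.append(("path", path))
    return hits


def scan_log(text: str):
    """Return (line_number, kind, value) for every indicator seen in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            findings.append((lineno, kind, value))
    return findings


# Constructed sample: two web-access lines, one clean endpoint-telemetry line,
# and two telemetry lines recording a dropped binary and its outbound connection.
SAMPLE_LOG = r"""2023-10-02T14:03:11Z src=10.0.4.17 POST /transfer/upload 200
2023-10-02T14:03:12Z src=103.163.187.12 POST /transfer/upload 500
2023-10-02T14:03:13Z host=ftp01 event=process_create image=C:\Program Files\Service\svc.exe
2023-10-02T14:03:20Z host=ftp01 event=process_create image=C:\Windows\TEMP\zpvmRqTOsP.exe parent=w3wp.exe
2023-10-02T14:03:25Z host=ftp01 event=net_connect dst=162.243.161.105:443 image=C:\Windows\TEMP\zpvmRqTOsP.exe
"""


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} indicator {value}")
```

Matching on the address alone is deliberate: the published list carries 103[.]163[.]187[.]12 both with port 8080 and without, and a connection to a known-bad host on another port is still worth a look. Run the same function over web-server access logs and endpoint telemetry, since the path indicators only show up in the latter.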

Other helpful security guidance is available from security firm Tenable.
