Biz & IT

Trump’s Huawei ban also causing tech shocks in Europe

The escalating U.S.-China trade war that’s seen Chinese tech giant Huawei slapped on a U.S. trade blacklist is causing ripples of shock across Europe too, as restrictions imposed on U.S. companies hit regional suppliers concerned they could face U.S. restrictions if they don’t ditch Huawei.

Reuters reports shares fell sharply today in three European chipmakers — Infineon Technologies, AMS and STMicroelectronics — after reports suggested some already had, or were about to, halt shipments to Huawei following the executive order barring U.S. firms from trading with the Chinese tech giant.

The interconnectedness of high-tech supply chains coupled with U.S. dominance of the sector and Huawei’s strong regional position as a supplier of cellular, IT and network kit in Europe suddenly makes political risk a fast-accelerating threat for EU technology companies, large and small.

On the small side is French startup Qwant, which competes with Google by offering a pro-privacy search engine. In recent months it has been hoping to leverage a European antitrust decision against Google Android last year to get smartphones to market in Europe that preload its search engine, not Google’s.

Huawei was its intended first major partner for such devices. Though, prior to recent trade war developments, it was already facing difficulties related to price incentives Google included in reworked EU Android licensing terms.

Still, the U.S.-China trade war threatens to throw a far more existential spanner in European Commission efforts to reset the competitive playing field for smartphone services — certainly if Google’s response to Huawei’s blacklisting is to torch its supply of almost all Android-related services, per Reuters.

A key aim of the EU antitrust decision was to support the unbundling of popular Google services from Android so that device makers can try selling combinations that aren’t entirely Google-flavored — while still being able to offer enough “Google” to excite consumers (such as preloading the Play Store but with a different search and browser bundle instead of the usual Google + Chrome combo).

Yet if Google intends to limit Huawei’s access to such key services, there’s little chance of that.

(In a statement responding to the Reuters report Google suggested it’s still deciding how to proceed, with a spokesperson writing: “We are complying with the order and reviewing the implications. For users of our services, Google Play and the security protections from Google Play Protect will continue to function on existing Huawei devices.”)

Going on Google’s initial response, Qwant co-founder and CEO Eric Léandri told us he thinks Google has overreacted — even as he dubbed the U.S.-China trade war “world war III — economical war but it’s a world war for sure.”

“I really need to see exactly what President Trump has said about Huawei and how to work with them. Because I think maybe Google has overreacted. Because I haven’t [interpreted it] that way so I’m very surprised,” he told TechCrunch.

“If Huawei can be [blacklisted] what about the others?,” he added. “Because I would say 60% of the cell phone sales in Europe today are coming from China. Huawei or ZTE, OnePlus and the others — they are all under the same kind of risk.

“Even some of our European brands who are very small like Nokia… all of them are made in China, usually with partnership with these big cell phone manufacturers. So that means several things but one thing that I’m sure is we should not rely on one OS. It would be difficult to explain how the Play Store is not as important as the search in Android.”

Léandri also questioned whether Google’s response to the blacklisting will include instructing Huawei not to even use its search engine — a move that could impact its share of the smartphone search market.

“At the end of the day there is just one thing I can say because I’m just a search engine and a European one — I haven’t seen Google asking to not be by default in Huawei as search engine. If they can be in the Huawei by default as a search engine so I presume that everyone else can be there.”

Léandri said Qwant will be watching to see what Huawei’s next steps will be — such as whether it will decide to try offering devices with its own store baked in in Europe.

And indeed how China will react.

“We have to understand the result politically, globally, the European consequences. The European attitude. It’s not only American and China — the rest of the world exists,” he said.

“I have plan b, plan c, plan d, plan f. To be clear we are a startup — so we can have tonnes of plans. The only thing is right now is it’s too enormous.

“I know that they are the two giants in the tech field… but the rest of the world have some words today and let’s see how the European Commission will react, my government will react and some of us will react because it’s not only a small commercial problem right now. It’s a real political power demonstration and it’s global so I will not be more — I am nobody in all this. I do my job and I do my job well and I will use the maximum opportunity that I can find on the market.”

We’ve reached out to the Commission to ask how it intends to respond to escalating risks for European tech firms as Trump’s trade war steps up. Update: A Commission spokesperson for the Digital Single Market reiterated its prior statements around Huawei and cybersecurity, recommending Member States evaluate risks and strengthen risk mitigation measures. “EU Member States have the right to decide whether to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework,” the spokesperson added.

Also today, Reuters reports that the German Economy Minister is examining the impact of U.S. sanctions against Huawei on local companies.

But while a startup like Qwant waits to see what the next few months will bring — and how the landscape of the smartphone market might radically reconfigure in the face of sharply spiking political risk, a different European startup is hoping to catch some uplift: Finland-based Jolla steers development of a made-in-Europe Android alternative, called Sailfish OS.

It’s a very tiny player in a Google-dominated smartphone world. Yet it could be positioned to make gains amid U.S. and Chinese tech clashes — which in turn risk making major platform pieces feel a whole lot less stable.

A made-in-Europe non-Google-led OS might gain more ground among risk averse governments and enterprises — as a sensible hedge against Trump-fueled global uncertainty.

“Sailfish OS, as a non-American, open-source based, secure mobile OS platform, is naturally an interesting option for different players — currently the interest is stronger among corporate and governmental customers and partners, as our product offering is clearly focused on this segment,” says Jolla co-founder and CEO Sami Pienimäki.

“Overall, there definitely has been increased interest towards Sailfish OS as a mobile OS platform in different parts of the world, partly triggered by the on-going political activity in many locations. We have also had clearly more discussions with e.g. Chinese device manufacturers, and Jolla has also recently started new corporate and governmental customer projects in Europe.”

100 million more IoT devices are exposed—and they won’t be the last

Elena Lacey

Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of Internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.

Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the “Domain Name System” Internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim’s network.

All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn’t necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven’t created mechanisms to update this code, but in other situations they don’t manufacture the component it’s running on and simply don’t have control of the mechanism.

“With all these findings, I know it can seem like we’re just bringing problems to the table, but we’re really trying to raise awareness, work with the community, and figure out ways to address it,” says Elisa Costante, vice president of research at Forescout, which has done other, similar research through an effort it calls Project Memoria. “We’ve analyzed more than 15 TCP/IP stacks both proprietary and open source and we’ve found that there’s no real difference in quality. But these commonalities are also helpful, because we’ve found they have similar weak spots. When we analyze a new stack, we can go and look at these same places and share those common problems with other researchers as well as developers.”

The researchers haven’t seen evidence yet that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions—perhaps billions—of devices potentially impacted across numerous different findings, the exposure is significant.

Siemens USA chief cybersecurity officer Kurt John told Wired in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities … In this case we’re happy to have collaborated with one such partner, Forescout, to quickly identify and mitigate the vulnerability.”

The researchers coordinated disclosure of the flaws with developers releasing patches, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other vulnerability-tracking groups. Similar flaws found by Forescout and JSOF in other proprietary and open source TCP/IP stacks have already been found to expose hundreds of millions or even possibly billions of devices worldwide.

Issues show up so often in these ubiquitous network protocols because they’ve largely been passed down untouched through decades as the technology around them evolves. Essentially, since it ain’t broke, no one fixes it.

“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect that to the Internet, it’s insecure. And that’s not that surprising, given that we’ve had to really rethink how we do security for general-purpose computers over those 20 years.”

The problem is notorious at this point, and it’s one that the security industry hasn’t been able to quash, because vulnerability-ridden zombie code always seems to reemerge.

“There are lots of examples of unintentionally recreating these low-level network bugs from the ’90s,” says Kenn White, co-director of the Open Crypto Audit Project. “A lot of it is about lack of economic incentives to really focus on the quality of this code.”

There’s some good news about the new slate of vulnerabilities the researchers found. Though the patches may not proliferate completely anytime soon, they are available. And other stopgap mitigations can reduce the exposure, namely keeping as many devices as possible from connecting directly to the Internet and using an internal DNS server to route data. Forescout’s Costante also notes that exploitation activity would be fairly predictable, making it easier to detect attempts to take advantage of these flaws.

When it comes to long-term solutions, there’s no quick fix given all the vendors, manufacturers, and developers who have a hand in these supply chains and products. But Forescout has released an open source script that network managers can use to identify potentially vulnerable IoT devices and servers in their environments. The company also maintains an open source library of database queries that researchers and developers can use to find similar DNS-related vulnerabilities more easily.

“It’s a widespread problem; it’s not just a problem for a specific kind of device,” Costante says. “And it’s not only cheap IoT devices. There’s more and more evidence of how widespread this is. That’s why we keep working to raise awareness.”

This story originally appeared on wired.com.

Microsoft acquires Nuance—makers of Dragon speech rec—for $16 billion

In this 2011 photo, Dr. Michael A. Lee uses Dragon Medical voice-recognition software to enter his notes after seeing a patient.

Earlier today, Microsoft announced its plans to purchase Nuance for $56 per share—23 percent above Nuance’s closing price last Friday. The deal adds up to a $16 billion cash outlay and a total valuation for Nuance of about $19.7 billion, including that company’s assumed debt.

Who is Nuance?

In this 2006 photo, Rollie Berg—who has extremely limited use of his hands due to multiple sclerosis—uses Dragon NaturallySpeaking 8 to interact directly with his PC.

Nuance is a well-known player in the field of natural language recognition. The company’s technology is the core of Apple’s Siri personal assistant. Nuance also sells well-known personal speech-recognition software Dragon NaturallySpeaking, which is invaluable to many people with a wide range of physical disabilities.

Dragon NaturallySpeaking, originally released in 1997, was one of the first commercially available continuous dictation products—meaning software that did not require the user to pause briefly between words. In 2000, Dragon Systems was acquired by ScanSoft, which acquired Nuance Communications in 2005 and rebranded itself as Nuance.

Earlier versions of Dragon software used hidden Markov models to puzzle out the meaning of human speech, but this method had serious limitations compared to modern AI algorithms. In 2009, Stanford researcher Fei-Fei Li created ImageNet—a massive training data set that spawned a boom in deep-learning algorithms used for modern, core AI tech.

After Microsoft researchers Dong Yu and Frank Seide successfully applied deep-learning techniques to real-time automatic speech recognition in 2010, Dragon—now Nuance—applied the same techniques to its own speech-recognition software.

Fast forward to today, and—according to both Microsoft and Nuance—medically targeted versions of Dragon are in use by 77 percent of hospitals, 75 percent of radiologists, and 55 percent of physicians in the United States.

Microsoft’s acquisition play

Microsoft and Nuance began a partnership in 2019 to deliver ambient clinical intelligence (ACI) technologies to health care providers. ACI technology is intended to reduce physician burnout and increase efficiency by offloading administrative tasks onto computers. (A 2017 study published in the Annals of Family Medicine documented physicians typically spending two hours of record-keeping for every single hour of actual patient care.)

Acquiring Nuance gives Microsoft direct access to its entire health care customer list. It also gives Microsoft the opportunity to push Nuance technology—currently, mostly used in the US—to Microsoft’s own large international market. Nuance chief executive Mark Benjamin—who will continue to run Nuance as a Microsoft division after the acquisition—describes it as an opportunity to “superscale how we change an industry.”

The move doubles Microsoft’s total addressable market (TAM) in the health care vertical to nearly $500 billion. It also marries what Microsoft CEO Satya Nadella describes as “the AI layer at the healthcare point of delivery” with Microsoft’s own massive cloud infrastructure, including Azure, Teams, and Dynamics 365.

The acquisition has been unanimously approved by the Boards of Directors of both Nuance and Microsoft, and it is expected to close by the end of 2021.

No password required: Mobile carrier exposes data for millions of accounts

Getty Images

Q Link Wireless, a provider of low-cost mobile phone and data services to 2 million US-based customers, has been making sensitive account data available to anyone who knows a valid phone number on the carrier’s network, an analysis of the company’s account management app shows.

Dania, Florida-based Q Link Wireless is what’s known as a Mobile Virtual Network Operator, meaning it doesn’t operate its own wireless network but rather buys services in bulk from other carriers and resells them. It provides government-subsidized phones and service to low-income consumers through the FCC’s Lifeline Program. It also offers a range of low-cost service plans through its Hello Mobile brand. In 2019, Q Link Wireless said it had 2 million customers.

The carrier offers an app called My Mobile Account (for both iOS and Android) that customers can use to monitor text and minutes histories, data and minute usage, or to buy additional minutes or data. The app also displays the customer’s:

  • First and last name
  • Home address
  • Phone call history (from/to)
  • Text message history (from/to)
  • Phone carrier account number needed for porting
  • Email address
  • Last four digits of the associated payment card

Screenshots from the iOS version look like this:

No password required . . . what?

Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That’s right—no password or anything else required.

When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate.

The person who started the Reddit thread said in an email that he first reported this glaring insecurity to Q Link Wireless sometime last year. Emails he provided show that he notified support twice again this year, first in February and again this month.

Feedback left in reviews for both the iOS and Android offerings also reported this issue, in several cases with a response from a Q Link Wireless representative thanking the person for the feedback.

Downright negligence

The data exposure is serious because phone numbers are so easy to come by. We give them to prospective employers, car mechanics, and other strangers. And of course, phone numbers are easily obtained by private detectives, abusive spouses, stalkers, and other people who have an interest in a particular person. Q Link Wireless making customer data freely available to anyone who knows a customer’s phone number is an act of downright negligence.

I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn’t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers.

Then late on Thursday, My Mobile Account stopped connecting to customers’ accounts. When presented with the number of a Q Link Wireless customer, the app responds with a message that says: “Phone number doesn’t match any account.” The iOS and Android versions of the app were last updated in February, suggesting that the fix is the result of a change Q Link Wireless made to a server.

While My Mobile Account displayed customers’ personal information, it didn’t provide a means to change that data. The app also didn’t display passwords. That means a person couldn’t exploit this leak to perform a SIM swap, or lock users out of their accounts, although the exposure might make it easier for a would-be SIM swapper to social engineer a Q Link Wireless employee into porting a number to a new phone.

There are no indications one way or the other that this leakage was actively exploited. Researchers from security firm Intel471 found no discussions in criminal forums about the available data, but there’s no way to know if it was abused on a smaller scale, say by someone a Q Link Wireless customer knows or has interacted with.

As phone users seeking low-cost, no-frills mobile service, Q Link customers are part of a population that may be least able to afford data breach services and other privacy services. The carrier has yet to notify customers of the data exposure. People using the service should consider any data displayed by the app to be available to anyone who had their phone number.
