Hey, hey, there’s actually some good news for privacy! A judge in California ruled that feds can’t force people to unlock their smartphones with a finger or thumbprint, facial recognition, or even an iris. Although the government had shown probable cause to search a property in Oakland, California, U.S. Magistrate Judge Kandis Westmore said the government’s expectation to seize all devices and force people at the house to unlock them with their biometrics “runs afoul of the Fourth and Fifth Amendments.”
“The challenge facing the courts is that technology is outpacing the law,” Judge Westmore wrote. The government’s request to force the unlocking of all biometrically-locked devices at the property was “overbroad.” She added, “The Government cannot be permitted to search and seize a mobile phone or other device that is on a non-suspect’s person simply because they are present during an otherwise lawful search.”
“If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device,” the judge wrote.
“The undersigned finds that a biometric feature is analogous to the nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial.”
Other cybersecurity news
Hackers can exploit flaws to remotely take control of industrial machinery
Trend Micro found that vulnerabilities in the radio frequency (RF) remote controllers used to drive industrial machinery “can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories.” The company confirmed that attackers can remotely manipulate connected industrial equipment deployed at construction sites, factories, and transportation businesses.
Last year for DerbyCon
It’s sad to see this happening, but DerbyCon is throwing in the towel; its final security conference will be held in September 2019. Press F to pay respects.
So the DerbyCon drama is the continual insistence that conferences be responsible for things they cannot possibly be responsible for, to solve problems that society has not solved, and to abuse the organizers when they don’t agree with your Righteous beliefs on these issues.
— Robᵉʳᵗ Graham, at S4x19 then at shmoocon (@ErrataRob) January 14, 2019
Tesla Model 3 open for hacking at Pwn2Own
Pwn2Own will have a Tesla Model 3 on hand this year as part of a new automotive category. Successfully hacking it could pay out between $35,000 and $250,000, depending on the target. In addition, ZDI said, “Along with the prize money, the first-round winner in this category will win a Tesla Model 3 mid-range rear-wheel drive vehicle.”
PoC for zero-day disclosed after Microsoft fails to patch
After Microsoft failed to issue a patch as it promised to do in October, ZDI and researcher John Page released advisory details and proof-of-concept code for a zero-day flaw in Windows processing of vCard files. As noted by ZDNet’s Catalin Cimpanu, “The good news is that this vulnerability can lead to remote code execution, but is not remotely exploitable, as it requires user interaction first.”
Flaws made web-hosting platforms Bluehost, Dreamhost, HostGator, OVH, and iPage easy to hack
Host any websites on Bluehost, Dreamhost, HostGator, OVH, or iPage? If so, security researcher Paulos Yibelo has bad news for you, as he discovered “all can be easily hacked.” There was “at least one client-side vulnerability in all the platforms we tested, allowing account takeover when the victim clicks a link or visits a malicious website.”
TechCrunch reported, “In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost’s one million domains and OVH’s four million domains — totaling some seven million domains.” All web host providers except OVH confirmed to TechCrunch that the bugs were fixed.
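The page does not say which client-side bugs Yibelo found, so the following is an added illustration of the bug class, not code from his report or from any of the hosts named above. A common way a “visit a malicious site, lose your account” flaw arises is an API endpoint that reflects whatever Origin header the browser sends and also allows credentials; the victim's session cookie rides along, and the attacker's page can read the response. The vulnerable policy and a hardened allowlist version are shown side by side; the origins, endpoint and allowlist are assumptions for the example.

```python
"""Illustrative CORS policies: reflecting Origin versus an exact allowlist.

Added example. The endpoint, origin names and allowlist below are
assumed for illustration; they are not taken from the vulnerability report.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of first-party origins (hypothetical host names).
ALLOWED_ORIGINS = {
    "https://my.example-host.com",
    "https://panel.example-host.com",
}


def cors_headers_vulnerable(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: echo any Origin the browser sent and allow credentials.

    Any page the victim is lured onto can now issue a credentialed request
    to this endpoint and read the response body. If that body carries a
    session token, API key or password-reset data, that is account takeover.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Grant credentialed cross-origin access only to an exact-match allowlist.

    Anything else gets no Access-Control-Allow-Origin header at all, so the
    browser refuses to hand the response to the calling page. Matching is on
    the full scheme://host[:port] origin, never a substring or suffix, which
    defeats lookalike origins such as my.example-host.com.evil.example.
    """
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # An Origin header is scheme + host (+ port) and nothing else; reject
    # anything with a path, query or fragment, and anything not https.
    if parts.scheme != "https" or parts.path not in ("", "/") or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Responses now differ per Origin, so caches must key on it.
        "Vary": "Origin",
    }


def attacker_can_read(policy, attacker_origin: str = "https://evil.example") -> bool:
    """Model the browser's decision for a credentialed cross-origin fetch.

    The browser exposes the response only if ACAO exactly equals the
    requesting origin (a wildcard is not honoured with credentials) and
    ACAC is the literal string "true".
    """
    headers = policy(attacker_origin)
    return (
        headers.get("Access-Control-Allow-Origin") == attacker_origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


if __name__ == "__main__":
    print("reflecting policy readable by attacker:", attacker_can_read(cors_headers_vulnerable))
    print("allowlist policy readable by attacker:", attacker_can_read(cors_headers_hardened))
```

The same shape of check applies to the other common triggers for this class (a state-changing endpoint with no CSRF token, or a script-injection point on a page that can read the session): the fix is always to stop trusting what an arbitrary origin can make the victim's browser send, not to trust the user to avoid bad links.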
Other roundup tidbits
• CyberArk Labs explained how it hacked Play-with-Docker and remotely ran code on the host.
• Researcher Avinash Jain has a good writeup about an exposed NASA server leaking employee and project data.
• The Intercept warned Amazon Ring security camera owners that strangers might also be watching. Ring denied ever giving engineers or employees access to any live feeds.