Hyundai App Bugs Allowed Hackers To Remotely Unlock, Start Cars

Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM “smart vehicle” platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to “remotely unlock, start, locate, flash, and honk” them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai’s endpoint containing the spoofed address in the JSON token and the victim’s address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target’s email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan’s app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target’s vehicle identification number (VIN). The response to the unauthorized request contained the target’s name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle’s history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. […] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.
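The two preceding paragraphs describe the same class of mistake twice: an endpoint that decides who owns a vehicle from a field the caller supplies (an email address in the POST body, or nothing but a VIN) instead of from the authenticated session. The following constructed Python stand-in is an added illustration, not code from the researchers, Hyundai, Genesis or SiriusXM. It models an in-memory telematics back end with the unconfirmed-registration and body-driven owner check as the page describes them, beside hardened versions that canonicalize the address at registration, require confirmation, and authorize both reads and commands only on the identity carried by the token. The `VehicleApi` class, the placeholder VIN and the sample account data are all assumptions.

```python
"""Constructed illustration of the two authorization mistakes described above
(identity taken from an attacker-controlled body field, and an endpoint that
authorizes on nothing but a VIN) next to a hardened version of each.
In-memory stand-in; not Hyundai's, Genesis's or SiriusXM's real code."""
import unicodedata
from typing import Optional


def normalize_email(raw: str) -> str:
    """Canonical form used as the account identifier.

    Control and format characters (Unicode categories Cc/Cf) are rejected
    outright, so 'victim@example.com' followed by a stray control character
    cannot be registered as a separate lookalike account.
    """
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in raw):
        raise ValueError("control character in email address")
    email = unicodedata.normalize("NFKC", raw).strip().lower()
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError("malformed email address")
    return email


class VehicleApi:
    """Toy telematics back end (assumption). Token identities are passed in
    as plain strings; a real service would take them from a verified session."""

    def __init__(self) -> None:
        self.accounts = set()      # registered account identifiers
        self.vehicles = {}         # VIN -> owner record

    def add_vehicle(self, vin: str, owner_email: str, phone: str) -> None:
        owner = normalize_email(owner_email)
        self.accounts.add(owner)
        self.vehicles[vin] = {"email": owner, "phone": phone}

    # ---- behaviour as the page describes it ------------------------------

    def register_unverified(self, raw_email: str) -> str:
        """No confirmation, no canonicalization: any string becomes an account."""
        self.accounts.add(raw_email)
        return raw_email

    def unlock_vulnerable(self, token_email: str, body: dict) -> bool:
        """Owner check keyed on body['email'], which the caller controls."""
        if token_email not in self.accounts:      # any valid account will do
            return False
        rec = self.vehicles.get(body.get("vin", ""))
        return rec is not None and rec["email"] == body.get("email")

    def owner_lookup_vulnerable(self, vin: str) -> Optional[dict]:
        """Returns the owner record for any VIN; no caller identity at all."""
        return self.vehicles.get(vin)

    # ---- hardened versions ------------------------------------------------

    def register_hardened(self, raw_email: str, confirmed: bool) -> str:
        """Canonicalize, require a completed confirmation, enforce uniqueness."""
        email = normalize_email(raw_email)
        if not confirmed:
            raise PermissionError("email address not confirmed")
        if email in self.accounts:
            raise ValueError("address already registered")
        self.accounts.add(email)
        return email

    def unlock_hardened(self, token_email: str, body: dict) -> bool:
        """Identity comes only from the token; body['email'] is never read.
        The VIN must be registered to exactly that identity."""
        if token_email not in self.accounts:
            return False
        rec = self.vehicles.get(body.get("vin", ""))
        return rec is not None and rec["email"] == token_email

    def owner_lookup_hardened(self, token_email: str, vin: str) -> Optional[dict]:
        """Same ownership rule for reads: a VIN alone proves nothing."""
        rec = self.vehicles.get(vin)
        if rec is None or token_email not in self.accounts or rec["email"] != token_email:
            return None
        return rec


def demo() -> dict:
    """Replays the scenario from the page against both versions."""
    api = VehicleApi()
    vin = "VINEXAMPLE0000001"                  # constructed placeholder VIN
    api.add_vehicle(vin, "victim@example.com", "555-0100")
    # a second account is registered as the owner's address plus a trailing
    # control character, which the unverified path accepts as distinct
    lookalike = api.register_unverified("victim@example.com\x1f")
    body = {"vin": vin, "email": "victim@example.com"}
    return {
        "vulnerable_unlock": api.unlock_vulnerable(lookalike, body),
        "hardened_unlock": api.unlock_hardened(lookalike, body),
        "owner_unlock": api.unlock_hardened("victim@example.com", body),
        "vin_only_leak": api.owner_lookup_vulnerable(vin) is not None,
        "vin_only_hardened": api.owner_lookup_hardened(lookalike, vin) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the body-driven check granting the unlock to the lookalike account while the hardened check refuses it and still serves the real owner, and shows the VIN-only lookup returning the owner record where the hardened lookup returns nothing. The design point is that canonicalization and uniqueness are enforced once, at registration, and authorization afterwards compares the vehicle's registered owner against the token identity by exact match, never re-deriving identity from anything in the request.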

Read more of this story at Slashdot.

EU Unveils Plans To Cut Europe’s Plastic and Packaging Waste

The EU executive wants to ban mini-shampoo bottles in hotels and the use of throwaway cups in cafes and restaurants, as part of sweeping legal proposals to curb Europe’s mountains of waste. The Guardian reports: A draft EU regulation published on Wednesday also proposes mandatory deposit and return schemes for single-use plastic drinks bottles and metal cans, as well as an end to e-commerce firms wrapping small items in huge boxes. The new rules, which will have to be approved by EU member states and the European parliament, are intended to tackle the surge in plastic and other packaging waste. EU officials estimate that 40% of new plastics and 50% of paper are used in packaging, making the sector a vast consumer of virgin materials.

The EU passed a law in 2019 to ban the most common single-use plastic items, such as plastic cutlery, stirrers and straws, but officials want to go further to tackle soaring amounts of packaging rubbish. The average European is thought to generate 180kg of packaging waste each year, which could rise by 19% by 2030, without action. Under the latest proposals, EU member states would have to reduce packaging waste per capita by 15% by 2040 compared with 2018. Officials think this could be achieved by more reuse and refilling, as well as tighter controls on packaging. For example, e-commerce retailers would have to ensure that empty space in a box is a maximum 40% in relation to the product.

The commission also hopes to end confusion about recycling: it proposes harmonized labels, probably pictograms, to make it clear to consumers which bin to use. In a separate law, the commission seeks to ensure that products claiming to be “biobased,” “biodegradable” or “compostable” meet minimum standards. In an attempt to clamp down on greenwashing, consumers would be able to tell how long it takes an item to biodegrade, how much biomass was used in its production and whether it is really suitable for home composting.


Torrent Site User Who Transferred 120TB of Pirated Content Avoids Prison

A torrent site user accused of downloading and uploading at least 120TB of movies, TV shows, eBooks, music and software, has avoided an immediate prison term. The 28-year-old was arrested as part of a police operation against DanishBytes. A member of the same site was sentenced earlier this month after he uploaded Netflix content obtained using hacked credentials. TorrentFreak reports: Early November 2021, Denmark’s Public Prosecutor for Special Economic and International Crime (SOIK) announced that six people had been arrested following criminal referrals by Rights Alliance. All were members and/or operators of ShareUniversity and DanishBytes. Prosecution of site operators is not uncommon but when it’s deemed in the public interest, pirate site users can also face charges. Every case is unique so criteria differ, especially across national borders, but when evidence shows large volumes of infringement, successful prosecutions become more likely. That was the case when a former DanishBytes user was sentenced last week. According to Danish anti-piracy group Rights Alliance, the 28-year-old man was a regular site member and wasn’t involved in running the site. That being said, evidence showed that for the period January 2021 to November 2021, he downloaded and/or uploaded no less than 3,000 copyrighted works, including movies, TV shows, music, books, audiobooks and comics.

Information released by the National Unit for Special Crimes (NSK), a Danish police unit focused on cybercrime, organized crime, and related financial crime, reveals that the user’s traffic statistics interested prosecutors. “During the period, the man downloaded no less than 100 TB and uploaded no less than 20 TB of copyrighted material,” NSK says. BitTorrent trackers operating a ratio model usually insist on a better ratio of downloads to uploads but DanishBytes’ situation was out of the ordinary.

The site launched in January 2021 in the wake of other sites being shut down, so had to get going from a standing start with no users. Even when arrests were being made, the site still had a relatively small userbase, which can limit opportunities to upload more. That may have been a blessing in disguise. Faced with the evidence, the man decided to plead guilty and was sentenced last week at the Court in Viborg. In common with similar prosecutions recently, he received a suspended conditional sentence of 60 days’ probation, 80 hours of community service, and confiscation of his computer equipment. The case against the DanishBytes user began with a Rights Alliance investigation and a referral to the police. As part of his sentence, the man must pay the anti-piracy group DKK 5,000 (US$600) in compensation but Rights Alliance director Maria Fredenslund is focused on the deterrent effect of another successful prosecution.


UK Ditches Ban On ‘Legal But Harmful’ Online Content In Favor of Free Speech

Britain will not force tech giants to remove content that is “legal but harmful” from their platforms after campaigners and lawmakers raised concerns that the move could curtail free speech, the government said on Monday. Reuters reports: Online safety laws would instead focus on the protection of children and on ensuring companies removed content that was illegal or prohibited in their terms of service, it said, adding that it would not specify what legal content should be censored. Platform owners, such as Facebook-owner Meta and Twitter, would be banned from removing or restricting user-generated content, or suspending or banning users, where there is no breach of their terms of service or the law, it said.

The government had previously said social media companies could be fined up to 10% of turnover or 18 million pounds ($22 million) if they failed to stamp out harmful content such as abuse even if it fell below the criminal threshold, while senior managers could also face criminal action. The proposed legislation, which had already been beset by delays and rows before the latest version, would remove state influence on how private companies managed legal speech, the government said. It would also avoid the risk of platforms taking down legitimate posts to avoid sanctions. […]

The revised Online Safety Bill, which returns to parliament next month, puts the onus on tech companies to take down material in breach of their own terms of service and to enforce their user age limits to stop children circumventing authentication methods, the government said. If users were likely to encounter controversial content such as the glorification of eating disorders, racism, anti-Semitism or misogyny not meeting the criminal threshold, the platform would have to offer tools to help adult users avoid it, it said. Only if platforms failed to uphold their own rules or remove criminal content could a fine of up to 10% of annual turnover apply. Britain said late on Saturday that a new criminal offense of assisting or encouraging self-harm online would be included in the bill.
