One that I have been experimenting with is using analog phones (including rotary ones!) to act as the satellites. I live in an older home and have phone jacks in most of the rooms already so I only had to use a single analog telephone adapter. [0] The downside is I don't have wake word support, but it makes it more private and I don't find myself missing my smart speakers that much. At some point I would like to also support other types of calls on the phones, but for now I need to get an LLM hooked up to it.
I can confirm that Aliexpress doesn't allow me to checkout with a USA address and states that items can't be shipped to my region. -edit: Since this post it seems that I can order items again? Very odd.
I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.
From what I've read, myQ is pretty locked down and doesn't support local control (outside of a HomeKit device that I think is no longer supported).
I would guess that the cert pinning would prevent such MITM attack, but I could be wrong. I'm not a huge fan of Chamberlain and myQ since they are so against 3rd party use of their products [0].
As someone in cybersecurity, it is handy as a low frequency RFID reader as Android phones only support higher frequency. Having something compact and in a single unit (compared to a Proxmark) makes it easier to 'grab-n-go'. It is neat to show people how insecure common access control systems are.
I've also used it as a universal remote more than a few times on devices that didn't come with a remote. The App running on a phone makes it somewhat easy to transfer new remote templates to the Flipper over Bluetooth.
It also comes in handy as a serial adapter as it has GPIO pins you can connect to things (UART headers).
The RF transceiver is also cool to capture RF remotes (garage doors, overhead fans, etc.) and replay them.
This is a great run down of the process to extract the firmware from these types of devices without desoldering the flash. I've done a fair amount of reverse engineering and a lot of devices have similar vulnerabilities.
I think more time needs to be spent looking into these commonly used, cheap IoT devices and educating consumers on the risks of using a poorly secured device on their network.
The upside of these vulnerabilities is that you can run your own code on these! 'Declouding' is great as it can extend the lifetime of these devices and make using them more private.
With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has a NFC and barcode option. The barcode changes every 15 seconds for me.
I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.
One issue I have with the Flock cameras installed in my city is that they are installed on public land (right next to the road) and paid for with tax dollars.
One of the Flock cameras was installed in my city nearby where I live. Once I noticed it, I thought it was a red light camera at first since it was near an intersection.
I did some research on them and found that they are completely wireless (cellular network most of the time) and powered by a 65w solar panel. Since they capture every license plate that passes by, I wasn't thrilled it was a private company keeping the data, even if they say they only keep it for 30 days.
I did a FOIA request with my city to see how many are in use and their locations to share with my community. I also plan on asking why my city thinks it is a good use of tax dollars. I think it should be a requirement for cities to disclose their use since it is a private company installing private equipment (and a camera at that!) on public land to monitor the public.
If banks would spend money on this and not enabling support for hard to phish MFA options like hardware keys (FIDO2), I would change banks.
We have solutions to most of the phishing attacks, but most people find them hard to use or don't want to use them as they are seen as not important. I've made comments to several companies that SMS or TOTP based MFA is not phish-proof and that they need to implement something stronger, but it often is ignored.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
This sounds like HomeLink and is indeed more complex. My understanding of it is that they partner with lots of companies to support their rolling/fixed codes and remotes so that they can be paired to your garage door.
I linked this in a sub comment, but the largest garage door maker in the US is Chamberlain [0] (which owns a ton of other brands) and uses known rolling code algorithms that can be decoded. [1]
The largest garage door manufacture in the US uses the Security+ and Security+ 2.0 algorithms that are rolling, but can be fairly trivially decoded to gain the serial number and rolling value of a remote. [0] This is how the flipper zero decodes remotes for playback later.
I would say that money is the root of the problem. I think that most VOIP providers don't want to loose out on unencrypted traffic (both legitimate and spam).
Also, why do I seem to always get spam from a few providers? And why aren't we holding them accountable?
This was my thought too. While I do think going after this kind of scam is a good first step, I don't see overseas operators not using this any less. Most spam calls I get don't follow the do not call list, why would they follow this either?
I think the FCC needs to step up and have a hard deadline for STIR/SHAKEN with fines for operators who don't comply. That is the only way, IMHO, that the VOIP operators will take it seriously.
I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.
<tinfoil hat> I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows. </tinfoil hat>
This seems that Apple went to way too much thought to avoid a simple solution: Just let users sideload apps and put up a few warning messages like Android. Must have had a bunch of high-priced lawyers think this up.
Also, what is this Core Technology Fee for all apps? Maybe Apple has been losing money on the App Store infrastructure so they want to make it up? Or is this just a bid to try and keep as much control as possible? Seems that Apple wants to go into this kicking and screaming...
As someone in cybersecurity, I understand the need for secure apps, but I think Apple has been going about it in the wrong way.
[0] https://www.home-assistant.io/voice_control/worlds-most-priv...