A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.
Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.
But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.
Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.
Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not provide specifics that it claims are false, or if Fortress has mitigated the vulnerabilities.
Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said that anyone who knew a homeowner’s email address could get the server to return the device’s unique IMEI, which in turn could be used to remotely disarm the system.
The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.
Arvind Vishwakarma from Rapid7 said homeowners could register a plus-tagged email address containing a long, unique string of letters and numbers, so that the address itself acts as a stand-in for a password. But there was little for homeowners to do about the radio signal bug until Fortress addresses it.
Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.
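To make the replay problem concrete, here is an added illustration in Python (not Fortress’s actual radio protocol, whose details the article does not give): a fob that transmits a fixed code per button is satisfied by any frame captured once, while a fob that signs an increasing counter with a key shared at pairing time lets the panel refuse the second copy. The key, frame layout and command codes are constructed for the example.

```python
import hashlib
import hmac
import os

# Added illustration, not Fortress's protocol: a fixed-code fob resends the same
# bytes on every press, so a captured frame stays valid; a rolling design signs
# an increasing counter with a paired key, so the panel can refuse a second copy.
COMMANDS = {"arm": 1, "disarm": 2}
NAMES = {v: k for k, v in COMMANDS.items()}

class FixedCodeFob:
    def press(self, cmd):
        return bytes([COMMANDS[cmd]])

class FixedCodePanel:
    def receive(self, frame):
        return NAMES.get(frame[0]) if len(frame) == 1 else None

class RollingFob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, cmd):
        self.counter += 1                       # never reused across presses
        body = self.counter.to_bytes(4, "big") + bytes([COMMANDS[cmd]])
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag                       # 4-byte counter, 1-byte cmd, 8-byte MAC

class RollingPanel:
    def __init__(self, key):
        self.key, self.last_counter, self.rejected = key, 0, []

    def receive(self, frame):
        if len(frame) != 13:
            return self._reject("malformed")
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad MAC")      # tampered or forged frame
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return self._reject("replay")       # counter already consumed
        self.last_counter = counter
        return NAMES.get(body[4])

    def _reject(self, reason):
        self.rejected.append(reason)            # a burst of these is worth alerting on
        return None

def demo():
    """What each panel does when the same captured 'disarm' frame arrives twice."""
    fob, panel = FixedCodeFob(), FixedCodePanel()
    captured = fob.press("disarm")
    fixed = (panel.receive(captured), panel.receive(captured))
    key = os.urandom(32)                        # assumed to be provisioned at pairing
    rfob, rpanel = RollingFob(key), RollingPanel(key)
    captured = rfob.press("disarm")
    rolling = (rpanel.receive(captured), rpanel.receive(captured))
    return fixed, rolling, rpanel.rejected
```

Real rolling-code schemes accept a forward window of counters so that presses made out of the panel’s range do not desynchronise the fob; the strict monotonic check here is the minimum that defeats a straight replay.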
Hello friends, and welcome back to Week in Review! Last week we dove into Bezos’s Blue Origin suing NASA. This week, I’m writing about the unlikely and triumphant resurgence of the NFT market.
If I could, I would probably write about NFTs in this newsletter every week. I generally stop myself from actually doing so because I try my best to make this newsletter a snapshot of what’s important to the entire consumer tech sector, not just my niche interests. That said, I’m giving myself free rein this week.
The NFT market is just so hilariously bizarre and the culture surrounding the NFT world is so web-native, I can’t read about it enough. But in the past several days, the market for digital art on the blockchain has completely defied reason.
Back in April, I wrote about a platform called CryptoPunks that — at that point — had banked more than $200 million in lifetime sales since 2017. The little pop art pixel portraits have taken on a life of their own since then. It was pretty much unthinkable back then but in the past 24 hours alone, the platform did $141 million in sales, a new record. By the time you read this, the NFT platform will have likely passed a mind-boggling $1.1 billion in transaction volume according to crypto tracker CryptoSlam. With 10,000 of these digital characters, to buy a single one will cost you at least $450,000 worth of the Ethereum cryptocurrency. (When I sent out this newsletter yesterday that number was $300k)
When I published this back in April, the cheapest CryptoPunks were $30k, today the cheapest one available for sale is just shy of $300k https://t.co/X4iTSl6FjC
— Lucas Matney (@lucasmtny) August 27, 2021
It’s not just CryptoPunks either; the entire NFT world has exploded in the past week, with several billions of dollars flowing into projects with drawings of monkeys, penguins, dinosaurs and generative art this month alone. After the NFT rally earlier this year — culminating in Beeple’s $69 million Christie’s sale — began to taper off, many wrote off the NFT explosion as a bizarre accident. What triggered this recent frenzy?
Part of it has been a resurgence of cryptocurrency prices toward all-time-highs and a desire among the crypto rich to diversify their stratospheric assets without converting their wealth to fiat currencies. Dumping hundreds of millions of dollars into an NFT project with fewer stakeholders than the currencies that underlie them can make a lot of sense to those whose wealth is already over-indexed in crypto. But a lot of this money is likely FOMO dollars from investors who are dumping real cash into NFTs, bolstered by moves like Visa’s purchase this week of their own CryptoPunk.
I think it’s pretty fair to say that this growth is unsustainable, but how much further along this market growth gets before the pace of investment slows or collapses is completely unknown. There are no signs of slowing down for now, something that can be awfully exciting — and dangerous — for investors looking for something wild to drop their money into… and wild this market truly is.
Here’s some advice from Figma CEO Dylan Field who sold his alien CryptoPunk earlier this year for 4,200 Eth (worth $13.6 million today).
Just getting into NFT’s? Welcome!! It’s a fascinating world and this is just the very start :)
My unsolicited advice: exercise caution + restraint. There are a lot of speculators in the space right now. Buy things you love / plan to hold forever and don’t expect prices to go up!
— Dylan Field (@zoink) August 28, 2021
Here are the TechCrunch news stories that especially caught my eye this week:
OnlyFans suspends its porn ban
In a stunning about-face, OnlyFans declared this week that they won’t be banning “sexually explicit content” from their platform after all, saying in a statement that they had “secured assurances necessary to support our diverse creator community and have suspended the planned October 1 policy change.”
Kanye gets into the hardware business
Ahead of the drop of his next album, which will definitely be released at some point, rapper Kanye West has shown off a mobile music hardware device called the Stem Player. The $200 pocket-sized device allows users to mix and alter music that has been loaded onto the device. It was developed in partnership with hardware maker Kano.
Apple settles developer lawsuit
Apple has taken some PR hits in recent years following big and small developers alike complaining about the take-it-or-leave-it terms of the company’s App Store. This week, Apple shared a proposed settlement (which still is pending a judge’s approval) that starts with a $100 million payout and gets more interesting with adjustments to App Store bylines, including the ability of developers to advertise paying for subscriptions directly rather than through the app only.
Twitter starts rolling out ticketed Spaces
Twitter has made a convincing case for its Clubhouse competitor Spaces, and it has also managed to build on the model in recent months, turning its copycat feature into a product that succeeds on its own merits. Its latest effort, allowing creators to sell tickets to events, is just starting to roll out, the company shared this week.
CA judge strikes down controversial gig economy proposition
Companies like Uber and DoorDash dumped tens of millions of dollars into Prop 22, a law which clawed back a California law that pushed gig economy startups to classify workers as full employees. This week a judge declared the proposition unconstitutional, and though the decision has been stayed on appeal, any adjustment would have major ramifications for those companies’ business in California.
Some of my favorite reads from our Extra Crunch subscription service this week:
Future tech exits have a lot to live up to
“Inflation may or may not prove transitory when it comes to consumer prices, but startup valuations are definitely rising — and noticeably so — in recent quarters. That’s the obvious takeaway from a recent PitchBook report digging into valuation data from a host of startup funding events in the United States…”
OpenSea UX teardown
“…is the experience of creating and selling an NFT on OpenSea actually any good? That’s what UX analyst Peter Ramsey has been trying to answer by creating and selling NFTs on OpenSea for the last few weeks. And the short answer is: It could be much better…”
Are B2B SaaS marketers getting it wrong?
“‘Solutions,’ ‘cutting-edge,’ ‘scalable’ and ‘innovative’ are just a sample of the overused jargon lurking around every corner of the techverse, with SaaS marketers the world over seemingly singing from the same hymn book. Sadly for them, new research has proven that such jargon-heavy copy — along with unclear features and benefits — is deterring customers and cutting down conversions…”
Apple has encountered monumental backlash to a new child sexual abuse material (CSAM) detection technology it announced earlier this month. The system, which Apple calls NeuralHash, has yet to be activated for its billion-plus users, but the technology is already facing heat from security researchers who say the algorithm is producing flawed results.
NeuralHash is designed to identify known CSAM on a user’s device without Apple having to possess the image or know its contents. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on the user’s device, which Apple claims is more privacy friendly, since the scanning is limited to photos, whereas other companies scan all of a user’s files.
Apple does this by looking for images on a user’s device that have the same hash — a string of letters and numbers that can uniquely identify an image — that are provided by child protection organizations like NCMEC. If NeuralHash finds 30 or more matching hashes, the images are flagged to Apple for a manual review before the account owner is reported to law enforcement. Apple says the chance of a false positive is about one in one trillion accounts.
But security experts and privacy advocates have expressed concern that the system could be abused by highly resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable. NCMEC called critics the “screeching voices of the minority,” according to a leaked memo distributed internally to Apple staff.
Last night, Asuhariet Ygvar reverse-engineered Apple’s NeuralHash into a Python script and published the code to GitHub, allowing anyone to test the technology regardless of whether they have an Apple device. In a Reddit post, Ygvar said NeuralHash “already exists” in iOS 14.3 as obfuscated code, and that he was able to reconstruct the technology to help other security researchers understand the algorithm better before it’s rolled out to iOS and macOS devices later this year.
It didn’t take long before others tinkered with the published code and soon came the first reported case of a “hash collision,” which in NeuralHash’s case is where two entirely different images produce the same hash. Cory Cornelius, a well-known research scientist at Intel Labs, discovered the hash collision. Ygvar confirmed the collision a short time later.
Hash collisions can be a death knell to systems that rely on cryptography to keep them secure, such as encryption. Over the years several well-known password hashing algorithms, like MD5 and SHA-1, were retired after collision attacks rendered them ineffective.
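NeuralHash is a perceptual hash, built to keep matching an image after edits such as resizing or recompression, which is a different design goal from the cryptographic hashes mentioned above. The added Python example below (not Apple’s algorithm, and not Ygvar’s script) uses a toy average hash on constructed 8x8 grayscale thumbnails to show why two images with different bytes can share a perceptual hash while their SHA-256 digests differ; the sample images and the match threshold are assumptions.

```python
import hashlib

SIZE = 8  # toy aHash works on an 8x8 grayscale thumbnail; pixels are ints 0..255

def average_hash(pixels):
    """Toy perceptual hash: one bit per pixel, set when the pixel is brighter
    than the image's mean. Tolerates brightness and contrast changes by design."""
    assert len(pixels) == SIZE * SIZE
    mean = sum(pixels) / len(pixels)
    return int("".join("1" if p > mean else "0" for p in pixels), 2)

def hamming(a, b):
    """Number of differing bits; perceptual matching uses a distance threshold."""
    return bin(a ^ b).count("1")

def sha256_hex(pixels):
    """Cryptographic hash of the raw bytes: any single-pixel change alters it."""
    return hashlib.sha256(bytes(pixels)).hexdigest()

def make_image(light, dark, flips=()):
    """Constructed sample: left half `light`, right half `dark`, with the
    pixels at the indexes in `flips` set to `light`."""
    pixels = [light if col < SIZE // 2 else dark
              for row in range(SIZE) for col in range(SIZE)]
    for i in flips:
        pixels[i] = light
    return pixels

def compare(a, b, max_distance=4):
    """Returns (perceptual_match, crypto_match) for two images (threshold assumed)."""
    return (hamming(average_hash(a), average_hash(b)) <= max_distance,
            sha256_hex(a) == sha256_hex(b))

def demo():
    original = make_image(255, 0)            # high-contrast split image
    recontrasted = make_image(200, 100)      # same layout, much lower contrast
    edited = make_image(255, 0, flips=(7,))  # one pixel on the dark side lit up
    inverted = make_image(0, 255)            # dark left, light right
    return {
        "recontrasted": compare(original, recontrasted),  # same aHash, different SHA-256
        "edited": compare(original, edited),              # 1 bit apart, still a match
        "inverted": compare(original, inverted),          # no match either way
    }
```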
Kenneth White, a cryptography expert and founder of the Open Crypto Audit Project, said in a tweet: “I think some people aren’t grasping that the time between the iOS NeuralHash code being found and [the] first collision was not months or days, but a couple of hours.”
When reached, an Apple spokesperson declined to comment on the record. But in a background call where reporters were not allowed to quote executives directly or by name, Apple downplayed the hash collision and argued that the protections it puts in place — such as a manual review of photos before they are reported to law enforcement — are designed to prevent abuses. Apple also said that the version of NeuralHash that was reverse-engineered is a generic version, and not the complete version that will roll out later this year.
It’s not just civil liberties groups and security experts that are expressing concern about the technology. A senior lawmaker in the German parliament sent a letter to Apple chief executive Tim Cook this week saying that the company is walking down a “dangerous path” and urged Apple not to implement the system.
Blockchain infrastructure startups are heating up as industry fervor brings more developers and users to a space that still feels extremely young despite a heavy institutional embrace of the crypto space in 2021.
The latest crypto startup to court the attention of venture capitalists is Tenderly, which builds a developer platform for Ethereum devs to monitor and test the smart contracts that power their decentralized apps. Tenderly CEO Andrej Bencic tells TechCrunch his startup has closed a $15.3 million Series A funding round led by Accel with additional participation from existing investors. The Belgrade startup already raised a $3.3 million seed round earlier this year led by Point Nine Capital.
The startup’s aim to date has been ensuring that fledgling blockchain developers aren’t left finding out about contract errors only when users discover issues and complain, instead letting them find these bugs proactively. While the company’s Visual Debugger is already used by “tens of thousands” of Ethereum developers, Tenderly hopes to continue building out its toolset to help more developers build on Ethereum networks without the headaches and irregularities they’ve had to deal with so far.
“Tenderly, from its inception, has been a solution to one of our own problems,” Bencic tells TechCrunch. “We wanted to make it as easy as possible to observe and extract information from Ethereum and the adjacent networks.”
Bencic hopes the company’s product can help developers get their products out more quickly without compromising on usability.
To date, the majority of Tenderly’s customers have been relatively small startup efforts aiming to tap into the exciting world of blockchain-based computing with a particular focus on decentralized finance. Tenderly itself is a small company with its team of 14 based in Serbia. Bencic says this funding will help the company expand its global footprint and build out engineering and business hires in other geographies.
Climbing cryptocurrency prices have historically aligned pretty closely with developer uptake in the blockchain world so there is some concern that bitcoin and Ethereum’s downward-trending price corrections will lead to less stability in the pipeline of new developers embracing blockchain. That said, volatility is far from unusual to the crypto world and many developers have learned that riding its ebbs and flows is just part of the experience.
“We built most of Tenderly in the bear market, and one thing we saw is that even though you get these concerning prices, people that are excited about the tech are excited about the tech whether the coins are up or down,” Bencic says.
Magic, a San Francisco-based startup that builds “plug and play” passwordless authentication technology, has raised $27 million in Series A funding.
The round, led by Northzone and with participation from Tiger Global, Volt Capital, Digital Currency Group and CoinFund, comes just over a year after Magic launched from stealth, rebranding from its previous name Fortmatic.
The company, like many others, is on a mission to end traditional password-based authentication. Magic’s flagship SDK, which launched in April 2020, enables developers to implement a variety of passwordless authentication methods with just a few lines of code and integrates with a number of modern frameworks and infrastructures.
Not only does the SDK make it easier for companies and developers to implement passwordless auth methods in their applications, but it could also help to mitigate the expensive fallout that many have to deal with as a result of data breaches.
“This is why the password is so dangerous,” Sean Li, Magic co-founder and CEO tells TechCrunch. “It’s like a Jenga tower right now — a hacker breaching your system can download an entire database of encrypted passwords, and then easily crack them. It’s a huge central point of failure.”
The company recently built out its SDK to add support for WebAuthn, which means it can support hardware-based authentication keys like Yubico, as well as biometric-based Face ID and fingerprint logins on mobile devices.
“It’s less mainstream right now, but we’re making it super simple for developers,” says Li. “This way we can help promote new technologies, and that’s really good for user security and privacy.”
It’s a bet that seems to be working: Magic has recorded a 13% month-over-month increase in developer signups, and the number of identities secured is growing at a rate of 6% weekly, according to Magic. It has also secured a number of big-name customers, from crypto news publisher Decrypt to fundraising platform Fairmint.
Wendy Xiao Schadeck, a partner at Northzone said: “We couldn’t be more excited to support Sean and the Magic team as they redefine authentication for the internet from the bottom up, solving a core pain point for developers, users, and companies.
“It was clear to us that they’re absolutely loved by their customers because the team is so obsessed with serving every single part of the developer journey across several communities. What’s potentially even more exciting is what they will be able to do to empower users and decentralize the identity layer of the web.”
The company now plans to continue to scale its platform and expand its team to meet what Magic describes as “soaring” demand. The startup, which currently has 30 employees that work remotely on a full-time basis, expects to at least double its headcount across all core functions, including product, engineering, design, marketing, finance, people and operations.
It’s also planning to build out the SDK even further; Li says he wants to be able to plug into more kinds of technology, from low-code applications to workflow automations.
“The vision is much bigger than that. We want to be the passport of the internet,” Li adds.