Scammers are increasingly using visually stylized QR codes to deliver phishing links, Help Net Security reports.
QR code phishing (quishing) is already more difficult to detect, since these codes deliver links without a visible URL. Attackers are now using QR codes with colors, shapes, and logos woven into the codeβs pattern.
Γike were an Estonian scooter company, which sadly went bust last year. [Rasmus Moorats] has one, and since the app and cloud service the scooter depends on have lost functionality, he decided to reverse engineer it. Along the way he achieved his goal, but found a vulnerability that unlocks all Γike scooters.
The write-up is a tale of app and Bluetooth reverse engineering, ending with the startling revelation of a hardcoded key thatβs simply βffffffffffffffffβ. From that he can unlock and interact with any Γike scooter, except for a subset that were used as hire scooters and didnβt have Bluetooth. Perhaps of more legitimate use is the reverse engineering of the scooter functionality.
What do you do when you find a vulnerability in a product whose manufacturer has gone? He reported to the vendor of the IoT module inside the scooter, who responded that the key was a default value that should have been changed by the Γike developers. Good luck, should you own one of these machines.
Meanwhile, scooter hacking is very much a thing for other manufacturers too.
Red Teaming has become one of the most discussed and misunderstood practices in modern cybersecurity. Many organizations invest heavily in vulnerability scanners and penetration tests, yet breaches continue to happen through paths those tools never simulate. Enterprise leaders now ask a deeper question: βDoes our security testing completely reflect how attackers will break in?β This [β¦]
The post 10 Questions Enterprise Leaders Should Ask Before Running a Red Teaming Exercise appeared first on Kratikal Blogs.
The post 10 Questions Enterprise Leaders Should Ask Before Running a Red Teaming Exercise appeared first on Security Boulevard.
After an Instagram impersonation, Alan Shimel reveals how Metaβs AI moderation dismissed a clear security threatβshowing why identity protection is broken.
The post Someone Is Impersonating Me on Instagram β and Meta Doesnβt Give a Sh*t appeared first on Security Boulevard.
After the swivel by Helium Inc. towards simply running distributed WiFi hotspots after for years pushing LoRaWAN nodes, much of the associated hardware became effectively obsolete. This led to quite a few of these Nebra LoRa Miners getting sold off, with the [Buy it Fix it] channel being one of those who sought to give these chunks of IP-67-rated computing hardware a new life.
Originally designed to be part of the Helium Network Token (HNT) cryptocurrency mining operation, with users getting rewarded by having these devices operating, they contain fairly off-the-shelf hardware. As can be glanced from e.g. the Sparkfun product page, itβs basically a Raspberry Pi Compute Module 3+ on a breakout board with a RAK 2287 LoRa module.Β The idea in the video was to convert it into a Meshcore repeater, which ought to be fairly straightforward, one might think.
Unfortunately the unit came with a dead eMMC chip on the compute module, the LoRa module wasnβt compatible with Meshcore, and the Nebra breakout board only covers the first 24 pins of the standard RPi header on its pin header.
The solutions involved using a Β΅SD card for the firmware instead of the eMMC, and doing some creative routing on the bottom of the breakout board to connect the unconnected pins on the breakoutβs RPi header to the pins on the compute moduleβs connector. This way a compatible LoRa module could be placed on this header.
Rather than buying an off-the-shelf LoRa module for the RPi and waiting for delivery, a custom module was assembled from an eByte E22 LoRa module and some stripboard to test whether the contraption would work at all. Fortunately a test of the system as a Meshcore repeater showed that it works as intended, serving as a pretty decent proof-of-concept of how to repurpose those systems from a defunct crypto mining scheme into a typical LoRa repeater, whether Meshcore or equivalent.
A widespread phishing campaign is targeting LinkedIn users by posting comments on usersβ posts, BleepingComputer reports.
Threat actors are using bots to post the comments, which impersonate LinkedIn itself and inform the user that their account has been restricted due to policy violations. The comments contain links to supposedly allow the user to appeal the restriction.
Akin to the razor-and-blades model, capsule-based coffee machines are an endless grind of overpriced pods and cheaply made machines that youβre supposed to throw out and buy a new one of, just so that you donβt waste all the proprietary pods you still have at home. What this also means is a seemingly endless supply of free broken capsule coffee makers that might be repairable. This is roughly how [Mark Furneaux] got into the habit of obtaining various Nespresso VertuoLine machines for attempted repairs.
The VirtuoLine machines feature the capsule with a bar code printed on the bottom of the lip, requiring the capsule to be spun around so that it can be read by the optical reader. Upon successful reading, the code is passed to the MCU after which the brewing process is either commenced or cruelly halted if the code fails. Two of the Vertuo Next machines that [Mark] got had such capsule reading errors, leading to a full teardown of the first after the scanner board turned out to work fine.
Long story short and many hours of scrubbed footage later, one machine was apparently missing the lens assembly on top of the photo diode and IR LED, while the other simply had these lenses gunked up with spilled coffee. Of course, getting to this lens assembly still required a full machine teardown, making cleaning it an arduous task.
Unfortunately the machine that had the missing lens assembly turned out to have another fault which even after hours of debugging remained elusive, but at least there was one working coffee machine afterwards to make a cup of joe to make [Mark] feel slightly better about his life choices. As for why the lens assembly was missing, itβs quite possible that someone else tried to repair the original fault, didnβt find it, and reassembled the machine without the lens before passing the problem on to the next victim.
A survey by the World Economic Forum (WEF) found that 47% of organizations cite the advancement of adversarial capabilities as their top concern surrounding generative AI.
There was a time when wise older people warned you to check your tire pressure regularly. We never did, and would eventually wind up with a flat or, worse, a blowout. These days, your car will probably warn you when your tires are low. Thatβs because of a class of devices known as tire pressure monitoring systems (TPMS).
If you are like us, you see some piece of tech like this, and you immediately guess how it probably works. In this case, the obvious guess is sometimes, but not always, correct. There are two different styles that are common, and only one works in the most obvious way.
Weβd guess that the tire would have a little pressure sensor attached to it that would then wirelessly transmit data. In fact, some do work this way, and thatβs known as dTPMS where the βdβ stands for direct.
Of course, such a system needs power, and thatβs usually in the form of batteries, although there are some that get power wirelessly using an RFID-like system. Anything wireless has to be able to penetrate the steel and rubber in the tire, of course.
But this isnβt always how dTPMS systems worked. In days of old, they used a finicky system involving a coil and a pressure-sensitive diaphragm β more on that later.
This is cheap and requires no batteries in the tire. However, it isnβt without its problems. It is purely a relative measurement. In practice, you have to inflate your tires, tell the system to calibrate, and then drive around for half an hour or more to let it learn how your tires react to different roads, speeds, and driving styles.
Changes in temperature, like the first cold snap of winter, are notorious for causing these sensors to read flat. If the weather changes and you suddenly have four flat tires, thatβs probably what happened. The tires really do lose some pressure as temperatures drop, but because all four change together, the indirect system canβt tell which one is at fault, if any.
The first passenger vehicle to offer TPMS was the 1986 Porsche 959. Two sensors made from a diaphragm and a coil are mounted between the wheel and the wheelβs hub. The sensors were on opposite sides of the tire. With sufficient pressure on the diaphragm, an electrical contact was made, changing the coil value, and a stationary coil would detect the sensor as it passed. If the pressure drops, the electrical contact opens, and the coil no longer sees the normal two pulses per rotation. The technique was similar to a grid dip meter measuring an LC resonant circuit. The diaphragm switch would change the LC circuitβs frequency, and the sensing coil could detect that.
If one or two pulses were absent despite the ABS system noting wheel rotation, the car would report low tire pressure. There were some cases of centrifugal force opening the diaphragms at high speed, causing false positives, but for the most part, the system worked. This isnβt exactly iTPMS, but it isnβt quite dTPMS either. The diaphragm does measure pressure in a binary way, but it doesnβt send pressure data in the way a normal dTPMS system does.
Of course, as you can see in the video, the 959 was decidedly a luxury car. It would be 1991 before the US-made Corvette acquired TPMS. The Renault Laguna II in 2000 was the first high-volume car to have similar sensors.
In many places, laws were put in place to require TPMS in vehicles. It was also critical for cars that used βrun flatβ tires. The theory is that you might not notice your run flat tires were actually flat, and while they are, as their name implies, made to run flat, they also require you to limit speed and distance when they are flat.
Old cars or other vehicles that donβt have TPMS can still add it. There are systems that can measure tire pressure and report to a smartphone app. These are, of course, a type of dTPMS.
Of course, there are always problems. An iTPMS system isnβt really reading the tire pressure, so it can easily get out of calibration. Direct systems need battery changing, which usually means removing the tire, and a good bit of work β watch the video below. That means there is a big tradeoff between sending data with enough power to go through the tire and burning through batteries too fast.
Another issue with dTPMS is that you are broadcasting. That means you have to reject interference from other cars that may also transmit. Because of this, most sensors have a unique ID. This raises privacy concerns, too, since you are sending a uniquely identifiable code.
Of course, your car is probably also beaming Bluetooth signals and who knows what else. Not to even mention what the phone in your car is screaming to the ether. So, in practice, TPMS attacks are probably not a big problem for anyone with normal levels of paranoia.
An iTPMS sensor wonβt work on a tire that isnβt moving, so monitoring your spare tire is out. Even dTPMS sensors often stop transmitting when they are not moving to save battery, and that also makes it difficult to monitor the spare tire.
Sometimes, when you think of the βobviousβ way something works, you are wrong. In this case, you are half right. TPMS reduces tire wear, prevents accidents that might happen during tire failure, and even saves fuel.
Thanks to this technology, you donβt have to remember to check your tire pressure before a trip. You should, however, probably check the tread.
You can roll your own TPMS. Or just listen in with an SDR. If biking is more your style, no problem.
Todayβs data centers are hardened facilities with layered access controls, surveillance, redundancy and security teams focused on keeping threats out. Yet, even the most secure environment can be compromised by a single moment of trust, such as a legitimate-looking email that prompts someone to click a link. Thatβs the modern cybersecurity paradox. The perimeter can..
The post The Data Center Is Secure, But Your Users Are Not appeared first on Security Boulevard.
Researchers with security firm Miggo used an indirect prompt injection technique to manipulate Google's Gemini AI assistant to access and leak private data in Google Calendar events, highlighting the challenges AI presents that traditional security measures can't address.
The post Exploiting Google Gemini to Abuse Calendar Invites Illustrates AI Threats appeared first on Security Boulevard.
PromptArmor threat researchers uncovered a vulnerability in Anthropic's new Cowork that already was detected in the AI company's Claude Code developer tool, and which allows a threat actor to trick the agent into uploading a victim's sensitive files to their own Anthropic account.
The post Vulnerability in Anthropicβs Claude Code Shows Up in Cowork appeared first on Security Boulevard.
We've known that social engineering would get AI wings. Now, at the beginning of 2026, we are learning just how high those wings can soar.
The post Cyber Insights 2026: Social Engineering appeared first on SecurityWeek.
Microsoft and law enforcement agencies in Europe disrupted the operations of RedVDS, a global cybercrime service that sold cheap and disposable dedicated virtual servers to threat actors that used them to run BEC, phishing, and other fraud campaigns. The vendor now wants to shut down its payment networks and find the operators behind it.
The post Microsoft, Law Enforcement Disrupt RedVDS Global Cybercrime Service appeared first on Security Boulevard.
A sophisticated phishing campaign impersonating WhatsApp Web uses fake meeting links and QR codes to hijack accounts and enable real-time surveillance.
The post This WhatsApp Link Can Hand Over Your Account in Seconds appeared first on TechRepublic.
A sophisticated phishing campaign impersonating WhatsApp Web uses fake meeting links and QR codes to hijack accounts and enable real-time surveillance.
The post This WhatsApp Link Can Hand Over Your Account in Seconds appeared first on TechRepublic.
With more and more kitchen utilities gaining touch screens and capable microcontrollers itβd be inconceivable that they do not get put to other uses as well. To this end [Aaron Christophel] is back with another briefly Doom-less device in the form of the Krups Cook4Me pressure cooking pot with its rather sizeable touch screen and proclaimed smarts in addition to WiFi and an associated smartphone app.
Inside is an ESP32 module for the WiFi side, with the brains of the whole operation being a Renesas R7S721031VC SoC with a single 400 MHz Cortex-A9. This is backed by 128 MB of Flash and 128 MB of RAM. The lower touch interface is handled by a separate Microchip PIC MCU to apparently enable for low standby power usage until woken up by touch.
The developers were nice enough to make it easy to dump the firmware on the SoC via SWD, allowing for convenient reverse-engineering and porting of Doom. With the touch screen used as the human input device it was actually quite playable, and considering the fairly beefy SoC, Doom runs like a dream. Sadly, due to the rarity of this device, [Aaron] is not releasing project files for it.
As for why a simple cooking pot needs all of this hardware, the answer is probably along the lines of βbecause we canβ.
Progress at your own pace through Python, Pandas, Databricks and more in these seven comprehensive courses.
The post Master Data Engineering From Beginner To Advanced For $35 appeared first on TechRepublic.
Progress at your own pace through Python, Pandas, Databricks and more in these seven comprehensive courses.
The post Master Data Engineering From Beginner To Advanced For $35 appeared first on TechRepublic.
Login