A technique that allows thieves to silently unlock and drive away cars is getting cheaper and easier than ever.

In May 2017, Google announced that there are over two billion active Android devices. If we look at the latest stats (the far right edge), we can see that nearly half of these devices are two years out of date. At this point, we should expect that there are more than one billion devices that are two years out of date! Given Android’s update model, we should expect approximately 0% of those devices to ever get updated to a modern version of Android.

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within Ring -3:

- Full networking stack
- File systems
- Many drivers (including USB, networking, etc.)
- A web server

Multiple online user reports claim that the MantisTek GK2 mechanical keyboard's configuration software is sending data to an Alibaba server. One of the reports even includes an analysis of the software’s traffic, which seems to include how many times keys have been pressed.

Estonia abruptly suspends digital ID cards as crypto attacks get easier and cheaper. [...] When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key.

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 …

According to a new report in Der Spiegel, the NSA regularly intercepts shipments of laptops and other electronic devices in ...

KRACK attack allows other nasties, including connection hijacking and malicious injection.

The big news in crypto today is the KRACK attack on WPA2 protected WiFi networks. logo-smallDiscovered by Mathy Vanhoef and Frank Piessens at KU Leuven, KRACK (Key Reinstallation Attack) leverages a vulnerability in the 802.11i four-way handshake in order to facilitate decryption and forgery attacks on encrypted WiFi traffic.

Breaking WPA2 by forcing nonce reuse

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via

Posted by Gal Beniamini, Project Zero In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone ...

For several hours on Wednesday the site was compromised again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info that looked like this:

Who placed the JavaScript code on two primetime dot-coms? So far, it's a mystery

Exclusive: hackers may have accessed usernames, passwords and personal details of top accountancy firm’s blue-chip clients

Black Hat Europe 2017