Agreed, there is no IP address to collect, so this part of the article is inaccurate.
The rest of the article is not necessarily scaremongering, but they don't explain the issue well: it's not just a "giant clicker" as described, because it collects personally identifiable information (cellphone MAC address) without permission. This would be illegal in many other countries.
Additionally, they claim the data is "encrypted" but since it's not an open algorithm it's possible that it's flawed, either because it's deterministic or reversible.
Unless you're one of those people who don't need internet to survive, then this is nonsense. Wifi is far from everywhere and I'm not going to manually connect to wifi just to check if my date is running late. Is this the 90s?
But you still have a cellular connection, it's just metered. Which doesn't matter because checking if your date is running late uses a trivial amount of cellular data. Whereas if it turns out that they are late and now you've got an hour to kill and want to watch Netflix on your phone, you connect to the local WiFi.
Which it will have done automatically at home and at work and anywhere else that you actually frequent, so having to do that is rare.
Same. I described my dizziness and it pointed me to BPPV and 4 others that were quickly filtered out. I also asked how to further diagnose the issue and it pointed me to some maneuvers. I then searched them on YouTube and I was fine 3 days later (this stuff can stick around for months).
Diagnosis is probably going to be one of the most impactful uses. Even if then you have to head to an actual doctor to confirm, it's good to have a possible lead.
We've been using Google for the same purpose for a decade but with much worse results, this is a step up.
It does add a slight extra layer in that they have to both have a compromise for whatever chip is controlling your bank and a compromise for whatever phone is attached, which is more difficult to pack into a small controller chip. Although I'm willing to bet a lot of power bank controllers are similar across the market, which narrows that difficulty.
If it’s “just a reset” I still wouldn’t be too worried plugging into an otherwise normally placed public charger. It would obviously suck to have my device reset, especially when traveling, but of course a port could also just fry your device anyway.
If it's just a USB-initiated factory reset, that's much less worrying, just DoS not infiltration. Exploiting that at a busy airport would be a huge nuisance, but not a huge security risk. Just like wiring 110VAC into the USB wires would be a DoS...
USB is a very intelligent protocol, with a microcontroller on both ends. The controller has access to at least the driver's state, which is usually in the kernel and potentially has access to system memory.
How does your Android phone even know that data is an option to switch into when you plug it into a USB port? It has already negotiated itself to be a device on the USB bus. Your phone will probably show up in lsusb on Linux even in charging mode. (Mine does.) When you switch the phone to data mode, it changes its USB device profile, and becomes a more sophisticated attached device, from the host's perspective.
Many (most?) phones made in recent years can be USB hosts, too. This lets you connect a USB mouse and keyboard to a tablet, for example. That would open you up to all kinds of pretty simple but often quite effective attacks, like simulating a virtual keyboard and mouse and just manipulating the UI that way.
I don't know if any of these particular attacks are possible with Android right now, but many variations on these themes have been shown over the years on many platforms. USB wasn't really designed with adversarial peripherals in mind.
Maybe I'm stupid but what I gather from this is simply that this is a potential vector, not that it is currently an actual possibility. It's akin to saying using Bluetooth is dangerous because theoretically any data on my phone can be extracted through it, while neglecting the fact that the people building a phone OS are clearly aware of that and have built-in countermeasures.
BadUSB emulates a keyboard. So one would want to make sure that the phone was locked before hooking it up to a random charging port. Android exploit demo here:
Sounds like there should be a legally mandated escrow for this kind of hiring. The employer should guarantee 2/3 months of employment if they’re asking someone to move across the world. This really shouldn’t be an issue if companies actually fulfilled their duties.
The issue is that if you do not set permissions in the manifest, clicking allow in the Safari UI would only return a blank URI, "". The original extension in this case would also just return an error.
I've modified the manifest so that it is asking Safari for wider permissions, so that when the permission is granted by the user, the proper URL is returned.
Currently the extension will suggest that it needs access to every page the user visits, occasionally opening a popup automatically if I remember correctly.
For something that’s a glorified bookmarklet, that’s a lot to ask.
Uh, false? What IP address? This sentence is meaningless, users don’t connect to the sign, so there’s no IP to it.
This article is just scaremongering by people who don’t know technology.