Apple and Google are launching a joint COVID-19 tracing tool for iOS and Android

Apple and Google’s engineering teams have banded together to create a decentralized contact tracing tool that will help individuals determine whether they have been exposed to someone with COVID-19.

Contact tracing is a useful tool that helps public health authorities track the spread of the disease and inform the potentially exposed so that they can get tested. It does this by identifying and ‘following up with’ people who have come into contact with a COVID-19 affected person.

The first phase of the project is an API that public health agencies can integrate into their own apps. The next phase is a system-level contact tracing capability that will work across iOS and Android devices on an opt-in basis.

The system uses on-board radios on your device to transmit an anonymous ID over short ranges — using Bluetooth beaconing. Servers relay your last 14 days of rotating IDs to other devices which search for a match. A match is determined based on a threshold of time spent and distance maintained between two devices.

If a match is found with another user that has told the system that they have tested positive, you are notified and can take steps to be tested and to self quarantine.

Contact tracing is a well known and debated tool, but one that has been adopted by health authorities and universities who are working on multiple projects like this. One such example is MIT’s efforts to use Bluetooth to create a privacy-conscious contact tracing tool that was inspired by Apple’s Find My system. The companies say that those organizations identified technical hurdles that they were unable to overcome and asked for help.

The project was started two weeks ago by engineers from both companies. One of the reasons that the companies got involved is that there is poor interoperability between systems on various manufacturers’ devices. With contact tracing, every time you fragment a system like this between multiple apps, you limit its effectiveness greatly. You need a massive amount of adoption in one system for contact tracing to work well.

At the same time, you run into technical problems like Bluetooth power suck, privacy concerns about centralized data collection and the sheer effort it takes to get enough people to install the apps to be effective.

Two Phase Plan

To fix these issues, Google and Apple teamed up to create an interoperable API that should allow the largest number of users to adopt it, if they choose.

The first phase, a private proximity contact detection API, will be released in mid-May by both Apple and Google for use in apps on iOS and Android. In a briefing today, Apple and Google said that the API is a simple one and should be relatively easy for existing or planned apps to integrate. The API would allow apps to ask users to opt-in to contact tracing (the entire system is opt-in only), allowing their device to broadcast the anonymous, rotating identifier to devices that the person ‘meets’. This would allow tracing to be done to alert those who may come in contact with COVID-19 to take further steps.

The value of contact tracing should extend beyond the initial period of pandemic and into the time when self-isolation and quarantine restrictions are eased.

The second phase of the project is to bring even more efficiency and adoption to the tracing tool by bringing it to the operating system level. There would be no need to download an app; users would just opt in to the tracing right on their device. The public health apps would continue to be supported, but this would address a much larger spread of users.

This phase, which is slated for the coming months, would give the contact tracing tool the ability to work at a deeper level, improving battery life, effectiveness and privacy. If it’s handled by the system, then every improvement in those areas — including cryptographic advances — would benefit the tool directly.

How it works

A quick example of how a system like this might work.

  1. Two people happen to be near each other for a period of time, let’s say 10 minutes. Their phones exchange the anonymous identifiers (which change every 15 minutes).
  2. Later on, one of those people is diagnosed with COVID-19 and enters it into the system via a Public Health Authority app that has integrated the API.
  3. With an additional consent, the diagnosed user allows their anonymous identifiers for the last 14 days to be transmitted to the system.
  4. The person they came into contact with has a Public Health app on their phone that downloads the broadcast keys of positive tests and alerts them to a match.
  5. The app gives them more information on how to proceed from there.
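As an added illustration (not Apple or Google’s code, and not their published specification), this Python model walks through the five steps above: identifiers rotate every 15 minutes, the diagnosed user publishes only the last 14 days of keys, and matching against the local contact log happens on the other phone with the article’s 10-minute threshold. The daily-key scheme, the HMAC derivation, the once-a-minute scanning and all names are assumptions made for the simulation.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

INTERVAL_SECONDS = 15 * 60                             # identifiers rotate every 15 minutes
INTERVALS_PER_DAY = 24 * 60 * 60 // INTERVAL_SECONDS   # 96 intervals per day
KEY_HISTORY_DAYS = 14                                  # a positive user shares 14 days of keys
EXPOSURE_THRESHOLD_SECONDS = 10 * 60                   # the article's illustrative 10-minute contact


def interval_index(ts: int) -> int:
    return ts // INTERVAL_SECONDS


def day_index(ts: int) -> int:
    return ts // (24 * 60 * 60)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the rolling identifier for one 15-minute interval.
    ASSUMPTION: HMAC-SHA256 truncated to 16 bytes; the real derivation
    lives in the published specification, not in this model."""
    return hmac.new(daily_key, interval.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


class Device:
    """One phone. Nothing below leaves the device unless report_positive() is called."""

    def __init__(self) -> None:
        self.daily_keys = {}   # type: Dict[int, bytes]       day -> random secret key
        self.contacts = {}     # type: Dict[bytes, List[int]] rolling id -> [first_seen, last_seen]

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)  # ASSUMPTION: one random key per day
        return self.daily_keys[day]

    def broadcast(self, ts: int) -> bytes:
        """The identifier this phone beacons over Bluetooth at time ts."""
        return rolling_id(self.key_for_day(day_index(ts)), interval_index(ts))

    def observe(self, rid: bytes, ts: int) -> None:
        """Record a nearby identifier; no location, only the time span it was seen."""
        span = self.contacts.setdefault(rid, [ts, ts])
        span[0] = min(span[0], ts)
        span[1] = max(span[1], ts)

    def report_positive(self, now: int) -> List[Tuple[int, bytes]]:
        """Step 3: with consent, only the last 14 days of keys are uploaded."""
        cutoff = day_index(now) - KEY_HISTORY_DAYS + 1
        return sorted((d, k) for d, k in self.daily_keys.items() if d >= cutoff)

    def contact_seconds(self, published_keys: List[Tuple[int, bytes]]) -> int:
        """Step 4, on-device: re-derive every identifier the positive user could have
        broadcast and sum the time the local log overlapped with any of them."""
        positive_ids = set()
        for day, key in published_keys:
            base = day * INTERVALS_PER_DAY
            for i in range(INTERVALS_PER_DAY):
                positive_ids.add(rolling_id(key, base + i))
        return sum(last - first for rid, (first, last) in self.contacts.items()
                   if rid in positive_ids)

    def is_exposed(self, published_keys: List[Tuple[int, bytes]]) -> bool:
        return self.contact_seconds(published_keys) >= EXPOSURE_THRESHOLD_SECONDS


def simulate_encounter(a: Device, b: Device, start: int, seconds: int, scan_every: int = 60) -> None:
    """Constructed encounter: both phones hear each other's beacon once a minute."""
    for ts in range(start, start + seconds + 1, scan_every):
        a.observe(b.broadcast(ts), ts)
        b.observe(a.broadcast(ts), ts)


def run_scenario() -> dict:
    """Constructed scenario: Bob later tests positive; who gets alerted?"""
    alice, bob, carol, dave = Device(), Device(), Device(), Device()
    day20 = 20 * 24 * 60 * 60
    bob.key_for_day(0)                                        # a key from three weeks ago
    simulate_encounter(alice, bob, day20 + 1000, 12 * 60)     # 12 minutes: above threshold
    simulate_encounter(carol, bob, day20 + 5000, 3 * 60)      # 3 minutes: below threshold
    simulate_encounter(alice, dave, day20 + 9000, 30 * 60)    # Dave never tests positive
    published = bob.report_positive(now=day20 + 20000)        # only 14 days of keys leave Bob's phone
    return {
        "published_key_days": [d for d, _ in published],      # the day-0 key is not shared
        "alice": alice.is_exposed(published),
        "carol": carol.is_exposed(published),
        "dave": dave.is_exposed(published),
    }


if __name__ == "__main__":
    print(run_scenario())
```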

Privacy and Transparency

Both Apple and Google say that privacy and transparency are paramount in a public health effort like this one and say they are committed to shipping a system that does not compromise personal privacy in any way.

There is zero use of location data, which includes users who report positive. This tool is not about where affected people are but instead whether they have been around other people.

The system works by assigning a random, rotating identifier to a person’s phone and transmitting it via Bluetooth to nearby devices. That identifier, which rotates every 15 minutes and contains no personally identifiable information, will pass through a simple relay server that can be run by health organizations worldwide.

Even then, the list of identifiers you’ve been in contact with doesn’t leave your phone unless you choose to share it. Users that test positive will not be identified to other users, Apple or Google. Google and Apple can disable the broadcast system entirely when it is no longer needed.

All identification of matches is done on your device, allowing you to see — within a 14-day window — whether your device has been near the device of a person who has self-identified as having tested positive for COVID-19.

The entire system is opt-in. Users will know up front that they are participating, whether in app or at a system level. Public health authorities are involved in notifying users that they have been in contact with an affected person. Apple and Google say that they will openly publish information about the work that they have done for others to analyze in order to bring the most transparency possible to the privacy and security aspects of the project.

“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems,” the companies said in a statement. “Through close cooperation and collaboration with developers, governments and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life.”

You can find more information about the contact tracing API, including specifications, on Apple’s page.

OctoML raises $15M to make optimizing ML models easier

OctoML, a startup founded by the team behind the Apache TVM machine learning compiler stack project, today announced it has raised a $15 million Series A round led by Amplify, with participation from Madrone Ventures, which led its $3.9 million seed round. The core idea behind OctoML and TVM is to use machine learning to optimize machine learning models so they can more efficiently run on different types of hardware.

“There’s been quite a bit of progress in creating machine learning models,” OctoML CEO and University of Washington professor Luis Ceze told me. “But a lot of the pain has moved to once you have a model, how do you actually make good use of it in the edge and in the clouds?”

That’s where the TVM project comes in, which was launched by Ceze and his collaborators at the University of Washington’s Paul G. Allen School of Computer Science & Engineering. It’s now an Apache incubating project and because it’s seen quite a bit of usage and support from major companies like AWS, ARM, Facebook, Google, Intel, Microsoft, Nvidia, Xilinx and others, the team decided to form a commercial venture around it, which became OctoML. Today, even Amazon Alexa’s wake word detection is powered by TVM.

Ceze described TVM as a modern operating system for machine learning models. “A machine learning model is not code, it doesn’t have instructions, it has numbers that describe its statistical modeling,” he said. “There’s quite a few challenges in making it run efficiently on a given hardware platform because there’s literally billions and billions of ways in which you can map a model to specific hardware targets. Picking the right one that performs well is a significant task that typically requires human intuition.”

And that’s where OctoML and its “Octomizer” SaaS product, which it also announced today, come in. Users can upload their model to the service and it will automatically optimize, benchmark and package it for the hardware they specify and in the format they want. For more advanced users, there’s also the option to add the service’s API to their CI/CD pipelines. These optimized models run significantly faster because they can now fully leverage the hardware they run on, but what many businesses will maybe care about even more is that these more efficient models also cost them less to run in the cloud, or that they are able to use cheaper hardware with less performance to get the same results. For some use cases, TVM already results in 80x performance gains.

Currently, the OctoML team consists of about 20 engineers. With this new funding, the company plans to expand its team. Those hires will mostly be engineers, but Ceze also stressed that he wants to hire an evangelist, which makes sense, given the company’s open-source heritage. He also noted that while the Octomizer is a good start, the real goal here is to build a more fully featured MLOps platform. “OctoML’s mission is to build the world’s best platform that automates MLOps,” he said.

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access the underlying macOS operating system, which is typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped details of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meantime, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Volvo’s Polestar begins production of the all-electric Polestar 2 in China

Polestar has started production of its all-electric Polestar 2 vehicle at a plant in China amid the COVID-19 pandemic that has upended the automotive industry and triggered a wave of factory closures throughout the world.

The start of Polestar 2 production is a milestone for Volvo Car Group’s standalone electric performance brand — and not just because it began in the midst of global upheaval caused by COVID-19, a disease that stems from the coronavirus. It’s also the first all-electric car under a brand that was relaunched just three years ago with a new mission.

Polestar was once a high-performance brand under Volvo Cars. In 2017, the company was recast as an electric performance brand aimed at producing exciting and fun-to-drive electric vehicles — a niche that Tesla was the first to fill and has dominated ever since. Polestar is jointly owned by Volvo Car Group and Zhejiang Geely Holding of China. Volvo was acquired by Geely in 2010.

COVID-19 has affected how Polestar and its parent company operate. Factory closures began in China, where the disease first swept through the population. Now Chinese factories are reopening as the epicenter of COVID-19 moves to Europe and North America. Most automakers have suspended production in Europe and North America.

Polestar CEO Thomas Ingenlath said the company started production under these challenging circumstances with a strong focus on the health and safety. He added that the Luqiao, China factory is an example of how Polestar has leveraged the expertise of its parent companies.

Extra precautions have been taken because of the outbreak, including frequent disinfecting of work spaces and requiring workers to wear masks and undergo regular temperature screenings, according to the company. Polestar has said that none of its workers in China has tested positive for COVID-19 as a result of these efforts.

COVID-19 has also affected Polestar’s timeline. Polestar will only sell its vehicles online and will offer customers subscriptions to the vehicle. It previously revealed plans to open “Polestar Spaces,” a showroom where customers can interact with the product and schedule test drives. These spaces will be standalone facilities and not within existing Volvo retailer showrooms. Polestar had planned to have 60 of these spaces open by 2020, including Oslo, Los Angeles and Shanghai.

COVID-19 has delayed the opening of the showrooms. The company will have some pop up stores opening as soon as that situation improves, so people can go see the cars and learn more while the permanent showrooms are still under construction, TechCrunch has learned.

It’s not clear just how many Polestar 2 vehicles will be produced; Polestar has told TechCrunch that it is in the “tens of thousands” of cars per calendar year. Those numbers will also depend on demand for the Polestar 2 and other models that are built in the same factory.

[Image: Polestar 2 EV. Image Credits: Screenshot/Polestar]

Polestar also isn’t providing the exact number of reservations until it begins deliveries, which are supposed to start this summer in Europe followed by China and North America. It was confirmed to TechCrunch that reservations are in the “five digits.”

The Polestar 2, which was first revealed in February 2019, has been positioned by the company to go up against the Tesla Model 3. (The company’s first vehicle, the Polestar 1, is a plug-in hybrid with two electric motors powered by three 34 kilowatt-hour battery packs and a turbocharged and supercharged gas inline-4 up front.)

But it will likely face off against other competitors launching new EVs in 2020 and 2021, including Volkswagen, GM, Ford and startups Lucid Motors and even adventure-focused Rivian.

Polestar is hoping customers are attracted to the tech and the performance of the fastback, which produces 408 horsepower and 487 pound-feet of torque and has a 78 kWh battery pack that delivers an estimated range of 292 miles under Europe’s WLTP.

The Polestar 2’s infotainment system will be powered by Android OS and, as a result, bring into the car embedded Google services such as Google Assistant, Google Maps and the Google Play Store. This shouldn’t be confused with Android Auto, which is a secondary interface that lies on top of an operating system. Android OS is modeled after its open-source mobile operating system that runs on Linux. But instead of running smartphones and tablets, Google modified it so it could be used in cars.

Canonical’s Anbox Cloud puts Android in the cloud

Canonical, the company behind the popular Ubuntu Linux distribution, today announced the launch of Anbox Cloud, a new platform that allows enterprises to run Android in the cloud.

On Anbox Cloud, Android becomes the guest operating system that runs containerized applications. This opens up a range of use cases, from bespoke enterprise apps to cloud gaming solutions.

The result is similar to what Google does with Android apps on Chrome OS, though the implementation is quite different and is based on the LXD container manager, as well as a number of Canonical projects like Juju and MAAS for provisioning the containers and automating the deployment. “LXD containers are lightweight, resulting in at least twice the container density compared to Android emulation in virtual machines – depending on streaming quality and/or workload complexity,” the company points out in its announcement.

Anbox itself, it’s worth noting, is an open-source project that came out of Canonical and the wider Ubuntu ecosystem. Launched by Canonical engineer Simon Fels in 2017, Anbox runs the full Android system in a container, which in turn allows you to run Android applications on any Linux-based platform.

What’s the point of all of this? Canonical argues that it allows enterprises to offload mobile workloads to the cloud and then stream those applications to their employees’ mobile devices. But Canonical is also betting on 5G to enable more use cases, less because of the available bandwidth but more because of the low latencies it enables.

“Driven by emerging 5G networks and edge computing, millions of users will benefit from access to ultra-rich, on-demand Android applications on a platform of their choice,” said Stephan Fabel, Director of Product at Canonical, in today’s announcement. “Enterprises are now empowered to deliver high performance, high density computing to any device remotely, with reduced power consumption and in an economical manner.”

Outside of the enterprise, one of the use cases that Canonical seems to be focusing on is gaming and game streaming. A server in the cloud is generally more powerful than a smartphone, after all, though that gap is closing.

Canonical also cites app testing as another use case, given that the platform would allow developers to test apps on thousands of Android devices in parallel. Most developers, though, prefer to test their apps on real — not emulated — devices, given the fragmentation of the Android ecosystem.

Anbox Cloud can run in the public cloud, though Canonical is specifically partnering with edge computing specialist Packet to host it on the edge or on-premise. Silicon partners for the project are Ampere and Intel.

Browsers are interesting again

A few years ago, covering browsers got boring.

Chrome had clearly won the desktop, the great JavaScript speed wars were over and Mozilla seemed more interested in building a mobile operating system than its browser. Microsoft tried its best to rescue Internet Explorer/Edge from being the punchline of nerdy jokes, but its efforts essentially failed.

Meanwhile, Opera had shuttered the development of its own rendering engine and redesigned its browser with less functionality, alienating many of its biggest fans. On mobile, plenty of niche players tried to break the Chrome/Safari duopoly, but while they did have some innovative ideas, nothing ever stuck.

But over the course of the last year or so, things changed. The main catalyst for this, I would argue, is that the major browser vendors — and we can argue about Google’s role here — realized that their products were at the forefront of a new online privacy movement. It’s the browser, after all, that allows marketers to set cookies and fingerprint your machine to track you across the web.

Add to that Microsoft’s move to the Chromium engine, which is finally giving Microsoft a seat at the browser table again, plus the success of upstarts like Brave and Vivaldi, and you’ve got the right mix of competitive pressure and customer interest for innovation to come back into what was a stagnant field only a few years ago.

Let’s talk about privacy first. With browsers being the first line of defense, it’s maybe surprising that we didn’t see Mozilla and others push for more built-in tracking protections before.

In 2019, the Chrome team changed how the browser handles cookies and a few months ago, it launched a broader initiative to completely rethink cookies and online privacy for its users — and by extension, Google’s advertising ecosystem. This move centers around differential privacy and a ‘privacy budget’ that would allow advertisers to get enough information about you to group you into a larger cohort without providing so much information that you would lose your anonymity.

At the time, Google said this was a multi-year effort that was meant to help publishers retain their advertising revenue (vs their users completely blocking cookies).

China Roundup: GitHub’s China ambitions and WeWork rival’s big hopes

Hello and welcome back to TechCrunch’s China Roundup, a digest of recent events shaping the Chinese tech landscape and what they mean to people in the rest of the world. This week, we are looking at how WeWork’s largest rival in China — UCommune — is pulling ahead with its initial public offering and GitHub’s potential big move in China.

GitHub turns to China

The world’s largest source code repository host GitHub is mulling opening a Chinese subsidiary, the company’s CEO told the Financial Times recently. The plan comes at a time when the technological rift between China and the U.S. is deepening. The U.S.’s trade sanctions on Huawei, which include limiting the company’s access to certain Android services, have stirred concerns of further “decoupling” between the two countries. Since then Huawei has stepped up efforts to cut its reliance on American suppliers and develop its own core chips and software operating system.

American tech companies are feeling a similar chill from the trade war. Opening a China office could potentially help GitHub hedge against trade war bans and alleviate the company’s risks in its second-largest market. The demand for a China backup plan appears to have grown after GitHub restricted accounts of users in Cuba, Iran and a few other countries to comply with U.S. sanctions, a decision that sparked an outcry from open-source developer communities around the world and worried Chinese users that the same could befall them.

On the other hand, developers in China and overseas worry that maintaining a China-based operation might subject GitHub’s local projects to Beijing censorship as the country requires foreign companies operating in China to store users’ data locally. Though GitHub has previously been blocked in China seemingly for sharing anti-censorship tools, the restriction was usually temporary. As of now, the site remains largely accessible in China, according to Greatfire.org, a website that monitors China’s online censorship. But the concerns are justified. LinkedIn and Bing, sharing the same parent company — Microsoft — with GitHub, have been roundly criticized for practicing censorship in China.

Big hopes and losses

China’s shared space provider UCommune is moving ahead of its rival WeWork as it filed with the U.S. securities exchange for an IPO this week. Like its American counterpart, UCommune — which rebranded from UrWork after a name dispute with WeWork — hasn’t yet found its way to profitability. The Beijing-based company posted a net loss of 573 million yuan ($80.13 million) for the first three quarters ended September 30, 2019, up from 271 million yuan a year earlier, its F-1 filing shows.

UCommune founder Mao Daqing, a real estate veteran, has previously forecasted that China’s co-working industry would be valued close to 100 billion yuan ($14 billion) by 2030. The reality is a bit more dismal. WeWork is reportedly coping with high vacancy rates across major Chinese cities, although sources told TechCrunch that spaces could be easily filled up with one or two large corporate contracts per location.

Perhaps more notably, half of UCommune’s revenue is derived from so-called “marketing and branding services,” which include content design as well as online and offline advertising services it sells to customers. The marketing segment, curiously, is attributed to one single subsidiary, a digital marketing services provider it acquired in late 2018. UCommune warns in its prospectus that “the historical financial results of our marketing and branding services may not serve as an adequate basis for evaluating the future financial results of this segment” because revenue from the unit relies overwhelmingly on a small number of major enterprise clients.

Also worth your attention…

Despite Huawei’s push to build its own alternative operating system — HarmonyOS — the Chinese giant is sticking with Android for the foreseeable future. At a company event this week in Shenzhen, its home city, consumer software executive Wang Chenglu announced (in Chinese) that all of Huawei’s handsets, tablets and laptops will continue to carry an Android-based OS in 2020. Meanwhile, Huawei’s other products, including a broad range of Internet of Things devices that make up a smaller chunk of its consumer revenue, will ship with HarmonyOS.

Kuaishou, the largest rival to TikTok in China, has reached 100 million daily active users, the company announced (in Chinese) this week. Tencent-backed Kuaishou was one of China’s first short-video apps to have attracted a meaningful following, but it was quickly leapfrogged by a latecomer, ByteDance’s Douyin, which is TikTok’s brand in China.

Though similarly focused on bite-sized videos, the two apps differ fundamentally in the way they distribute content. Trending videos on Douyin tend to come from pedigreed influencers and professional creators; users are fed what Douyin’s complex algorithms determine as “quality” content. Kuaishou, in comparison, works to cultivate a sense of community as its users get exposed to a broader range of long-tail content — often from creators with insignificant followings.

That places Douyin closer to a form of “media” and Kuaishou closer to a “social network,” suggested (in Chinese) Liu Jianing, managing director of China’s top boutique investment bank China Renaissance, at a recent industry conference. For that reason, the two apps also monetize differently — while Douyin generates revenue mainly from ads, Kuaishou harnesses its social graphs to enable social commerce wherein shoppers leverage other users’ recommendations to make purchases.

Volvo invests in autonomous vehicle operating system startup Apex.AI through its VC arm

Volvo is making an investment in Palo Alto-based Apex.AI, a startup working on developing a robotic operating system qualified for use in production automobiles. Apex.AI, founded by automated systems engineers Jan Becker and Dejan Pangercic, raised $15.5 million in a Series A last November, and revealed that its focus is on developing an enterprise-focused version of the Robot Operating System open-source middleware.

Apex.AI currently lists two products on its home page: Apex.OS and Apex.Autonomy. The former aims to provide a set of simple-to-integrate APIs that can give automakers and others access to fully certified autonomous mobility technology, while the latter is focused on individual components for those looking to adopt specific elements of autonomous technology, including perception, localization, path planning and more.

Volvo Group Venture Capital acting CEO Anna Westerberg, who is also the automaker’s SVP of Connected Solutions, said in a press release announcing the news that Volvo Group is “excited to invest in a company that enables easier development of safety-certified systems.” In providing systems that comply with industry-standard safety requirements, Apex.AI could potentially help speed the process of getting autonomous driving systems into production vehicles, across both its commercial and consumer offerings.

The financial details of the investment were not disclosed, with publicly-traded Volvo Group saying only that it “has no significant impact” on the overall company’s “earnings or financial position,” which doesn’t mean much except that it’s not material enough to require a detailed disclosure just now. That still could mean a lot of money coming in for Apex.AI, given the relative yardstick of ‘material’ for a huge multinational automaker versus a two-year-old Silicon Valley startup.

Every angle of Volvo’s first electric vehicle, the XC40 Recharge

Volvo Cars introduced Wednesday the XC40 Recharge, an all-electric vehicle that CTO Henrik Green described as “a car of firsts and a car of the future.”

The XC40 Recharge is hardly the first electric vehicle on the market. But for Volvo the XC40 is a “car of firsts.” This is the company’s first all-electric vehicle. It’s also the first Volvo to have an infotainment system powered by Google’s Android operating system, and the first able to receive over-the-air software updates.

Before we move on to the photos, here are some of the specs.

The XC40 Recharge is equipped with an all-wheel drive powertrain and a 78 kilowatt-hour battery that can travel more than 400 kilometers (248 miles) on a single charge, in accordance with WLTP. The WLTP, or Worldwide Harmonised Light Vehicle Test Procedure, is the European standard to measure energy consumption and emissions, and tends to be more generous than the U.S. EPA estimates. The EPA estimates are not yet available, but it’s likely the XC40 Recharge will hit around the 200-mile range.

That would put the range of the Volvo XC40 Recharge below the Tesla Model 3, Chevy Bolt EV, Kia Niro and Hyundai Kona.

The vehicle’s electric motor produces the equivalent of 408 horsepower and 442 pound-feet of torque that allows the vehicle to go from zero to 60 mph in 4.8 seconds. The battery charges to 80% of its capacity in 40 minutes on a fast-charger system.

The XC40 Recharge is expected to go on sale in the U.S. late 2020.

Here’s what this car of “many firsts” looks like.

[Photo gallery: the XC40 Recharge]

Flaw in Cyberoam firewalls exposed corporate networks to hackers

Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.

The vulnerability allows an attacker to remotely gain “root” permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet. The attack takes advantage of the web-based operating system that sits on top of the Cyberoam firewall.

Once a vulnerable device is accessed, an attacker can jump onto a company’s network, according to the researcher who shared their findings exclusively with TechCrunch.

Cyberoam devices are typically used in large enterprises, sitting on the edge of a network and acting as a gateway to allow employees in while keeping hackers out. These devices filter out bad traffic, and prevent denial-of-service attacks and other network-based attacks. They also include virtual private networking (VPN), allowing remote employees to log on to their company’s network when they are not in the office.

It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password. Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.

Sophos, which bought Cyberoam in 2014, issued a short advisory this week, noting that the company rolled out fixes on September 30.

The researcher, who asked to remain anonymous, said an attacker would only need an IP address of a vulnerable device. Finding vulnerable devices was easy, they said, by using search engines like Shodan, which lists around 96,000 devices accessible to the internet. Other search engines put the figure far higher.

A Sophos spokesperson disputed the number of devices affected, but would not provide a clearer figure.

“Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched,” said the spokesperson. “There are a small number of devices that have not as of yet been patched because the customer has turned off auto-update and/or they are not internet-facing devices.”

Customers still affected can update their devices manually, the spokesperson said. Sophos said the fix will be included in the next update of its CyberoamOS operating system, but the spokesperson did not say when that software would be released.

The researcher said they expect to release the proof-of-concept code in the coming months.