A widely used infusion pump can be remotely hijacked, say researchers

An infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.

Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.

Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time.

But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, commonly used in pocket PCs before smartphones.

In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.

The researchers said it was also possible to remotely brick the onboard computer, knocking the pump offline.

The bug was given a rare maximum score of 10.0 on the industry-standard Common Vulnerability Scoring System, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.5 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.

Creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multiple steps, access to the hospital network, knowledge of the workstation’s IP address, and the capability to write custom malicious code.

In other words, there are far easier ways to kill a patient than exploiting these bugs.

CyberMDX disclosed the vulnerabilities to Becton Dickinson in November and to federal regulators.

Becton Dickinson said device owners should update to the latest firmware, which contains fixes for the vulnerabilities. Spokesperson Troy Kirkpatrick said the pump is not sold in the U.S., but would not say how many devices were vulnerable “for competitive reasons.”

“There are about 50 countries that have these devices,” said Kirkpatrick. He confirmed that eight countries have more than 1,000 devices, three countries have more than 2,000 devices, but no country has more than 3,000 devices.

The flaws are another reminder that security issues can exist in any device — particularly life-saving equipment in the medical space.

Earlier this year, Homeland Security warned about a set of critical-rated vulnerabilities in Medtronic defibrillators. The government-issued alert said the device’s proprietary radio communications protocol did not require authentication, allowing a nearby attacker in certain circumstances to intercept and modify commands over-the-air.

Google Assistant comes to Waze navigation app

Ever since Google acquired Waze back in 2013, features from each have been slowly making their way back and forth between it and Google Maps – and today Waze gets a big upgrade with Google Assistant integration, which means you can use the smart voice companion within the app.

Google Assistant in Waze will provide access to your usual Assistant features, like playback of music and podcasts, but it’ll also offer access to many Waze-specific abilities, including letting you ask it to report traffic conditions, or specifying that you want to avoid tolls when routing to your destination.

Google has done a good job of rolling out support for Assistant in its own Android Auto in-car software, and even brought it to Google Maps on Apple’s competing CarPlay system earlier this year. The benefits of having Assistant work natively within Waze are many, but the number one might be its potential to reduce distractions while on the road.

Waze remains a top choice among drivers, and anecdotally most Uber and Lyft drivers I encounter still swear by its supremacy over the competition, including Google’s other own-branded Maps solution.

Google Assistant will be available via a roll-out starting today in the U.S., in English only to start and on Android smartphones. Expect that availability to expand over time.

Here’s how Google Stadia performs depending on your internet connection

Google is revealing more about the launch of its Stadia streaming gaming service today, and VP Phil Harrison gave us performance specifics so you can see exactly how the company thinks the service will perform based on what kind of internet connection you have. It tops out at an impressive 4K resolution, with HDR color, 60fps frame rate and 5.1 surround sound, but you’ll have to have at least a 35 Mbps connection to get that level of quality.

Meanwhile, at 20 Mbps you’ll get full HD 1080p output, while retaining HDR video, 60fps and 5.1 surround. And Google has optimized for smoothness of stream by retaining 60 fps all the way down to its recommended minimum bandwidth connection quality of 10 Mbps (and even potentially below that based on this chart). You’ll only get 720p streams at that level, however, and stereo instead of surround sound.

“With Stadia, our goal is to make gaming more accessible for everyone,” is how Harrison framed it, and that applies to its range of connection support as well as its device availability. At launch you’ll be able to play Stadia games on your TV (via Chromecast Ultra), desktop, laptop, and tablet (via browsers) and on smartphones, though only Pixel phones to begin with, starting with Pixel 3 and Pixel 3a (via a dedicated Stadia app).

With antitrust investigations looming, Apple reverses course on bans of parental control apps

With Congressional probes and greater scrutiny from Federal regulators on the horizon, Apple has abruptly reversed course on its bans of parental control apps available in its app store.

As reported by The New York Times, Apple quietly updated its App Store guidelines to reverse its decision to ban certain parental control apps.

The battle between Apple and certain app developers dates back to last year when the iPhone maker first put companies on notice that it would cut their access to the app store if they didn’t make changes to their monitoring technologies.

The heart of the issue is the use of mobile device management (MDM) technologies in the parental control apps that Apple has removed from the App Store, Apple said in a statement earlier this year.

These device management tools give control and access over a device’s user location, app use, email accounts, camera permissions and browsing history to a third party.

“We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017,” the company said.

Apple acknowledged that the technology has legitimate uses in the context of businesses looking to monitor and manage corporate devices to control proprietary data and hardware, but, the company said, it is “a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device.”

Last month, developers of these parental monitoring tools banded together to offer a solution. In a joint statement issued by app developers including OurPact, Screentime, Kidslox, Qustodio, Boomerang, Safe Lagoon, and FamilyOrbit, the companies said simply, “Apple should release a public API granting developers access to the same functionalities that Apple’s native “Screen Time” uses.”

By providing access to its screen time app, Apple would obviate the need for the kind of controls that developers had put in place to work around Apple’s restrictions.

“The API proposal presented here outlines the functionality required to develop effective screen time management tools. It was developed by a group of leading parental control providers,” the companies said. “It allows developers to create apps that go beyond iOS Screen Time functionality, to address parental concerns about social media use, child privacy, effective content filtering across all browsers and apps and more. This encourages developer innovation and helps Apple to back up their claim that ‘competition makes everything better and results in the best apps for our customers’.”

Now, Apple has changed its guidelines to indicate that apps using MDM “must request the mobile device management capability, and may only be offered by commercial enterprises, such as business organizations, educational institutions, or government agencies, and, in limited cases, companies utilizing MDM for parental controls. MDM apps may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy.”

Essentially it just reverses the company’s policy without granting access to Screen Time as the consortium of companies has suggested.

“It’s been a hellish roller coaster,” Dustin Dailey, a senior product manager at OurPact, told The New York Times. OurPact had been the top parental control app in the App Store before it was pulled in February. The company estimated that Apple’s move cost it around $3 million, a spokeswoman told the Times.

iOS 13 will let you limit app location access to ‘just once’

Apple will soon let you grant apps access to your iPhone’s location just once.

Until now, there were three options — “always,” “never,” or “while using,” meaning an app could be collecting your real-time location as you’re using it.

Apple said the “just once” location access is a small change — granted — but one that’s likely to appeal to the more privacy-minded folk.

“For the first time, you can share your location to an app — just once — and then require it to ask you again next time it wants,” said Apple software engineering chief Craig Federighi at its annual developer conference on Monday.

That’s going to be helpful for those who download an app that requires their immediate location but don’t want to give it persistent or ongoing access to their whereabouts.

On top of that, Apple said that the apps that you do grant location access to will also have that information recorded on your iPhone in a report style, “so you’ll know what they are up to,” said Federighi.

Apps don’t always use your GPS to figure out where you are. All too often, apps use your Wi-Fi network information, IP address, or even Bluetooth beacon data to figure out where you physically are in the world so they can better target you with ads. Federighi said it will be “shutting the door on that abuse” as well.

The new, more granular location-access feature will arrive in iOS 13, expected out later this year.

Oppo and Xiaomi tease under-screen selfie cameras for smartphones

The next innovation in mobile is peeking its head for all to see today after Chinese companies Oppo and Xiaomi both showed off under-screen cameras.

Apple’s notch set the ball rolling as a new way to pack a front-facing camera without compromising on the screen size, but it is already feeling dated. The industry has since given us smartphone cameras that pop out, flip up and slide out, while the hole-punch condenses the notch further still, but the next stage is going under the screen for full invisibility.

The benefits are obvious. There’s no compromise on the front screen, which is now 100 percent screen, and removing moving parts means no concern for potential damage — but can it be done well enough?

Oppo VP Brian Shen teased his company’s early effort on Weibo. The video, which was later shared by Oppo’s Twitter account, doesn’t have a lot of detail but it does show a hidden camera that takes a photo of the ceiling.

We don’t get a chance to delve into the quality of the image and it isn’t clear what device it was taken on, but already Shen claims the technology is showing promise.

“At this stage, it’s difficult for under-display cameras to match the same results as normal cameras, there’s bound to be some loss in optical quality. But, no new technology jumps to perfection right away,” he said, according to Engadget.

You’d imagine that a number of Chinese smartphone makers are hard at work bringing this design to reality. Proof of that comes from Xiaomi’s very hasty response, which saw the company post its own under-screen camera teaser right after Oppo’s.

This one comes courtesy of Xiaomi co-founder Bin Lin, and it also originated on Weibo before it made its way to Twitter.

The Xiaomi video appears to show a prototype Mi 9 with the hidden camera compared with a regular model. As with the Oppo tease, we don’t know when this technology will reach consumers but these tactical leaks certainly show that the wheels are in motion.

Foxconn halts production lines for Huawei phones, according to reports

Huawei, the Chinese technology giant whose devices are at the center of a far-reaching trade dispute between the U.S. and Chinese governments, is reducing orders for new phones, according to a report in The South China Morning Post.

According to unnamed sources, the Taiwanese technology manufacturer Foxconn has halted production lines for several Huawei phones after the Shenzhen-based company reduced orders. Foxconn also makes devices for most of the major smart phone vendors including Apple and Xiaomi (in addition to Huawei).

In the aftermath of President Donald Trump’s declaration of a “national emergency” to protect U.S. networks from foreign technologies, Huawei and several of its affiliates were barred from acquiring technologies from U.S. companies.

The blacklist has impacted multiple lines of Huawei’s business, including its handset manufacturing capabilities, given the company’s reliance on Google’s Android operating system for its smartphones.

In May, Google reportedly suspended business with Huawei, according to a Reuters report. Last year, Huawei shipped over 200 million handsets and the company had a stated goal to become the world’s largest vendor of smartphones by 2020.

These reports from The South China Morning Post are the clearest indication that the ramifications of the U.S. blacklisting are beginning to be felt across Huawei’s phone business outside of China.

Huawei was already under fire for security concerns, and will be forced to contend with more if it can no longer provide Android updates to global customers.

Contingency planning is already underway at Huawei. The company has built its own Android-based operating system, and can use the stripped down, open source version of Android that ships without Google Mobile Services. For now, its customers also still have access to Google’s app store. But if the company is forced to make developers sell their apps on a siloed Huawei-only store, it could face problems from users outside of China.

Huawei and the Chinese government are also retaliating against the U.S. efforts. The company has filed a legal motion to challenge the U.S. ban on its equipment, calling it “unconstitutional.” And Huawei has sent home its American employees deployed at R&D functions at its Shenzhen headquarters.

It has also asked its Chinese employees to limit conversations with overseas visitors, and cease any technical meetings with their U.S. contacts.

Still, any reduction in orders would seem to indicate that the U.S. efforts to stymie Huawei’s expansion (at least in its smartphone business) are having an impact.

A spokesperson for Huawei U.S. did not respond to a request for comment.

The latest modular Moto Z has a beefy battery and improved low-light camera

When it arrived in 2016, the Moto Z felt revolutionary — or, at the very least, novel. Motorola soon announced it was making the Moto Z its flagship device. In the intervening three years, the line has yet to set the world on fire.

It’s seemingly been a decent seller for the company, but with rare exceptions (as it happens, today is the second anniversary of the Essential announcement) the rest of the smartphone industry has yet to embrace the modular handset revolution.

It’s not for lack of trying, of course. Motorola’s released a wide range of Mods, including, most notably, a 5G unit, marking the first time that technology was widely available in North America. This morning the Lenovo-owned brand just announced the availability of the Moto Z4 (though not before the product accidentally went on sale at at least one retail location).

As ever, the latest version of the line points to one of the peculiarities of the modular phone concept, with upgraded base specs on a phone whose features rely largely on peripherals. Of course, the reasonable $499 starting price certainly cushions the blow a bit.

The base specs are a mixed bag. It’s got a 6.39-inch display, coupled with a middling Qualcomm Snapdragon 675 and a beefy 3,600mAh battery that the company rates at two days. The phone also adds a night-vision mode to the rear-facing 48 megapixel sensor.

The gray version of the handset starts shipping June 13, with a white model arriving over the summer. The unlocked version ships with a free Moto 360. Verizon’s also making the 5G Mod available for $200 (down from $350) for a limited time.

I’ll be spending more time with the phone in the near future — for now, however, it feels like Motorola’s most intriguing and promising handset is beginning to feel more and more like a middle of the road device.

UK Internet attitudes study finds public support for social media regulation

UK telecoms regulator Ofcom has published a new joint report and stat-fest on Internet attitudes and usage with the national data protection watchdog, the ICO — a quantitative study to be published annually which they’re calling the Online Nation report.

The new structure hints at the direction of travel for online regulation in the UK, following government plans set out in a recent whitepaper to regulate online harms — which will include creating a new independent regulator to ensure Internet companies meet their responsibilities.

Ministers are still consulting on whether this should be a new or existing body. But both Ofcom and the ICO have relevant interests in being involved — so it’s fitting to see joint working going into this report.

“As most of us spend more time than ever online, we’re increasingly worried about harmful content — and also more likely to come across it,” writes Yih-Choung Teh, group director of strategy and research at Ofcom, in a statement. “For most people, those risks are still outweighed by the huge benefits of the internet. And while most internet users favour tighter rules in some areas, particularly social media, people also recognise the importance of protecting free speech – which is one of the internet’s great strengths.”

While it’s not yet clear exactly what form the UK’s future Internet regulator will take, the Online Nation report does suggest a flavor of the planned focus.

The report, which is based on responses from 2,057 adult internet users and 1,001 children, flags as a top-line finding that eight in ten adults have concerns about some aspects of Internet use and further suggests the proportion of adults concerned about going online has risen from 59% to 78% since last year (though its small-print notes this result is not directly comparable with last year’s survey so “can only be interpreted as indicative”).

Another stat being highlighted is a finding that 61% of adults have had a potentially harmful online experience in the past year — rising to 79% among children (aged 12-15). (Albeit with the caveat that it’s using a “broad definition”, with experiences ranging from “mildly annoying to seriously harmful”.)

A full 83% of polled adults were found to have expressed concern about harms to children on the Internet.

The UK government, meanwhile, has made child safety a key focus of its push to regulate online content.

At the same time the report found that most adults (59%) agree that the benefits of going online outweigh the risks, and 61% of children think the internet makes their lives better.

While Ofcom’s annual Internet reports of years past often had a fairly dry flavor, tracking usage such as time spent online on different devices and particular services, the new joint study puts more of an emphasis on attitudes to online content and how people understand (or don’t) the commercial workings of the Internet — delving into more nuanced questions, such as by asking web users whether they understand how and why their data is collected, and assessing their understanding of ad-supported business models, as well as registering relative trust in different online services’ use of personal data.

The report also assesses public support for Internet regulation — and on that front it suggests there is increased support for greater online regulation in a range of areas. Specifically it found that most adults favour tighter rules for social media sites (70% in 2019, up from 52% in 2018); video-sharing sites (64% v. 46%); and instant-messaging services (61% v. 40%).

At the same time it says nearly half (47%) of adult internet users expressed recognition that websites and social media platforms play an important role in supporting free speech — “even where some people might find content offensive”. So the subtext there is that future regulation of harmful Internet content needs to strike the right balance.

On managing personal data, the report found most Internet users (74%) say they feel confident to do so. A majority of UK adults are also happy for companies to collect their information under certain conditions — vs over a third (39%) saying they are not happy for companies to collect and use their personal information.

Those conditions look to be key, though — with only small minorities reporting they are happy for their personal data to be used to program content (17% of adult Internet users were okay with this); and to target them with ads (only 18% didn’t mind that, so most do).

Trust in online services to protect user data and/or use it responsibly also varies significantly, per the report findings — with social media definitely in the dog house on that front. “Among ten leading UK sites, trust among users of these services was highest for BBC News (67%) and Amazon (66%) and lowest for Facebook (31%) and YouTube (34%),” the report notes.

Despite low privacy trust in tech giants, more than a third (35%) of the total time spent online in the UK is on sites owned by Google or Facebook.

“This reflects the primacy of video and social media in people’s online consumption, particularly on smartphones,” it writes. “Around nine in ten internet users visit YouTube every month, spending an average of 27 minutes a day on the site. A similar number visit Facebook, spending an average of 23 minutes a day there.”

And while the report records relatively high awareness that personal data collection is happening online — finding that 71% of adults were aware of cookies being used to collect information through websites they’re browsing (falling to 60% for social media accounts; and 49% for smartphone apps) — most (69%) also reported accepting terms and conditions without reading them.

So, again, mainstream public awareness of how personal data is being used looks questionable.

The report also flags limited understanding of how search engines are funded — despite the bald fact that around half of UK online advertising revenue comes from paid-for search (£6.7BN in 2018). “[T]here is still widespread lack of understanding about how search engines are funded,” it writes. “Fifty-four per cent of adult internet users correctly said they are funded by advertising, with 18% giving an incorrect response and 28% saying they did not know.”

The report also highlights the disconnect between time spent online and digital ad revenue generated by the adtech duopoly, Google and Facebook — which it says together generated an estimated 61% of UK online advertising revenue in 2018; a share of revenue that it points out is far greater than time spent (35%) on their websites (even as those websites are the most visited by adults in the UK).

As in previous years of Ofcom ‘state of the Internet’ reports, the Online Nation study also found that Facebook use still dominates the social media landscape in the UK.

Use of the eponymous service continues falling, though (from 95% of social media users in 2016 to 88% in 2018), even as use of other Facebook-owned social properties — Instagram and WhatsApp — grew over the same period.


The report also recorded an increase in people using multiple social services — with just a fifth of social media users only using Facebook in 2018 (down from 32% in 2018). Though as noted above, Facebook still dominates time spent, clocking up way more time (~23 minutes) per user per day on average vs Snapchat (around nine minutes) and Instagram (five minutes).  

A large majority (74%) of Facebook users also still check it at least once a day.

Overall, the report found that Brits have a varied online diet, though — on average spending a minute or more each day on 15 different internet sites and apps. Even as online ad revenues are not so equally distributed.

“Sites and apps that were not among the top 40 sites ranked by time spent accounted for 43% of average daily consumption,” the report notes. “Just over one in five internet users said that in the past month they had used ‘lots of websites or apps they’ve used before’ while a third (36%) said they ‘only use websites or apps they’ve used before’.”

There is also variety when it comes to how Brits search for stuff online, and while 97% of adult internet users still use search engines the report found a variety of other services also in the mix. 

It found that nearly two-thirds of people (65%) go more often to specific sites to find specific things, such as a news site for news stories or a video site for videos; while 30% of respondents said they used to have a search engine as their home page but no longer do.

The high proportion of searches being registered on shopping websites/apps (61%) also looks interesting in light of the 2017 EU antitrust ruling against Google Shopping — when the European Commission found Google had demoted rival shopping comparison services in search results, while promoting its own, thereby undermining rivals’ ability to gain traffic and brand recognition.

The report findings also indicate that use of voice-based search interfaces remains relatively low in the UK, with just 10% using voice assistants on a mobile phone — and even smaller percentages tapping into smart speakers (7%) or voice AIs on connected TVs (3%).

In another finding, the report suggests recommendation engines play a major part in content discovery.

“Recommendation engines are a key way for platforms to help people discover content and products — 70% of viewing to YouTube is reportedly driven by recommendations, while 35% of what consumers purchase on Amazon comes from recommendations,” it writes. 

In overarching aggregate, the report says UK adults now spend the equivalent of almost 50 days online per year.

Each week, 44 million Brits use the internet to send or receive email; 29 million send instant messages; 30 million bank or pay bills via the internet; 27 million shop online; and 21 million people download information for work, school or university.


TikTok parent Bytedance is reportedly working on its own smartphone

It’s been a busy couple of months for Bytedance, one of the world’s most valuable startups and the operator of globally popular video app TikTok. The Beijing-based company has continued to grow its list of apps to include the likes of work collaboration tool Lark, an instant messenger called Feiliao as well as a music streaming app, and now it appears to be taking a bold step into the hardware realm.

Bytedance is planning to develop its own smartphone, the Financial Times reported (paywalled), citing two sources. A spokesperson from Bytedance declined to comment on the matter, but the rumor is hardly a surprise as smartphone pre-installs have long been a popular way for Chinese internet companies to grow their user bases.

There’s also urgency from Bytedance to carve out more user acquisition channels. After a few years of frantic growth, Bytedance failed to hit its revenue target for the first time last year amid slowing ad spending in China, according to a report by Bloomberg.

Some of Bytedance’s predecessors include selfie app maker Meitu, which builds smartphones pre-loaded with its suite of photo editors and recently sold this segment to Xiaomi, as the latter tries to capture more female users and as newcomers, including Snow-owned camera app B612 and Bytedance’s Faceu, close in on Meitu’s heels.

Others have taken a less asset-heavy approach in the early days of the Chinese internet. Baidu, Alibaba and Tencent — known collectively as the BAT for their supremacy in China’s tech world — all worked on their own custom Android ROMs, which come with extra features compared to a stock ROM pre-installed by a phone manufacturer.

Alibaba’s ambition also manifested in a $590 million investment in Meizu in 2016 that saw the e-commerce giant take up the challenge to develop a tailored operating system for the handset maker. More recently in March, WeChat owner Tencent teamed up with gaming smartphone maker Razer on a number of initiatives that cover hardware.

There were early clues to Bytedance’s smartphone endeavor. The company confirmed in January that it has acquired certain patents and some employees from phone maker Smartisan, although it said at the time the deal was done to “explore the education business.” That was a curious statement as Smartisan’s business has little to do with education. At the very least, the tie-up confers hardware development capability on the mobile internet upstart.

Indeed, a source told the Financial Times that Bytedance founder Zhang Yiming “has long dreamt of a phone with Bytedance apps pre-installed.” Nonetheless, this is tipped to be an uphill battle, at least in China where smartphone sales are cooling and competition intensifies between entrenched players like Huawei, Vivo, Oppo, Xiaomi and Apple.

Bytedance has built a leg up away from home, thanks to its empire of mobile apps. The company is one of the few — and many would argue the first — Chinese internet startups that manage to gain a meaningful foothold globally. TikTok has consistently topped the worldwide app ranking in the last handful of months, though it’s also encountered a few stumbling blocks in some of its larger markets.

In the United States, the Federal Trade Commission imposed a fine on TikTok for violating children’s privacy protection law. The government of India, which has driven much of TikTok’s recent growth, also took issue with the app, temporarily banning it on account of illegal content.

While the US market may be difficult to penetrate given Washington’s concerns around the security threat that Chinese companies may present, India is now crowded with Chinese brands. Research by Counterpoint found that in the first quarter, Chinese manufacturers led by Xiaomi controlled a whopping 66 percent of India’s smartphone market. That means Bytedance, alongside its potential ally Smartisan, is not only up against local rivals in India but also the familiar faces from its home market.