Wearing a Bluetooth headset may let hackers locate you! This geek competition reveals how big the security risk is

2021-10-27

When you listen to music on a Bluetooth headset, the music suddenly stops for a few seconds and then returns to normal. What happened in those seconds? Maybe it was an ordinary connection interruption, or maybe your headset has been secretly turned into a "location tracker" connected to a hacker's computer. As long as you wear the headphones, the hacker can see everywhere you go at a glance.

On the evening of October 24, such a "black technology" challenge was staged at GeekPwn 2021, a great night for security geeks, and drew gasps from the whole audience. The competition brought together 20 of China's top security geek teams. They dug out easily overlooked security vulnerabilities from the details of AI, industry and smart living, and presented an "incredible" science and technology show to the audience on stage.

[Photo: Great night award ceremony. Image from the organizer]

Headphones, cars, safes, food delivery robots... Hackers are everywhere

Players from Tencent Security Xuanwu Laboratory challenged a Bluetooth headset: they wrote code into the headset, implanted a positioning function, and recorded the wearer's movement track in real time through an algorithm to achieve remote positioning and tracking. At the scene, the player detected the target person wearing a Bluetooth headset 50 meters away. It took only a few seconds to implant the positioning function into the other party's headset.

The risks of smart hardware do not stop there. Various networked devices were successfully attacked at the GeekPwn competition. For example, safes, which are usually considered the most "safe", were easily cracked by geeks at the competition. The safe was a network-connected model bought on the market. An audience member set a new password for the safe on the spot. At the other end of the stage, a geek typed code on a computer. A few dozen seconds later, the geek walked over to the safe and, without entering the password, easily opened it.
[Photo: Contestants use malicious code to open the safe. Image from the organizer]

With the rapid spread of connected vehicles, digital keys have become common. In the competition, some contestants cracked the digital key of a car rental platform through a remote attack. Given only the license plate number, the contestants could unlock cars on the platform and open and close their windows and air conditioning, regardless of geographical location.

In the medical field, independent geek Zeng Yingtao brought a challenge to break through an insulin pump's original injection settings by taking control of the pump. The contestant intruded into the insulin pump's controller over Bluetooth, modified the original injection settings, and had the pump deliver all of its insulin at an increased dose within a few seconds. If this happened in reality, it would pose a serious threat to the patient's life.

In the smart home field, increasingly common home cameras became tools for spying on privacy under the players' attacks; players from Wuying Security Laboratory used a vulnerability to break into a home smart gateway and, posing as the property management, opened the unit's access control.

In addition, challenges closely tied to smart living, such as a hotel meal delivery robot, an enterprise internal printer and a TV set-top box, were staged in turn at GeekPwn 2021. For example, some contestants could easily "switch" guests' takeout orders by invading the hotel delivery robot's system and embedding malicious code. According to the contestants, the more threatening scenario is that by controlling the operation of the meal delivery robot, hackers may paralyze an elevator.

Beyond the exhibition and the competition itself, Yang Quan, the person in charge of the GeekPwn competition, said he hoped to expose security problems through GeekPwn and push manufacturers to fix security vulnerabilities from the bottom up, which is more meaningful.
Face recognition challenges for 5 consecutive years, from "how to cheat" to "not be cheated"

At last year's GeekPwn competition, geeks took on the challenge of "cracking" a face recognition system. They only needed to wear a mask printed with a specific pattern to make the face recognition system identify them as the target person.

As the risk of cracking face recognition with photos has become prominent, many face recognition systems have added liveness detection as "double insurance". In this year's GeekPwn competition, players proved to the audience that liveness detection is not absolutely safe either. In the "glasses changing technology" project, players from the TSAIL team made glasses from pictures generated by an AI algorithm, successfully "deceived" the system, passed both face recognition and liveness detection, and made the AI look "stupid".

Interestingly, while some geeks keep refining how to "cheat" face recognition systems, others are taking on the challenge of "not being cheated". In recent years, "AI face change" videos made with deepfake technology have become hard to tell from real ones. Black and gray market operators even use this technology to forge pornographic videos of public figures, which has been banned repeatedly.

In the "AI appraiser" project, we_ Team players used AI technology to judge 500 videos, a mix of real videos and fake ones synthesized by "AI face change", within 15 minutes. In the end, they correctly identified 394 videos and completed the challenge with 78.8% accuracy. According to the judges, an accuracy rate of 78.8% is equivalent to the level of the top ten in the world.

[Photo: The "AI appraiser" challenge scene. Image from the organizer]

Nandu AI · outpost noted that GeekPwn has run a face recognition cracking project for five consecutive years.
From unlocking access control, to "recognizing the photos of host Jiang Changjian as American movie star Schwarzenegger", to cheating liveness detection, it can be seen that as face recognition technology has developed, GeekPwn has kept raising the difficulty of the competition, and geeks have kept pushing the limits. Although the face recognition project has run for five years, it still amazes the on-site audience.

Is face recognition technology that geeks can "easily" crack very unsafe? In response to such doubts, Yu Min, a judge of the GeekPwn competition and head of Tencent Security Xuanwu Laboratory, said that GeekPwn has kept holding face recognition challenges for several consecutive years in the hope of revealing possible security problems and application risks through the competition. However, the competition differs from actual application scenarios in the security level of both the technology and the protection involved.

"The security of face recognition cannot be generalized. It is divided into many technologies. For the same kind of technology, different manufacturers will have different implementations, so we cannot simply say that face recognition is safe or unsafe. For example, face recognition technology based on 3D structured light is actually safer and may be safer than fingerprint technology. But face recognition technology based simply on camera pictures may be more difficult to make safe," he said. "From my understanding, the state has not seen very unified (requirements) in the technical specifications so far, but there are some compliance requirements, such as some regulations on face collection and personal information protection, which is very important."

What about security risks? Expert: we can't rely on consumers, but on manufacturers

The network security industry is expanding rapidly.
According to research by CCID Consulting, the scale of China's network security industry is 33.6 billion yuan, and it is expected to exceed 90 billion yuan in 2021. Even with this huge industrial scale and high defense costs, the challenges facing network security remain arduous.

The GeekPwn competition is a microcosm of this. Since 2014, the GeekPwn competition has been held eight times. As new technologies have developed and been deployed, geeks' attacks on technology in the competition can also be described as "one foot higher than the devil".

Using technology to turn Bluetooth headsets into trackers, invade corporate printers, and hijack medical devices... When all kinds of startling techniques are shown live to the audience, people cannot help worrying: is the online world becoming more and more unsafe?

Yu Min answered no. He believes that although the absolute number of network security problems may not decrease, their "concentration" is actually decreasing. "Over the past decade, the whole digital society has developed rapidly, so people may feel that there are more problems. But maybe eight out of every ten pieces of software in the past had problems, and now only four have problems, and the concentration is decreasing," he said. In his opinion, only when the development of the digital society has passed its high-speed stage and begun to slow down may people feel that the absolute number of security problems is declining.

It is understood that there is still no very effective solution to the vulnerabilities shown by several projects at the GeekPwn competition. For example, the geek team that invaded the Bluetooth headset to achieve tracking told reporters that the basic principle of the positioning is crowdsourced positioning network technology, and that in theory this technology itself will have such vulnerabilities, which are difficult to fix.
Yu Min explained that in many cases, the more "secure" a technology is, the harder the problem is to fix once hackers make use of it. The "blackmail virus" (ransomware), which has plagued people for many years, uses encryption technology, which was originally a security technology developed to protect communication privacy. The technology was designed to be hard to crack, so it is difficult to remedy once criminals use it. "For example, if your gun is stolen by a criminal, it will be very powerful in his hand. There is no particularly good way."

Beyond the limitations of technology itself, Yu Min also mentioned that the shortage of relevant talent is a dilemma for the network security industry. He said that due to the rapid expansion of the digital world, there is a gap of hundreds of thousands of network security professionals every year. In training security talent, many schools do not pay attention to hardware skills. In fact, the network security industry now needs people with both software and hardware skills, especially in electronic circuits, which colleges and universities should pay attention to.

Yang Quan said that there is a particular shortage of talent in the field of artificial intelligence and security. In recent years, the deployment of artificial intelligence has accelerated and its security problems have become prominent, but the industry's attention to these problems lags behind. In addition, across universities and the research field, relatively few people study artificial intelligence, and even fewer study artificial intelligence security. In turn, security issues will affect the development and implementation of a technology, which is a big challenge.

As for how ordinary consumers can avoid risks, this remains a thorny problem. Yu Min said frankly that for the public, there is no simple way to make themselves safe.
The solution to security problems ultimately depends not on end consumers, but on manufacturers. "The meaning of GeekPwn is not to teach people how to protect themselves, but to tell manufacturers what problems exist in your products and you should repair them. After manufacturers repair, thousands of consumers can use better products. Just like a car with defects, it is easy to cause accidents. We can't solve the problem by telling drivers how to be vigilant," he said.

However, although the public has no direct and effective means to resist such attacks, the situation is not as bad as some people think. Yang Quan compares the geeks who show off various "black technologies" at the GeekPwn competition to Olympic athletes. In his view, the players have their own professional foundations and competition goals, which means that challenges that look easy to complete are actually very difficult. The public should see the difference between the competition and real life.

"Most of us ordinary people are not such professional athletes, but ordinary spectators or amateurs. Moreover, the quality of professional athletes is mostly very positive, but it is still not as serious as we think. Manufacturers see (competition), and take some measures to promote manufacturers," he said. (Xinhua News Agency)
