
October 19, 2012

Hacker discovers security flaw in pacemakers that would enable someone to shut them down remotely

The Escapist : News : Researcher Turns Pacemakers Into Mass Murder Machines
Barnaby Jack of IOActive made a rather stunning announcement today at the Breakpoint security conference in Melbourne, Australia. He's figured out how to reverse-engineer pacemaker transmitters to deliver hacked firmware to any compatible devices within a 30 foot range, which can force them to deliver electric shocks of up to 830 volts. He's only done it with one brand of pacemaker, which he declined to name for obvious reasons, but said that it opened the door to "anonymous assassination" and, in a worst-case scenario, even mass murder. It seems that the pacemakers in question have a "secret function" that, when activated, causes them to return model and serial number information to a remote terminal, which Jack said provides "enough information to authenticate with any device in range." The function is presumably intended for diagnostic purposes, but he discovered that they have no encryption and even found user names and passwords for what is apparently the manufacturer's development server. "The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer," he said. "The compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range." That "compromised firmware" would let the controller do all sorts of unintended and unpleasant things with and to the pacemakers, including delivering some serious electric shocks. "With a max voltage of 830 volts, it's not hard to see why this is a fairly deadly feature," he continued. "Not only could you induce cardiac arrest, but you could continually recharge the device and deliver shocks on loop."

October 15, 2012

With iOS 6, Apple is tracking your every move again

Here is how to turn it off. Schneier on Security: Apple Turns on iPhone Tracking in iOS6
Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device. For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to track and target them in any meaningful way. In iOS 6, however, tracking is most definitely back on, and it's more effective than ever, multiple mobile advertising executives familiar with IFA tell us. (Note that Apple doesn't mention IFA in its iOS 6 launch page).

September 28, 2012

Reporter tracks stolen iPad to home of TSA security officer

Reporter Tracks Stolen iPad To House Of TSA Officer – The Consumerist
According to the TSA, 381 of its employees have been given the boot since 2003 for theft. There have already been 11 officers fired in 2012 for having sticky fingers. Among them is an Orlando-area man who was caught by ABC News with a pilfered iPad — and then blamed it all on his wife. This particular iPad wasn’t just a random tablet taken at a security checkpoint. It was one of ten left behind by ABC at airports around the country. Nine out of ten of the left-behind iPads were given back to the owners, whose contact information was clearly written on each device’s case. But within two hours of being left at an Orlando International Airport security checkpoint, a tracker on the iPad showed it was on its way to a new home. . . . “I’m so embarrassed,” he explained to ABC. “My wife says she got the iPad and brought it home.” When asked how his wife, who is not a TSA officer, could have “found” the iPad when it had been left at an airport security checkpoint, the man decided the interview was over and shut the door. The TSA says the hundreds of thieving employees represent a “less than one-half of one percent” of TSA officers. . . .

August 09, 2012

Google fined $22.5 million for lying to people, tracking their every move online

The Consumerist -- Google On The Hook For A Record $22.5 Million In Safari Privacy Case
The FTC said that for many months in 2011 and 2012, Google placed a particular advertising tracking cookie on Safari users' computers who were visiting sites within Google's DoubleClick advertising network. That way, Google could serve ads based on what users were surfing for. But the funny thing was that Google had already told users they'd be automatically opted out of that tracking because it was supposed to be a default setting in Macs, iPhones and iPads using Safari. Nope! According to the FTC's complaint, Google went around all this by putting a temporary cookie from DoubleClick's domain in the browser, circumventing the default setting. That first little cookie then opened the floodgate for any other DoubleClick cookies, including that pesky advertising tracking cookie Google had said would be blocked from Safari. The earlier privacy settlement that the FTC said Google crossed was from October 2011, which told Google it couldn't misrepresent how much control users have over how their information is collected.