software updates – Techdirt

NordicTrack Patches Out 'God Mode' In Treadmills That Allowed Users To Watch Anything On Its Display

from the mine-mine-mine! dept

If you are a console gamer of a certain age, you will remember the bullshit Sony pulled when it patched its PS3 systems to remove useful features it had used as selling points for the console to begin with. Essentially, the PS3 had a feature that allowed you to install another operating system on it. This was used by hobbyists, companies, and the US Military alike to creatively use PS3s for purposes other than that for which they were built, such as research supercomputers and creating homebrew PS3 games. Sony later decided that those features could also be used for piracy or other nefarious actions and so patched it out. Sell the console with a feature, remove it later after the purchase… and then get sued in a class action, as it turned out.

The story of NordicTrack’s treadmill isn’t exactly like that, but it’s pretty damned close. The company’s treadmill has a large display mounted on it. That display was designed to be used with a subscription to iFit, which is the parent company of NordicTrack. There are all sorts of useful features when you view subscribed content on the display while exercising, such as difficulty and incline changes that follow along with the subscribed workout content. But the console also has a way to bypass the user-facing portion of the console and get into the underlying OS, which means users like JD Howard could then set up their own internet browser, through which they could put any web content on the display while they worked out.

To get into his X32i, all Howard needed to do was tap the touchscreen 10 times, wait seven seconds, then tap 10 more times. Doing so unlocked the machine—letting Howard into the underlying Android operating system. This privilege mode, a sort of God mode, gave Howard complete control over the treadmill: he could sideload apps and, using a built-in browser, access anything and everything online. “It wasn’t complicated,” Howard says. After accessing privilege mode he installed a third-party browser that allowed him to save passwords and fire up his beloved cloud security videos.

While NordicTrack doesn’t advertise privilege mode as a customer feature, its existence isn’t exactly a secret. Multiple unofficial guides tell people how to get into their machines, and even iFit’s support pages explain how to access it. The whole reason Howard bought the X32i, he says, was because he could access God mode. But the good times didn’t last long.

No they didn’t, because NordicTrack subsequently removed the God mode feature through a software update. And not just on the treadmill, but also on its other associated exercise equipment. And a not insignificant number of customers are absolutely pissed about it. The comments coming in are largely combinations of anger and confusion, with many owners wondering why in the world they suddenly can’t watch sports or Netflix while they work out. The other theme appears to be confusion as to how the company can even do this because, “Hey, don’t we own this thing we bought?”

The answer, of course, is no.

“The block on privilege mode was automatically installed because we believe it enhances security and safety while using fitness equipment that has multiple moving parts,” says a spokesperson for NordicTrack and iFit. The company has never marketed its products as being able to access other apps, the spokesperson adds. “As there is no way of knowing what kind of changes or errors a consumer could introduce into the software, there is no way of knowing what specific issues accessing privilege mode might cause,” the spokesperson says. “Therefore, to maintain security, safety, and machine functionality, we have restricted access to privilege mode.” The spokesperson also emphasizes that privilege mode was “never designed as a consumer-facing functionality.” Rather, it was designed to allow the company’s customer service team to remotely access the products to “troubleshoot, update, reset, or repair our software.”

The move puts the company at the center of the right-to-repair debate, with consumers increasingly demanding that companies let them alter the products they purchase.

Kinda, yeah. And it’s important to note that “owners” like Howard already had regular old treadmills and bought their NordicTrack treadmill because of the ability to put what they want on the display. Again, sell the thing with a useful feature, then remove the useful feature afterwards via a software update. As I said, it’s not exactly like the PS3 case, but it’s pretty damned close.

The only real question now is whether iFit and NordicTrack too will have to pay out millions in attorney’s fees and barely anything to the actual consumer in some massive class action like Sony did.

Filed Under: god mode, hacking, nordic track, ownership, software updates
Companies: ifit, nordic track

Asus Goes Mute As Hackers Covertly Install Backdoors Using Company Software Update

from the supply-chain-shenanigans dept

Tue, Mar 26th 2019 09:33am - Karl Bode

According to new analysis by Kaspersky Lab, nearly a million PC and laptop owners may have installed a malicious ASUS software update that embedded a backdoor into their computers without their knowledge. According to the security firm, state-sponsored hackers (presumed to be China) managed to subvert the company’s Live Update utility, which is pre-installed on most ASUS computers and is used to automatically update system components such as BIOS, UEFI, drivers and applications.

The malicious file was signed by a legitimate ASUS digital certificate to hide the fact that it wasn’t a legitimate software update from the company, with an eye on a very particular target range:

“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.”

According to Kaspersky, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. And while Symantec has confirmed the problem and stated it found 13,000 computers infected with the backdoor, Kaspersky estimates the total number of impacted PC users could be as high as a million.
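The MAC-address gating quoted above is the reason a million installs of the backdoored updater translated into only a few hundred real targets: the implant only went further on machines whose adapter addresses matched its list. Below is an added example (not Kaspersky’s tool and not ASUS code) of the check a defender would run against a published indicator list. The MAC addresses in it are constructed, and it assumes the list is carried as MD5 hashes of the canonical address, one way an implant can carry a victim list without exposing the addresses themselves; whether the real samples stored them that way is not stated on this page.

```python
import hashlib
import re
from pathlib import Path

# Constructed list of "targeted" MAC addresses for the example. These are not
# the real indicators from this incident; a real check pastes in the published
# hash list instead of deriving it from plaintext addresses here.
_CONSTRUCTED_TARGET_MACS = (
    "00:11:22:33:44:55",
    "f8:e4:3b:12:ab:cd",
)


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC spelling to lower-case, colon-separated form.

    Accepts 00-11-22-33-44-55, 0011.2233.4455, 001122334455 and mixed case, so an
    inventory export and an indicator list compare on the same string.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """MD5 of the canonical MAC (assumption: the target list is kept hashed)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# The hashed target list the check is run against.
TARGET_MAC_HASHES = frozenset(mac_hash(m) for m in _CONSTRUCTED_TARGET_MACS)


def matching_targets(local_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the canonical MACs of this host that appear in the target list.

    An empty result means the host would have received the trojanized updater
    but not the second stage; a non-empty one means it was a selected target.
    """
    return [normalize_mac(m) for m in local_macs if mac_hash(m) in target_hashes]


def local_macs_linux(sysfs=Path("/sys/class/net")):
    """Enumerate adapter MACs from sysfs (Linux only; returns [] elsewhere)."""
    macs = []
    if not sysfs.is_dir():
        return macs
    for iface in sysfs.iterdir():
        try:
            addr = (iface / "address").read_text().strip()
        except OSError:
            continue
        if addr and addr != "00:00:00:00:00:00":
            macs.append(addr)
    return macs


if __name__ == "__main__":
    hits = matching_targets(local_macs_linux())
    print("targeted adapters:", hits or "none")
```

On Windows or macOS, feed `matching_targets()` the output of `getmac` or `ifconfig` instead of `local_macs_linux()`; the normalisation step is what makes those differently formatted exports comparable to the list.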

For its part, Asus isn’t helping matters by going entirely mute on the subject. Motherboard was the first to report on the hack (in turn prompting Kaspersky’s acknowledgement). But Asus apparently thought that silence was a better idea than owning the problem, confirming the data discovered by researchers, or quickly and accurately informing the company’s customers:

“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.”

Yeah, hiding your head in the sand should fix everything. While this hack specifically focused on supply-chain issues, Asus is no stranger to privacy scandals. The company was given a hearty wrist slap by the FTC a few years back for selling routers with papier-mâché-grade security. As part of that deal, Asus was required to agree to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. Apparently that didn’t help much.

Filed Under: breaches, cybersecurity, hacks, response, software updates, supply chain attack
Companies: asus

Court Case Management Software Upgrade Results In Bogus Felony Convictions, Wrongful Arrests

from the patch-notes-to-be-entered-as-evidence-in-inevitable-civil-lawsuit dept

Software updates are seldom painless. The history of the Windows operating system is littered with stories of computers/programs bricked by auto-update patches and OS iterations. They’re not much fun on the IT end either, especially when businesses depend on functioning computers/programs for pretty much everything. An enterprise-level OS upgrade can take days or weeks — and that’s not counting the aftershocks which continue for months after as every interdependent application finds new and exciting ways to clash with the upgraded system software.

Days, weeks, months chewed up by an upgrade. It’s horrible, but hey, at least you’re still relatively free to step outside periodically and/or exit the building when you’ve had enough for one day. It could be much much worse.

Take the example of Andrew.

It was Saturday and he was woken up with a start by his mother. There were four officers at the front door and he was about to be arrested.

“I’d only had four hours sleep and I’m only wearing gym shorts,” he recalled.

“I’m thinking, what happened? I was completely confused.”

Unbeknown to his parents, 24-year-old Andrew – not his real name – had recently finished a six-month drug programme after he was caught in possession of marijuana and ecstasy.

Which is why he was so confused. It was his first offence and he had done the course as asked. A judge had then told him the case had been dismissed.

“I did what I was supposed to.”

But the court’s new computer system had other ideas and Andrew was put into a police car and driven off to jail.

The computer system is Odyssey, California’s new case management software. So far, attempts to integrate it with the existing system have resulted in multiple rejections of the donor. If this had only resulted in a less smoothly-flowing bureaucracy, that would be one thing. Instead, it’s ruining people’s lives.

The company behind it — Tyler Technologies — calls the transition “challenging.” That’s one way to put it — a way that only those not adversely affected by the transition can put it. To those on the receiving end of a raft of new case management errors, the transition can more accurately be described as “nightmarish.” In addition to the case described above, the upgrade has resulted in wrongful arrests, incorrectly extended sentences, and misdemeanor offenses being reclassified as felonies.

Nothing on this list of problems could be considered a harmless error. The last one on the list could result in job hunters, prospective tenants, parents in custody battles, etc. being kicked to the curb when their moving violations show up in background check systems as serious felonies.
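Every failure described here (a dismissed case that now carries a warrant, an infraction that became a felony, a sentence that got longer, a case that vanished) is the kind of thing a record-by-record reconciliation between the old system and the new one catches before the data goes live. The example below is added here to show that check; it is not Tyler Technologies’ code or Alameda County’s, the record layout and field names are assumptions, and the records are constructed to contain one instance of each error type.

```python
from dataclasses import dataclass

# Constructed records: what a legacy case system might export, and what the new
# system loaded them as. Field names are assumptions for the example.
LEGACY = [
    {"case_id": "C-1001", "offense_class": "misdemeanor", "disposition": "dismissed", "warrant_active": False},
    {"case_id": "C-1002", "offense_class": "infraction", "disposition": "closed", "warrant_active": False},
    {"case_id": "C-1003", "offense_class": "felony", "disposition": "sentenced", "warrant_active": False, "sentence_days": 180},
    {"case_id": "C-1004", "offense_class": "misdemeanor", "disposition": "pending", "warrant_active": False},
]
MIGRATED = [
    # dismissed case now has an active warrant (the "Andrew" scenario)
    {"case_id": "C-1001", "offense_class": "misdemeanor", "disposition": "dismissed", "warrant_active": True},
    # an infraction reclassified as a felony
    {"case_id": "C-1002", "offense_class": "felony", "disposition": "closed", "warrant_active": False},
    # sentence length changed during load
    {"case_id": "C-1003", "offense_class": "felony", "disposition": "sentenced", "warrant_active": False, "sentence_days": 360},
    # C-1004 never arrived in the new system
]

SEVERITY = {"infraction": 0, "misdemeanor": 1, "felony": 2}

# Rules whose findings must block cut-over; the rest are review items.
BLOCKING_RULES = {"missing_in_target", "offense_class_changed", "warrant_on_closed_case", "sentence_changed"}


@dataclass(frozen=True)
class Finding:
    case_id: str
    rule: str
    detail: str


def reconcile(legacy, migrated):
    """Compare every legacy case with its migrated copy and return the discrepancies."""
    target = {r["case_id"]: r for r in migrated}
    findings = []
    for old in legacy:
        cid = old["case_id"]
        new = target.get(cid)
        if new is None:
            findings.append(Finding(cid, "missing_in_target", "case absent after migration"))
            continue
        if new["offense_class"] != old["offense_class"]:
            worse = SEVERITY[new["offense_class"]] > SEVERITY[old["offense_class"]]
            findings.append(Finding(cid, "offense_class_changed",
                                    f"{old['offense_class']} -> {new['offense_class']} "
                                    f"({'escalated' if worse else 'downgraded'})"))
        if new["disposition"] != old["disposition"]:
            findings.append(Finding(cid, "disposition_changed",
                                    f"{old['disposition']} -> {new['disposition']}"))
        if old["disposition"] in {"dismissed", "closed"} and new["warrant_active"] and not old["warrant_active"]:
            findings.append(Finding(cid, "warrant_on_closed_case", "warrant created on a case that was closed"))
        if old.get("sentence_days") is not None and new.get("sentence_days") != old["sentence_days"]:
            findings.append(Finding(cid, "sentence_changed",
                                    f"{old['sentence_days']} -> {new.get('sentence_days')} days"))
    return findings


def migration_is_safe(findings):
    """Go/no-go gate: any blocking finding means the migrated data must not go live."""
    return not any(f.rule in BLOCKING_RULES for f in findings)


if __name__ == "__main__":
    results = reconcile(LEGACY, MIGRATED)
    for f in results:
        print(f"{f.case_id}: {f.rule}: {f.detail}")
    print("safe to cut over:", migration_is_safe(results))
```

The useful property is that the check runs against the legacy export, not against the new system’s own idea of what it loaded, so a load that silently rewrote a field shows up as a difference rather than being accepted as the new truth.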

On the plus [?] side, Odyssey’s malfunctioning software has also managed to produce a few criminal justice “winners.”

Alameda County is not the only area to have struggled with Odyssey. Similar problems have been reported in Tennessee and also in Indiana – where prosecutors have had a perhaps more troubling issue of inmates being mistakenly released early.

The software will continue to be upgraded and lives will be bricked. Those the software has determined need more time served or felonies added to their record are pretty much on their own. Alameda County public defender Brendon Woods is fielding as many cases as he can, but he seems to be one of the only ones interested in assisting victims of a “challenging” system upgrade. The county itself isn’t offering anything to these victims and the software company certainly doesn’t want to open itself up to liability by admitting any culpability in this debacle.

The criminal justice system barely works. The last thing it needs is software that makes this even worse.

Filed Under: arrests, case management, felonies, odyssey, software, software updates
Companies: tyler technologies