
“As bad as Acer was, however, Asus was worse. Its updater was so bad the researchers called it ‘remote code execution as a service’—essentially a built-in service for hackers to do remote-code execution. Asus transmits unsigned manifests over HTTP instead of HTTPS. And although the manifest file was encrypted, it was encrypted with an algorithm known to be broken, and the key to unlock the file was an MD5 hash of the words ‘Asus Live Update.’ As a result, attackers could easily intercept and unlock the list to make changes. Asus update files weren’t signed, either, and they were also transmitted via HTTP.”
https://www.wired.com/2016/05/2036876/
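A client-side check that closes the gaps the quoted passage lists (unsigned manifest, plain HTTP, unsigned update files), as an added example that is not taken from the Wired article or from any vendor's code. The `Manifest` format, `VerifyUpdate` and the `updates.example` host are assumptions, and Ed25519 with a pinned public key is one choice of signature scheme:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update manifest format, not any vendor's.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}

// VerifyUpdate accepts a payload only if the raw manifest is signed by the pinned
// key, the download URL is HTTPS, and the payload matches the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, raw, sig, payload []byte) (*Manifest, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, errors.New("update URL must be https")
	}
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(payload)
	if err != nil || subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return nil, errors.New("payload digest mismatch")
	}
	return &m, nil
}

func main() {
	// Constructed sample: a throwaway key pair stands in for the vendor key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	raw, _ := json.Marshal(Manifest{"https://updates.example/pkg.bin", hex.EncodeToString(sum[:])})
	_, err := VerifyUpdate(pub, raw, ed25519.Sign(priv, raw), payload)
	fmt.Println("genuine update accepted:", err == nil)
}
```

The signature is checked over the raw manifest bytes before they are parsed, so a manifest altered in transit is rejected before any of its fields are trusted.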