All posts in “Technology”

D-Link thinks 5G will cut your cords forever

Network gear maker D-Link just announced a 5G router that sends high-speed Wi-Fi through your house without cables. The router, called the DWR-2010, should allow users to get massive speeds over 5G networks without running cable. Don’t expect to pick this up at the local Best Buy, however, as the 5G router will probably ship from wireless service providers.

The DWR-2010 also offers customization options for service providers, making it suitable for deployment on a range of network configurations. The gateway features an embedded 5G NR (New Radio) NSA module and can operate on the sub-6 GHz or mmWave frequencies in 200 MHz (2 x 100 MHz) or 800 MHz (8 x 100 MHz) configurations. Complete with remote management (TR-069) and FOTA, the DWR-2010 provides hassle-free operation and a better customer experience.

D-Link also announced some new Exo mesh routers as well as a cute little mydlink devices including a smart switch and a weird little water sensor that will warn you when your water heater explodes. The Indoor Wi-Fi Smart Plug (DSP-W118) and Outdoor Wi-Fi Smart Plug (DSP-W320) will control your lights and appliances both indoors and out.

Expect these cool tools to hit stores in Q2 2019.

AT&T is lying to customers with 5G marketing

After a recent update some AT&T phones now have a 5G E icon. This icon replaces the one indicated the phone is running on a 4G network. But here’s the thing: The phone is still on a 4G network. AT&T has played these games before, too.

This nonsense is a marketing ploy by AT&T. The so-called 5G E (5G Evolution) network is just a beefed-up 4G network and not true 5G, which is still far from being ready for general consumption. AT&T used the same deceptive tactics before launching its LTE network.

Right now only select phones in a few markets will see the change. The wireless carrier intends to roll out this madness to even more phones and even more markets throughout the year.

Disclosure: TechCrunch is a Verizon Media company.

QLED is finally available in a glass display with the HP Pavilion 27

HP today announced the Pavilion 27 and it looks spectacular. This is the first display that offers a QLED screen — HP calls it by it’s official name Quantum Dot — that’s on glass instead of film. The differences should be clear. When offered on glass, the images are sharper and cleaner — though so is the glare. I like glass displays.

This is a big step forward in the display world and should open up opportunities for additional products both larger and smaller. This screen offers over a billion different colors.

The Pavilion 27 is also HP’s thinnest screen to date. Most of it is just 6.5mm thick though the bottom of the display, where the ports and power supply lives, is much thicker. This screen cannot be mounted flush on a wall and that’s a sham.

Connectivity options include USB-C, DisplayPort and HDMI. It will be available in March for $399.

The good news and bad news of HP’s new AMD Chromebook

Good news: HP made an AMD Chromebook. Bad news: It uses an old chipset.

Meet the new HP Chromebook 14. This is one of the first Chromebooks powered by an AMD processor. But don’t get too excited. This isn’t the AMD-powered Chromebook a lot of people were waiting for. This Chromebook is powered by a really old AMD chipset.

Traditionally, Chromebooks use Intel chips. But in the summer of 2018, word spread that Chromebooks would eventually be offered with Qualcomm and AMD chips — both offering unique advantages over their Intel counterparts. The Qualcomm models, in theory, could offer always-on connectivity options with stellar battery life while the AMD could, in theory, bring better graphic render capabilities to Chromebooks.

This HP Chromebook offers neither.

The new HP Chromebook 14 packs a AMD Dual-Core A4-9120. This chip was released in June 2016. Compared to the chips in other Chromebooks announced at CES 2019, this chip is slower and has less power management capabilities. On the upside it packs Radeon R4 graphics, but again, when paired with the older silicon, the net result will not likely be a impressive as it could be.

Hopefully, this model will lead to another AMD Chromebook but one with a modern chipset.

Google sat on a Chromecast bug for years, now hackers could wreak havoc

Google was warned of a bug in its Chromecast media streaming stick years ago, but did not fix it. Now, hackers are exploiting the bug — and security researchers say things could get even worse.

A hacker, known as Hacker Giraffe, has become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hacker hijacked thousands of Chromecasts, forcing them to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like himself.

Not one to waste an opportunity, the hacker also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As Hacker Giraffe says, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the years-old bug that gives anyone with access to a Chromecast the ability to hijack the media stream and display whatever they want, because Chromecast doesn’t check to see if someone is authorized to change the video stream. (Google did not respond to our follow-up question.)

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fix found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch.

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

Hacker Giraffe is the latest to resort to “Good Samaritan security,” by warning users of the issues and providing advice on how to fix them before malicious hackers take over, where tech companies and device makers have largely failed.

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

[embedded content]

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link are humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.