Wednesday, October 18, 2017

Boomerang, a Gmail plugin, arrives on iOS with a voice assistant

Gmail and Microsoft Outlook plugin Boomerang comes to iOS today, and it’s got a built-in AI voice assistant. The app syncs your email so that you essentially have two different apps to view your mail in, but it gives you tools Gmail and Outlook have yet to offer, like the ability to pause your email notifications for hours or weeks and send an email chain back to yourself as a reminder to follow up when needed. It’s taken Boomerang over four years to release its iOS app after launching on Android, and the latter isn’t getting the AI voice assistant for now.

Boomerang is also getting a few updates beyond its voice assistant. On the iOS app, you can swipe to the left on an email, and then move, mark, star, or delete the email with the flick of a finger. I tested out exactly how well Boomerang’s voice assistant works on iOS. The good news: the assistant can hear you over mild background noise, pause your emails on command, find what emails you need to respond to, and estimate the time it’ll take. It can even draft an email for meetings you need to reschedule. The bad news? Boomerang’s AI assistant is rudimentary, and it’s only trained for very specific commands; one or two wrong words, and you’ll get an “unknown command” error.

First, you have to toggle on the assistant in Settings. Then you can say “Hey Boomerang, brief me,” and in a very monotone voice, the AI assistant will show your next three meetings, and several numbers indicating how many minutes it will take to get through your emails. Boomerang’s founders, Alex Moore and Aye Moah, used an old product they had, called the Email Game, where they had people check and answer their emails on a timer, as their baseline to which they then applied machine learning. This feature was not so useful for me, as I skim PR emails based on keywords and delete if I see my name misspelled horrendously or another company's name pasted. An 800-word email written in graduate school-level English might take 10 minutes to go through based on Boomerang’s estimate, but if it’s spam, it only takes seconds to delete it right away without a response.

The rest of the commands don’t trigger a voice response, only a silent action, since the assumption is that you’ll be talking to Boomerang at work and maybe during a meeting. You can also say “Reschedule my meeting with so-and-so,” and the AI assistant will automatically create a draft email for you that begins, “I can no longer make it to the meeting at 2PM. Can we reschedule?” If you have multiple contacts of the same name, the assistant is smart enough to figure out the exact one you’re having the meeting with, so that you don’t send an email to the wrong John or Jack. It’s a convenient feature, but the draft email leaves out all the apologies and excuses I would normally include, so I’d have to rewrite most of it anyway. And since Boomerang is a plugin for Gmail and Outlook, it doesn’t sync with Apple’s calendar app.

Another command you can try is “Show me emails I need to respond to.” This one searches through all your emails, so it takes longer to load. It relies on machine learning to comb through sentences for phrases like “please let me know.” Does it work well? It could use improvement. It showed me a vacation notice from my editor as something that I needed to answer. Plus, it lacks the human ability to differentiate the spammers who would love you to answer from the legitimate pitches that deserve a response.

You can also command the Boomerang assistant to “Find me all emails with images from June,” which works, but seems to have some filtering issues, like including some pesky emails outside of June in the results. “Pause my email for such-and-such hours” is more reliable and stable to use. Boomerang’s email pausing function just hides all incoming mail for the time frame you set in a separate label until you’re ready to view it again. And commanding Boomerang to pause email makes the email paused on all platforms: mobile, web, and the Thunderbird desktop app.

The assistant is also not very hands-free. In order to activate the voice assistant, you need to first unlock your phone and then open Boomerang. Alternatively, in a chain reaction of assistants, you could ask Siri to open Boomerang and then talk to the Boomerang assistant from there. Moore and Moah say they’re speaking to Apple about fixing this in the future.

Boomerang’s voice assistant is a good first step, but it still has a lot of room to improve. The app itself is functional, but it turns off Spotify music whenever I open an email, and it loads slightly slower than Gmail. I’ll still be keeping the app on my iPhone solely for the ability to pause my email on the weekend through voice command. Hopefully, the minor issues that the assistant and iOS app have can be ironed out in future patches.

Monday, October 16, 2017

What we know about the KRACK Wi-Fi exploit and fixes so far

Today, researchers published details of a new attack against Wi-Fi encryption, which they dubbed “Krack.” Manufacturers have known about the issue for more than a month, but it still caught much of the industry off guard; major companies are still scrambling to deploy patches before exploit code becomes available. It’s an unusual bug — both hard to exploit and hard to fix — and it’s already stretching vendor patching systems to their limit. Here’s what you need to know to keep your own devices safe.


The good news is Krack is a wide but shallow bug: nearly every device that uses Wi-Fi is vulnerable, but the attack itself is difficult to execute and not as damaging as you might expect. Taking advantage of this bug would take a lot of preparation and a very specific target, which is very good news in the short term.

Krack is essentially a weakness in the WPA2 system, which secures the Wi-Fi connection between a router and a computer. When that system breaks down, it could let an attacker get in between you and your router. From there, they can eavesdrop on unencrypted (non-HTTPS) traffic or compromise your computer by slipping malware into legitimate websites. But an attacker would have to be within Wi-Fi range to carry out any of those exploits, which dramatically reduces the risk that an average person will be targeted. Unlike server-side bugs like Heartbleed or Shellshock, there’s no way to carry out the attack over the internet at large. Hackers need to be physically present in range of a network, and even if you’re war-driving, you can only hit one network at a time.

The upshot of all of that is you probably don’t have to worry about hackers going after your network specifically. Still, we encrypt Wi-Fi signals for a reason, so you will want to patch your software as soon as you can.


Unfortunately, many vendors are still putting together patches for the bug, so updating immediately won’t be an option for everyone. There’s a real-time list of affected devices here, although it only covers the most common exploitation of the bug. Because WPA2 is so widespread, researchers predict that nearly every device that uses Wi-Fi will be vulnerable in some way. That starts with computers and phones, but also your router and any other device that plays a part in your home Wi-Fi network.

The most important devices to patch are the ones you use most often: your computer and your phone. Those would be the center of any attack, and locking them down will prevent the most severe damage from the bug. Microsoft is currently deploying a Windows patch, and Apple says that a patch for the bug is currently deployed in the beta versions of iOS, macOS, watchOS and tvOS. (The patch is expected to go public in the coming weeks.) Android phones will probably be the hardest to patch: the ecosystem is notoriously slow to deploy patches, and because of a specific implementation issue, more than a third of Android phones are vulnerable to a simpler form of the attack. Google has promised to deploy an Android patch in the coming weeks, but it may be some time before that patch will reach non-Pixel devices. Even if your router isn’t patched, patching the device should be enough to stop an attacker from getting in the middle.

Beyond computers and phones, it’s time to take a look at every Wi-Fi-enabled device you own, and to check on software updates for those devices in the weeks to come. We’re likely to see all kinds of exotic attacks on Wi-Fi-equipped TVs, printers, and other Internet of Things devices in the upcoming weeks. You’ll also want to patch the router itself, but because routers are often underpowered and have less robust support, it may also be one of the hardest devices to patch.

Krack is also harder to patch than the average bug. It targets a fundamental weakness in the way WPA2 reinstalls private keys, which makes it particularly difficult for security teams to be sure a given patch will protect against every attack. We’re likely to see related exploits popping up for years to come, potentially until the industry moves to the next Wi-Fi encryption standard.

Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement. Google has promised a fix for affected devices “in the coming weeks.” Google’s own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Apple also confirmed that the vulnerability is patched in a beta version of the current operating systems. The fix should go public in a few weeks, so iOS and macOS devices aren't in the clear just yet. It has also been reported that AirPort hardware, including the Time Machine, AirPort Extreme base station, and AirPort Express, does not have a patch.

As we wait for vendors to get their acts together, the simplest thing you can do to protect yourself is avoid Wi-Fi in general. Krack-based attacks have to happen in real time — they have to be splicing in malware at the same time you’re loading an HTTP page — so the less you use unpatched Wi-Fi, the less vulnerable you’ll be. That’s not possible in every situation, of course, but it’s the one thing that will guarantee you’ll be protected.

Due to WiFi breach called KRACK, 41 percent of Android phones are vulnerable

A new exploit can allow attackers to read Wi-Fi traffic between devices and wireless access points, and even modify it to inject malware into websites. Researchers have started disclosing security vulnerabilities today, and it looks like Android and Linux-based devices are the worst affected by multiple vulnerabilities. Researchers also claim some of the attacks work against all modern Wi-Fi networks using WPA or WPA2 encryption, and that the weakness is in the Wi-Fi standard itself, so it affects macOS, Windows, iOS, Android, and Linux devices.

Intercepting traffic lets attackers read information that was previously assumed to be safely encrypted, and hackers don’t even need to crack a Wi-Fi password to achieve this. The vulnerability requires that a device be in range of a malicious attacker, and it can be used to steal credit card numbers, passwords, chat messages, photos, emails, and lots of other online communications.

Android 6.0 and above contains a vulnerability that researchers claim “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.” 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic. Attackers might be able to inject ransomware or malware into websites thanks to the attack, and Android devices will require security patches to protect against this. Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”

Although most devices appear to be vulnerable to attacks reading Wi-Fi traffic, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures client and access points have the same password when joining a Wi-Fi network.

As this is a client-based attack, expect to see a number of patches for devices in the coming weeks. Researchers sent out notifications to specific vendors in July, and a broad notification was distributed in late August. Security researchers note that it’s not worth changing your Wi-Fi password as this won’t help prevent attacks, but that it’s worth updating router firmware and all client devices to the latest security fixes. “It might be that your router does not require security updates,” say researchers, but it’s worth checking with your router vendor to make sure.

Security for WiFi has been breached by exploit called KRACK according to researchers

At about 7AM ET this morning, researchers revealed details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as first reported by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks. “If your device supports Wi-Fi, it is most likely affected,” say researchers.

So yeah, this is bad.

The United States Computer Emergency Readiness Team issued the following warning in response to the exploit:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

The researchers noted that 41 percent of all Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack. All Wi-Fi devices are to some degree susceptible to the vulnerabilities, making them ripe for data theft or ransomware code injection from any malicious attacker within range. The researchers recommend patching all Wi-Fi clients and access points when the fixes are available and continuing to use WPA2 until then (WPA1 is also affected and WEP security is even worse). It's not yet clear if the vulnerabilities revealed today are actively being exploited in the wild.

You can read more about the exploit at, before the vulnerabilities are formally presented on November 1st in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 at a security conference in Dallas.

Sunday, October 15, 2017

T-Mobile announces throttling changes for ‘Mobile Without Borders’ feature in Mexico and Canada

T-Mobile this week announced some changes to its “Mobile Without Borders” initiative. The changes bring a new 5GB data cap to users who are traveling to Canada and Mexico. Mobile Without Borders was originally introduced in 2015 as part of T-Mobile’s Uncarrier program.

T-Mobile outlined the changes in a post to its support website. Previously, T-Mobile customers had access to unlimited LTE data in Canada or Mexico and were only subject to throttling at 50GB or more of usage. With the changes, users can now access 5GB of data before being subject to throttling – or, as T-Mobile puts it, “data prioritization.”

The changes take effect on November 12th. The important thing to note here is that you get 5GB total between Canada and Mexico – not 5GB per country. Either way, T-Mobile says that less than 1 percent of users who travel to either country use over 5GB in a month.

The Uncarrier explains that it is making this change to “prevent usage beyond the intent of the product.” Once you hit 5GB, your speeds will fall to 128kbps for most plans and 256kbps for T-Mobile One Plus plans:

Mobile Without Borders is an incredible benefit and allows customers to stay connected when traveling in Canada and Mexico. In order to prevent usage beyond the intent of the product, we implemented a limit on the amount of monthly 4G LTE data. Less than 1% of people with this benefit travel to Mexico and Canada use over 5GB a month.

After 5GB of high-speed data is used in Mexico and Canada (or your high-speed data allotment is reached, whichever comes first), customers will stay connected with unlimited data at Simple Global speeds (up to 128kbps for most plans or 256kbps with T-Mobile ONE Plus).