67.4 F
jacksonville,fl
Sunday, January 19, 2020

Tech

Home Tech

Lawmakers Prod FCC to Act on SIM Swapping

0

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

Lawmakers Prod FCC to Act on SIM Swapping 1

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: Plundering the victim’s financial accounts; hacking their identities on social media platforms;  viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also requires the FCC to respond as to whether there is anything in federal regulations that prevents mobile carriers from sharing with banks information about the most recent SIM swap date of a customer as a way to flag potentially suspicious login attempts — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”

The FCC did not immediately respond to requests for comment.

SIM SWAP (CRIM)INNOVATIONS

Legitimate SIM swaps are a common request for all carriers, and they usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

But unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down and wrest control over a great deal of their online identities and finances. What’s more, the security options available to wireless customers concerned about SIM swapping — such as personal identification number (PIN) codes — are largely ineffective against crooked or clueless mobile phone store employees.

A successful SIM swap may allow tormentors to access a victim’s email inbox even after the target has changed his or her password. For example, some email services allow customers to reset their passwords just by providing a piece of information that would likely only be known to the legitimate account holder, such as the month and year the account was created, or the name of a custom folder or label in the account previously created by the user.

One technique used by SIM swappers to regain access to hacked inboxes is to jot down this information once a SIM swap affords them the ability to reset the account’s password. Alternatively, SIM swappers have been known to create their own folders or labels in the hacked account to facilitate backdoor access later on.

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against 22-year-old alleged serial SIM swapper Nicholas Truglia, who stands accused of using the technique to siphon $24 million worth of cryptocurrencies from blockchain investor Michael Terpin.

But experts say the few arrests that have been made in conjunction with SIM swapping attacks have pushed many involved in this crime to enlist help from co-conspirators who are minors and thus largely outside the reach of federal prosecutors.

For his part, Terpin sent an open letter to FCC commissioners in October 2019, urging them to mandate that wireless carriers provide a way for customers to truly lock down their accounts against SIM swapping, even if that means requiring an in-person visit to a store or conversation with the carrier’s fraud department.

In an interview with KrebsOnSecurity, Terpin said the FCC has so far abdicated its responsibility over the carriers on this matter.

“It took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars,” Terpin said. “Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

Want to read more about SIM swapping? Check out Busting SIM Swappers and SIM Swap Myths, or view the entire catalog of stories on the topic here.


Lawmakers Prod FCC to Act on SIM Swapping 2

Tags: Ajit Pai, Anna Eshoo, Edward Markey, FCC, Michael Terpin, Nicholas Truglia, Ron Wyden, Sherrod Brown, SIM swapping, Ted Lieu, U.S. Federal Communications Commission, Yvette Clarke

You can skip to the end and leave a comment. Pinging is currently not allowed.

Alleged Member of Neo-Nazi Swatting Group Charged

0

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2019, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

Alleged Member of Neo-Nazi Swatting Group Charged 3

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by he and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real-time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwafen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Investigators say on one of Kelley’s phones they found a photo of he and others in tactical gear holding automatic weapons next to pictures of Atomwaffen recruitment material and the neo-Nazi publication Siege.

As I reported last summer, several Deadnet members maintained a site on the Dark Web called the “Doxbin,” which listed the names, addresses, phone number and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family. After those indexed on the Doxbin were successfully swatted, a blue gun icon would be added next to the person’s name.

One of the core members of the group on Deadnet — an individual who used the nickname “Chanz,” among others — stated that he was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason (whose various books call on followers to start a violent race war in the United States).

Deadnet chat logs obtained by KrebsOnSecurity show that another key swatting suspect on Deadnet who used the handle “Zheme” told other IRC members in March 2019 that one of his friends had recently been raided by federal investigators for allegedly having connections to the person responsible for the mass shooting in October 2018 at the Tree of Life Jewish synagogue in Pittsburgh.

At one point last year, Zheme also reminded denizens of Deadnet about a court hearing in the murder trial of Sam Woodward, an alleged Atomwaffen member who’s been charged with killing a 19-year-old gay Jewish college student.

As reported by this author last year, Deadnet members targeted dozens of journalists whose writings they considered threatening to their worldviews. Indeed, one of the targets successfully swatted by Deadnet members was Pulitzer prize winning columnist Leonard G. Pitts Jr., whose personal information as listed on the Doxbin was annotated with a blue gun icon and the label “anti-white race/politics writer.”

In another Deadnet chat log seen by this author, Chanz admits to calling in a bomb threat at the UCLA campus following a speech by Milo Yiannopoulos. Chanz bragged that he did it to frame feminists at the school for acts of terrorism.

On a personal note, I sincerely hope this arrest is just the first of many to come for those involved in swatting attacks related to Deadnet and the Doxbin. KrebsOnSecurity has obtained information indicating that several members of my family also have been targeted for harassment and swatting by this group.

Finally, it’s important to note that while many people may assume that murders and mass shootings targeting people because of their race, gender, sexual preference or religion are carried out by so-called “lone wolf” assailants, the swatting videos created and shared by Deadnet members are essentially propaganda that hate groups can use to recruit new members to their cause.

The Washington Post reports that Kelley had his first appearance in federal court in Alexandria, Va. on Friday.

“His public defender did not comment on the allegations but said his client has ‘very limited funds,’” The Post’s courts reporter Rachel Weiner wrote.

The charge against Kelley of conspiracy to make threats carries up to five years in prison. The affidavit in Kelley’s arrest is available here (PDF).


Alleged Member of Neo-Nazi Swatting Group Charged 4

Tags: Atomwaffen Division, Chanz, Deadnet, Doxbin, fbi, John William Kirby Kelley, Zheme

You can skip to the end and leave a comment. Pinging is currently not allowed.

Phishing for Apples, Bobbing for Links

0

Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.

KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate Apple or iCloud link and is one of countless spoofing Apple’s “Find My” service for locating lost Apple devices.

Phishing for Apples, Bobbing for Links 5

While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of far more persuasive links spoofing Apple’s brand. Almost all of these include encryption certificates (start with “https://) and begin with the subdomains “apple.” or “icloud.” followed by a domain name starting with “com-“.

Here are just a few examples (the phishing links in this post have been hobbled with brackets to keep them from being clickable):

apple.com-support[.]id
apple.com-findlocation[.]id
apple.com-sign[.]in
apple.com-isupport[.]in
icloud.com-site-log[.]in

Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first forward slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.

For instance, in the case of the imaginary link below, example.com is the true destination, not apple.com:

https://www.apple.com.example.com/findmyphone/

Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com).

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.


Phishing for Apples, Bobbing for Links 6

Tags: Apple phishing

You can skip to the end and leave a comment. Pinging is currently not allowed.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

0

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday 7

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Update 7:49 p.m. ET: Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. The company also said it does “not release production-ready updates ahead of regular Update Tuesday schedule. “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments,” Microsoft said in a written statement. “Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

Original story:

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) is nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.


Cryptic Rumblings Ahead of First 2020 Patch Tuesday 8

Tags: Anne Neuberger, CERT Coordination Center, CERT-CC, crypt32.dll, microsoft, Microsoft CryptoAPI, national security agency, nsa, Patch Tuesday January 2020, Will Dormann, windows

You can skip to the end and leave a comment. Pinging is currently not allowed.

Patch Tuesday, January 2020 Edition

0

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.

Patch Tuesday, January 2020 Edition 9As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”

Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.

According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.

Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.

The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.

That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


Patch Tuesday, January 2020 Edition 10

Tags: CVE-2020-0601, Johns Hopkins University, Kenneth White, Matthew Green, MongoDB, Qualys, Windows 10

You can skip to the end and leave a comment. Pinging is currently not allowed.

Xiaomi spins off POCO as an independent company

0

Xiaomi said today it is spinning off POCO, a sub-smartphone brand it created in 2018, as a standalone company that will now run independently of the Chinese electronics giant and make its own market strategy.

The move comes months after a top POCO executive — Jai Mani, a former Googler — and some other founding and core members left the sub-brand. The company today insisted that POCO F1, the only smartphone to be launched under the POCO brand, remains a “successful” handset. The POCO F1, a $300 smartphone, was launched in 50 markets.

Manu Kumar Jain, VP of Xiaomi, said POCO had grown into its own identity in a short span of time. “POCO F1 is an extremely popular phone across user groups, and remains a top contender in its category even in 2020. We feel the time is right to let POCO operate on its own now, which is why we’re excited to announce that POCO will spin off as an independent brand,” he said in a statement.

A Xiaomi spokesperson confirmed to TechCrunch that POCO is now an independent company, but did not share how it would be structured.

Xiaomi created the POCO brand to launch high-end, premium smartphones that would compete directly with flagship smartphones of OnePlus and Samsung. In an interview with yours truly in 2018, Alvin Tse, the head of POCO, and Mani, said that they were working on a number of smartphones and were also thinking about other gadget categories.

At the time, the company had 300 people working on POCO, and they “shared resources” with the parent firm.

“The hope is that we can open up this new consumer need …. If we can offer them something compelling enough at a price point that they have never imagined before, suddenly a lot of people will show interest in availing the top technologies,” Tse said in that interview.

It is unclear, however, why Xiaomi never launched more smartphones under the POCO brand — despite the claimed success.

In the years since, Xiaomi, which is known to produce low-end and mid-range smartphones, itself launched a number of high-end smartphones, such as the K20 Pro. Indeed, earlier this week, Xiaomi announced it was planning to launch a number of premium smartphones in India, its most important market and where it is the top handset vendor.

“These launches will be across categories which we think will help ‘Mi’ maintain consumer interest in 2020. We also intend to bring the premium smartphones from the Mi line-up, which has recorded a substantial interest since we entered the market,” said Raghu Reddy, head of Categories at Xiaomi India, in a statement.

That sounds like an explanation. As my colleague Rita pointed out last year, Chinese smartphone makers have launched sub-brands in recent years to launch handsets that deviate from their company’s brand image. Xiaomi needed POCO because its Mi and Redmi smartphone brands are known for their mid-range and low-tier smartphones. But when the company itself begins to launch premium smartphones — and gain traction — the sub-brand might not be the best marketing tool.

Tarun Pathak, a senior analyst at research firm Counterpoint, told TechCrunch that the move would allow the Mi brand to flourish in the premium smartphone tier as the company begins to seriously look at 5G adoption.

“POCO can continue to make flagship-class devices, but at lower price points and 4G connectivity. 5G as a strategy requires a premium series which has consistent message across geographies…and Mi makes that cut in a more efficient way than POCO,” he said.

Besides, Xiaomi has bigger things to worry about.

In our recent Xiaomi’s earnings coverage, we noted that the Chinese electronics giant was struggling to expand its internet services business as it attempts to cut reliance on its gadgets empire. Xiaomi posted Q3 revenue of 53.7 billion yuan, or $7.65 billion, up 3.3% from 51.95 billion yuan ($7.39 billion) revenue it reported in Q2 and 5.5% rise since Q3 2018.

On top of that, the smartphone business revenue of Xiaomi, which went public in 2018, stood at 32.3 billion yuan ($4.6 billion) in Q3 last year, down 7.8% year-over-year. The company, which shipped 32.1 million smartphone units during the period, blamed “downturn” in China’s smartphone market for the decline.

Baraja’s unique and ingenious take on lidar shines in a crowded industry

0

It seems like every company making lidar has a new and clever approach, but Baraja takes the cake. Its method is not only elegant and powerful, but fundamentally avoids many issues that nag other lidar technologies. But it’ll need more than smart tech to make headway in this complex and evolving industry.

To understand how lidar works in general, consult my handy introduction to the topic. Essentially a laser emitted by a device skims across or otherwise very quickly illuminates the scene, and the time it takes for that laser’s photons to return allows it to quite precisely determine the distance of every spot it points at.

But to picture how Baraja’s lidar works, you need to picture the cover of Pink Floyd’s “Dark Side of the Moon.”

Baraja’s unique and ingenious take on lidar shines in a crowded industry 11

GIFs kind of choke on rainbows, but you get the idea.

Imagine a flashlight shooting through a prism like that, illuminating the scene in front of it — now imagine you could focus that flashlight by selecting which color came out of the prism, sending more light to the top part of the scene (red and orange) or middle (yellow and green). That’s what Baraja’s lidar does, except naturally it’s a bit more complicated than that.

The company has been developing its tech for years with the backing of Sequoia and Australian VC outfit Blackbird, which led a $32 million round late in 2018 — Baraja only revealed its tech the next year and was exhibiting it at CES, where I met with co-founder and CEO Federico Collarte.

“We’ve stayed in stealth for a long, long time,” he told me. “The people who needed to know already knew about us.”

The idea for the tech came out of the telecommunications industry, where Collarte and co-founder Cibby Pulikkaseril thought of a novel use for a fiber optic laser that could reconfigure itself extremely quickly.

We thought if we could set the light free, send it through prism-like optics, then we could steer a laser beam without moving parts. The idea seemed too simple — we thought, ‘if it worked, then everybody would be doing it this way,’ ” he told me, but they quit their jobs and worked on it for a few months with a friends and family round, anyway. “It turns out it does work, and the invention is very novel and hence we’ve been successful in patenting it.”

Rather than send a coherent laser at a single wavelength (1550 nanometers, well into the infrared, is the lidar standard), Baraja uses a set of fixed lenses to refract that beam into a spectrum spread vertically over its field of view. Yet it isn’t one single beam being split but a series of coded pulses, each at a slightly different wavelength that travels ever so slightly differently through the lenses. It returns the same way, the lenses bending it the opposite direction to return to its origin for detection.

It’s a bit difficult to grasp this concept, but once one does it’s hard to see it as anything but astonishingly clever. Not just because of the fascinating optics (something I’m partial to, if it isn’t obvious), but because it obviates a number of serious problems other lidars are facing or about to face.

First, there are next to no moving parts whatsoever in the entire Baraja system. Spinning lidars like the popular early devices from Velodyne are being replaced at large by ones using metamaterials, MEMS, and other methods that don’t have bearings or hinges that can wear out.

Baraja’s unique and ingenious take on lidar shines in a crowded industry 12

Baraja’s “head” unit, connected by fiber optic to the brain.

In Baraja’s system, there are two units, a “dumb” head and an “engine.” The head has no moving parts and no electronics; it’s all glass, just a set of lenses. The engine, which can be located nearby or a foot or two away, produces the laser and sends it to the head via a fiber-optic cable (and some kind of proprietary mechanism that rotates slowly enough that it could theoretically work for years continuously). This means it’s not only very robust physically, but its volume can be spread out wherever is convenient in the car’s body. The head itself also can be resized more or less arbitrarily without significantly altering the optical design, Collarte said.

Second, the method of diffracting the beam gives the system considerable leeway in how it covers the scene. Different wavelengths are sent out at different vertical angles; a shorter wavelength goes out toward the top of the scene and a slightly longer one goes a little lower. But the band of 1550 +/- 20 nanometers allows for millions of fractional wavelengths that the system can choose between, giving it the ability to set its own vertical resolution.

Baraja’s unique and ingenious take on lidar shines in a crowded industry 13

It could for instance (these numbers are imaginary) send out a beam every quarter of a nanometer in wavelength, corresponding to a beam going out every quarter of a degree vertically, and by going from the bottom to the top of its frequency range cover the top to the bottom of the scene with equally spaced beams at reasonable intervals.

But why waste a bunch of beams on the sky, say, when you know most of the action is taking place in the middle part of the scene, where the street and roads are? In that case you can send out a few high frequency beams to check up there, then skip down to the middle frequencies, where you can then send out beams with intervals of a thousandth of a nanometer, emerging correspondingly close together to create a denser picture of that central region.

Baraja’s unique and ingenious take on lidar shines in a crowded industry 14

If this is making your brain hurt a little, don’t worry. Just think of Dark Side of the Moon and imagine if you could skip red, orange and purple, and send out more beams in green and blue — and because you’re only using those colors, you can send out more shades of green-blue and deep blue than before.

Third, the method of creating the spectrum beam provides against interference from other lidar systems. It is an emerging concern that lidar systems of a type could inadvertently send or reflect beams into one another, producing noise and hindering normal operation. Most companies are attempting to mitigate this by some means or another, but Baraja’s method avoids the possibility altogether.

“The interference problem — they’re living with it. We solved it,” said Collarte.

The spectrum system means that for a beam to interfere with the sensor it would have to be both a perfect frequency match and come in at the precise angle at which that frequency emerges from and returns to the lens. That’s already vanishingly unlikely, but to make it astronomically so, each beam from the Baraja device is not a single pulse but a coded set of pulses that can be individually identified. The company’s core technology and secret sauce is the ability to modulate and pulse the laser millions of times per second, and it puts this to good use here.

Collarte acknowledged that competition is fierce in the lidar space, but not necessarily competition for customers. “They have not solved the autonomy problem,” he points out, “so the volumes are too small. Many are running out of money. So if you don’t differentiate, you die.” And some have.

Instead companies are competing for partners and investors, and must show that their solution is not merely a good idea technically, but that it is a sound investment and reasonable to deploy at volume. Collarte praised his investors, Sequoia and Blackbird, but also said that the company will be announcing significant partnerships soon, both in automotive and beyond.

‘PigeonBot’ brings flying robots closer to real birds

0

Try as they might, even the most advanced roboticists on Earth struggle to recreate the effortless elegance and efficiency with which birds fly through the air. The “PigeonBot” from Stanford researchers takes a step toward changing that by investigating and demonstrating the unique qualities of feathered flight.

On a superficial level, PigeonBot looks a bit, shall we say, like a school project. But a lot of thought went into this rather haphazard-looking contraption. Turns out the way birds fly is really not very well understood, as the relationship between the dynamic wing shape and positions of individual feathers are super complex.

Mechanical engineering professor David Lentink challenged some of his graduate students to “dissect the biomechanics of the avian wing morphing mechanism and embody these insights in a morphing biohybrid robot that features real flight feathers,” taking as their model the common pigeon — the resilience of which Lentink admires.

As he explains in an interview with the journal Science:

The first Ph.D.student, Amanda Stowers, analyzed the skeletal motion and determined we only needed to emulate the wrist and finger motion in our robot to actuate all 20 primary and 20 secondary flight feathers. The second student, Laura Matloff,uncovered how the feathers moved via a simple linear response to skeletal movement. The robotic insight here is that a bird wing is a gigantic underactuated system in which a bird doesn’t have to constantly actuate each feather individually. Instead, all the feathers follow wrist and finger motion automatically via the elastic ligament that connects the feathers to the skeleton. It’s an ingenious system that greatly simplifies feather position control.

In addition to finding that the individual control of feathers is more automatic than manual, the team found that tiny microstructures on the feathers form a sort of one-way Velcro-type material that keeps them forming a continuous surface rather than a bunch of disconnected ones. These and other findings were published in Science, while the robot itself, devised by “the third student,” Eric Chang, is described in Science Robotics.

‘PigeonBot’ brings flying robots closer to real birds 15

Using 40 actual pigeon feathers and a super-light frame, Chang and the team made a simple flying machine that doesn’t derive lift from its feathers — it has a propeller on the front — but uses them to steer and maneuver using the same type of flexion and morphing as the birds themselves do when gliding.

Studying the biology of the wing itself, then observing and adjusting the PigeonBot systems, the team found that the bird (and bot) used its “wrist” when the wing was partly retracted, and “fingers” when extended, to control flight. But it’s done in a highly elegant fashion that minimizes the thought and the mechanisms required.

‘PigeonBot’ brings flying robots closer to real birds 16

PigeonBot’s wing. You can see that the feathers are joined by elastic connections so moving one moves others.

It’s the kind of thing that could inform improved wing design for aircraft, which currently rely in many ways on principles established more than a century ago. Passenger jets, of course, don’t need to dive or roll on short notice, but drones and other small craft might find the ability extremely useful.

“The underactuated morphing wing principles presented here may inspire more economical and simpler morphing wing designs for aircraft and robots with more degrees of freedom than previously considered,” write the researchers in the Science Robotics paper.

Up next for the team is observation of more bird species to see if these techniques are shared with others. Lentink is working on a tail to match the wings, and separately on a new bio-inspired robot inspired by falcons, which could potentially have legs and claws as well. “I have many ideas,” he admitted.

Formlabs CEO on the state of 3D printing and its remaining challenges

0

3D printing isn’t the buzzy, hype-tastic topic it was just a few years ago — at least not with consumers. 3D printing news out of CES last week seemed considerably quieter than years prior; the physical booths for many 3D printing companies I saw took up fractions of the footprints they did just last year. Tapered, it seems, are the dreams of a 3D printer in every home.

In professional production environments, however, 3D printing remains a crucial tool. Companies big and small tap 3D printing to design and test new concepts, creating one-off prototypes in-house at a fraction of the cost and time compared to going back-and-forth with a factory. Sneaker companies are using it to create new types of shoe soles from experimental materials. Dentists are using it to create things like dentures and bridges in-office, in hours rather than days.

One of the companies that has long focused on pushing 3D printing into production is Formlabs, the Massachusetts-based team behind the aptly named Form series of pro-grade desktop 3D printers. The company launched its first product in 2012 after raising nearly $3 million on Kickstarter; by 2018, it was raising millions at a valuation of over a billion dollars.

Apple buys edge-based AI startup Xnor.ai for a reported $200M

0

Xnor.ai, spun off in 2017 from the nonprofit Allen Institute for AI (AI2), has been acquired by Apple for about $200 million. A source close to the company corroborated a report this morning from GeekWire to that effect.

Apple confirmed the reports with its standard statement for this sort of quiet acquisition: “Apple buys smaller technology companies from time to time and we generally do not discuss our purpose or plans.” (I’ve asked for clarification just in case.)

Xnor.ai began as a process for making machine learning algorithms highly efficient — so efficient that they could run on even the lowest tier of hardware out there, things like embedded electronics in security cameras that use only a modicum of power. Yet using Xnor’s algorithms they could accomplish tasks like object recognition, which in other circumstances might require a powerful processor or connection to the cloud.

CEO Ali Farhadi and his founding team put the company together at AI2 and spun it out just before the organization formally launched its incubator program. It raised $2.7M in early 2017 and $12M in 2018, both rounds led by Seattle’s Madrona Venture Group, and has steadily grown its local operations and areas of business.

The $200M acquisition price is only approximate, the source indicated, but even if the final number were less by half that would be a big return for Madrona and other investors.

The company will likely move to Apple’s Seattle offices; GeekWire, visiting the Xnor.ai offices (in inclement weather, no less), reported that a move was clearly underway. AI2 confirmed that Farhadi is no longer working there, but he will retain his faculty position at the University of Washington.

An acquisition by Apple makes perfect sense when one thinks of how that company has been directing its efforts towards edge computing. With a chip dedicated to executing machine learning workflows in a variety of situations, Apple clearly intends for its devices to operate independent of the cloud for such tasks as facial recognition, natural language processing, and augmented reality. It’s as much for performance as privacy purposes.

Its camera software especially makes extensive use of machine learning algorithms for both capturing and processing images, a compute-heavy task that could potentially be made much lighter with the inclusion of Xnor’s economizing techniques. The future of photography is code, after all — so the more of it you can execute, and the less time and power it takes to do so, the better.

 

It could also indicate new forays in the smart home, toward which with HomePod Apple has made some tentative steps. But Xnor’s technology is highly adaptable and as such rather difficult to predict as far as what it enables for such a vast company as Apple.

Follow threeblocksaway | styleandeasy

0FansLike
0FollowersFollow
34FollowersFollow
7SubscribersSubscribe

EDITOR PICKS