Canonical’s Anbox Cloud puts Android in the cloud

Canonical, the company behind the popular Ubuntu Linux distribution, today announced the launch of Anbox Cloud, a new platform that allows enterprises to run Android in the cloud.

On Anbox Cloud, Android becomes the guest operating system that runs containerized applications. This opens up a range of use cases, ranging from bespoke enterprise app to cloud gaming solutions.

The result is similar to what Google does with Android apps on Chrome OS, though the implementation is quite different and is based on the LXD container manager, as well as a number of Canonical projects like Juju and MAAS for provisioning the containers and automating the deployment. “LXD containers are lightweight, resulting in at least twice the container density compared to Android emulation in virtual machines – depending on streaming quality and/or workload complexity,” the company points out in its announcements.

Anbox itself, it’s worth noting, is an open-source project that came out of Canonical and the wider Ubuntu ecosystem. Launched by Canonical engineer Simon Fels in 2017, Anbox runs the full Android system in a container, which in turn allows you to run Android application on any Linux-based platform.

What’s the point of all of this? Canonical argues that it allows enterprises to offload mobile workloads to the cloud and then stream those applications to their employees’ mobile devices. But Canonical is also betting on 5G to enable more use cases, less because of the available bandwidth but more because of the low latencies it enables.

“Driven by emerging 5G networks and edge computing, millions of users will benefit from access to ultra-rich, on-demand Android applications on a platform of their choice,” said Stephan Fabel, Director of Product at Canonical, in today’s announcement. “Enterprises are now empowered to deliver high performance, high density computing to any device remotely, with reduced power consumption and in an economical manner.”

Outside of the enterprise, one of the use cases that Canonical seems to be focusing on is gaming and game streaming. A server in the cloud is generally more powerful than a smartphone, after all, though that gap is closing.

Canonical also cites app testing as another use case, given that the platform would allow developers to test apps on thousands of Android devices in parallel. Most developers, though, prefer to test their apps in real — not emulated — devices, given the fragmentation of the Android ecosystem.

Anbox Cloud can run in the public cloud, though Canonical is specifically partnering with edge computing specialist Packet to host it on the edge or on-premise. Silicon partners for the project are Ampere and Intel .

Android – TechCrunch

Cloud flaws expose millions of child-tracking smartwatches

Parents buy their children GPS-enabled smartwatches to keep track of them, but security flaws mean they’re not the only ones who can.

This year alone, researchers have found several vulnerabilities in a number of child-tracking smartwatches. But new findings out today show that nearly all were harboring a far greater, more damaging flaw in a common shared cloud platform used to power millions of cellular-enabled smartwatches.

The cloud platform is developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices. The platform works as a backend system for Thinkrace-made devices, storing and retrieving locations and other device data. Not only does Thinkrace sell its own child-tracking watches to parents who want to keep tabs on their children, the electronics maker also sells its tracking devices to third-party businesses, which then repackage and relabel the devices with their own branding to be sold on to consumers.

All of the devices made or resold use the same cloud platform, guaranteeing that any white-label device made by Thinkrace and sold by one of its customers is vulnerable.

Ken Munro, founder of Pen Test Partners, shared the findings exclusively with TechCrunch. Their research found at least 47 million vulnerable devices.

“It’s only the tip of the iceberg,” he told TechCrunch.

Smartwatches leaking location data

Munro and his team found that Thinkrace made more than 360 devices, mostly watches and other trackers. Because of relabeling and reselling, many Thinkrace devices are branded differently

“Often the brand owner doesn’t even realize the devices they are selling are on a Thinkrace platform,” said Munro.

Each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers traced the commands all the way back to Thinkrace’s cloud platform, which the researchers described as a common point of failure.

The researchers said that most of the commands that control the devices do not require authorization and the commands are well documented, allowing anyone with basic knowledge to gain access and track a device. And because there is no randomization of account numbers, the researchers found they could access devices in bulk simply by increasing each account number by one.

The flaws aren’t just putting children at risk, but also others who use the devices.

In one case, Thinkrace provided 10,000 smartwatches to athletes participating in the Special Olympics. But the vulnerabilities meant that every athlete could have their location monitored, the researchers said.

Child voice recordings found exposed

One device maker bought the rights to resell one of Thinkrace’s smartwatches. Like many other resellers, this brand owner allowed parents to track the whereabouts of their children and raise an alarm if they leave a geographical area set by the parent.

The researchers said they could track the location of any child wearing one of these watches by enumerating easy-to-guess account numbers.

The smartwatch also allows parents and children to talk to each other, just like a walkie-talkie. But the researchers found that the voice messages were recorded and stored in the insecure cloud, allowing anyone to download files.

A recording of a child’s voice from a vulnerable server of a smartwatch reseller. (We’ve removed the audio to protect the child’s privacy.)

TechCrunch listened to several recordings picked at random and could hear children talking to their parents through the app.

The researchers likened the findings to CloudPets, an internet-connected teddy bear-like toy, which, in 2017, left their cloud servers unprotected, exposing two million child voice recordings.

Some five million children and parents use the smartwatch sold by the reseller.

Disclosure whack-a-mole

The researchers disclosed the vulnerabilities to several white-label electronics makers in 2015 and 2017, including Thinkrace.

Some of the resellers fixed their vulnerable endpoints. In some cases, the fixes put in place to protect vulnerable endpoints later became undone. But many companies simply ignored the warnings, prompting the researchers to go public with their findings.

Rick Tang, a spokesperson for Thinkrace, did not respond to a request for comment.

Munro said that while the vulnerabilities are not believed to have been widely exploited, device makers like Thinkrace “need to get better” at building more secure systems. Until then, Munro said owners should stop using these devices.

Gadgets – TechCrunch

Google overhauls Nest Aware cloud recording plan

Google is updating the Nest Mini today, the device formerly known as Google Home Mini. And the company used this opportunity to announce an update to its home awareness product, Nest Aware.

If you have Nest security cameras, you can subscribe to a Nest Aware plan. It currently costs $ 5 a month for 5-day video history, $ 10 per month for 10-day history and $ 30 per month for 30-day history. All plans include continuous recording, intelligence alerts, clips and more.

But it can get complicated when you have multiple cameras. Additional cameras require their own subscription plan, but those additional plans are a bit cheaper.

Google is going to simplify all that with plans that cover your whole home. New plans will cost $ 6 per month for 30-day event history and $ 12 per month for 60-day event history as well as 10-day 24/7 video history.

As you can see, you now have to pay $ 12 per month for continuous recording as the basic plan doesn’t include continuous recording anymore. But if you have 8 cameras, you’ll only have to play for a single subscription.

New plans will roll out in early 2020 with the option to switch to the new plans.

And now, Nest Mini and Nest Hubs integrate with Nest Aware. For instance, when your non-connected smoke detector is triggered by a fire, your Nest Mini will notice the alarm and send you a push notification.

You can listen live to confirm that it is a smoke alarm. You can confirm the alarm and the Home app then calls 911 or your local emergency service directly.

Gadgets – TechCrunch