On land and in space, IoT networks can now cover the planet

The whole idea of IoT is to connect more things, including devices far from a company’s data centers or maintenance crews. For enterprises that have things all over the world, vendors and service providers are starting to look at the big picture.

At Mobile World Congress later this month, Nokia will show off what it calls WING, a virtual global infrastructure that may include multiple private and carrier networks and satellite systems, depending on what an enterprise needs to connect and how it intends to use the data that’s collected.

“A global enterprise can actually have what they think is their own virtual network of global connectivity for their IoT devices,” said Phil Twist, vice president of mobile networks marketing & communications, in a briefing this week. WING will be commercially available in the second half of this year.

Nokia announced WING on Friday, just days after Inmarsat started talking about its own foray into global IoT. The venerable satellite operator is linking low-power, unlicensed LoRaWAN networks with its worldwide fleet of spacecraft. Real-world use cases for that setup, including cattle-tracking in Australia and water monitoring on a remote plantation in Malaysia, hint at what’s possible with that combination.

WING is a broader vision of a managed service that may include low-power networks, cellular, Wi-Fi and wired infrastructure in addition to satellites. It doesn’t rely on Nokia hardware, so it can run on networks built by competing vendors. Nokia can virtually string together a set of networks for a service provider or for a multinational enterprise.

Companies could use WING to stay connected to networked cars or freight containers as they move around the world, automatically getting handed off from satellite to cellular and other networks as they come into range, Nokia says.

Nokia’s Impact IoT platform will manage all the devices and the subscriptions to various service providers. It can use eSIMs, a software-defined form of the Subscriber Identity Modules in cellphones, to shift devices from one carrier to another as they move across borders.

Impact will also analyze data coming from IoT devices, primarily for operational purposes like optimizing security and customer experience, but also for some vertical applications. The vertical-markets focus will be on the energy, health care, public safety, transportation and auto industries, plus smart cities. Impact already includes an analytics platform for streaming video, designed for things like monitoring traffic patterns.

Privacy groups claim FBI hacking operation went too far

Privacy advocates are claiming in court that an FBI hacking operation to take down a child pornography site was unconstitutional and violated international law.

That’s because the operation involved the FBI hacking 8,700 computers in 120 countries, based on a single warrant, they said.

“How will other countries react to the FBI hacking in their jurisdictions without prior consent?” wrote Scarlet Kim, a legal officer with U.K.-based Privacy International.

On Friday, that group, along with the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Massachusetts, filed briefs in a lawsuit involving the FBI’s hacking operation against Playpen. The child pornography site was accessible through Tor, a browser designed for anonymous web surfing. But in 2014, the FBI managed to take it over.

In a controversial move, the agency then decided to use the site to essentially infect visitors with malware as a way to track them down.

As a result, the FBI is prosecuting hundreds who were found visiting the site, but it also happened to hack into computers from 120 countries.

On Friday, the three privacy groups filed briefs in a case involving Alex Levin, a suspect in the FBI’s Playpen investigation who’s appealing the way the agency used malware to gather evidence against him.

Privacy International claims that the warrant the FBI used to conduct the hacking is invalid. This is because the U.S. was overstepping its bounds by conducting an investigation outside its borders without the consent of affected countries, the group said.

According to Privacy International, the case also raises important questions: What if a foreign country had carried out a similar hacking operation that affected U.S. citizens? Would the U.S. welcome this?

The EFF and ACLU also claim that the FBI’s warrant was invalid, but they cite the U.S. Constitution, which protects citizens from unreasonable searches.

“Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world,” EFF attorney Mark Rumold wrote in a blog post. “If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied.”

A key concern is that a warrant to hack into so many computers will set a precedent. “Even serious crimes can’t justify throwing out our basic constitutional principles,” Rumold said.

U.S. attorneys have argued in court that the FBI followed proper procedures in obtaining its warrant from a federal judge. They said the FBI’s hacking techniques managed to identify hundreds of Playpen users who otherwise were cloaked in anonymity.

Allowing the Playpen suspects “to evade capture and carry on abusing children in the dark shadows of Tor would be repugnant to justice,” the U.S. attorneys argued in court in October.

Intel researches quantum computing and neuromorphic chips for future PCs

Intel realizes there will be a post-Moore’s Law era and is already investing in technologies to drive computing beyond today’s PCs and servers.

The chipmaker is “investing heavily” in quantum and neuromorphic computing, said Brian Krzanich, CEO of Intel, during a question-and-answer session at the company’s investor day on Thursday.

“We are investing in those edge type things that are way out there,” Krzanich said.

To give an idea of how far out these technologies are, Krzanich said his daughter would perhaps be running the company by then.

Researching these technologies, which are still in their infancy, is something Intel has to do to survive for many more decades. Shrinking silicon chips and cramming more features into them is becoming difficult, and Intel is already having trouble manufacturing smaller chips.

Smartphones, PCs, and other devices are getting smaller, faster and more power efficient thanks to Moore’s Law, a 1965 observation loosely stating that the number of transistors in a die area would double every two years, causing performance to double while driving down the cost of making chips.

Intel has been using Moore’s Law as a guiding star to make faster and smaller chips and reducing the price of devices. However, it is widely agreed that Moore’s Law is slowly dying, and Intel’s manufacturing struggles are growing.

For decades, Intel’s business has been heavily reliant on its ability to make and deliver chips. But the process is slowing down. Intel used to advance manufacturing processes every two years, and that has now changed to three to four years.

One way to resolve that crisis—which all chipmakers face—is to completely change the current computing model in PCs, smartphones, and servers. The current model—known as the Von Neumann approach—involves data being pushed to a processor, calculated, and sent back to memory. But storage and memory are becoming bottlenecks.

The answer is to adopt new models of computing, which is where quantum computers and neuromorphic chips fit in. Quantum computers have the potential to be powerful computers harnessing the unique quality of a large number of qubits to perform multiple calculations in parallel. Neuromorphic chips are modeled after the human brain, which could help computers make decisions based on patterns and associations.

Intel has made some advances in quantum computing and neuromorphic chips. But Krzanich’s comments lend more credibility to the company’s push to look at a future beyond today’s computing models.

Some short-term answers can resolve the bottlenecks of the Von Neumann model, including Optane, Intel’s new form of super-fast memory and storage. It could unite SSDs and DRAM in systems, cutting one bottleneck. Intel is also embracing silicon photonics, which could resolve throughput issues in data centers. Both technologies have been researched for more than a decade and are now practical.

The chipmaker has lived off the PC industry for decades but is now looking to grow in markets like data centers, the internet of things, automotive and high-performance computing. The new focus is bringing a gradual change to the way Intel makes chips. It’s similar to the 1970s, when different types of chips like vector processors and floating point arrays were crammed together for complex calculations.

For example, Intel is slapping together two separate functional blocks for applications like machine learning and autonomous cars. Intel envisions FPGAs combining with CPUs in autonomous cars. Later this year, the company will release a chip called Lake Crest, which combines a Xeon server CPU with deep-learning chip technology it picked up through its Nervana Systems acquisition. Intel is also merging an FPGA inside an Intel Xeon chip to carry out machine learning tasks.

Intel is expecting a lot of data to be generated by sources like autonomous cars, which will need edge processing for tasks like image recognition, analysis, and map updates. Intel is pushing its wide roster of co-processors to the edge, and that is where the quantum and neuromorphic chips may fit.

Quantum computer research is also being done by other companies. D-Wave recently released a 2,000-qubit quantum computer based on quantum annealing, while IBM has a 5-bit quantum computer accessible via the cloud. IBM is also playing with brain-like chips and has benchmarked its TrueNorth chip, which has a million neurons and 256 million synapses.

Academic institutions like the University of Heidelberg in Germany, Stanford University, and the University of Manchester in the U.K. are also working on neuromorphic chips. HPE has shown a computer that emulates the human brain, and it intends to adapt ideas from that for servers.

LG leaks seemingly reveal G6, co-designed Google watches

CNET has released additional information about the G6. This article has been updated to reflect this news.

With the Mobile World Congress show just about a month away, rumors are starting to ramp up, but we might have already seen the biggest leak of all. With Samsung bowing out of MWC to fine-tune the Galaxy S8 a little longer, the star of this year’s show might very well be the LG G6, and the first purported partial image of the new handset is already in the wild.

The Verge has published what appears to be an official product shot of the G6, and it looks like it’s going to be a stunner. As expected, the handset features narrower bezels than the G5 and a 5.7-inch Quad HD LCD screen with a unique super-wide 2:1 ratio. According to the site, the phone will dispense with the modular chin that the G5 introduced, focusing instead on turning heads with an all-glass design.

Elsewhere, the phone is expected to retain the 3.5mm headphone jack and be waterproof, while retaining the G5’s dual-camera setup and rear-mounted fingerprint scanner, since there won’t be room for it on the front. The Verge reports that the G6’s screen-to-bezel ratio “is greater than 90 percent, and though its bottom isn’t shown in the image, it’s only slightly taller than the top bezel.”

In a separate report, CNET claims that in addition to ditching the modular concept for the G6, LG will completely seal the phone as it promotes full water resistance. That also means the battery will not be removable this time around, previously one of the standout features of LG’s flagships. Additionally, the publication confirms that the phone will be powered by the Snapdragon 821 rather than the upcoming 835, which is reportedly launching with the Galaxy S8 in April.

One bright spot for the G6, according to CNET, will be support for Google Assistant, which would make the handset one of the first phones other than the Pixel to include Google’s digital helper. HTC’s U Ultra is including its own assistant called Companion (though the company does have plans to incorporate Google Assistant at some point), and Huawei’s Mate 9 opted to partner with Amazon to include Alexa. CNET also reports that LG will be adding Alexa into the G6 “later this year.”

Also leaking on the LG front are low-resolution pics of what could very well be the Android Wear 2.0 smartwatches the company co-developed with Google. TechnoBuffalo has published a pair of images that match up pretty well with the rumors so far—two sizes, circular displays, a crown, a bit of chunkiness—but it’s hard to glean much else. It was previously reported that the larger model would feature a 1.38-inch display and sport a 480×480 screen, with the smaller Style having a 1.2-inch, 360×360 display.

Most notably, the larger Sport model pictured includes a pair of buttons above and below the crown, while the smaller Style watch does not. Previously, it had been reported that the larger model would include cellular connectivity, GPS, and NFC, so the buttons could be used for Android Pay or some other feature not available on the Style.

While nothing is confirmed, the images here look like LG is going to seriously shake things up with its upcoming releases. While we’ll need to see the watches in person to get a true feel for them, the image of the G6 looks like a massive improvement over last year’s model, and with Samsung pushing its Galaxy S8 launch back, LG could be in a position to capitalize with an early sales boost. That would be good news for the company, as last year’s flagships failed to resonate much with consumers.

This story, “LG leaks seemingly reveal G6, co-designed Google watches” was originally published by Greenbot.

AI-based typing biometrics might be authentication’s next big thing Advances in machine learning pave the way for typing-based au

Identifying or authenticating people based on how they type is not a new idea, but thanks to advances in artificial intelligence it can now be done with a very high level of accuracy, making it a viable replacement for other forms of biometrics.

Research in the field of keystroke dynamics, also known as keyboard or typing biometrics, spans back over 20 years. The technique has already been used for various applications that need to differentiate among computer users, but its widespread adoption as a method of authentication has been held back by insufficient levels of accuracy.

Keystroke dynamics relies on unique patterns derived from the timing between key presses and releases during a person’s normal keyboard use. The accuracy for matching such typing-based “fingerprints” to individual persons by using traditional statistical analysis and mathematical equations varies around 60 percent to 70 percent, according to Raul Popa, CEO and data scientist at Romanian startup firm TypingDNA.

Some vendors have invested a lot of money over the past 10 years in an attempt to improve the precision of typing biometrics, but true success has only been achieved over the past two or three years due to advances in machine learning, Popa said.

Popa’s company has used these advances to develop AI-powered typing pattern recognition technology that it claims has an accuracy of more than 99 percent and can even reach 99.9 percent when there is a sufficiently large typing profile built for the user over time.

The technique involves recording small pieces of information about how users type, like the time it takes them to move from one key to another or the length of time they keep each key pressed. This is used to create unique typing patterns that are represented as feature vectors made up of 320 values.

TypingDNA’s technology only records statistics about the 44 most used keys on a keyboard and doesn’t record sequences between two or more keys because such information could potentially be used to reconstruct text.

Keystroke recognition is not meant to replace passwords or to be used alone as a method of authentication. Instead, it can be used in a multifactor authentication system and is easier to implement than other forms of biometric verification.

To use fingerprint, face or voice recognition, websites have to ask users for access to their microphones, webcams or fingerprint readers. Gathering the data needed to build typing patterns, however, can be done from JavaScript with no additional permissions other than what websites already have by default inside browsers.

In order to build typing profiles, TypingDNA’s technology needs users to type a minimum of 60-70 characters, but this can vary depending on what the service is being used for, according to Popa.

For example, an application that needs to check a user’s identity more frequently can use a longer text of 170-180 characters for initial enrollment and then use shorter texts when performing verification. Meanwhile, for applications that rarely need to verify the user’s identity—for example for password reset attempts—the enrollment can be shorter and the verification text much longer.

Since different applications have different requirements, the error threshold can also be adjusted to suit the application owners’ needs, helping them find the right balance between usability and accuracy. For example, an e-learning platform that uses typing biometrics to ensure that the people taking online exams are the actual account holders might have an acceptable error rate that’s higher than a bank that wants to use typing biometrics for transaction authorization.
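The per-key timing statistics and adjustable threshold described above, as an added JavaScript example that is not TypingDNA’s code or algorithm. It assumes a 26-letter key set, mean hold and seek time per key, and a mean relative difference as the match score; the keystroke events are constructed.

```javascript
// Added illustration, not TypingDNA's algorithm. Assumptions: 26 letter keys,
// mean hold and mean seek time per key, mean relative difference as the score.
// In a browser the events would come from keydown/keyup listeners
// (event.key plus a timestamp); here they are constructed.
const TRACKED = new Set('abcdefghijklmnopqrstuvwxyz');
const MAX_SEEK_MS = 1500; // longer gaps are pauses, not typing rhythm

// events: [{type: 'down' | 'up', key: string, t: milliseconds}]
function extractFeatures(events) {
  const sums = new Map();      // key -> {hold, holdN, seek, seekN}
  const pressedAt = new Map(); // key -> time of the keydown still held
  let lastDownAt = null;       // time only: the previous key's identity is never
                               // stored, so no key sequence can be rebuilt
  const bucket = (key) => {
    if (!sums.has(key)) sums.set(key, { hold: 0, holdN: 0, seek: 0, seekN: 0 });
    return sums.get(key);
  };

  for (const { type, key: rawKey, t } of events) {
    const key = rawKey.toLowerCase();
    if (type === 'down') {
      if (pressedAt.has(key)) continue; // auto-repeat while the key is held
      if (TRACKED.has(key) && lastDownAt !== null && t - lastDownAt <= MAX_SEEK_MS) {
        const b = bucket(key);
        b.seek += t - lastDownAt; // time taken to reach this key
        b.seekN += 1;
      }
      pressedAt.set(key, t);
      lastDownAt = t;
    } else if (type === 'up' && pressedAt.has(key)) {
      if (TRACKED.has(key)) {
        const b = bucket(key);
        b.hold += t - pressedAt.get(key); // how long the key stayed pressed
        b.holdN += 1;
      }
      pressedAt.delete(key);
    }
  }

  // Fixed-order vector [hold_a, seek_a, hold_b, seek_b, ...]; null = no data.
  const vector = [];
  for (const key of [...TRACKED].sort()) {
    const b = sums.get(key);
    vector.push(b && b.holdN ? b.hold / b.holdN : null);
    vector.push(b && b.seekN ? b.seek / b.seekN : null);
  }
  return vector;
}

// Lower score = closer match. `threshold` is the tunable error tolerance;
// samples sharing fewer than `minShared` features are rejected as too short.
function compare(profile, sample, threshold, minShared = 10) {
  let total = 0;
  let shared = 0;
  for (let i = 0; i < profile.length; i++) {
    const p = profile[i];
    const s = sample[i];
    if (p === null || s === null) continue;
    total += Math.abs(p - s) / Math.max((p + s) / 2, 1);
    shared += 1;
  }
  if (shared < minShared) return { accepted: false, score: null, shared };
  const score = total / shared;
  return { accepted: score <= threshold, score, shared };
}

// Constructed input: deterministic events for `text`, no real user data.
function synthesize(text, holdMs, gapMs) {
  const events = [];
  let t = 0;
  for (const ch of text) {
    const jitter = (ch.charCodeAt(0) % 7) * 3; // per-key variation
    events.push({ type: 'down', key: ch, t });
    events.push({ type: 'up', key: ch, t: t + holdMs + jitter });
    t += gapMs + jitter;
  }
  return events;
}

const ENROLL_TEXT = 'the quick brown fox jumps over the lazy dog and keeps typing to enroll';
const VERIFY_TEXT = 'pack my box with five dozen liquor jugs';

const profile = extractFeatures(synthesize(ENROLL_TEXT, 90, 150));
const sameUser = extractFeatures(synthesize(VERIFY_TEXT, 95, 155));
const otherUser = extractFeatures(synthesize(VERIFY_TEXT, 140, 230));

console.log('same user, lenient:', compare(profile, sameUser, 0.15));
console.log('same user, strict: ', compare(profile, sameUser, 0.02));
console.log('other user:        ', compare(profile, otherUser, 0.15));
console.log('too short:         ', compare(profile, extractFeatures(synthesize('hi', 90, 150)), 0.15));
```

The strict threshold rejects the genuine user's slightly different rhythm, which is the usability cost of a lower tolerance.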

Tricking one or several typing recognition algorithms is technically possible using various techniques, Popa said. That’s why TypingDNA uses 10 different algorithms in parallel so that the system is more resilient against potential fraud attempts, he said.

Ultimately though, typing patterns are as vulnerable to cloning as other types of biometrics. Just as attackers can copy someone’s fingerprint, record their voice or obtain a high-resolution picture of their face, it is theoretically possible to record how someone types over a long period of time and then replicate that to defeat typing-based verification.

One common question that often comes up when discussing typing biometric technologies is how they handle various incidents that can affect the user’s style of typing. For example, when users are inebriated or experience dizziness, they’ll probably type slower and make more errors, which changes their typing profiles. Accidents can also temporarily leave users unable to type normally with one of their hands.

According to Popa, TypingDNA’s system is smart enough to figure out when a user continues to type normally on one half of the keyboard and differently on the other half, which suggests that they have a problem with one of their hands. A lower score on one half of the keyboard can be compensated by asking the user to type a longer text so that more data from the unaffected half is collected.

In cases where the overall typing style changes too much, authentication success or failure depends on the configured accuracy threshold.

To account for smaller changes in a person’s typing over time, the system can also perform so-called continuous enrollment, where the user’s typing profile is enriched with new typing information collected over time. For example, new data collected from every typed verification text can be used to refresh the user’s stored typing pattern.

TypingDNA provides access to its typing-based authentication service through an API (application programming interface) and developers can add the functionality into their web apps through a software development kit.

Trying out the service is free for the first 1,000 authentication requests. Beyond that users have to buy prepaid packages that include basic and professional plans and a variety of pricing tiers. For example, a basic package for 5,000 requests is priced at $99 and a basic package for 50,000 requests is priced at $999. The company plans to add a monthly subscription plan, but for now you can only buy these prepaid packages and add more credit when you reach the limit. API access is available through the firm’s website and the company says it works for users typing in any language.

The company is also developing an application for desktops and laptops that performs “continuous authentication.” The application sits in the background and learns the computer owner’s typing patterns. It can then quickly lock out any unauthorized user who tries to use the computer when it’s left unlocked and unattended.

Typing pattern analysis can also have applications beyond authentication. TypingDNA is currently conducting research into the area of user profiling and has built an experimental system that attempts to determine a person’s gender, age, IQ, openness and personality (Myers–Briggs Type Indicator) based on how they type.

The large number of data breaches announced by online service providers over the past few years is a clear indication that password-based authentication is no longer enough. Two-factor authentication systems, often based on one-time-use codes sent via text messages or generated by mobile apps, have now become the norm.

But SMS is not a secure channel for transmitting authentication codes and users might not always have their mobile phones with them. AI-powered typing biometrics could be a viable alternative for the web, much more so than other forms of biometrics that require special access to peripheral devices.

Huge update brings the new Nvidia Shield TV’s flagship features to the original

A little more than a week ago, Nvidia put its second-generation Shield TV up for sale. On Thursday, the company followed up with a massive software refresh for the original Nvidia Shield that brings many of the new device’s features to the old one.

Rolling out now, the latest Shield Experience Upgrade brings the headlining feature of 4K high dynamic range support to the first generation device. HDR support works with video streaming on services like Amazon Video and Netflix, as well as with GameStream—the feature that lets you stream a game from your GeForce graphics card-equipped PC to your TV.

The new update also adds a new Nest app, allowing you to view all your Nest Cams at home. Other notable app additions include NFL, Twitter, Vimeo, and Comedy Central.

The underlying OS is also upgraded to Android 7.0 Nougat with support for picture-in-picture in compatible apps, a new settings menu, and a recently used apps page.

What the new upgrade doesn’t bring to old Shield devices is the promised smart home hub functions—at least not yet. These features aren’t yet on the second-generation device either, so it’s not a surprise.

When smart home functionality does roll out the software will support the Zigbee and Z-Wave protocols. Google Assistant—the same software behind Google Home and built into the Pixel smartphone—is also coming to the Shield, allowing for smart home voice control. One caveat for original Shield device owners: Those features require an always-on microphone and hence, the new Shield TV controller. Still, spending an extra $60 to bring your machine up to par with its successor is not a bad deal.

Trump’s executive order won’t destroy Privacy Shield, says EU

Fears that U.S. President Trump has destroyed the Privacy Shield Transatlantic data transfer agreement with one of the many executive orders he has signed this week are unfounded, the European Commission said Friday.

On Wednesday, Trump signed an executive order entitled “Enhancing Public Safety in the Interior of the U.S.,” one of several he has issued since taking office on Jan. 20. Such executive orders are used by U.S. presidents to manage the operations of the federal government.

Like the “Border Security and Immigration Enforcement Improvements” executive order signed the same day, the public safety order seeks to repatriate foreigners who have either entered the U.S. illegally or entered legally but overstayed or otherwise violated the terms of their visas.

To do that, law enforcers need to be able to track the foreigners concerned, but privacy laws can make it difficult for them to obtain the information necessary to identify them.

That’s why Trump ordered U.S. government agencies to “ensure that their privacy policies exclude persons who are not U.S. citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

There has been concern that the president’s move would have an impact on Privacy Shield. Guaranteeing privacy rights for foreigners’ data processed in the U.S. was one of the requirements the European Union imposed on the U.S. when negotiating Privacy Shield, the agreement that allows businesses to transfer the personal information of EU citizens to the U.S. for processing. Such transfers are forbidden by EU privacy law unless the destination country provides privacy protection at least equal to that required under EU law.

One EU legislator who had fought for the protections enshrined in Privacy Shield immediately criticized the president’s public safety order. Member of the European Parliament Jan Philipp Albrecht feared the order would undermine Privacy Shield and another EU-U.S. privacy agreement, the so-called Umbrella Agreement, which is due to take effect next Wednesday.

“If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement,” tweeted Albrecht.

But the fears of Albrecht and others are unfounded, said a Commission spokeswoman. Privacy Shield protects data of EU citizens that is transferred to the U.S. but does not cover the privacy of data gathered in the U.S.

“The U.S. Privacy Act has never offered data protection rights to Europeans,” she said. Privacy Shield does not rely on the Privacy Act, which covers data held by U.S. agencies, not by private companies.

Otherwise, the Umbrella Agreement that MEP Albrecht referred to covers the exchange of personal information between U.S. and EU law enforcers during the course of their investigations. However, it depends on a law that appears to exclude Europeans from Trump’s executive order.

“To finalize this agreement the U.S. Congress adopted a new law last year, the U.S. Judicial Redress Act, which extends the benefits of the U.S. Privacy Act to Europeans and gives them access to U.S. courts,” the Commission spokeswoman said.

And since Trump only asked agencies to exclude Europeans from the Privacy Act “to the extent consistent with applicable law,” it seems that the protections of the Judicial Redress Act still apply.

The Commission remains vigilant. “We will continue to monitor the implementation of both instruments and are following closely any changes in the U.S. that might have an effect on European’s data protection rights,” the spokeswoman said.

Humble Store offers X-COM: UFO Defense for free, XCOM 2 for dirt cheap

Giveaways pop up all the time in the world of PC gaming, but this latest freebie should bring a particularly big grin to the faces of old-school PC gamers and retro gaming enthusiasts. Through 1 p.m. Eastern on Friday—just over 24 hours from now—the Humble Store will give you X-COM: UFO Defense for the low, low price of absolutely nothing.

UFO Defense is the game that kicked off the legendary series, with all the Sectoids and UFOs that make X-COM famous. The graphics definitely look a bit dated more than 20 years after its release, but X-COM’s big draw has always been its tough, tactical gameplay, and all the time in the world can’t take that away.

XCOM 2

Looking for a more modern, refined take on alien hunting? Humble’s also offering 2017’s XCOM 2—one of the 10 best PC games of 2016, and a personal favorite—for just $12 in the February Humble Monthly Bundle. That’d be a heck of a price for XCOM 2 alone, but the bundle will also include several additional games when it goes live Friday at 1 p.m. Eastern. (Subscribing now will unlock XCOM 2 for you immediately.)

Not too shabby—and it gets even better. The massive Long War 2 mod for XCOM 2 released earlier this month, which is probably why the core game popped up in the Monthly Bundle. This total conversion mod tweaks and toughens virtually every aspect of the game, adding new soldier classes, weapons, aliens, mission types, gameplay mechanics, and more. Think of it as an expansion you can snag for free.

Google pushes out 7.1.2 beta, but Nexus 6 and Nexus 9 won’t get it

While many Android phones are still waiting for the first taste of Nougat, Google is pushing ahead on the latest version of Android for its Nexus and Pixel devices. Or rather, most of them.

Available for users enrolled in the Android Beta Program, the next release is, according to Google’s blog description, “an incremental maintenance release focused on refinements, so it includes a number of bug fixes and optimizations, along with a small number of enhancements for carriers and users.” That means you probably won’t see any differences in your day-to-day use, unless you were consistently bothered by a particular bug.

However, if you happen to own a Nexus 6 or Nexus 9, you’re out of luck. Not only are those devices unable to install the beta, Google says that the general release of 7.1.2, which is expected to land in a couple of months, will be available for the Pixel, Pixel XL, Nexus 5X, Nexus 6P, Nexus Player, and Pixel C devices. Notably excluded from that list are the Nexus 6 and Nexus 9, 2014 devices released by Motorola and HTC, respectively, that were on board with the previous Nougat updates. While Google doesn’t specifically say they will be excluded from future releases, it would appear that they have reached the end of the line for updates.

The 7.1.2 public beta is available through the Android Beta Program, which you can sign up for at android.com/beta with a Google account and one of the supported phones. If you’ve already enrolled in the program, your phone will receive the update within the next few days, according to Google. To check to see if an update is available, you can go to the About tab in Settings and tap on System updates.

While it may be sooner than expected, it was pretty inevitable that Google would stop supporting the 2014 Nexus 6 and Nexus 9 devices sometime this year. When Google announced its updated security efforts for Nexus devices ahead of Marshmallow’s release in 2015, it vowed they would “continue to receive major updates for at least two years.” More importantly, it will continue to deliver security patches “for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.” So you don’t need to toss them in the recycle bin just yet.

This story, “Google pushes out 7.1.2 beta, but Nexus 6 and Nexus 9 won’t get it” was originally published by Greenbot.

Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

For the past half year Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it’s still not done.

While Netgear has worked to fix the issue, the list of affected router models increased to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.

In January 2014, a researcher found that he could trick the web-based management interface of Netgear WNR1000v3 routers into disclosing the admin’s password. The exploit involved passing a numerical token obtained from one script called unauth.cgi to another called passwordrecovered.cgi. Neither of them required authentication to access.

Last year, Kenin came across this old exploit when he wanted to break into his own router — a different Netgear model — and realized that it worked. The researcher decided to write a script to automate the exploit so that other people could test their own router models, but due to a programming error the script didn’t pass the correct token to passwordrecovered.cgi. Yet the exploit still worked.

“After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send,” Kenin said in a blog post Monday. “This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.”

Kenin claims that he reported the vulnerability to Netgear in early April and the company put out an advisory in June, along with patched firmware for “a small subset of vulnerable routers.” Firmware fixes are now available for 20 models.

The company’s workaround for routers that don’t yet have patched firmware versions involves logging into their management interfaces and enabling the Password Recovery feature on the ADVANCED > Administration > Set Password page. The exploit only works when password recovery is disabled, which is the default setting.

Routers that are configured for remote administration over the internet are directly vulnerable to attacks that exploit this flaw. By obtaining admin credentials attackers can, at the very least, change a router’s DNS server settings to redirect users to malicious websites.

However, this doesn’t mean that routers whose web interfaces can only be accessed over the local area network — the default setting — are not at risk.

If vulnerable routers are used to provide wireless internet access in a public space like a library, a bar or a restaurant, anyone connecting to those networks can compromise them. People also routinely share their home Wi-Fi passwords with friends and family members who can bring compromised computers or smart phones into their networks.

There are also cross-site request forgery (CSRF) attacks that can hijack a user’s browser when visiting a specially crafted web page and use it to send malicious requests to a router over the local area network.
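For defenders, the exposure paths described above can be checked in traffic records. The following is an added example, not code from the article, Trustwave or Netgear: it scans a sensor or proxy log for requests to passwordrecovered.cgi and tags each by whether it followed an unauth.cgi request, came from outside the LAN, or carried a cross-site Referer. The log format, router address, LAN range and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions for this example: router address and LAN range.
ROUTER_HOST = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample traffic in combined log format (not real captures).
SAMPLE_LOG = """
192.168.1.23 - - [30/Jan/2017:10:02:11 +0000] "GET /unauth.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.23 - - [30/Jan/2017:10:02:12 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2017:11:40:03 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 734 "-" "curl/7.50"
192.168.1.40 - - [30/Jan/2017:12:15:44 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 734 "http://example.test/page.html" "Mozilla/5.0"
192.168.1.23 - - [30/Jan/2017:12:20:00 +0000] "GET /start.htm HTTP/1.1" 200 2048 "http://192.168.1.1/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def find_recovery_requests(log_text):
    """Return (source, tags) for every request to passwordrecovered.cgi."""
    asked_unauth = set()  # clients that requested unauth.cgi earlier in the log
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = m["src"]  # assumed to be an IP address, as in the sample lines
        path = urlsplit(m["target"]).path.lower()
        if path.endswith("/unauth.cgi"):
            asked_unauth.add(src)
        if not path.endswith("/passwordrecovered.cgi"):
            continue
        # The 2014 variant fetched a token from unauth.cgi first; the newer one need not.
        tags = ["after-unauth" if src in asked_unauth else "no-prior-unauth"]
        if ipaddress.ip_address(src) not in LAN:
            tags.append("remote-source")       # management interface reachable from outside
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host and ref_host != ROUTER_HOST:
            tags.append("cross-site-referer")  # request triggered from another site's page
        if m["status"] == "200":
            tags.append("served")              # the router answered instead of refusing
        findings.append((src, tags))
    return findings

if __name__ == "__main__":
    for src, tags in find_recovery_requests(SAMPLE_LOG):
        print(src, ",".join(tags))
```

Any "served" hit on a router that has not been patched or had the workaround applied is a reason to change the admin password and review the DNS settings.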

“We have found more than ten thousand vulnerable devices that are remotely accessible,” Kenin said. “The real number of affected devices is probably in the hundreds of thousands, if not over a million.”

In an emailed statement, Netgear said, “This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability.” The company added that firmware fixes are available for the majority of the affected devices and that users should follow the advised workaround for routers for which final updates are still pending.

The company did not clarify whether the list of affected router models in its advisory, which was last updated Friday, is final or if additional models might be added to it in the future.

Some of the affected models, like the C6300 router, which also has cable modem functionality, are distributed to customers by ISPs. Service providers also distribute firmware patches. Kenin found that the Lenovo-branded R3220 router uses Netgear firmware and is also vulnerable.

When it comes to security, Netgear is actually one of the better router manufacturers out there. Earlier this month the company launched a bug bounty program through the Bugcrowd platform.

Attacks against home routers have intensified over the past few years, and powerful DDoS botnets like Mirai are now being built from compromised embedded devices. Unfortunately, the software running on such devices continues to be plagued by ’90s-era vulnerabilities like command injection and buffer overflows, and basic security features found in modern software, like automatic updates or sandboxing, are rare.