
tv   Click  BBC News  March 10, 2019 12:30pm-1:00pm GMT

12:30 pm
hello. there's a definite wintry feel to the weather today with snow at relatively low levels already. and the risk of snow remains with us, the risk of some very windy weather as well. there are warnings out, gales, possibly severe gales, very gusty winds for many making it feel colder today. notably so in the south, but as we got snow still falling further north and in the showers even further south, it is, as i say, going to be a little bit tricky if you are heading out. strong, gusty winds, snow to relatively low levels building up, blowing around in those winds. temperatures barely double figures for most. they've started in double figures in the south but they'll tend to fall away. so we could see several centimetres of snow building up, particularly for northern england and scotland, possibly northern ireland through the remainder of the day. those showers continue through the night actually and with temperatures falling to freezing, particularly in the countryside below freezing, it could turn quite icy as we head into monday morning. but otherwise, monday looks like a quieter day but the calm before the storm. hello, this is bbc news with ben brown. the headlines —
12:31 pm
kenya's transport secretary has said seven britons were among the 157 people killed when an ethiopian airlines flight crashed. the plane crashed shortly after taking off from addis ababa on its way to the kenyan capital, nairobi. the foreign secretary, jeremy hunt, has warned mps that if they get crucial votes wrong this week they risk losing brexit. two more british women living in detention camps in syria, with five children between them, are reported to have been stripped of their uk citizenship. the family of a 23-year-old british woman missing in guatemala say they're "desperately worried" for her safety. now on bbc news, it's time for click which this week looks at whether your car could be vulnerable to hackers. this week: gone in six seconds with a simple high-tech carjack. scrums and gums. and, it's the end of
12:32 pm
the world as we know it... ..but we feel fine. for many of us, our car is one of the most valuable things that we own. sometimes crazy to think that we just leave them out on the streets but, of course, that is because they are built with good security. but in the last few years we have started to see this happening... newer cars with keyless entry have been fooled by thieves with relay boxes. they stand outside your house and the box magnifies the signal from your key fob, which may be sitting inside, so the car thinks the key fob is closer
12:33 pm
than it really is and, hey presto, they are off with your car. so many car owners have turned to third party car alarms, which promise to protect against this kind of attack. they are fitted to order and many offer the ability to remotely control your car using a smartphone app — which is handy... ..unless these can be hacked too. you probably do not want to see what is coming next but we are going to show you anyway. it is something we had hoped was not possible in real life but, worryingly, it is. the black range rover has been chosen and then tracked and is now the target for two hackers, who are waiting to make their move. the victim has no idea about what is about to happen, as first the car alarm goes off... car alarm sounding. ..and then the attackers take control of the door locks.
12:34 pm
get out of the car. give me your key. ok, ok. a new way to steal luxury cars to order? get out of the car... well, we've actually set this up to show you how security researchers have discovered what is now possible. the victim can't restart the car, only the attackers can do that. it is one of several ways in which car alarms sold by two of the world's biggest brands in car security can now be used against their owners. so how can this happen? we have been given exclusive access to the labs where the research happened, and the security companies who failed their customers have been given seven days to put things right. more on that later, but first,
12:35 pm
let's take a closer look at what went so badly wrong. the test compromised a vw and a range rover, but the failings have nothing to do with the car manufacturer, but rather these makes of alarms that millions of car owners have fitted to protect their wheels. clifford in the uk, also sold as viper in the us, is one of the market leaders and claims to prevent car-jacking. while pandora, based in russia and sold in the uk, also fell short of its own audacious claims. currently i would not recommend the viper or the pandora alarms. the pandora alarm was claimed to be unhackable but, right now, i would not recommend these alarms. pandora has recently dropped that claim from its website. just as well. so the first primary reason that most people fit a third party after-market car alarm, like the viper or the pandora,
12:36 pm
is to prevent the key-relay attacks that we have seen videos of, where two guys appear at your house, wave a magic box by your wall, and then are able to drive your car away. so that's the first reason and the sort of additional security that comes with that. the second reason that people buy these is the remote start functionality and the remote start functionality could allow you to preheat a car before you get into it on a cold winter's day, have the ice gone off the windscreen, but also to cool the car down on a hot summer's day as well. the trouble is, some of these nice-to-have comfort features have been shown by the researchers to be the very reason why they were able to take so much control. the functionality we found a problem with is in the back-end systems. rather than asking for the information about my specific car, i could ask for any car. any car that this system is registered with, we can query that information, and that includes the person's name,
12:37 pm
full name, the location and find it real time on a map, we can get the model of the car, we can do the start-stop remotely, we can turn the panic alarm on remotely. so i could look on the system and look for a nice lamborghini or a porsche, for example. and think, oh, i wonder where that is? is it in the uk, where i'm located? oh, yeah, it's just down the road from me. great, i am going to go and start that car if no-one is around, and unlock the doors and drive away. so who are these people with such superpowers? this is pen test partners, and it is one of a growing number of firms in the uk that are paid to break into security systems by the companies that run them. pen test has contracts with several car manufacturers, among other clients, who want them to find vulnerabilities. but when these guys have some spare time, well, they start testing other systems too. vangelis usually works from greece
12:38 pm
but he has come over to show me how he broke into the pandora alarm. pandora provides you with an account and we found a flaw that we could enumerate all the users. and then we could change that user's e-mail, issue a password reset, and we would get the new password on our changed e-mail, which we control. you basically reset the user's password and you got control? yes, after changing his own e-mail to my corrupt email. and the system lets you do that? yeah, apparently. that is what we call an insecure direct object reference. can you show us how? yeah. i have written a script to automate everything. i am just using my own user id and this user id could be anyone's
12:39 pm
that is using pandora. so you are using your own id mainly to stay within the law, just to show us what's possible. yes. so now i am waiting for the password e-mail. it will have the new password with my changed e-mail. and you could do this for any user out there of pandora. you changed their password, you've gained their account and then you're into the system. yes. so the system now is just waiting for the response from pandora. yes. that automatic e-mail that you get when you want to reset your password — you need to wait a few seconds. here it comes. yes. so you now have a new password. i can log into the system and i control mine — because i have provided my user id but any user's vehicle. now, it is worth emphasising that these are just normal manual cars, they are not autonomous, they just happen to have the extra security devices fitted. now, we think it affects around 3
12:40 pm
million cars on the road globally, and as far as we know, criminals have not used the vulnerability yet to steal a vehicle, but the fact it is even possible will no doubt be cause for some red faces among the big brand names in the industry. in a statement, pandora said: directed, the parent company of clifford and viper alarms said:
12:41 pm
for these professional security testers though, the failings they found ought to be a wake-up call for the people paid to protect us. so we were shocked. we see all sorts of vulnerabilities like this but this one is right up there. it's a security product that's supposed to make our cars safer and more secure, but yet it's actually made us potentially more exposed and less secure. i am concerned about the way this scales up. there are millions of cars that are exposed — something like £200 billion worth of vehicles have these alarms fitted. it was manufacturers that made the mistake — they had the security flaw — but there is still something you can do as a consumer. please, make sure that you do not use the same password for your mobile apps as you do on other systems. why? because hackers will be trying passwords, they'll try steal them from other places and if that is the same password as your car alarm, you might wake up the next morning
12:42 pm
and find your car is gone. that was cam munroe finishing dan's piece. dan, i can't get over the fact that these are companies that work in the security industry and they put security holes in their own product. i know, i know. it is a face palm moment. they are playing it very cool with their reactions too, by saying nothing to see here. we fixed the problem. thanks very much for letting us know. but really, we are paying hundreds of pounds to these companies to keep us safe and they left a backdoor wide open. this is one of the reasons why the security researchers that did this piece of work gave those companies just seven days to get their acts in gear. normally it is about 30 days for disclosure — give them a bit more time, work out what the problem is — but this needed sorting straightaway and in fairness they did a reasonably good job. ok, i'm sure there might be some
12:43 pm
people watching who say, should we even be broadcasting this technique and details about this technique because surely it will tell people how to crack into cars. right, and obviously we wouldn't if that vulnerability was still out there. it has been solved, it's been fixed by these two companies. pandora did it in four days. viper took five days before they reported back to us. we have checked their results and we now know their security holes are fixed. and that is why we could go into some details with viewers exactly how the researchers managed to break into the system. so this is a story just about car alarms. we are not talking about vulnerabilities in the actual driving of the car itself. but cars are becoming more automated, aren't they? they are starting to control various parts of the journey. any evidence that there are any vulnerabilities in that technology? when you hear a story like this, you get nervous as things get more and more automated. the trouble is, there is a security company that's dropped the ball here.
12:44 pm
now, if that were to happen with a car in control of the steering wheel, or the speed at which it is travelling while we are inside, you could imagine that the consequences would be much, much worse than the possibility of thieves pinching your car. yeah, ok, dan, thank you very much. brilliant report. drive safe, i guess. hello, and welcome to the week in tech. it was the week that huawei announced it is suing the us government, after they banned federal agencies from using the chinese firm's products over national security concerns. the manufacturer says no evidence has been provided to back up the suggestions and denies any connection to the chinese government. autonomous vehicle trials continue. volvo's 12-metre bus was unveiled this week in singapore and is ready to be tested on designated public roads. eventually, it's expected
12:45 pm
to help reduce traffic, pollution and, i guess, work for bus drivers. a robotic hand with haptic feedback has been developed. replicating the master robot's moves remotely, the shadow robot company's mission is to relay touch to its wearer, wherever they may be. and finally, meet this little, running, jumping, backflipping bot. but it's more about the fact that mit's mini cheetah is so springy and nifty on its feet that it can move in all directions twice as fast as a human's average walking pace. weighing in at just 20 pounds, it's pitched as almost indestructible. impressive, but i'd still rather have a head. now, as the six nations enters its fourth round and the rugby world cup looms — the safety of the sport is in the headlines once again.
12:46 pm
lara lewington has been looking at a piece of equipment which could offer key information to make the game safer. fast paced, heavy hitting, you wouldn't want to be in the way of one of these guys. and that's just the training. but impacts like this can really take their toll on both the tackled and the tackler. concussion and injury to the brain caused by a head impact is a serious issue in contact sport. it can lead to early retirement, or it can even prove fatal. concussion is trauma to the brain, either directly through a blow to the head, or transmitted from a blow from another part of the body. the symptoms of concussion are wide and variable,
12:47 pm
it can be from headaches, changing vision, blurred vision, sensitivity to light, sensitivity to noise, you can feel nauseous, you can get neck pain. it's important that you identify that so that you get the diagnosis correct and you get the proper treatment. the ospreys, a professional team in south wales, are one of the first to use technology to gather data aiming to deal with this kind of injury in the future. protect is a gumshield fitted with sensors to monitor impacts to the head. we've made these bespoke mouthguards, so each of these mouthguards is really tightly coupled to the player's teeth, so a dentist comes in and takes the impressions, that when they have a head impact, the mouthguard's actually moving with the skull, so you're getting really good, accurate skull acceleration. as far as us players go, it's just another mouthguard, and you don't really feel it,
12:48 pm
in your mouth, so obviously the chips and things, like i say, it's just another mouthguard and you don't realise. fitted with accelerometers and gyroscopes, the device measures the force that the skull is subjected to during training and games. so one of the biggest problems with rugby union is the second impact syndrome. so that's the one that can be fatal. what this would help to reduce is the incidence of second impact syndrome. so a medic on the sideline can have a look at that and go ok, maybe it's time we brought them off. it gives them an extra object, a source of information to base their decisions on. the result can be fed in real time to medics on the sidelines to decide on the best course of action if there's an incident. whilst it can't detect whether this has resulted in a concussion, the medics can keep an eye on the data to judge players who may be at risk. and in the long-term, this information also provides an opportunity to learn
12:49 pm
the correlation between an impact and its effect. we can go into the individual player's impacts and start to look at the shape of the impacts themselves, both in terms of linear and rotational acceleration. so that becomes quite important because of the cumulative impact of concussion, so we're really trying to understand here what might have happened in the past that will influence the future. if you think about today, the way players are observed for head injuries is typically what happens is that it's very visual. what we're adding is a layer of data, so it very much is an additive thing that starts with visual, adds data, and that gives you a much more confident answer to both parts. but does wearing this kind of device provide any reassurance for the players? yeah, i don't know about that. if you've got a big guy coming down the channel, i think, it's going to be the same whether you have it in or you don't
12:50 pm
but like i say, if you've got a big collision, you know, you can look back and understand how big it was and feed back the data and get a better understanding of it. so whilst it may not prevent the incident or the damage, it could mean a chance for the speediest intervention possible. old, unwanted cassette tapes lying around?


Uploaded by TV Archive on