UEFI-Hacked

Gigabytes The Dust With UEFI Vulnerabilities

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. Gigabyte are preparing to release firmware updates as a matter of urgency for only one of the affected models, the GB-BSi7H-6500 (firmware vF6), while leaving the GB-BXi7-5775 (firmware vF2) unpatched as it has reached its end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth fixing the problem and keeping your reputation.

The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte: they didn’t enable write protection for their UEFI flash (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or signature and not using HTTPS in the firmware update process, relying instead on its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.
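The two flaw classes above each have a simple defender-side check. The first is the one tools such as CHIPSEC perform: read the chipset's BIOS_CNTL register and confirm that flash writes are disabled and both lock bits are set. The second is what a firmware updater should do before it applies anything it downloaded: refuse plain HTTP and compare the image against a digest pinned out-of-band. The block below is an added example, not Gigabyte's, Cylance's or CERT's code; the BIOS_CNTL bit positions are those documented for Intel 6/7/8-series PCHs and are an assumption you should confirm against your chipset's datasheet, and the sample image and its pin are constructed.

```python
"""Two defender-side checks corresponding to the flaws described above:
(1) is SPI flash write protection actually engaged, and (2) does a firmware
update pass transport and integrity checks before it is applied.

Added example, not Gigabyte's, Cylance's or CERT's code. The BIOS_CNTL bit
positions follow Intel PCH datasheets (6/7/8-series); treat them as an
assumption and confirm them for your chipset.
"""
import hashlib
import hmac
from urllib.parse import urlparse

BIOSWE = 1 << 0    # BIOS Write Enable: flash writes allowed while set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured when issued from SMM


def decode_bios_cntl(value: int) -> dict:
    """Split a BIOS_CNTL register value into its protection-relevant flags."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def flash_write_protected(value: int) -> bool:
    """True only when writes are disabled and both locks are set.

    BLE on its own is not enough: the SMI that re-clears BIOSWE can be raced
    from another core, so a properly configured platform also sets SMM_BWP.
    """
    f = decode_bios_cntl(value)
    return (not f["BIOSWE"]) and f["BLE"] and f["SMM_BWP"]


def check_update(url: str, image: bytes, expected_sha256: str) -> tuple:
    """Gate an update on (a) an HTTPS transport and (b) a digest pinned
    out-of-band, compared in constant time. Returns (accepted, reason).
    A production updater would also verify the vendor's signature over the image.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return (False, f"transport {scheme!r} is not https")
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return (False, "sha256 mismatch: image was altered or the pin is wrong")
    return (True, "ok")


# Constructed sample image and its pinned digest (not a real firmware file).
SAMPLE_IMAGE = b"constructed firmware image for demonstration only"
SAMPLE_PIN = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    for reg in (0x00, 0x02, 0x22, 0x23):
        print(f"BIOS_CNTL=0x{reg:02x} {decode_bios_cntl(reg)} "
              f"protected={flash_write_protected(reg)}")
    print(check_update("http://updates.example/fw.bin", SAMPLE_IMAGE, SAMPLE_PIN))
    print(check_update("https://updates.example/fw.bin", SAMPLE_IMAGE, SAMPLE_PIN))
    print(check_update("https://updates.example/fw.bin", SAMPLE_IMAGE + b"\x00", SAMPLE_PIN))
```

On a real machine the register value would come from a PCI config read of the LPC bridge (CHIPSEC's `bios_wp` module does exactly this), and the protected-range registers in the SPI controller should be checked as well; the digest pin stands in for the signature verification the BRIX updater lacked.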

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.

Hackaday Prize Entry: Micro Matrix Charlieplexed Displays

If you need a very thin, low power display that doesn’t use a whole bunch of pins on your microcontroller, [bobricius] has just the thing for you. His entry to the Hackaday Prize this year is a Charlieplexed LED display. With this board, you can drive 110 LEDs using only 11 GPIO pins.

Charlieplexing is a bit of a dark art around these parts. That’s not to say the theory is difficult; it’s really just sourcing or sinking current from a GPIO pin and arranging LEDs anti-parallel to each other between pairs of pins. The theory is one thing, implementation is another. To build a Charlieplexed LED matrix, you need to go a bit crazy with the PCB layout, and god help you if you’re doing this point-to-point on a perf board.

Somehow, [bobricius] managed to fit 110 LEDs on a PCB, all while managing to break out those signal wires to a sensible set of pads on one side of the board. Only eleven pins are required to drive all these LEDs, making this project a great foundation for some very cool wearables or other projects that require a bright, low-res display.

Since [bobricius] can put 110 LEDs on a small board, he can obviously take LEDs away from that board. That’s what he did with his cut down version designed to be a clock. Both are great little boards, and the perfect solution for tiny displays for low-pin-count micros.
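The pin arithmetic behind the 11-pins-to-110-LEDs figure is easy to work through in code: every ordered pair of pins (anode, cathode) addresses one LED, so n pins give n(n-1) LEDs, and lighting one means driving exactly that pair high and low while every other pin floats. The block below is an added example and not [bobricius]'s firmware; it models pin states as strings rather than touching real GPIO, and the row-at-a-time frame builder is the usual multiplexing scheme, assumed here rather than taken from his project.

```python
"""Charlieplex addressing for n GPIO pins: n*(n-1) LEDs, one per ordered
(anode, cathode) pin pair. Added example, not [bobricius]'s firmware.
Pin states: "H" = source, "L" = sink, "Z" = high impedance (input, no pull)."""
from itertools import permutations


def max_leds(n: int) -> int:
    """Number of LEDs addressable with n pins."""
    return n * (n - 1)


def charlie_pairs(n: int):
    """Every (anode_pin, cathode_pin) pair; the list index is the LED number."""
    return list(permutations(range(n), 2))


def pin_states(n: int, led: int):
    """Pin vector that lights exactly one LED: its anode high, its cathode low,
    everything else tri-stated so no other pair is forward biased."""
    anode, cathode = charlie_pairs(n)[led]
    states = ["Z"] * n
    states[anode] = "H"
    states[cathode] = "L"
    return states


def frame_by_anode(n: int, lit):
    """Row-at-a-time multiplexing: one pin vector per anode that has lit LEDs,
    with all of that anode's lit cathodes pulled low at once. Cycling through
    the returned vectors quickly enough displays the whole set.

    Caveat: the sourcing pin then carries the sum of the LED currents, so keep
    the per-row count within the GPIO's rating or compensate brightness."""
    pairs = charlie_pairs(n)
    by_anode = {}
    for led in lit:
        anode, cathode = pairs[led]
        by_anode.setdefault(anode, []).append(cathode)
    frames = []
    for anode in sorted(by_anode):
        states = ["Z"] * n
        states[anode] = "H"
        for cathode in by_anode[anode]:
            states[cathode] = "L"
        frames.append(states)
    return frames


if __name__ == "__main__":
    n = 11
    print(f"{n} pins -> {max_leds(n)} LEDs")
    print("LED 0 ->", "".join(pin_states(n, 0)))
    for row in frame_by_anode(n, {0, 1, 2, 15}):
        print("frame   ", "".join(row))
```

Reading the output as a string of H/L/Z per pin makes it obvious why the PCB routing gets hairy: every pin is sometimes an anode, sometimes a cathode and mostly floating, so every pin must reach every other pin's LEDs.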


The Shocking Truth About Transformerless Power Supplies

Transformerless power supplies are showing up a lot here on Hackaday, especially in inexpensive products where the cost of a transformer would add significantly to the BOM. But transformerless power supplies are a double-edged sword. That title? Not clickbait. Poking around in a transformerless-powered device can turn your oscilloscope into a smoking pile or get you electrocuted if you don’t understand them and take proper safety precautions.

But this isn’t a scare piece. Transformerless designs are great in their proper place, and you’re probably going to encounter one someday because they’re in everything from LED lightbulbs to IoT WiFi switches. We’re going to look at how they work, and how to design and work on them safely, because you never know when you might want to hack on one.

Here’s the punchline: transformerless power supplies are safely useable only in situations where the entire device can be enclosed and nobody can accidentally come in contact with any part of it. That means no physical electrical connections in or out — RF and IR are fair game. And when you work with one, you have to know that any part of the circuit can be at mains voltage. Now read on to see why!


Canary For USB Ports

If you’re a paranoid system admin, [errbufferoverfl] has your back with software that keeps track of whenever someone plugs in or disconnects a USB-based device from a workstation.

Christened USB Canary, [errbufferoverfl’s] tool is written in Python. However, even though Python is cross-platform, USB Canary only works on Linux currently. But, fret not: [errbufferoverfl] is already working on Windows and Mac versions.

Primarily, USB Canary watches USB connectors for any activity and logs anything it sees. Moreover, when a USB device is plugged in or unplugged, USB Canary can alert the owner of the workstation via an SMS message courtesy of the Twilio API, post a message in a Slack channel or even make a noise to alert a nearby sysadmin. Additionally, USB Canary can be configured to only run when the workstation is locked (if you’re not completely paranoid).

[errbufferoverfl’s] USB Canary was born out of dissatisfaction with current workstation monitoring tools. You see, most tools only notify users after someone has logged on. [errbufferoverfl] points out that there are means to automate attacks without logging in, and we can think of many unsavory things that can be done when logged out.

While USB Canary won’t protect you from -220V, it might at least warn of a BadUSB attack. But, for the really paranoid, why not try GoodUSB?

[via bleepingcomputer]
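The core of a tool like this is spotting attach and detach events in the kernel log and deciding which ones deserve a page. The block below is an added example and not USB Canary's code: it parses the messages the Linux USB core writes to dmesg (the sample lines are constructed in that format, not captured from a real host), folds the vendor/product IDs into the matching connect event, and applies the "only alert when the workstation is locked" rule the post describes plus an allow-list of known devices, which is an assumption of this example rather than a USB Canary feature.

```python
"""Detect USB attach/detach events in Linux kernel log lines and decide which
to alert on. Added example, not USB Canary's code."""
import re

# Constructed sample lines in the format the Linux USB core logs (not a real capture).
SAMPLE_DMESG = """\
[  123.456789] usb 1-1.2: new full-speed USB device number 5 using xhci_hcd
[  123.600000] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  123.601000] usb 1-1.2: Product: USB Receiver
[  180.000000] usb 1-1.2: USB disconnect, device number 5
[  200.000000] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  200.100000] usb 1-3: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
""".splitlines()

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
CONNECT_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): new [\w-]+(?: Gen \S+)? USB device number (?P<num>\d+)")
IDS_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
DISCONNECT_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")


def parse_usb_events(lines):
    """Return one dict per attach/detach, with vid/pid filled in for attaches
    once the kernel's follow-up 'New USB device found' line arrives."""
    events = []
    pending = {}  # port -> index of the connect event still awaiting its IDs
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if (c := CONNECT_RE.match(msg)):
            events.append({"ts": ts, "action": "connect", "port": c["port"],
                           "device": int(c["num"]), "vid": None, "pid": None})
            pending[c["port"]] = len(events) - 1
        elif (i := IDS_RE.match(msg)) and i["port"] in pending:
            ev = events[pending.pop(i["port"])]
            ev["vid"], ev["pid"] = i["vid"].lower(), i["pid"].lower()
        elif (d := DISCONNECT_RE.match(msg)):
            pending.pop(d["port"], None)
            events.append({"ts": ts, "action": "disconnect", "port": d["port"],
                           "device": int(d["num"]), "vid": None, "pid": None})
    return events


def filter_alerts(events, screen_locked, only_when_locked=True, allowlist=frozenset()):
    """Keep the events worth paging someone about. only_when_locked mirrors
    USB Canary's lock-screen-only mode; allowlist holds (vid, pid) pairs of
    known devices (an assumption of this example, not a USB Canary feature).
    Disconnects are never allow-listed: yanking a known device is still news."""
    out = []
    for ev in events:
        if only_when_locked and not screen_locked:
            continue
        if ev["action"] == "connect" and (ev["vid"], ev["pid"]) in allowlist:
            continue
        out.append(ev)
    return out


def format_alert(ev):
    """One-line message suitable for an SMS, Slack post or syslog entry."""
    ident = f"{ev['vid']}:{ev['pid']}" if ev["vid"] else "ids unknown"
    return (f"[t={ev['ts']:.3f}] USB {ev['action']} on port {ev['port']} "
            f"(device {ev['device']}, {ident})")


if __name__ == "__main__":
    for ev in filter_alerts(parse_usb_events(SAMPLE_DMESG), screen_locked=True):
        print(format_alert(ev))
```

In a running monitor the lines would come from `journalctl -k -f` or a udev listener rather than a string, and `screen_locked` from the session manager; the parsing and the alert policy stay the same, and the allow-list is what keeps a known mouse receiver from paging you at 3 a.m.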

How Many Parts In A Triumph Herald Heater?

This Herald is in much better condition than my 12/50 was. Philafrenzy [CC BY-SA 4.0]
What was your first car? Mine was a 1965 Triumph Herald 12/50 in conifer green, and to be frank, it was a bit of a dog.

The Triumph Herald is a small saloon car manufactured between about 1959 and 1971. If you are British your grandparents probably had one, though if you are not a Brit you may have never heard of it. Americans may be familiar with the Triumph Spitfire sports car, a derivative built on a shortened version of the same platform. It was an odd car even by the standards of British cars of the 1950s and 1960s. Standard Triumph, the manufacturer, had a problem with their pressing plant being owned by a rival, so had to design a car that used pressings of a smaller size that they could do in-house. Thus the Herald was one of the last British mass-produced cars to have a separate chassis, at a time when all other manufacturers had been producing monocoques for years.

My 12/50 was the sporty model; it had the high-lift cam from the Spitfire and a full-length Britax sunroof. It was this sunroof that was its downfall: by the time I had it, around a quarter century of rainwater had leaked in and rotted its rear bodywork. This, combined with the engine being spectacularly tired and the Solex carburetor having a penchant for flooding the engine with petrol, made it more of a pretty thing to look at than a useful piece of transport. But I loved it, tended it, and when it finally died irreparably I broke it for parts. Since then I’ve had four other Heralds of various different varieties, and the current one, a 1960 Herald 948, I’ve owned since the early 1990s. A piece of advice: never buy version 0 of a car.


How To Find A Twitter Account

[Ashley Feinberg] is not one to say no to a challenge. When James Comey (the current Director of the Federal Bureau of Investigation for the United States of America) let slip that he has a secret Twitter and Instagram account, [Ashley] knew what she had to do.

At the beginning, [Ashley] knew only a few things: (1) Comey had recently joined Twitter and (2) he only allows his “immediate relatives and one daughter’s serious boyfriend” to follow him. As such, [Ashley] deduced that “if we can find the Instagram accounts belonging to James Comey’s family, we can also find James Comey.”

To start, [Ashley] found the Instagram account of Comey’s 22-year-old son Brien, a basketball star at Kenyon College. Not fazed by Brien’s locked-down Instagram account, [Ashley] requested access to it in order to see the “Suggested for You” selections that are algorithmically generated from Brien Comey’s account. Sifting through the suggested accounts, [Ashley] found one that fit Comey’s profile: locked down with few friends. That account was named reinholdniebuhr. Not sure it was, in fact, James Comey, [Ashley] found Comey’s senior thesis on theologian Reinhold Niebuhr and televangelist Jerry Falwell as verification.

With Comey’s Instagram found, [Ashley] moved back to Twitter (something y’all can’t seem to get enough of). With only seven accounts on Twitter using some variation of “Reinhold Niebuhr” as a user name, [Ashley] was quickly able to narrow it down to one account (@projectexile7) via profiling, sealing the deal on an awesome hack-filled quest. Can’t get enough of social media? Don’t worry, you never have to be disconnected.

Hackaday.io User Reviews Six STM32 IDEs

One of the issues with getting started with any Arm-based project is picking a toolset. Some of us here just use the command line with our favorite editor, but we know that doesn’t suit many people; they want a modern IDE. But which one to choose? User [Wassim] faced this problem, evaluated six different options for STM32 and was kind enough to document his findings over on Hackaday.io.

Many of the tools are Windows-only and at least two of them are not totally free, but it is still a good list with some great observations. Of course, the choice of an IDE is a highly personal thing, but just having a good list is a great start.
