This week, Editor-in-Chief Elliot Williams and [former Assignments Editor] Kristina Panos stood around talking about the greatest hacks of the previous week. But first, we’ve got a contest running now through March 21st — the Low Power Challenge!
Kristina almost got What’s That Sound this week, but could only describe it as some sort of underwater organ, so still no t-shirt for her. But [BalkanBoy] knew exactly what it was — the Zadar Sea Organ in Croatia. Then it’s on to the hacks, beginning with the most beautiful sea of 7-segments you’ll likely ever see. We gush over a tiny PC in a floppy drive that uses custom cartridges, dish about an expressive synth that uses a flexure mechanism, and enjoy a loving ode to the vacuum fluorescent display.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
As society transitions toward renewable energy sources, energy storage inevitably comes to mind. Researchers at the University of Illinois at Urbana-Champaign have found one way to store renewable energy that re-purposes existing fossil fuel infrastructure.
While geothermal electricity generation shows a lot of promise, it’s currently limited to a select few areas where hot rock is close to the Earth’s surface. Advanced Geothermal Energy Storage (AGES) stores energy underground as heat and recovers it later, even in places without high subsurface temperatures. For this study, the researchers located an old oil well and instrumented it with “flow meters, fiber optic
distributed temperature sensing (DTS) cable, surface pressure and temperature gauges, and downhole pressure and temperature gauges to monitor the thermal and hydraulic changes during the injection test.”
This field study found that AGES system efficiency could be as high as 82% and yield an “economically viable” levelized cost of electricity (LCOE) of $0.138/kWh. Using existing deep hole infrastructure speeds up site selection and deployment of AGES when compared to developing on an undisturbed location, making this a very interesting way to deploy grid-scale storage rapidly.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. Tthe first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allow for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
Arrrrr
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by Lastpass. And with this latest hack, the entire database of K2 secrets were exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
The Ring Alien
Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notable the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond it’s assigned data. It’s unclear weather that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.
[Mike Harrison] has an upcoming project which will combine a large number of flip-dot displays salvaged from buses. [Mike] thought he knew how these things worked, and had a prototype PCB made right away. But while the PCB was being manufactured, he started digging deeper into the flip-dot’s flipping mechanism.
As he dismantled one of the flip-dots, he realized there was a lot going on under the hood than he realized. The dots are bistable — staying put when power is removed. This is achieved with a U-shaped electromagnet. The polarity of a driving pulse applied to the coil determines which way to flip the dot and saturates the electromagnet’s core in the process. Thus saturated, each dot is held in the desired position because the black side of the dot is made from magnetic material. But wait, there’s more — on further inspection, [Mike] discovered another permanent magnet mounted in the base. He’s not certain, but thinks its job is to speed up the flipping action.
Besides curiosity, the reason [Mike] is studying these so closely is that he wants to build a different driver circuit to have better and faster control. He sets out to better understand the pulse waveform requirements by instrumenting a flip-dot and varying the pulse width and voltage. He determines you can get away with about 500 us pulses at 24 V, or 1 ms at 12 V, much better that the 10 ms he originally assumed. These waveforms result in about 60 to 70 ms flip times. We especially enjoyed the slow-motion video comparing the flip at different voltages at 16:55 in the video after the break.
[Mike] still has to come up with the optimum driving circuit. He has tentatively has settled on a WD6208 driver chip from LCSC for $0.04/ea. Next he will determine the optimum technique to scale this up, deciding whether going for individual pixel control or a multiple sub-array blocks. There are mechanical issues, as well. He’s going to have to saw off the top and bottom margin of each panel. Reluctant to unsolder the 8500+ joints on each panel, his current idea is to solder new controller boards directly onto the back of the existing panels.
This video is a must-watch if you’re working on drivers for your flip-dot display project, and we eagerly look forward to any future updates from [Mike]. We also wrote about a project that repurposed similar panels a couple of years ago. There are a few details that [Mike] hasn’t figured out, so if you know more about how these flip-dots work, let us know in the comments below.
The possibility of a table saw accident is low, but never zero — and [Nerdforge] has lost a finger to this ever-useful but dangerous contraption. For a right-handed person, losing the left hand pinky might not sound like much, but the incident involved some nerve damage as well, making inaccessible a range of everyday motions we take for granted. For instance, holding a smartphone or a pile of small objects without dropping them. As a hacker, [Nerdforge] decided to investigate just how much she could do about it.
On Thingiverse, she’s hit a jackpot: a parametric prosthetic finger project by [Nicholas Brookins], and in no time, printed the first version in resin. The mechanics of the project are impressive in their simplicity — when you close your hand, the finger closes too. Meant to be as simple as possible, this project only requires a wrist mount and some fishing line. From there, what could she improve upon? Aside from some test fits, the new finger could use a better mounting system, it could stand looking better, and of course, it could use some lights.
For a start, [Nerdforge] redesigned the mount so that the finger would instead fasten onto a newly-fingerless glove, with a few plastic parts attached into that. Those plastic parts turned out to be a perfect spot for a CR2032 battery holder and a microswitch, wired up to a piece of LED filament inserted into the tip of the finger. As for the looks, some metal-finish paint was found to work wonders – moving the glove’s exterior from the “printed project” territory into the “futuristic movie prop” area.
The finger turned out to be a resounding success, restoring the ability to hold small objects in ways that the accident made cumbersome. It doesn’t provide much in terms of mechanical strength, but it wasn’t meant to do that. Now, [Nerdforge] has hacked back some of her hand’s features, and we have yet another success story for all the finger-deficient hackers among us. Hacker-built prosthetics have been a staple of Hackaday, with the OpenBionics project in particular being a highlight of 2015 Hackaday Prize — an endearing demonstration of hackers’ resilience.
