This Week In Security: ToTok, Edgium, Chrome Checks Your Passwords, And More

Merry Christmas and happy New Year! After a week off, we have quite a few stories to cover, starting with an unexpected Christmas gift from Apple. Apple has run an invitation-only bug bounty program for years, but it only covered iOS, and the maximum payout topped out at $200K. The new program is open to the public, covers the entire Apple product lineup, and has a maximum payout of $1.5 million. Go forth and find vulnerabilities, and make sure to let us know what you find.

ToTok

The United Arab Emirates had an odd policy regarding VoIP communications. At least on mobile networks, it seems that all VoIP calls are blocked — unless you’re using a particular app: ToTok. Does that sound odd? Is your “Security Spider Sense” tingling? It probably should. The New York Times covered ToTok, claiming it was actually a tool for spying on citizens.

While that coverage is interesting, there is more meat in [Patrick Wardle]’s research on the app. What’s most notable is the distinct lack of evidence in the app itself. Sure, ToTok can read your files, it uploads your contact book to a central server, and it tries to send the device’s GPS coordinates. That really isn’t far removed from what plenty of other apps already do, all in the name of convenience.

ToTok also appears to lack end-to-end encryption, which means whoever runs the app’s servers can listen in on calls at will. The lack of malicious code in the app itself makes it difficult to emphatically call it a spy tool, but in a market where every other VoIP app is blocked, it’s hard to imagine a better way to capture VoIP calls. Since those articles ran, ToTok has been removed from both Apple’s and Google’s app stores.

SMS Keys to the Kingdom

Have you noticed how many services treat your mobile number as a positive form of authentication? Need a password reset? Just type in the six-digit code sent in a text. Prove it’s you? We sent you a text. [Joakim Bech] discovered a weakness that takes this a step further: all he needs is access to a single SMS message, and he can control your burglar alarm from anywhere. Well, at least if you have a security system from Alert Alarm in Sweden.

The control messages are sent over SMS, which makes them fairly accessible to an attacker. The messages are AES-encrypted, but a series of errors seriously reduces the effectiveness of that encryption. The first error is the key: to build the 128-bit key, the app takes the user’s four-digit PIN and pads it with zeros, so there are only 10,000 possible keys, roughly 13 bits of entropy rather than 128. Even worse, there is no message authentication built into the system at all. An attacker with a single captured SMS message can brute-force the user’s PIN, modify the message, and send spoofed commands that are treated as valid.
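As an added illustration of those two flaws (this is not code from [Joakim Bech]’s research or from Alert Alarm, whose real message format is not shown here), the Python below pads a four-digit PIN into a key, recovers the PIN from a single captured message by trying all 10,000 candidates, forges a command the panel accepts, and then shows the same tampering being rejected by a design with a random per-device key and an HMAC tag. The cipher is a stand-in HMAC-SHA256 keystream so the example runs on the standard library alone; the nonce, the `CMD:` message prefix, the PIN value and the key sizes are assumptions made for the demonstration.

```python
import hashlib
import hmac
import itertools
import secrets


def key_from_pin(pin: str) -> bytes:
    """Key derivation as the write-up describes it: the four-digit PIN padded with
    zeros to 16 bytes. Whatever cipher sits behind it, only 10,000 keys are possible."""
    return pin.encode().ljust(16, b"\x00")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher built from an HMAC-SHA256 keystream. Assumption: used only
    so the example runs without third-party AES libraries; the real system uses AES, and
    the flaws shown here (tiny key space, no authentication) do not depend on the cipher."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


# The vulnerable design: PIN-derived key, no message authentication.
def weak_encrypt(pin: str, nonce: bytes, command: bytes) -> bytes:
    return keystream_xor(key_from_pin(pin), nonce, command)


def weak_decrypt(pin: str, nonce: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key_from_pin(pin), nonce, ciphertext)


def brute_force_pin(nonce: bytes, captured: bytes, known_prefix: bytes = b"CMD:"):
    """Recover the PIN from one captured message. Assumption: commands share a guessable
    prefix, so a candidate key is confirmed when the decryption looks like a command."""
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        if weak_decrypt(pin, nonce, captured).startswith(known_prefix):
            return pin
    return None


# A hardened design: a random 256-bit key provisioned at pairing (never derived from the
# PIN), split into an encryption half and a MAC half, with an HMAC tag over nonce+ciphertext.
def hardened_encrypt(device_key: bytes, nonce: bytes, command: bytes) -> bytes:
    ciphertext = keystream_xor(device_key[:16], nonce, command)
    tag = hmac.new(device_key[16:], nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def hardened_decrypt(device_key: bytes, nonce: bytes, message: bytes) -> bytes:
    ciphertext, tag = message[:-32], message[-32:]
    expected = hmac.new(device_key[16:], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("message authentication failed; command rejected")
    return keystream_xor(device_key[:16], nonce, ciphertext)


def demo():
    """Returns (recovered PIN, what the panel decrypts from the forged message,
    whether the hardened design rejects a tampered message)."""
    nonce = bytes(8)  # assumption: messages carry a nonce; fixed here for the demo
    captured = weak_encrypt("4711", nonce, b"CMD:ARM")  # one SMS sniffed from the victim
    pin = brute_force_pin(nonce, captured)
    forged = weak_encrypt(pin, nonce, b"CMD:DISARM")
    panel_sees = weak_decrypt("4711", nonce, forged)  # accepted as genuine: no MAC to fail

    device_key = secrets.token_bytes(32)
    genuine = hardened_encrypt(device_key, nonce, b"CMD:ARM")
    tampered = bytes([genuine[0] ^ 0x01]) + genuine[1:]  # flip one ciphertext bit
    try:
        hardened_decrypt(device_key, nonce, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return pin, panel_sees, rejected


if __name__ == "__main__":
    print(demo())
```

Note that a slow KDF would not rescue the original design: 10,000 PINs are still 10,000 keys, so the key material has to come from somewhere other than the PIN, and the authentication tag is what actually stops a captured message from being edited and replayed.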

Microsoft Chrome

You may have seen the news: Microsoft is giving up on its own Edge browser code and will soon ship a Chromium-based Edge. While that has been a source of entertainment all on its own, some have already begun taking advantage of the new bug bounty program for Chromium Edge (Edgium?). It’s an odd bounty program, in that Microsoft has no interest in paying for bugs found in Google’s code. As a result, only bugs in Edge-exclusive features qualify for a payout from Microsoft.

As [Abdulrahman Al-Qabandi] puts it, that’s a very small attack surface. Even so, he managed to find a vulnerability that qualified, and it’s a unique one. One of the additions Microsoft has made to Edgium is a custom new tab page. Like other browsers’ new tab pages, it shows the user their most visited websites. The problem is that each site’s title is rendered on that page without any sanitization or escaping. If your site’s title happens to include JavaScript, that too is injected into the new tab page: a classic stored cross-site scripting bug, except that the page it lands on is part of the browser itself.

The full exploit has a few extra steps, but the essence is that once a website makes it onto the new tab page, it can take over that page, and maybe even escape the browser sandbox.

Chrome Password Checkup

This story is a bit older, but it really grabbed my attention. Google has rolled out a feature in Chrome that automatically compares your saved passwords against past data breaches. How does that work without being a security nightmare? It’s clever. A three-byte hash prefix of each username is sent to Google and compared against the prefixes of compromised accounts, which narrows things down to a bucket of possible matches without telling Google who you are. Your saved credential, hashed and already encrypted with a key only your machine knows, is encrypted a second time by Google with its own key and sent back along with that bucket of possible matches, also encrypted with the same Google key. The clever bit is that the encryption scheme is commutative: once your machine strips its own layer from the doubly-encrypted credential, it holds two sets of values, both encrypted under only the Google key. Since that encryption is deterministic, the encrypted values can be compared directly without ever being decrypted. In the end, your passwords aren’t exposed to Google, and Google hasn’t given away its breach data set either.
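The exchange described above, written out as an added example (this is not Google’s code, and not the exact parameters of the Chrome feature): a commutative exponentiation cipher modulo a prime stands in for Google’s blinding scheme, SHA-256 and SHA-512 stand in for the real credential hashing, and the leaked credentials are constructed for the demo. The function names, the way the three-byte prefix is taken, and the choice of prime are all assumptions made here.

```python
import hashlib
import secrets
from math import gcd

# Exponentiation "cipher" E_k(m) = m^k mod P. Encrypting under two keys commutes,
# E_b(E_a(m)) = E_a(E_b(m)), and a party that knows a can strip its own layer again.
# P = 2^255 - 19 is prime and easy to write down; a production system would use a
# prime-order group (assumption made for this demonstration only).
P = 2**255 - 19
PREFIX_BYTES = 3  # the write-up says Chrome sends a three-byte hash of the username


def hash_to_group(data: bytes) -> int:
    """Map bytes to an element of [2, P-1] (simplified stand-in for the real hashing)."""
    h = int.from_bytes(hashlib.sha512(data).digest(), "big") % P
    return h if h > 1 else 2


def random_key() -> int:
    """An exponent coprime to P-1, so that its inverse, and hence unblinding, exists."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and gcd(k, P - 1) == 1:
            return k


def encrypt(m: int, k: int) -> int:
    return pow(m, k, P)


def strip_layer(c: int, k: int) -> int:
    """Undo one encryption under k: (m^k)^(k^-1 mod P-1) = m mod P, since m^(P-1) = 1."""
    return pow(c, pow(k, -1, P - 1), P)


def username_prefix(username: str) -> bytes:
    return hashlib.sha256(username.lower().encode()).digest()[:PREFIX_BYTES]


def credential_element(username: str, password: str) -> int:
    return hash_to_group(username.lower().encode() + b"\x00" + password.encode())


class BreachServer:
    """Holds leaked credentials encrypted under the server key, bucketed by prefix."""

    def __init__(self, leaked_credentials):
        self.key = random_key()
        self.buckets = {}
        for user, pw in leaked_credentials:
            self.buckets.setdefault(username_prefix(user), []).append(
                encrypt(credential_element(user, pw), self.key))

    def query(self, prefix: bytes, blinded: int):
        """The server sees only a 3-byte prefix and a blinded element. It adds its own
        encryption layer to the element and returns the whole bucket for that prefix."""
        return encrypt(blinded, self.key), self.buckets.get(prefix, [])


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    client_key = random_key()
    blinded = encrypt(credential_element(username, password), client_key)
    doubly_encrypted, bucket = server.query(username_prefix(username), blinded)
    server_only = strip_layer(doubly_encrypted, client_key)
    return server_only in bucket  # deterministic encryption makes plain comparison work


# Constructed sample data for the demonstration, not real breach data.
LEAKED = [("alice@example.com", "hunter2"),
          ("bob@example.com", "correct horse battery staple")]


def demo():
    server = BreachServer(LEAKED)
    return (check_credential(server, "alice@example.com", "hunter2"),   # breached
            check_credential(server, "alice@example.com", "Hunter2!"),  # same user, new password
            check_credential(server, "carol@example.com", "hunter2"))   # user not in the data


if __name__ == "__main__":
    print(demo())
```

The two properties the paragraph relies on are visible in the code: the server never sees the client’s element unblinded, and the client never sees the bucket under anything but the server key, yet both halves end up under the same deterministic key so equality can be tested with a plain comparison.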

The Password Queue

Password changes are a pain, but not usually this much of one. A university in Germany suffered a severe malware infection and took the precaution of resetting the password on every student’s account. Their solution for bootstrapping those password changes? Students had to come to the office in person with a valid ID to receive their new passwords. The school cited German legal requirements as the primary reason for the unusual approach. Still, you can’t beat that for a secure delivery method.

HoloLens Brings Video Game Kart Racing To Life

There aren’t a lot of video game experiences we can easily recreate in the physical realm. You’ll quickly find that jumping on mushrooms in the real world doesn’t have nearly the same appeal as it does in Super Mario, and we won’t even get into the dangers of trying to recreate Frogger on your local multi-lane. But video game style go-kart racing? We have all the technology to pull that off, somebody just has to put all the pieces together.

Which is precisely what [Ian Charnas] is trying to do with his latest project. Using Microsoft’s HoloLens augmented reality headset, electric go-karts, 433 MHz wireless transceivers, and some Arduinos sprinkled in, he’s created the closest thing to Mario Kart that we flesh-and-blood mortals are likely to experience anytime soon.

The HoloLens headset worn by each driver overlays the necessary graphical elements like pickups and weapon effects, as well as puts over-the-top cartoon heads on the other racers. But of course, that’s only half of the story. Seeing the pickups and gadgets doesn’t do you any good if they don’t have any effect on the actual race.

To that end, [Ian] has come up with a way to control the performance of the go-karts using an electronic “backpack” that mounts to each kart. So speed boosting pickups actually make the kart go faster, and if a driver gets hit with a weapon fired at them, they get slowed down.

That’s the high-level version, anyway. There’s obviously a lot going on behind the scenes, some of which is detailed on the Hackaday.io page. One of the interesting notes is that the HoloLens needs visual markers to orient itself, which in the video after the break can be seen as black and white posters dotting the walls alongside the track. As the project progresses, [Ian] is hoping that these can be camouflaged in creative ways (such as being made to look like audience members or checkered flags) to make the overall experience more immersive.

According to [Ian], the next step is to find partners who want to help elevate this from a one-off project to something that you might actually see at an amusement park. We wish him luck, if for no other reason than we really want to play the thing ourselves. In the meantime, we’ll have to settle for racing hacked Power Wheels.


A Programming Language That Lets You Code With Pixels

This programming language gives you programs that resemble modern art. Fortunately, that’s a feature of the language, dubbed Piet after the famed abstract painter Piet Mondrian.

The language uses 20 distinct colors: 18 made from six hues (red, yellow, green, cyan, blue, magenta) at three lightness levels (light, normal, dark), plus black and white. Code is formed from images made of these colors, with the color of each pixel carrying information. A single stack holds the data values, which are integers that can be read or printed as Unicode characters with the appropriate commands.

Colored blocks carry the program’s values (the number of codels in a block is the number it pushes), while black blocks act as walls and white blocks are free zones the interpreter passes through. The interpreter slides from block to block in the direction of the Direction Pointer (DP), and the change in hue and lightness between one block and the next selects the command to execute.

To execute a program, the Piet interpreter begins in the upper-left codel (an individual block of color) of the image, with the DP initially pointing right and a Codel Chooser (CC) initially pointing left. As execution proceeds, commands and blocked paths rotate the DP through right, down, left, and up, and flip the CC between left and right.

There is currently a small community of coders developing sample programs, interpreters, IDEs, and compilers for the language. You can check out some of the sample programs here.

Prolific Videos Show Altair 8800 Recreation

The January 1975 issue of Popular Electronics introduced the Altair 8800 and hit the newsstands in December of 1974, so it is only natural that around the New Year people start thinking about the old computer. [Shadowtron] did more than think about it. He ordered some replica PCBs and is building a new one. Even better, he’s posted an amazing number of videos (up to number 56 as I write this) detailing his progress. You can find part 1 below.

The boards are from Trailing Edge Technology. There’s a backplane board (about $100) as well as a few boards to fit it available for about $30 each — unpopulated, of course.


LC Oscillators, Animated

We wish that all the beautiful animations available today for understanding math and electronics had been around when we were in school. Nonetheless, they are there for today’s students, and [Learn Engineering] has another gorgeous one covering LC oscillation. Check it out below.

If you are thoroughly grounded — no pun intended — in LC circuits, you probably won’t learn anything new. However, the animations are worth watching, just to admire them, if nothing else.


A Wireless Method For Pressing Tofu

Tofu is a common food in East and Southeast Asian cuisines, and it has been making its way around vegetarian circles as a meat substitute. While it may be a more environmentally friendly source of protein than meat, it has the unfortunate side effect of being fairly tedious to cook: to reach the right consistency, tofu needs hours of pressing to drain excess water, more than most amateur cooks have patience for.

A team of students at HackMIT developed a contraption that incrementally presses tofu for you, started by a signal sent over WiFi. Several 3D-printed components extend an existing food container, along with a stepper motor, a motor shield, an Adafruit Feather HUZZAH, and a screen.

Once a signal arrives from a mobile application, the motor turns at 30 RPM, rotating four connected threaded rods. The tofu tray travels upward to press against its lid, draining out excess water. A central gearbox contains complementary cutouts that allow the tofu platform to travel vertically as the shafts rotate, pushed by nuts below the platform. The students also included a screen showing the time remaining, as well as a notification sent to the user once the tofu is finished pressing.

It’s certainly a useful solution that will hopefully increase the popularity of tofu-based recipes!

DIY Trommel Sifts Compost In Style

Composting is a great idea that helps you and the planet at the same time. But all that stuff is going to break down at different rates, and depending on what you put in there and how soon you want to use the compost, you’ll probably have to sift out some unwanted stuff first.

[Minnear Knives] had a bunch of apricot stones in his compost pile, and it was the pits. He did some research and decided to build his own rotary trommel to tumble out the trash. As you will see in the video after the break, it works really well. All he has to do is turn on the motor and shovel raw compost or dirt into one end. Bad stuff tumbles out the other end into a wheelbarrow, while the good stuff is sifted down into a pile under the cylinder. Just look at that rich, fluffy compost.

The best part is that he was able to make it mostly from stuff he had lying around, though he did trade some beer for the v-belt pulley. The cylinder is essentially made from mesh that’s zip-tied to bicycle rims. A 1/4 horsepower motor mounted up top uses that v-belt pulley to spin the cylinder’s rims against casters that are mounted to the frame. Thanks to the pair of bike wheels on the back, he can cart it around the ranch unassisted.

Composting doesn’t have to be any more difficult than a pile in the backyard. But if you don’t have a backyard, why not build a rotating bin that you can monitor from your phone?
