This Week In Security: Another Record Patch Tuesday, LAME Is More Secure, Secure Boot Is Less Secure, And Milk Malware

Following the reports last week using the Windows Global Device ID (GDID) in tracking a malware operators behavior, here is a comprehensive write-up about what goes into the GDID and how it is used. It’s worth noting that the GDID itself was not used to catch the malware operator, however once a suspect was identified, the GDID was used to correlate behavior across various Microsoft products on the Internet.

The GDID is generated and assigned during a Windows install, but a re-install of Windows will generate a new GDID. Developer [SmtimesIWndr] tracks the generation and tracking of the GDID through the various Windows libraries and services, identifying where it appears to be created and how it is passed to other services like Azure.

Worth noting is your GDID is a unique, personally identifiable piece of information; if you go exploring and extract it from your Windows install, be sure to keep it private!

LAME mp3 updates

Those of us who were around for the dawn of MP3 files may remember the LAME encoder and library. After almost 10 years, there is a new LAME release.

Notably, this includes two security fixes, one for a stack buffer overflow based on malicious input to the Blade encoder, and an integer underflow in the AIFF header parser. Both of the fixed bugs feel very old-school, which seems appropriate given the age of the library and most of the related code.

Buffer overflows impacting the stack are some of the simplest and most direct forms of vulnerabilities, where it is possible to write past the end of a buffer and control how the function returns and instead execute arbitrary code. Integer under-flows, similarly, impact memory management; usually caused by allowing a variable that stores the size of a buffer to go negative. Since sizes are typically unsigned positive numbers, a negative is interpreted as an enormous positive number, writing past the proper buffer length.

Despite the new findings, the LAME codebase has been extremely resilient over the years, and considering the number of programs that likely still use LAME under the covers to process audio, seeing the project wake up with security fixes is great news.

Recovering Passwords from BIOS

Researchers have found a vulnerability in Dell BIOS code that allows extraction of the administrator password from the BIOS flash chips, either with physical access via a flash programmer, or via administrator or root level access to the operating system and reading the contents of the flash chip.

Dell used a 20 byte key to encrypt a 32 byte password field: for any admin password of 12 characters or fewer, the password is stored in completely plaintext. For longer passwords, characters beyond the first 12 are encrypted – but the random bytes are computed from the first character of the password mixed with fixed device data, yielding only 256 possible encryption seeds for the remaining bytes.

Using the BIOS admin password for evil requires local access, so the attack surface is small, however as the researchers note it controls the boot order and may allow an attacker with physical access to then boot an unsigned OS or bypass full-disk encryption, so it’s serious.

Continue reading “This Week In Security: Another Record Patch Tuesday, LAME Is More Secure, Secure Boot Is Less Secure, And Milk Malware”

EU Adds Exemptions To User-Serviceable Batteries Rules

Built-in batteries put a timebomb inside devices, with especially the calendar aging feature of Li-ion chemistries setting a hard limit on when you’ll have to toss the device or figure out a way to replace the battery somehow. Here the EU’s Battery Regulation policy with the 2027 implementation of the user-serviceable battery requirement provided a lot of hope. Now six new categories of exemptions are diminishing what could have been a bonanza of easy repairability.

Most notable here are smartwatches, fitness trackers, wireless earbuds and other so-called ‘wet devices’, which as GSMArena also notes is an area where having a user-replaceable battery might affect features like being water-resistant. Something which is also relevant for e.g. outdoor wireless speakers. There’s also a new exemption for smartphones, where if its battery retains at least 83% of its original capacity after 500 charge cycles, battery replacement has to be only replaceable by professionals. Which is probably code for ‘glue, hotplates and prying tools’.

Considering just how daft of an idea built-in batteries are, this is somewhat disappointing to see. While it’s understandable that ‘wet devices’ get such broad exemptions, it should be noted here that advanced technologies like gaskets are neither complicated nor expensive. You can even hand the average user a tube of RTV silicone and let them go to town on a part in the happy knowledge that there’s never such a thing as ‘too much’ RTV silicone.

It is likely that there was some pressure from the industry on the EU to not change too much, but at the very least us happy few in the EU will be getting a new Nintendo Switch 2 with easily replaced battery in both the main unit and its controllers. For the average rechargeable device you keep kicking around the house this should also still apply as long as its manufacturer cannot squeeze it into one of these exemption categories.

The Right to Repair battles shall continue.

Wireless LCD Streaming For The ANENG AN870 Multimeter

Having the information shown on the display of a digital multimeter also recorded off-screen can be incredibly useful, but unless the device exposes something like SCPI on a network interface, you will have to get creative. In the case of the budget ANENG AN870 digital multimeter (DMM), [Bits und Bolts] really wanted to show its display clearly as an overlay in OBS instead of just the camera view, but with said DMM not offering an easy way he had to resort to just copying the data sent to its multiplexed LCD.

The GitHub project page contains the background information, as well as the instructions if you too have this DMM. It might of course also be useful as the jumping off point for your own DMM modification. In total the project requires three modules: an RP2040 Zero and HC-12 433 MHz transceiver on the DMM side, and another HC-12 plus ESP32-C3 module on the receiving side. A boost module is also added to generate 3.3 V out of the 2.4 V – 3 V provided by the meter’s two AA cells.

To be able to read the LCD signal lines, a custom PCB was created that is installed inside the DMM. With the LCD’s segments mapped, this meant being able to send a perfect copy of the display’s state to the ESP32-C3 and from there making it available via WiFi.

Continue reading “Wireless LCD Streaming For The ANENG AN870 Multimeter”

A person's hand is shown holding a glass flask in a dark room. An orange-red glow is emanating from the flask in a patches, forming a splash-like pattern near the base of the flask.

A Sloshing-Mercury-Powered Neon Light

In 1675, while transporting a barometer by night, the astronomer Jean Picard noticed a glow inside its glass tube, just above the mercury. As the mercury sloshed and splashed across the surface of the glass, a static electric charge had built up, which was discharging by ionizing the residual gas molecules inside the evacuated tube. [Styropyro] recreated this effect, and found that the dim glow could be made much stronger by adding some noble gas to the tube.

It starts with a simple recreation: he took a volumetric flask, attached a narrow glass stem to the mouth, added some mercury to the flask, evacuated it with a vacuum pump, and sealed off the glass stem. This produced a faint glow when shaken, but it was only really visible under very low light. When [Styropyro] brought it near a Tesla coil, however, it did glow much more brightly.

Backfilling an identical flask with neon to about 40 millitorr produced a much more spectacular result (a low pressure in the tube is necessary, but moderate pressure variations don’t significantly alter the effect). When shaken even slightly, this neon-containing flask produced a bright orange-red glow just above the surface of the mercury. Points of obstruction, such as those in a zig-zag tube, produced a brighter glow. A krypton-containing tube glowed blue, but less brightly than the neon tube.

Since this is, essentially, a triboelectric effect, other materials besides mercury should work; [Styropyro] tested several materials, and found that pieces of Teflon produced a faint glow, and copper beads a somewhat brighter glow. Unfortunately, Galinstan, the obvious replacement for mercury, wets and coats glass, preventing a charge buildup.

Without an added noble gas, the standard glow of barometric light comes from the excitation of mercury vapors, a glow which can also be seen in mercury rectifiers, and which excites the phosphors of fluorescent light bulbs.

Continue reading “A Sloshing-Mercury-Powered Neon Light”

A rail sprayer somewhere on Union Pacific tracks

White Rails Are The Infrastructure Hack We Didn’t Know We Needed

Railroads might be a nineteenth century technology, but they’re still the backbone of cargo transportation in the 21st century. They’ve also far from run out of innovation, including this one which really just sounds like a hack: painting the rails white to beat the heat.

In the old days, when rails were short and riveted together, this might have been unecesssary; all those joints allowed for a lot of flex. But when you have kilometers of continously welded rail, the thermal expansion starts to matter. A lot. Even if the rails haven’t bent and buckled from excess heat, their capacity goes down. Trains must therefore slow way, way down in hot weather, reducing the overall amount of freight the system can handle.

So, how do you cool the million miles of metal that holds a country together? Paint. Simple white paint sprayed on the side of the rails can bring down temperatures 11 °C (20 °F), according to the Union Pacific Railroad, the first to try this in North America. It might not surprise you that this technique is also being rolled out on the other side of the pond during this summer’s European heat waves. Indeed, it was invented there; the Italians have been doing it for many years now.

If you think reducing solar heat with white paint is good, you can do better than that with special formulations that end up cooler than ambient. It passive cooling also comes in fibre form.

A USB Port By Any Other Color…

[Dr. Gough] bought a generic USB 3.0 hub on an Asian website. Surely, USB 3 is mature enough that even the cheapest hub will have some IC in it that will work well, right? You’d think so, but a little exploratory surgery showed that the only thing about this hub that was USB 3 were the blue port connectors.

We have a few problem USB hubs ourselves, so it might be worth doing this to any you have lying around. The first clue: most of the connectors on the PCB only have four pins. On closer examination, the hub appears to be a USB 3.0 extension cable with a USB 2.0 hub made from two HS8836A chips.

Not only are these USB 2-only, but all the ports on an HS8836A also share the same USB 1.1 bandwidth. Some hubs can provide multiple ports full 1.1 bandwidth, using the higher-speed USB protocol to the PC as a backhaul.

Continue reading “A USB Port By Any Other Color…”

Bad Apple On A Karaoke Machine

CD+Graphics was a format that never really caught on. It let music discs pack some graphics, maybe liner notes, and mostly song lyrics into the otherwise empty space on a CD. It was never intended for displaying full-motion video, but that didn’t stop [Adam Gashlin] from getting a Bad Apple, with lyrics, running on any device that will play CD+G.

The main challenge is that CD+G gives you 300 screen commands per second, which is plenty for updating text on the 48×16 blocks as the lyrics scroll by. But if you want to send custom blocks and draw images, that’s 2.5 seconds per screen: a lousy framerate.

[Adam]’s first trick is to drop the resolution way down, which gets him into the 8 FPS range. Only update the blocks that change pushes this up to a respectable 17-20 FPS. But you can see the updates, and that’s distracting. It really needed buffering.

If you don’t know Bad Apple, it’s in black and white. And like many old graphics engines of the day, CD+G uses a dynamic palette of colors. [Adam] uses this to pack four frames into one, switching between them using palette swapping. (Absolutely check out his “rainbow” version of the video to see how the palette-swapping trick works.)

In the end, his demo has audio, triple-buffered video, and lyrics at 16.3 FPS. It’s slower than the fastest video-only version, but it looks so good, and [Adam]’s explanation of all of the graphics tricks he uses to get there is the real star of the show.

If you want to see Bad Apple running on yet more minimal hardware, how about a 16×2 LCD? Or a much more ridiculous implementation? How’s regexes in Vim for absurd? Got any Bad Apple hacks of your own? Let us know in the comments or the tips line. You can never have too many.