This Week In Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), And Confusing NPM Malware

The Januscape vulnerability allows a user in a guest VM managed by the Linux Kernel Virtual Machine (KVM) to corrupt memory in the host system and break out of isolation.

KVM virtualization is used by major hosting platforms like Amazon AWS, Google GCP, Digital Ocean, and many more. All of the shared hosting platforms count on virtualization to isolate untrusted guest systems from the physical hardware and each other; being able to corrupt memory for all guests or break isolation presents a major threat.

The bug report says the error has been present for 16 years, which is nearly the entire lifetime of the KVM subsystem in Linux. Fixes are available in mainline, and major hosting providers who count on KVM are likely already updating.

Vulnerabilities In Balcony Solar

Micro solar, or “balcony solar”, installs have been gaining traction in Europe as a way to offset rising electrical costs by connecting solar and battery systems to a house or apartment power system.

Vulnerabilities have been found in the popular Hoymiles micro-inverter, which uses a proprietary RF radio protocol to manage the devices. Unfortunately, it looks like this protocol has no encryption or authentication beyond validating the serial number, and the serial number is also available over a wireless probe command.

Armed with a Nordic nRF radio researchers were able to discover nearby inverters in the wild and collect the serial numbers, though of course they stopped short of issuing commands to random users.

The wireless management control allows controlling the device power and output levels, as well as setting a lockout PIN, which the researchers suspect could be used to disable devices and lock the legitimate owners out completely.

There are an estimated 500,000 units in use, and currently the only known mitigation is to unplug the device entirely and disconnect the solar panels, though the team suggests that setting an anti-theft PIN may also help – or at least prevent an unknown PIN being set.

Be sure to check out the link for an in-depth analysis of the protocol and the surprising lack of protection.

Continue reading “This Week In Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), And Confusing NPM Malware”

Browser-Based Image Inpainting Runs Locally, If One Doesn’t Mind A Big Download

[Simon Willison] ported the Moebuis 0.2B image inpainting model to run locally in a web browser.  The web tool simply requires a user to provide an image, mark a section of it to be removed, and the model will do it’s best to patch up the missing area. The project was handled by Claude Code as an experiment in how things in the AI coding world have evolved, but more on that in a moment.

The existence of this tool shows that it’s possible for this kind of image editing to be done on the client side, running entirely locally with no reliance on remote services or server-side GPU resources. The online demo (GitHub repository here) is available if you want to try it out, but be warned it triggers a 1.27 gigabyte download of the required model on the first run.

What’s also interesting is [Simon]’s write-up, because he used the project as an opportunity to learn what has changed in the realm of AI coding agents. [Simon] is a software developer but in this project he didn’t personally write any of the code. One may think that means he didn’t learn anything other than how to use the tools, but that’s not quite true.

He learned it’s possible to convert a PyTorch-based model to ONXX, that the converted model can run in supported browsers using local WebGPU acceleration, and that the CacheStorage API will work on large files. Last but not least, he learned Claude Opus 4.8 is capable of handling such a project pretty much autonomously, and even created an informative document explaining the underlying architecture.

One may consider AI coding agents to be disasters waiting to happen, but it’s also true that the landscape is changing quickly, and write-ups like [Simon]’s give a helpful peek at those developments.

A Super Cheap Desk Toy Becomes A Hackable Desktop Notifier

The GeekMagic SmallTV is as its name suggests, a tiny, vaguely TV-styled, device with a screen, that’s sold as a desktop notifier. Depending on the firmware running on the device it can display various pieces of information, ranging from the time and weather to the current price of Bitcoin. What makes it interesting is that it supports software updates over WiFi, so [Giovi321] has made a new firmware package for it.

A screenshot of AliExpress showing a range of the devices for sale.
These things are readily available from AliExpress.

It seems there are several versions of this device, something which appears to be reflected in the prices they sell for on AliExpress. The older version runs on the ESP8266, and there’s also a ESP32-C2 variant in the wild. The firmware supports both flavors, providing stock and crypto tickers, an ADS-B tracker, and a Claude AI token usage gauge.

What gives this potential is that the various functions are clearly split out in the code, and there’s nothing to stop you pointing it at a data source of your choosing. This makes it more than a bit of cheap e-waste novelty, and we hope that others will take up the baton and do interesting things with it.

The ESSP8266 is a chip we don’t see too much of these days, having been surpassed by its ESP32 siblings. Still, someone recently gave it a simple OS.

Three Different Digital Counters To Remind Us How Good We Have It

Integrated electronic modules like counters and displays are convenient and space-saving, which may also make them easy to take for granted. [Nagy Krisztián] demonstrates this by making three very different digital counter designs, each breadboarded with a 7-segment LED display. Push a button, and the displayed number increments by one for each press. It was a personal project that ended up educational in more ways than one.

The progressively-integrated designs shrink in part count and board space, but the complexity doesn’t disappear. It just moves into software.

The first version uses discrete components only, and even though it handles the counting with CD4026B decade counter ICs instead of building counters from scratch with NAND gates, it’s still by far the largest of the three. The second version simplifies driving the display with an AT28C64B EEPROM acting as a sort of hardware lookup table translating binary counts into 7-segment digit display patterns. The third uses an ATtiny24A microcontroller, and unsurprisingly has the smallest footprint.

All of this highlights two things. One is that implementing even a simple counter and 7-segment LED readout is a nontrivial affair when one gets right down to it, even when taking advantage of purpose-built ICs. The second is that the complexity that is on full display in the first version doesn’t simply disappear as the footprint and component count goes down. Rather, it moves into software and other infrastructure, like the need for compilers and chip programmers.

The whole thing is both educational and a reminder of how good the average hardware hacker has it today. There are so many effective electronic assemblies, available to just about anyone at low cost, that it can be very easy to take it all for granted and forget just how much breadboard space and wires were needed for even simple-seeming things.

[Nagy] is certainly no stranger to dealing with a lot of wires, as we’ve seen when he fooled a 286 processor into thinking it was plugged into a functioning vintage motherboard.

Mechanosynthesis Of Atomic Carbon Structures Using Inverted-Mode STM

Generally chemical synthesis involves putting a variety of compounds together in an environment where they will react and self-assemble into the desired product. You could also imagine simply putting the atoms in the right place: direct mechanical manipulation. This mechanosynthesis is however not that simple, despite the deceptive appearance of those ball-and-stick representations in high school chemistry class.

This is demonstrated in a recent (pre-publication) study by [Megan Cowie] et al. using inverted-mode STM. Using a scanning tunneling microscope (STM) you can measure a surface on a nanoscale, with the inversed principle used in inverted-mode STM (IM-STM) to physically move individual molecules. In the paper the construction of carbon-based 3D structures using IM-STM is demonstrated.

In the paper it is demonstrated how C2 units can be moved using the tip of an IM-STM setup for subsequent polyyne structure construction through C-C bond formation at the target site. Although it’s not quite yet the leap into Neal Stephenson’s The Diamond Age with its science-based matter compilers – i.e. molecular assemblers – it’s definitely another step closer to making advanced feats of nanotechnology a part of every day life.

Radio-Gaga Is A Toddler Friendly Remote In A Radio

Humans of all ages like music, but you can’t exactly pass a toddler the aux cable. That’s not to say the younger set don’t have their own particular tastes– they absolutely do, and they absolutely love to take control and inflict them on the rest of us. [nbr23] has a toddler who loves both music and tactile controls, and decided to combine the two for them with a project he calls Radio-Gaga, which is a gutted Panasonic radio that calls up tunes via Home Assistant.

Interestingly enough the radio is now just a remote control– the speaker has been removed along with the rest of the radio hardware. The buttons and dials are still there, though, letting the toddler control what tunes are on offer and at what volume via couple of potentiometers hooked to an ESP32. The sound itself is being served up from the homelab to a USB speaker. There’s one notable flaw with this architecture: if the batteries die on the remote, “Let it Go” does not until an adult intervenes manually or recharges the remote.

One interesting lesson [nbr23] wanted to share was that he was able to improve an unsatisfactorily slow startup time by assigning the device a static IP on his network– apparently the single longest step in getting the tunes going was negotiating a DHCP lease. Skipping that gets the tunes playing in under a second, which is fast enough even for the most impatient of tiny humans.

If you prefer a more self-contained device, we’ve seen toddler jukeboxes that keep storage and speaker built-in, many with NFC control. 

Overpowered RC Car + Gimbal Cam = The Greatest Chase Vehicle We’ve Ever Seen

Modern cinema relies very heavily on quadrotor drones, because they make for very smooth, very easy to position platforms. From slow pans to chase shots, drones are great– if your shots can be taken at a high enough altitude. Close to the ground, things get a bit dodgier. That’s where [Transistor Man]’s camera chase vehicle comes in— it’s a rover, so it excels close to the ground. In fact, it can’t go anywhere else, except perhaps if provided with a jump. It’s got a hefty gimbal to hold the camera steady on any terrain, a decade-old surplus radio to provide full HD FPV to the remote driver, and a powerful 1/5th scale radio control rally chassis to make it all go. Plus googly eyes, because everything is better with googly eyes.

It looks like an enormous amount of fun to drive, but more importantly it provides smooth, cinematic shots from the professional Sony camera held in the gimbal. One big takeaway is that when 3D printing something that will bounce around this much, you can’t rely on pure strength– flexible filaments are your friend. Just about everything printed ended up remade in TPU if it didn’t start that way. The other takeaway is that we’ve reached enough of a technological plateau that if you scrounge around, you can build something to take a top-of-the-line footage with decade-old castoffs, like the gimbal and radio used in this project, which is a great thing for hobbyists and small studios.

If you can’t find surplus, you could always DIY a gimbal. We’re not filmmakers, but we find ourselves wondering how shots made with this rover would compare to a camera slider.