This Week In Security: GTA, Apple And Android, And Insecure Boot

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. These packets can contain malformed data which has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this aspect will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large playerbase, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue.

Nokia 5110 Gets Android Stowaway And A Keyboard

Even though Nokia is largely an afterthought in the phone market now, there was a time when their products represented the state-of-the-art in mobile devices. Some of their handsets even featured slide-out keyboards and the ability to send emails, largely unheard of for a device from the late 90s. [befinitiv] was a kid back then and couldn’t afford one of these revolutionary devices, so he built his own modern version that still looks and feels like the original.

To do this he borrowed the case and structure of a Nokia 5110 phone, but modified it to hold a small Android device in the old battery compartment along with a tiny Bluetooth keyboard (which was also built from scratch by [befinitiv]) that connects to the Android phone to mimic the old slide-out style. This isn’t just a case mod, though. He also reverse-engineered the original PCB of the phone and included a Bluetooth module there as well, which allows the phone’s screen and keypad to work mostly as originally intended.

This project goes pretty far to scratch the 90s phone nostalgia itch while still being largely usable as a real phone in the modern world. Assuming you aren’t too hung up on the literal phone aspect, the Notkia project is also an impressive effort to bring new life to these old handsets.


This Week In Security: Android And Linux, VirusTotal, More Psychic Signatures

To start our week of vulnerabilities in everything, there’s a potentially big vulnerability in Android handsets, but it’s Apple’s fault. OK, maybe that’s a little harsh — Apple released the code to their Apple Lossless Audio Codec (ALAC) back in 2011 under the Apache License. This code was picked up and shipped as part of the driver stack for multiple devices by various vendors, including Qualcomm and MediaTek. The problem is that the Apple code was terrible, one researcher calling it a “walking colander” of security problems.

Apple has fixed their code internally over the years, but never pushed those updates to the public code-base. It’s a fire-and-forget source release, and that can cause problems like this. The fact that ALAC was released under a permissive license may contribute to the problem. Someone (in addition to Apple) likely found and fixed the security problems, but the permissive license doesn’t require sharing those fixes with a broader community. It’s worth pondering whether a Copyleft license like the GPL would have gotten a fix distributed years ago.

Regardless, CVE-2021-0674 and CVE-2021-0675 were fixed in both Qualcomm and MediaTek’s December 2021 security updates. These vulnerabilities are triggered by malicious audio files, and can result in RCE. An app could use this trick to escape the sandbox and escalate privileges. This sort of flaw has been used by actors like the NSO group to compromise devices via messaging apps.

Want Octoprint But Lack A Raspberry Pi? Use An Old Android Phone

3D printers and Octoprint have a long history together, and pre-built images for the Raspberry Pi make getting up and running pretty easy. But there’s also another easy way to get in on the Octoprint action, and that’s to run it on an Android phone with the octo4a project.

A modern smartphone has a lot of useful features that make it attractive as an Octoprint host. There is a built-in touchscreen, easy power management, a built-in camera, and the fact that people regularly upgrade to new phones means that older Android phones — still powerful pieces of hardware in their own right — are readily available at low cost. The project is still relatively new, so don’t forget to check the Octoprint community thread for this project if you give it a try.

If you are wondering what Octoprint is and what it brings to the table, our own Tom Nardi explained what it does and why it matters when he shared his own upgrade experience from 2018. A few details are no longer current — for example one is no longer likely to encounter a Printrbot — but it’s still a perfectly valid primer on adding great management functionality to a 3D printer.

Privacy Report: What Android Does In The Background

We’ve come a long way from the Internet of the 90s and early 00s. Not just in terms of technology, capabilities, and culture, but in the attitude most of us take when accessing the ‘net. In those early days most users had a militant drive to keep any personal or identifying information to themselves beyond the occasional (and often completely fictional) a/s/l, and before eBay and Amazon normalized online shopping it was unheard of to even type in a credit card number. On today’s internet we do all of these things with reckless abandon, and to make matters worse most of us carry around a device which not only holds all of our personal information but also reports everything about us, from our browsing habits to our locations, back to databases to be stored indefinitely.

It was always known that both popular mobile operating systems for these devices, iOS and Android, “phone home” or report data about us back to various servers. But just how much the operating systems themselves did was largely a matter of speculation, especially for Apple devices which are doing things that only Apple can really know for sure. While Apple keeps their mysteries to themselves and thus can’t be fully trusted, Android is much more open which paradoxically makes it easier for companies (and malicious users) to spy on users but also makes it easier for those users to secure their privacy on their own. Thanks to this recent privacy report on several different flavors of Android (PDF warning) we know a little bit more on specifically what the system apps are doing, what information they’re gathering and where they’re sending it, and exactly which versions of Android are best for those of us who take privacy seriously.


This Week In Security: REvil Goes Dark, Kaseya Cleanup, Android Updates, And Terrible Firmware

The funniest thing happened to REvil this week. Their online presence seems to have disappeared. Their Tor sites as well as conventional sites all went down about the same time Tuesday morning, leading to speculation that they may have been hit by a law enforcement operation. This comes on the heels of a renewed push by the US for other countries, notably Russia, to crack down on ransomware groups operating within their borders. If it is a coordinated takedown, it’s likely a response to the extremely widespread 4th of July campaign launched via the Kaseya platform. Seriously, if you’re going to do something that risks ticking off Americans, don’t do it on the day we’re celebrating national pride by blowing stuff up.

Speaking of Kaseya, they have finished their analysis, and published a guide for safely powering on their VSA on-premise hardware. Now that the fixes are available, more information about the attack itself is being released. Truesec researchers have been following this story in real time, and even provided information about the attack back to Kaseya, based on their observations. Their analysis shows that 4 separate vulnerabilities were involved in the attack. First up is an authentication bypass. It takes advantage of code that looks something like this:

A Phone That Old Shouldn’t Be Running Android

Cars and smartphones have something curious in common: just as most everyday saloon cars from different manufacturers have tended towards similarity, so have smartphones. Whether your smartphone is the latest and greatest or only cost you $50 from a supermarket, it matters little to look at because both phones will be superficially near-identical black slabs.

It wasn’t always this way though. In decades past, phones from different manufacturers each had their own flavours, and there was a variety in form factors to suit all tastes. There’s a ray of hope for fans of those days though, in the form of [befinitiv]’s 2000-era Sony flip phone. It runs Android. Yes, you read that right, there on the tiny screen is Android 9.

Of course whatever processor and electronics the phone came with are long gone, and instead the phone sports the internals of a modern Chinese watch-smartphone grafted in place of the original. The whole electronics package fits in the screen opening, and though it required some wiring for the USB-C socket and a few other parts, it looks for all the world from the outside as though it was meant to run Android. You can take a look in the video below the break.

He cheerfully admits that there’s still a way to go, for example in getting the original keyboard working, but even with a tiny touchscreen it’s good enough to be a daily driver. It may be a little on the small side, but for those of us who miss our old phones maybe there’s hope in it for something new.

Meanwhile this isn’t the first re-use of an old phone we’ve seen recently.
