This Week In Security: Nintendo Accounts, Pernicious Android Malware, And An IOS 0-day

A rash of Nintendo account compromises has made the news over the last week. Nintendo’s official response was that they were investigating, and they recommended that everyone enable two-factor authentication on their accounts.

[Dan Goodin] over at Ars Technica has a canny guess: The compromised accounts were each linked to an old Nintendo Network ID (NNID). This is essentially a legacy Nintendo account — one made in the Wii U and 3DS era. Since they’re linked, access via the NNID exposes the entire account. Resetting the primary account password doesn’t change the NNID credentials, but turning on two factor authentication does seem to close the loophole. There hasn’t yet been official confirmation that NNIDs are responsible, but it seems to fit the situation. It’s an interesting problem, where a legacy account can lead to further compromise.

Just Can’t Lose You: xHelper

xHelper, an Android malware, just won’t say goodbye. xHelper looks like a cleaner application, but once installed it begins rather stubbornly installing itself via the Triada trojan. The process begins with rooting the phone, and then remounting /system as writable. Binaries are installed and startup scripts are tampered with, and then the mount command itself is compromised, preventing a user from following the same steps to remove the malware. Additionally, if the device has previously been rooted, the superuser binary is removed. This combination of techniques means that the infection will survive a factory reset. The only way to remove xHelper is to flash a clean Android image, fully wiping /system in the process.
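Since the write-up notes that the mount binary itself gets replaced, a check for a read-write /system should not rely on it. The following is an added example (not from the article or from any xHelper analysis) that parses the kernel-provided /proc/mounts instead; the mount table contents are constructed.

```python
import re

# Constructed sample of /proc/mounts from a device whose /system partition has
# been remounted read-write, as xHelper does. Columns: device mountpoint fstype
# options dump pass (space separated; a space inside a field appears as the
# octal escape \040).
INFECTED_PROC_MOUNTS = """\
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/block/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/by-name/vendor /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# The same device as it should look: /system mounted read-only.
CLEAN_PROC_MOUNTS = INFECTED_PROC_MOUNTS.replace(
    "/system ext4 rw,", "/system ext4 ro,")

_OCTAL = re.compile(r"\\([0-7]{3})")

def _unescape(field):
    """Decode the \\040-style escapes the kernel uses in /proc/mounts fields."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_proc_mounts(text):
    """Map each mountpoint to its set of mount options.

    /proc/mounts is produced by the kernel, so it reflects the real state
    even when the user-space mount binary has been replaced.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mounts[_unescape(fields[1])] = set(fields[3].split(","))
    return mounts

def writable_system_mounts(text, expect_ro=("/", "/system", "/vendor")):
    """Return the mountpoints in expect_ro that are mounted read-write.

    '/' is included because system-as-root devices mount the system image there.
    """
    mounts = parse_proc_mounts(text)
    return [mp for mp in expect_ro if mp in mounts and "rw" in mounts[mp]]

if __name__ == "__main__":
    # On a real device, pass open("/proc/mounts").read() instead of the sample.
    print(writable_system_mounts(INFECTED_PROC_MOUNTS))  # ['/system']
    print(writable_system_mounts(CLEAN_PROC_MOUNTS))     # []
```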

Automate Your Xbox

First the robots took our jobs, then they came for our video games. This dystopian future is brought to you by [Little French Kev] who designed this adorable 3D-printed robot arm to interface with an Xbox One controller joystick. He shows it off in the video after the break, controlling a ball-balancing physics demonstration written in Unity.

Hats off to him on the quality of the design. There are two parts that nestle the knob of the thumbstick from either side. He mates those pieces with each other using screws, firmly hugging the stick. Bearings are used at the joints for smooth action of the two servo motors that control the arm. The base of the robotic appendage is zip-tied to the controller itself.

The build targets experimentation with machine learning. Since the computer can control the arm via an Arduino, and the computer has access to metrics of what’s happening in the virtual environment, it’s perfect for training a neural network. Are you thinking what we’re thinking? This is the beginning of hardware speed-running your favorite video games like [SethBling] did for Super Mario World half a decade ago. It will be more impressive since this would be done by automating the mechanical bit of the controller rather than operating purely in the software realm. You’ll just need to do your own hack to implement button control.

Debugging For Sed — No Kidding

If you do much Linux shell scripting, you’ve probably encountered sed — the stream editor — in an example. Maybe you’ve even used it yourself. If all you want to do is substitute text, it is easy and efficient. But if you try to do really elaborate editing, it is often difficult to get things right. The syntax is cryptic and the documentation is lacking. But thanks to [SoptikHa2] you can now debug sed scripts with a text-based GUI debugger. Seriously.

According to the author, the program has several notable features:

  • Preview variable values, both of them!
  • See how a substitute command will affect pattern space before it runs
  • Step through sed script – both forward and backward!
  • Place breakpoints and examine program state
  • Hot reload and see what changes as you edit source code
  • Its name is a palindrome

There’s only one word for that last feature: wow.

Coffee Maker Gives Plants An Automatic Drip

Somehow, [Jeremy S Cook]’s wife was able to keep a Keurig machine going for 10 years before it quit slinging caffeine. [Jeremy] got it going again, but decided to buy a new one when he saw how it was inside from a decade of water deposits.

But why throw the machine out like spent coffee grinds? Since the pump is still good, he decided to turn it into an automatic plant watering machine. Now the Keurig pumps water using a Raspberry Pi Zero W and a transistor. [Jeremy] can set up watering cron jobs with PuTTY, or push water on demand during dry spells. We love that he wired up a soil moisture sensor to the red/blue LEDs around the brew button — red means the plant is thirsty, purple means water is flowing, and no light means the plant is quenched and happy.

This project is wide open, but cracking into the Keurig is up to you. Fortunately, that part of the build made it into the video, which is firmly planted after the break.

Old coffee makers really do seem suited to taking up plant care in retirement. Here’s a smart garden made from an espresso machine.

Freeze Laser Beams — Sort Of

They say a picture is worth a thousand words, and by that logic a video must be worth millions. However, from nearly the dawn of photography around 1840, photographers have made fake photographs. In modern times, Photoshop and Deepfake make you mistrust images and videos. [Action Lab] has a great camera trick in which it looks like he can control the speed of light. You can see the video below.

You probably can guess that he can’t really do it. But he has videos where a real laser beam appears to slowly move across the screen like a laser blaster shot in a movie. You might think you only need to slow down the video speed, but light is really fast, so you probably can’t practically pull that stunt.

The Rusty Nail Award For Worst WiFi Antenna

In general, you get what you pay for, and if what you pay for is a dollar-store WiFi antenna that claims to provide 12 dBi of signal gain, you shouldn’t be surprised when a rusty nail performs better than it.

The panel antenna that caught [Andrew McNeil]’s eye in a shop in Rome is a marvel of marketing genius. He says what caught his eye was the Windows Vista compatibility label, a ploy that really dates this gem. So too does the utterly irrelevant indication that it’s USB compatible when it’s designed to plug into an SMA jack on a WiFi adapter. [Andrew]’s teardown was uninspiring, revealing just a PCB with some apparently random traces to serve as the elements of a dipole. We found it amusing that the PCB silkscreen labels the thru-holes as H1 to H6, which is a great way to make an uncrowded board seem a bit more important.

The test results were no more impressive than the teardown. A network analyzer scan revealed that the antenna isn’t tuned for the 2.4-GHz WiFi band at all, and practical tests with the antenna connected to an adapter were unable to sniff out any local hotspots. And just to hammer home the point of how bad this antenna is, [Andrew] cobbled together a simple antenna from an SMA connector and a rusty nail, which handily outperformed the panel antenna.

We’ve seen plenty of [Andrew McNeil]’s WiFi antenna videos before, like his umbrella and tin can dish. We like the sanity he brings to the often wild claims of WiFi enthusiasts and detractors alike, especially when he showed that WiFi doesn’t kill houseplants. We can’t help but wonder what he thinks about the current 5G silliness.

Researchers Break FPGA Encryption Using FPGA Encryption

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and the Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encrypted bitstream as a MultiBoot address; the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC-signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]