This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

Our own [Pat Whetman] wrote about a clever technique published by the University of Michigan, where lasers can be used to trigger a home assistant device. It’s an interesting hack, and you should go read it.

Borrowing IP Addresses

We’ve lived through several IPv4 exhaustion milestones, and the lack of available addresses is really beginning to show, even for trolls and scammers. A new approach takes advantage of the weak security of the Border Gateway Protocol (BGP), and allows bad actors to temporarily take over reserved address blocks. The providers doing this operate out of Russia, running network services they advertise as “bulletproof”, or immune to takedown requests. What better way to sidestep takedowns than to use IP addresses that aren’t really yours to begin with?

BGP spoofing has been at the center of other types of attacks and incidents, like in 2018 when a misconfiguration in a Nigerian ISP’s BGP tables routed traffic intended for Google’s servers through Chinese and Russian infrastructure. In that case it appeared to be a genuine mistake, but little prevents malicious BGP table poisoning.
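On the receiving side, the usual defence is a bogon filter that refuses routes for address space nobody should be originating. The sketch below is an added example, not taken from any router or from the reports discussed here: it checks a constructed announcement feed against the static IANA special-purpose IPv4 blocks. The feed format, function names and AS numbers (documentation range) are assumptions.

```python
import ipaddress

# IPv4 special-purpose blocks from the IANA registry. None of these
# should ever be learned from an external BGP peer.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample feed, one "prefix origin_asn" pair per line.
SAMPLE_ANNOUNCEMENTS = """\
198.18.4.0/22 64496
8.8.8.0/24 64497
192.0.0.0/16 64498
not-a-prefix 64499
1.1.1.0/24 64500
"""


def classify(prefix_text):
    """Return (verdict, matching_bogon) for one announced prefix."""
    try:
        net = ipaddress.ip_network(prefix_text, strict=True)
    except ValueError:
        return ("malformed", None)
    if net.version != 4:
        return ("unchecked", None)  # this list only covers IPv4
    for bogon in BOGON_PREFIXES:
        if net.subnet_of(bogon):
            return ("inside-bogon", str(bogon))
        if bogon.subnet_of(net):
            # A less-specific route that would also attract bogon traffic.
            return ("covers-bogon", str(bogon))
    return ("ok", None)


def audit(feed):
    """Return every announcement in the feed that should be rejected."""
    findings = []
    for line in feed.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        prefix, origin = parts
        verdict, bogon = classify(prefix)
        if verdict != "ok":
            findings.append((prefix, origin, verdict, bogon))
    return findings
```

A static list like this only catches the permanently reserved ranges; unallocated space changes over time and needs a regularly refreshed bogon feed.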

Chrome Zero-day

Google released an update to Chrome on the 31st that addresses two CVEs, one of which is being actively exploited. That vulnerability, CVE-2019-13720, is a race condition resulting in a potential use-after-free. Kaspersky Labs found this one being actively used on a Korean news site. The attack runs entirely from JavaScript, and simply visiting a malicious site is enough for compromise, so update Chrome if it’s installed.

Anti-anti-doping

What do you do when you feel you’ve been unfairly targeted by an anti-doping investigation? Apparently hacking the investigating agency and releasing stolen information is an option. It seems like this approach is more effective when there are shenanigans revealed in the data dump. In this case, the data being released seems rather mundane.

Firefox Blocking Sideload Extensions

Mozilla made a controversial announcement on the 31st. They intend to block “sideload” browser extensions. Until this change, it was possible to install browser extensions by copying them to a particular folder on the computer. Some legitimate extensions used this installation method, but so did malware, adware, and other unwanted software. While this change will block some malicious add-ons, it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.

As you might imagine, the response has been… less than positive. While making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension. It remains to be seen exactly how this change will shake out.

Save Games as Attack Vector

An oddball vulnerability caught my eye, published by [Denis Andzakovic] over at Pulse Security. He discovered that a recent indie game, Untitled Goose Game, can be manipulated into running arbitrary code as a result of loading a maliciously modified save file. The vulnerability is rooted in a naive deserialization routine.

If you’re interested in a deeper dive into .NET deserialization bugs, a great paper was submitted to Black Hat 2012 discussing the topic. The short version is that if a programmer isn’t careful, the deserialization routine can overwrite variables in unexpected ways, potentially leading to code execution.

At first glance, a vulnerability triggered by a malicious save file seems relatively harmless. The level of access needed to modify a save file on a hard drive is enough to compromise that computer in a multitude of better ways. Enter cloud save synchronization. Steam, for instance, will automatically sync save games across a user’s install locations. This is a very useful feature for those of us that might play the same game on a laptop and a desktop. Having the save game automatically synced to all your devices is quite useful, but if an attacker compromised your Steam account, your save games could be manipulated. This leads to the very real possibility that an attacker could use a save game vulnerability to turn a Steam account compromise into an attack on all your machines with Steam installs.
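Once cloud sync is in the picture, a save file is untrusted input, and the loader has to decide which types it is willing to rebuild. The block below is an added example showing that fix in Python's pickle, as an analogue of the .NET bug class; it is not the game's code or the Pulse Security write-up, and the `SaveGame` class and its fields are hypothetical.

```python
import collections
import io
import pickle


class SaveGame:
    """Constructed stand-in for a game's save-state class."""

    def __init__(self, level, honks):
        self.level = level
        self.honks = honks


# The only types a save file may name; everything else is refused.
ALLOWED_TYPES = {(SaveGame.__module__, "SaveGame"): SaveGame}


class SaveUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every type reference in the stream, before that
        # type can be instantiated, so untrusted types stop here.
        try:
            return ALLOWED_TYPES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"save names disallowed type {module}.{name}") from None


def load_save(blob):
    """Load a save that may have arrived via cloud sync (untrusted)."""
    save = SaveUnpickler(io.BytesIO(blob)).load()
    if type(save) is not SaveGame:
        raise pickle.UnpicklingError("top-level object is not a SaveGame")
    # The stream also controls field contents, so check those too.
    fields = vars(save)
    if set(fields) != {"level", "honks"} or not all(
            type(v) is int for v in fields.values()):
        raise pickle.UnpicklingError("unexpected fields in save")
    return save


def is_accepted(blob):
    """True only if the blob loads cleanly as a well-formed SaveGame."""
    try:
        load_save(blob)
        return True
    except Exception:
        return False


# Constructed samples: a genuine save, and a stream naming another type.
GOOD_SAVE = pickle.dumps(SaveGame(level=3, honks=17))
FOREIGN_SAVE = pickle.dumps(collections.OrderedDict(level=3, honks=17))
```

A plain data format such as JSON with explicit field validation avoids the problem entirely, because the file can no longer name types at all.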

Keep An Eye On The Neighborhood With This Passive Radar

If your neighborhood is anything like ours, walking across the street is like taking your life in your own hands. Drivers are increasingly unconcerned by such trivialities as speed limits or staying under control, and anything goes when they need to connect Point A to Point B in the least amount of time possible. Monitoring traffic with this passive radar will not do a thing to slow drivers down, but it’s a pretty cool hack that will at least yield some insights into traffic patterns.

The principle behind active radar – the kind police use to catch speeders in every neighborhood but yours – is simple: send a microwave signal towards a moving object, measure the frequency shift in the reflected signal, and do a little math to calculate the relative velocity. A passive radar like the one described in the RTL-SDR.com article linked above is quite different. Rather than painting a target with an RF signal, it relies on signals from other transmitters, such as terrestrial TV or radio outlets in the area. Two different receivers are used, both with directional antennas. One points to the area to be monitored, while the other points directly to the transmitter. By comparing signals reflected off moving objects received by the former against the reference signal from the latter, information about the distance and velocity of objects in the target area can be obtained.

The RTL-SDR test used a pair of cheap Yagi antennas for a nearby DVB-T channel to feed their KerberosSDR four-channel coherent SDR, a device we last looked at when it was still in beta. Essentially four SDR dongles on a common board, it’s available now for $149. Using it to build a passive radar might not save the neighborhood, but it could be a lot of fun to try.

Real Life QWOP Probably Stings A Fair Bit

QWOP was a Flash game released by [Bennett Foddy] in the distant past. Players would use individual keys to trigger muscle spasms in their character’s legs, attempting to sprint as far as possible without hitting the ground. Hackaday alumnus [The Hacksmith] wanted to recreate this in real life, and set to work.

The initial plan was to hack some TENS units to cause muscle contractions, but a pair of lithium batteries was used instead. Supplying up to 48 volts through a MOSFET using PWM control, it’s quite effective at triggering muscle movement, albeit with a slight pain factor. With the MOSFETs under the control of an Arduino fitted with a USB keyboard, it allows a player to control [The Hacksmith]’s leg muscles, albeit without much finesse.

While the jumps are just video magic, the players do succeed in making some purposeful spasms happen. It’s about as effective as our attempts to play the original game, anyway. Don’t try this at home if you’d like to avoid possible burns or nerve injuries! It’s not the first moderately dangerous build we’ve seen from [The Hacksmith], either. Video after the break.

Roofing Radio Telescope Sees The Galaxy

[David Schneider] asked himself, “How big a radio antenna would you need to observe anything interesting?” The answer turns out to be a $150 build of a half meter antenna. He uses it to detect the motions of the spiral arms of the Milky Way. The first attempt was a satellite TV dish and a cantenna feed, which didn’t work as the can wasn’t big enough to pick up signals at the 21cm wavelength of hydrogen emissions. Interstellar gas clouds are known to emit radio energy at this frequency.

Looking online, [David] tried aluminized foam board insulation, but was worried that the material didn’t seem to actually be conductive. A quick thrown-together Faraday cage with a cell phone didn’t seem to block any calls. Abandoning that approach, he settled on aluminum flashing used for roofing.

Easy Optical Drive Sharing With PYODS

For many of us, the optical drive is a thing of the past. Once considered essential, the technology is no longer featured in the average laptop, where its omission saves plenty of precious space, and it’s rare on desktops, too. However, every now and then, something comes up and it’d be useful to have one on hand. [Klattimer] has just the solution for the MacOS set.

The Python Online Disk Server, or PYODS, is a tool that allows one to serve optical drives or ISO images over a network to MacOS clients. In its basic configuration, it shares all optical drives on a system, as well as all images found in a select folder. Thanks to using Python, it allows other operating systems to share their drives with Macs. It relies on Apple’s existing API to function, and should be a handy tool for anyone that regularly finds themselves having to scratch around for a way to mount an ISO in a pinch.

Thankfully, outside of legacy applications, cumbersome optical technologies and image files are a thing of the past. If you’ve got drives lying around that you’re not using anymore, why not repurpose them into a plotter?

Well-Engineered RF Amplifier Powers Ham Radio Contacts

Typically, amateur radio operators use the minimum power needed to accomplish a contact. That’s just part of being a good spectrum citizen, and well-earned bragging rights go to those who make transcontinental contacts on the power coming from a coin cell. But sometimes quantity has a quality all its own, and getting more power into the ether is what the contact requires. That’s where builds such as this well-engineered 600W broadband RF amplifier come into play.

We’re really impressed with the work that [Razvan] put into this power amp. One of the great joys of being a ham is being able to build your own gear, and to incorporate the latest technology long before the Big Three manufacturers start using it. While LDMOS transistors aren’t exactly new – laterally-diffused MOSFETs have been appearing in RF power applications for decades – the particular parts used for the amp, NXP’s MRF300 power transistors, are pretty new to the market. A pair of the LDMOS devices form the heart of the push-pull amp, as do an array of custom-wound toroids and transformers including a transmission line transformer wound with 17-ohm coax cable. [Razvan] paid a lot of attention to thermal engineering, too, with the LDMOS transistors living in cutouts in the custom PCB so they can mate with a hefty heatsink. Even the heatsink compound is special; rather than the typical silicone grease, he chose a liquid metal alloy called Galinstan. The video below gives a tour of the amp and shows some tests with impressive results.

Rock ‘n Roll With 3D-Printed Tonewheels

What can you do with ferromagnetic PLA? [TheMixedSignal] used it to give new meaning to the term ‘musicians’ gear’. He’s made a proof of concept for a DIY tone generator, which is the same revolutionary system that made the Hammond organ sing.

Whereas the Hammond has one tonewheel per note, this project uses an Arduino to drive a stepper at varying speeds to produce different notes. Like we said, it’s a proof of concept. [TheMixedSignal] is proving that tonewheels can be printed, pickups can be wound at home, and together they will produce audible frequencies. The principle is otherwise the same — the protruding teeth of the gear induce changes in the magnetic field of the pickup.

[TheMixedSignal] fully intends to expand on this project by adding more tone wheels, trying different gear profiles, and replacing the stepper with a brushless motor. We can’t wait to hear him play “Karn Evil 9”. In the meantime, put on those cans and check out the demo/build video after the break.

We don’t have to tell you how great Hammond organs are for making music. But did you know they can also encode secret messages?
