This Week In Security: The Robots Are Watching, Insecure VPNs, Graboids, And Biometric Fails

A Japanese hotel chain uses robots for nearly everything: check-in, room access, and most importantly, bedside service. What could possibly go wrong with putting embedded Android devices, complete with mics and cameras, in every hotel room? While I could imagine bedside robots ending badly in many ways, today we’re looking at the possibility that a previous guest installed an app that can spy on the room. The kiosk mode used on these devices left much to be desired. Each bot has an NFC reader, and all it takes is a URL read by that reader to break out of the kiosk jail. From there, a user has full access to the Android system underneath, and can install whatever software they wish.

[Lance Vick] discovered this potential problem way back in July, and after 90 days of inaction has released the vulnerability. More of these hotels are being rolled out for the 2020 Olympics, and this sort of vulnerability is sure to be present in other similar kiosk devices.

VPN Compromise

In March 2018, a server in a Finnish data center was compromised through a remote management system. This was probably a Baseboard Management Controller (BMC), which is as dangerous as it is useful. Most BMCs have their own Ethernet adapter, not controlled by the host computer, and allow a remote user to access the machine just as if they had a monitor and keyboard connected to it. This particular server was one rented by NordVPN, who was apparently not notified of the data center breach.

So what was captured from this server? Apparently the OpenVPN credentials stored on that server, as well as a valid TLS key. (Document mirror via TechCrunch) It’s been noted that this key has now expired, which does mean that it’s not being actively exploited. There were, however, about 7 months between the server break-in and the certificate expiration, during which time it could have been used for man-in-the-middle attacks.

NordVPN has confirmed the breach, and tried to downplay the potential impact. This report doesn’t seem to entirely match the leaked credentials. An attacker with this data and root access to the server would have likely been able to decrypt VPN traffic on the fly.

Graboid

Named in honor of a certain sci-fi worm, Graboid is an unusual piece of malware aimed at Docker instances. It is a true worm, in that compromised hosts are used to launch attacks against other vulnerable machines. Graboid isn’t targeting a Docker vulnerability, but simply looking for an unsecured Docker daemon exposed to the internet. The malware downloads malicious Docker images, one of which is used for cryptocurrency mining, while another attempts to compromise other servers.

Graboid has an unusual quirk — the quirk that earned it the name: It doesn’t constantly mine or attempt to spread, but waits over a minute between bursts of activity. This was likely an attempt to mask the presence of mining malware. It’s notable that until discovered, the malicious Docker images were hosted on the Docker Hub. Be careful what images you trust, and look for the “Docker Official Image” tag.
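The two exposures this write-up turns on, a Docker API reachable over plain TCP and images pulled from namespaces nobody vetted, can both be checked from a host’s own configuration before anything is run. The Python below is an added example, not code from Hackaday or from the Graboid analysis; the daemon.json text and the image list are constructed samples, `tlsverify` is a real daemon.json key, and the classifier treats the docker.io/library namespace as the Docker Official Images, which is how a short name like `nginx` resolves.

```python
"""Audit a Docker host for the two things Graboid relies on: an unauthenticated
Docker API exposed on a TCP socket, and image references that are neither
Docker Official Images nor pinned to a content digest.

Added example (not Hackaday's or the Graboid researchers' code). The
daemon.json text and image list below are constructed samples."""
import json
import re
from typing import Dict, List

# Constructed /etc/docker/daemon.json from a misconfigured host: the API is
# bound to every interface on the conventional plaintext port 2375.
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}"""

# Constructed image references, as they might appear in a compose file.
SAMPLE_IMAGES = [
    "nginx:1.17",
    "library/redis@sha256:" + "a" * 64,
    "someuser/helper:latest",
    "docker.io/library/alpine:3.10",
    "someuser/miner@sha256:" + "b" * 64,
]

_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_daemon_hosts(daemon_json: str) -> List[str]:
    """Return one finding per tcp:// listener that dockerd would serve without
    TLS client verification. Such a listener is a root-equivalent API open to
    anyone who can reach the port, which is what Graboid scans for."""
    cfg: Dict = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    return [
        f"unauthenticated Docker API on {host}"
        for host in cfg.get("hosts", [])
        if host.startswith("tcp://") and not tls_verify
    ]


def _looks_like_registry(component: str) -> bool:
    """A leading component with a dot, a port or 'localhost' names a registry."""
    return "." in component or ":" in component or component == "localhost"


def classify_image(ref: str) -> Dict[str, bool]:
    """Report whether a reference resolves to a Docker Official Image (the
    docker.io/library namespace) and whether it is pinned by digest."""
    pinned = bool(_DIGEST_RE.search(ref))
    name = _DIGEST_RE.sub("", ref)
    # Drop a tag: a ':' that comes after the last '/' (a registry port does not).
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name = name[:colon]
    parts = name.split("/")
    # Expand short names the way dockerd does: "nginx" -> docker.io/library/nginx,
    # "user/repo" -> docker.io/user/repo, unless the first component is a registry.
    if len(parts) == 1:
        parts = ["docker.io", "library", parts[0]]
    elif len(parts) == 2 and not _looks_like_registry(parts[0]):
        parts = ["docker.io"] + parts
    official = parts[0] == "docker.io" and parts[1] == "library"
    return {"official": official, "pinned": pinned}


def audit_images(refs: List[str]) -> Dict[str, List[str]]:
    """Map each image reference to the trust issues found with it; references
    that are both official and digest-pinned do not appear in the report."""
    report: Dict[str, List[str]] = {}
    for ref in refs:
        verdict = classify_image(ref)
        issues = []
        if not verdict["official"]:
            issues.append("not a Docker Official Image")
        if not verdict["pinned"]:
            issues.append("not pinned by digest")
        if issues:
            report[ref] = issues
    return report


if __name__ == "__main__":
    for finding in audit_daemon_hosts(SAMPLE_DAEMON_JSON):
        print("daemon:", finding)
    for ref, issues in audit_images(SAMPLE_IMAGES).items():
        print("image:", ref, "->", "; ".join(issues))
```

Digest pinning and the official namespace are independent signals, so the report lists both: a digest-pinned image from an unknown namespace is still unknown code, and an official image pulled by floating tag can change underneath you.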

Iran and Misdirection

Remember a couple weeks ago, when we discussed the difficulty of attack attribution? It seems a healthy dose of such paranoia might be warranted. The American NSA and British NCSC revealed that they now suspect Russian actors compromised Iranian infrastructure and deployed malware developed by Iranian coders. The purpose of this seems to have been redirection — to compromise targets and put the blame on Iran. To date it’s not certain that this particular gambit fooled any onlookers, but this is likely not the only such effort.

Android Biometrics

New Android handsets have had a rough week. First, the Samsung Galaxy S10 had an issue with screen protectors interfering with the under-the-screen fingerprint reader. This particular problem seems to only affect fingerprints that are enrolled after a screen protector has been applied. With the protector still in place, anyone’s fingerprint is able to unlock the device. What’s happening here seems obvious. The ultrasonic fingerprint scanner isn’t able to penetrate the screen protector, so it’s recording an essentially blank fingerprint. A patch to recognize these blank prints has been rolled out to devices in Samsung’s home country of South Korea, with the rest of the world soon to follow.

The second new handset is the Google Pixel 4, which includes a new Face Unlock feature. While many have praised the feature, there is trouble in paradise. The Pixel’s Face Unlock works even when the user is asleep or otherwise unmoving. By contrast, and to Apple’s credit, Face ID checks for user alertness, trying to avoid unlocking unless the user is intentionally doing so.

The humorous scenario is a child or spouse unlocking your phone while you’re asleep, but a more sobering possibility is your face being used against you unwillingly, or even while unconscious or dead. Based on leaks, it’s likely that there was an “eyes open” mode planned but cut before launch. Hopefully the bugs can be worked out of that feature, and it can be re-added in a future update. Until then, it’s probably best not to use Google’s Face Unlock on Pixel 4 devices.

TI-99/4A KSP Controller Has A Handle On Vintage NASA Styling

[MelkorsGreatestHits] had an extra USB MAME board burning a hole in his parts bin, so he turned it into fuel for this far-out Kerbal Space Program controller. Cool your jets — no fully-functioning TI-99/4As were harmed in the making of this baby. Besides, this is a KAL 9000 from Kexas Instruments. See the badges?

After donating the usable parts deemed unnecessary for space exploration, [MelkorsGreatestHits] had even more room inside the case for the throng of toggles that make this controller so touchable. We love the two tiers of toggles here — the important ones are separated with 3D-printed Space Shuttle-style switch guards, and the super-important toggles have flip-up covers to protect them from errant flicks of the hand. The vintage embosser labels are an impressive touch, and make us wish we had one that stamps vertically.

[MelkorsGreatestHits] modeled the combo throttle/roll handle and the joystick after the Apollo 11 command module controls. Unfortunately, the MAME board didn’t like his 3-axis analog joystick, so both are 2-axis and give WASD control. Good enough to get to the Mün!

We’ve seen more than a few KSP controllers around here, but none so overdone as this wonderful stand-up command station.

Via r/DIY

A Visual Infrared Thermometer That Runs Off Your Laptop

Checking heat dissipation is a common measurement on circuits. While single-point thermometers do the trick, they can be quite annoying to use. Meanwhile, a thermal imaging camera is often out of the budget for hobbyists. How about building your own visual thermometer for cheap? That’s what [Thomas Fischl] decided to do, using an infrared thermal sensor array (MLX90640) connected through a PIC16LF1455 to a host computer. The computer handles the temperature calculation and visualization of hot spots from the data collected by the IR pixel array.

The interface board, USB2FIR, has full access to MLX90640 memory and can use bulk transfers for faster transmission of the raw sensor data collected by the pixel array. A USB driver is needed to access the board – once the data is fetched, the visualizations can be created from a Matplotlib and Tkinter GUI showing frame data and a real-time heat map with minimum, maximum, and central temperature.

The hardware isn’t complicated, since the board relies on several ICs for processing the sensor data and immediately sends the data over to be processed externally. With some modifications – a 3D-printed enclosure, for instance – this can easily be made into a standalone tool for heat detection.

Faux Cow Munches Faux Grass On A Faux Roomba

Out in the countryside, having a cow or two wouldn’t be a big deal. You can have a cattle shed full of them, and no one will bat an eyelid. But what if you’re living in the big city and have no need of pet dogs or cats, but want a pet cow? It wouldn’t be easy getting it to ride in the elevator, and you’d have a high chance of being very, very unpopular in the neighbourhood. [Dane & Nicole], aka [8 Bits and a Byte], were undaunted though, and built the Moomba – the Cow Roomba – to keep them company in their small city apartment.

The main platform is built from a few pieces of lumber and, since it needs to look like a Roomba, cut in a circular shape. Locomotion comes from two DC geared motors and a third free-swivelling wheel, all attached directly to the wooden frame. The motors get their 12V juice from eight “AA” batteries. The free-range bovine also needs some smarts to allow it to roam at will. For this, it uses a Raspberry Pi powered by a power bank. The Pi drives a 2-channel relay board which controls the voltage applied to the two motors. Unfortunately, this prevents the Moomba from backing out if it gets stuck at a dead end. For anyone else trying to build this, it should be easy enough to fix with an electronic speed controller, or even by adding a second 2-channel relay board which can reverse the voltage applied to the motors. The Moomba needs to “Moo” when it feels like it, so the Raspberry Pi streams a prerecorded MP3 audio clip to a pair of USB speakers.

If you watch the video after the break, you’ll notice that making the Moomba sentient is a simple matter of “ctrl+C” and “ctrl+V” and you’re good to go. The Python code is straightforward, doing one of four actions – move forward, turn left, turn right, or play audio. The code picks a random number from 0 to 3, and then performs the action associated with that number. Finally, as an added bonus, the Moomba gets a lush carpet of artificial green grass and is free to roam the range.

At first sight, many may quip “where’s the hack?” But simple, easy-to-execute projects like these are ideal for getting younglings started down the path to hacking, with adult supervision. The final result may appear frivolous, but it’ll excite young minds as they learn from watching.


Reverse-Engineering Xiaomi IoT Firmware

IoT devices rarely just do what they’re advertised to do. They’ll almost always take up more space than they need to – on top of that, their processor and memory alone should be enough to run a multitude of other tasks without necessarily compromising the task they were built to do.

That’s partially the motivation for rooting any device, but for Xiaomi devices, it’s a bit more fun – that is to say, it’s a little bit harder when you’re reverse engineering its firmware from scratch.

Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.


Wiping Your Windscreen To The Beat

Nothing spoils your mood quite like your windscreen wipers not feeling it when the beat drops. Every major car manufacturer is focused on trying to build the electric self-driving vehicle for the masses, yet ignoring this very real problem. Well, [Ian Charnas] is taking charge, and has successfully slaved his car’s wipers to the beat of its stereo.

Starting with the basics, [Ian] first needed to control the speed of the wiper motor. This was done using a custom power supply adapted from another project. The brain of the system is a Raspberry Pi 3B+, which runs a phase-locked loop algorithm to sync the music and the motor. Detecting the beat turned out to be the most difficult part of the project, and from the research [Ian] did, there is no standard solution. He ended up settling on “madmom”, a Python audio and music signal processing library, which runs a neural net to detect the beat in real time. The Raspi sends the required PWM and Enable signals to an Arduino over serial, which in turn controls the power supply. The entire system was neatly integrated in the car, with a switch in the dash that connects the motor to the new power supply on demand, to allow the wipers to still be used normally (and safely).
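As an added illustration of the phase-locked-loop half of the build, here is a small software PLL in Python. It is example code written for this page, not [Ian]’s; it assumes a beat detector such as madmom hands over beat timestamps, uses assumed loop gains, and runs on constructed beat times rather than audio. It goes a little beyond the text by handling the two failure modes a beat tracker feeds into such a loop: a dropped detection and a tempo change.

```python
"""A software phase-locked loop that locks a wiper stroke to beat timestamps
from a detector such as madmom. Added example, not the project's own code:
the loop gains are assumed values and the beat times are constructed."""
from typing import List, Optional, Tuple


class BeatPLL:
    """Tracks the beat period and the predicted time of the next beat.

    Each detected beat is compared with the prediction; the phase error
    nudges the next prediction (kp) and the period estimate (ki), so the
    loop both catches up on phase and follows tempo drift."""

    def __init__(self, initial_period: float, kp: float = 0.5, ki: float = 0.2):
        self.period = initial_period            # seconds per beat (estimate)
        self.next_beat: Optional[float] = None  # predicted time of next beat
        self.kp = kp  # phase correction gain (assumed value)
        self.ki = ki  # period correction gain (assumed value)

    def update(self, beat_time: float) -> float:
        """Feed one detected beat; return the phase error used for correction."""
        if self.next_beat is None:
            self.next_beat = beat_time + self.period
            return 0.0
        # A dropped detection leaves the observation a whole period (or more)
        # past the prediction: step the prediction forward rather than
        # treating the gap as a huge phase error.
        while beat_time - self.next_beat > self.period / 2.0:
            self.next_beat += self.period
        err = beat_time - self.next_beat
        # A doubled detection (a beat far too early) is ignored outright.
        if err < -self.period / 2.0:
            return err
        self.period += self.ki * err
        self.next_beat += self.period + self.kp * err
        return err


def track_beats(beat_times: List[float], initial_period: float) -> Tuple[float, float]:
    """Run the loop over a beat list; return (period estimate, next predicted beat)."""
    pll = BeatPLL(initial_period)
    for t in beat_times:
        pll.update(t)
    return pll.period, pll.next_beat


def constructed_beats(bpm: float, count: int, start: float = 0.0) -> List[float]:
    """Constructed stand-in for detector output: evenly spaced beat times."""
    period = 60.0 / bpm
    return [start + period * (i + 1) for i in range(count)]


if __name__ == "__main__":
    # 120 bpm, then a tempo change to 150 bpm, with one beat dropped on the way.
    beats = constructed_beats(120, 40) + constructed_beats(150, 40, start=20.0)
    del beats[19]
    period, nxt = track_beats(beats, initial_period=0.6)
    print(f"locked period {period:.3f} s, next stroke expected at {nxt:.3f} s")
```

With the gains above the loop’s error dynamics have eigenvalues of magnitude about 0.71, so a phase or tempo step is damped by roughly 30% per beat and the estimate settles within a couple of bars; the period and next-beat values are what a motor controller would turn into a stroke speed and start time.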

[Ian] filed a provisional patent application for the idea, and will be putting it up for auction on eBay soon, with the hope that some major car manufacturer would be interested. For older cars, you can shove an Arduino into the stereo, or do a super cheap Bluetooth upgrade. Check out the video after the break.

ESP8266 Unlocks Hidden Features In Sound Bar

It’s no secret that the hardware devices we buy are often more capable than their manufacturer lets on. Features hidden behind firmware locks are a common trick, as it allows companies to sell the same piece of gear as a different model by turning off certain capabilities. Luckily for us, these types of arbitrary limitations are often easy to circumvent.

As a perfect example, [Acuario] recently discovered that the LG SJ2 sound bar has quite a few features that aren’t advertised on the box. Whether it’s due to greed or just laziness, it turns out LG isn’t using many of the capabilities offered by the ESMT AD83586B IC inside the amplifier. The chip gets its configuration via I2C, so thanks to the addition of an ESP8266, the expanded capabilities can now be easily enabled through a web interface.

[Acuario] has already found out how to turn on things like simulated surround sound, or per-channel volume controls; all functions which aren’t even exposed through the normal controls on the sound bar. But it goes deeper than that. The LG SJ2 is a 2.1 channel system, with a wireless speaker providing the right and left channels. But the AD83586B inside the subwoofer is actually capable of driving two locally connected speakers, though you obviously need to do a little rewiring.

There are still more capabilities to unlock, though [Acuario] is currently struggling with some incomplete documentation. The datasheet says there’s support for user-defined equalizer settings, but no examples are given for how to actually do it. If anyone’s got a particular affinity for this sort of amplifier chip, now could be your time to shine.

For hackers, there’s perhaps no better example of feature-locked products than Rigol’s line of oscilloscopes. From the 2000 series of scopes in 2013 up to their higher-end MSO5000 just last year, there’s a long history of unlocking hidden features on these popular tools.