This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature — Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement for portable phone numbers: the attacker claims to be switching to a new carrier. In a SIM-swap scam, the attacker convinces the carrier that he or she is switching to a new phone and a new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM-swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

In an odd coincidence, that 100 million figure is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third-party advertisement library.

Updates

Last week we talked about Devcore and their VPN appliance research work. Since then, they have released part 3 of their report. Pulse Secure’s vulnerabilities aren’t nearly as easy to exploit, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest-tier reward for their trouble.

Capture A Star In A Jar With Sonoluminescence

If nothing else, [Justin Atkin] is persistent. How else do you explain a five-year quest to create sonoluminescence with simple tools?

So what exactly is sonoluminescence? The short answer is as the name suggests: a release of light caused by sound. In [Justin]’s case, he used an ultrasonic transducer to set up a standing wave at the resonant frequency of a flask of water. A drop of water is used to entrain a small air bubble, which is held in a stable position in the flask in much the same way as styrofoam beads are in an acoustic levitator. Turn off the lights and you’ll see that the bubble glows with a ghostly blue light.

What causes the glow? Good question. According to [Justin], we just don’t know for sure what causes it, although the leading theory is that cavitation of the bubble causes the trapped gas to compress and heat violently, turning into a brief bit of plasma. But there are problems with that theory, which is one of the reasons he wanted to show just how easy the process can be – now that he’s shaken out the bugs with five years of effort. It wasn’t easy getting the transducers attached and the driver circuit properly tuned, but with little more than a signal generator, an audio amp, and a spool of magnet wire, you too can make your own “star in a jar.”

We applaud [Justin]’s determination to bring this project to a successful conclusion. It’s not unlike his dogged effort to make a cold plasma torch, or even his desktop radio telescope.


High Voltage Protects Low Denominations

How do you keep people out of your change jar? If you didn’t say with a 3D printed iris mechanism and high-voltage spark gap, then clearly you aren’t [Vije Miller]. Which is probably for the best, as we’re not sure we actually want to live in a world where there are two of these things.

Regular Hackaday readers will know that [Vije] has a way of using electromechanical trickery to inject a bit of excitement, and occasionally a little danger, into even the most mundane aspects of life. His latest project is an automated change jar that uses a pinpad to authenticate users, while everyone else gets the business end of a spark gap if the PIR sensor detects them getting too close.

You can see a demonstration of the jar in the video after the break, where he shows the jar’s ability to stop… himself from getting access to it. Hey, nobody said it was meant to keep out real intruders. We do think a similar gadget could be a fun way to keep the kids out of the cookie jar before dinner, though we’d strongly suggest deleting the high-voltage component from the project before deploying it with a gullet full of Keebler’s best.

[Vije] was able to adapt a printable iris design he found on Thingiverse to fit over the mouth of the jar, and uses servos in the base to rotate the whole assembly around and open it up. The internal Arduino Nano handles reading from the pinpad, controlling the stepper, and of course firing up the spark generator for 1000 milliseconds each time the PIR sensor detects somebody trying to be cute. Just the sound of the arc should be enough to get somebody to reconsider the value of literal pocket change.

Some of the design elements used in this change jar’s high voltage components were influenced by the lessons learned when [Vije] was building his plasma-powered toilet air freshener. There’s a sentence we bet you never expected to read today.


PCIe Multiplier Expands Raspberry Pi 4 Possibilities

It probably goes without saying that hardware hackers were excited when the Raspberry Pi 4 was announced, but it wasn’t just because there was a new entry into everyone’s favorite line of Linux SBCs. The new Pi offered a number of compelling hardware upgrades, including an onboard PCI-Express interface. The only problem was that the PCIe interface was dedicated to the USB 3.0 controller; but that’s nothing a hot-air rework station couldn’t fix.

We’ve previously seen steady-handed hackers remove the USB 3.0 controller on the Pi 4 to connect various PCIe devices with somewhat mixed results, but [Colin Riley] has raised the bar by successfully getting a PCIe multiplier board working with the diminutive Linux computer. While there are still some software kinks to work out, the results are very promising and he already has a few devices working.

Getting that first PCIe port added to the Pi 4 is already fairly well understood, so [Colin] just had to follow the example set by hackers such as [Tomasz Mloduchowski]. Sure enough, when he plugged the port multiplier board in (after a bit of what he refers to as “professional wiggling”), the appropriate entry showed up in lspci.

But there was a problem. While the port multiplier board was recognized by the kernel, nothing he plugged into it showed up. Checking the kernel logs, he found messages relating to bus conflicts, and one that seemed especially important: “devices behind bridge are unusable because [bus 02] cannot be assigned for them”. To make a long story short, it turns out that the Raspbian kernel is specifically configured to only allow a single PCI bus.

Fortunately, it’s an easy fix once you know what the problem is. Using the “Device Tree Compiler” tool, [Colin] was able to edit the Raspbian Device Tree file and change the PCI “bus-range” variable from <0x0 0x1> to <0x0 0xff>. From there, it was just a matter of plugging in different devices and seeing what works. Simple things such as USB controllers were no problem, but getting ARM Linux support for the NVIDIA GTX 1060 he tried will have to be a topic for another day.
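The decompile, patch, recompile round trip described above, written out as an added example (not [Colin]’s own script); the `.dtb` paths and the `pcie@7d500000` node label in the constructed sample are assumptions, while the `bus-range` values are the ones from the write-up:

```shell
#!/bin/sh
# Added example: widen the PCIe bridge's bus-range in a Raspbian Device Tree
# so the kernel can assign bus numbers to devices behind a port multiplier.
set -eu

# Rewrite the single-bus range `<0x0 0x1>` to the full range `<0x0 0xff>`
# in Device Tree source read on stdin, writing the patched source to stdout.
widen_bus_range() {
    sed 's/bus-range = <0x0 0x1>;/bus-range = <0x0 0xff>;/'
}

# Round trip a compiled .dtb through dtc: decompile to .dts, patch, recompile.
# Usage: patch_dtb /boot/input.dtb /boot/output.dtb   (paths are assumptions)
patch_dtb() {
    in_dtb="$1"
    out_dtb="$2"
    tmp_dts="$(mktemp)"
    dtc -I dtb -O dts "$in_dtb" | widen_bus_range > "$tmp_dts"
    dtc -I dts -O dtb -o "$out_dtb" "$tmp_dts"
    rm -f "$tmp_dts"
}

# Constructed sample of what the relevant node looks like after decompiling;
# the node label is an assumption, the bus-range value is the stock one.
SAMPLE_DTS='pcie@7d500000 {
	bus-range = <0x0 0x1>;
};'

# Only touch real files when dtc is installed and two paths were given.
if [ "$#" -eq 2 ] && command -v dtc >/dev/null 2>&1; then
    patch_dtb "$1" "$2"
fi
```

After booting the patched tree, `lspci` should list the downstream devices instead of just the bridge.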

[Thanks to Paulie for the tip.]

Ham Radio Company Wins Big

It is sort of the American dream: start a company in your garage and have it get crazy big. After all, Steve Jobs, Bill Gates, and even Bill Hewlett and Dave Packard did it. Seems hard to do these days, though. However, one ham radio company that has been pushing the edge of software defined radio appears to be well on the way to becoming more than its roots. FlexRadio has teamed with Raytheon to undertake a major project for the United States Air Force.

The Air Force has given Raytheon and FlexRadio $36 million to develop an HF radio based on the existing SmartSDR/Flex-6000. ARRL news reports quote FlexRadio’s CEO as saying that the investment in the military radios will pay dividends to the firm’s ham radio customers.


Handmade LED Cube Is A Work Of Art

We see all kinds of projects come across the news desk at Hackaday. Sometimes it’s a bodge, neatly executed, that makes us laugh out loud at its simple ingenuity. Other times, it’s a case of great skill and attention to detail, brought to bear to craft something of great beauty. [Greg Davill]’s LED cube is firmly the latter.

The matte black finish makes the artwork really pop. Note the matrix of tiny pads for the LEDs on the backside.

The build starts with custom four layer PCBs, in matte black with gold-plated pads. It’s a classic color scheme, and sets the bar for the rest of the project. Rather than proceeding to hook up some commodity microcontrollers to off-the-shelf panels, [Greg] goes his own way. Each PCB gets a 24×24 raw LED matrix, directly soldered on the back side. By producing a “dumb” matrix, there are large savings in current draw to be had over the now-popular smart strings.

The panels are then loaded into a tidy 3D printed cube, with space inside for the FPGA running the show and a power supply. Five panels are held in with double-sided tape and screws, with the last being installed with magnets to allow access to the inside. Neatly folded flat-flex cables are pressed into service to connect everything up.

It’s a build that shows there is value in doing things your own way, and that the new methods don’t always beat out the old. With careful consideration of aesthetics from the start to the end of the project, [Greg] has built an LED cube both astounding in its simplicity, and beautiful in its execution. We’ve seen [Greg]’s work before, too – it’s not too often hand soldered BGAs cross these pages. Video after the break.


Print A Drill Press For Your Printed Circuit Boards

If you make printed circuit boards the old fashioned way by etching them yourself, you may need to drill a lot of holes; even surface-mount converts still need header pins on occasion. But, drilling these holes by hand often leads to broken drill bits, which always seems to happen with one un-drilled hole and no spare bits left. [Daumemo] came up with a solution: a 3D printed drill press for a Dremel or similar rotary tool.

While you can buy commercial presses designed to fit these tools, there’s a certain satisfaction to building your own, and if you have a well-stocked parts bin you might even finish it before a mail-ordered version could arrive. Certainly you could do it at lower cost. The design is straightforward, and uses printed parts augmented with “reprap vitamins” (i.e. the non-printable, typically metal, components). If you’ve ever built — or repaired — a 3D printer, you may have these pieces already: a couple of LM8UU bearings, some 8 mm steel rod, and a pair of springs seem like the most esoteric parts required, although even these could probably be substituted without much trouble.

Only a few pieces need to be printed: a base is outfitted with a removable table for holding the workpiece, while a lever actuates the frame holding the tool. [Daumemo] chose to print the design in ABS, but found that it flexes a little too much, occasionally requiring some care during use — a stiffer filament such as PLA might yield better results. Overall, though, this seems like a great project for that 3D printer you haven’t used in a while.

Be sure to check out the video of the press in action, after the break.
