This Week In Security: What’s Up With Whatsapp, Windows XP Patches, And Cisco Is Attacked By The Thrangrycat

Whatsapp allows for end-to-end encrypted messaging, secure VoIP calls, and until this week, malware installation when receiving a call. A specially crafted series of SRTCP packets, sent as part of a call to the target's phone number, triggers a buffer overflow in the app's VoIP stack and executes code on the target device; the call doesn't even need to be answered. The vulnerability was apparently found first by a surveillance company, NSO Group. NSO is known for Pegasus, a commercial spyware program that they've marketed to governments and intelligence agencies, and which has been implicated in a number of human rights violations and even the assassination of Jamal Khashoggi. It seems that this Whatsapp vulnerability was one of the infection vectors used by the Pegasus program. After independently discovering the flaw, Facebook pushed a fixed client on Monday. Note that end-to-end encryption is no help here: the overflow happens in the receiving app, after the traffic has already been decrypted, so the only real defence is updating the client.
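To make the bug class concrete, here is an added example, my own code rather than WhatsApp's (its VoIP stack is closed source and the exact bug has not been published), of the shape a packet-handling buffer overflow usually takes. An RTCP header carries a length field, and a parser that trusts it will copy an attacker-chosen number of bytes. The vulnerable routine sits beside the hardened one; the two packets are constructed for the example, and the 256-byte frame buffer is an arbitrary assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer a naive parser copies a packet into (assumed). */
#define FRAME_MAX 256

/* RTCP fixed header (RFC 3550 6.4.1): V(2) P(1) RC(5) | PT(8) | length(16).
 * The length field counts 32-bit words in the packet, minus one. */
size_t rtcp_declared_len(const uint8_t *hdr)
{
    uint16_t words = (uint16_t)(((uint16_t)hdr[2] << 8) | hdr[3]);
    return ((size_t)words + 1) * 4;
}

/* VULNERABLE: trusts the attacker-controlled length field.
 * With a packet that declares more words than were received, memcpy reads
 * past the end of pkt and writes past the FRAME_MAX-byte destination. */
int rtcp_copy_vulnerable(const uint8_t *pkt, size_t pkt_len,
                         uint8_t frame[FRAME_MAX])
{
    if (pkt_len < 4)
        return -1;
    size_t len = rtcp_declared_len(pkt);
    memcpy(frame, pkt, len);          /* no check against pkt_len or FRAME_MAX */
    return (int)len;
}

/* HARDENED: the declared length is validated against both the bytes that
 * actually arrived and the capacity of the destination before any copy. */
int rtcp_copy_hardened(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *frame, size_t frame_cap)
{
    if (pkt_len < 4)
        return -1;                    /* not even a full header */
    if ((pkt[0] >> 6) != 2)
        return -4;                    /* RTCP version must be 2 */
    size_t len = rtcp_declared_len(pkt);
    if (len > pkt_len)
        return -2;                    /* claims bytes that never arrived */
    if (len > frame_cap)
        return -3;                    /* would not fit the destination */
    memcpy(frame, pkt, len);
    return (int)len;
}

/* Constructed sample packets, not captured traffic. */
/* A well-formed empty Receiver Report: length = 1 word, 8 bytes in total. */
const uint8_t BENIGN_RR[8]  = { 0x80, 0xC9, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF };
/* The same 8 bytes on the wire, but the header claims 256 words = 1024 bytes. */
const uint8_t CRAFTED_RR[8] = { 0x80, 0xC9, 0x00, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void)
{
    uint8_t frame[FRAME_MAX];

    printf("benign declares %zu bytes, hardened copy -> %d\n",
           rtcp_declared_len(BENIGN_RR),
           rtcp_copy_hardened(BENIGN_RR, sizeof BENIGN_RR, frame, sizeof frame));
    printf("crafted declares %zu bytes, hardened copy -> %d\n",
           rtcp_declared_len(CRAFTED_RR),
           rtcp_copy_hardened(CRAFTED_RR, sizeof CRAFTED_RR, frame, sizeof frame));
    /* rtcp_copy_vulnerable(CRAFTED_RR, ...) would smash `frame` and whatever
     * sits next to it on the stack; it is deliberately not called here. */
    return 0;
}
```

The two checks in the hardened version are independent: a packet can be internally consistent (declared length matches what was received) and still be larger than the buffer it is being copied into, so validating against `pkt_len` alone is not enough.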

Windows XP Patched Against Wormable Vulnerability

What year is it!? This Tuesday, Microsoft released a patch for Windows XP, five years after support for the venerable OS officially ended. It's reminiscent of the last time Microsoft patched Windows XP, when Wannacry was the crisis. This week, Microsoft patched a Remote Desktop Protocol (RDP) vulnerability in Remote Desktop Services, CVE-2019-0708. The vulnerability allows an attacker to connect to the RDP service, send a specially crafted request, and execute arbitrary code on the system, before any authentication takes place and without any user interaction. Since no authentication is required, the vulnerability is considered “wormable”: exploitable by a self-replicating program, just as the SMB flaw behind Wannacry was.

Windows XP through Windows 7 have the flaw, along with Server 2003, 2008 and 2008 R2; Windows 8 and 10 are not affected. Fixes were rolled out for the affected versions, though notably not for Windows Vista. It's been reported that it's possible to download the patch for Server 2008 and manually apply it to Windows Vista. That said, it's high time to retire the unsupported systems, or at least disconnect them from the network. Until a machine is patched, two mitigations go a long way: enable Network Level Authentication (NLA), which forces a successful login before the vulnerable code is reachable, and don't expose TCP port 3389 to untrusted networks at all.

The Worst Vulnerability Name of All Time

Thrangrycat, or more accurately “😾😾😾”, is a newly announced vulnerability in Cisco products, discovered by Red Balloon Security. Cisco uses secure boot on many of their devices in order to prevent malicious tampering with device firmware. Secure boot is anchored in a separate hardware component, the Trust Anchor module (TAm), which checks that the rest of the system is running properly signed firmware before the boot is allowed to proceed. The only problem with this scheme is that the TAm itself is not immutable. It is implemented in an FPGA, and the bitstream that configures that FPGA is loaded from flash on the board and is not itself verified. The researchers showed that an attacker who already has root on the device can modify that bitstream so the TAm no longer enforces the check, totally defeating the secure boot mechanism, and doing so persistently, since the change survives reboots and firmware reinstallation.

The name of the attack, thrangrycat, might be a satirical shot at other ridiculous vulnerability names. Naming issues aside, it's an impressive bit of work, numbered CVE-2019-1649. At the same time, Red Balloon Security disclosed another vulnerability that allows command injection by an authenticated user of the web interface; chain the two and a remote login becomes a persistent bypass of secure boot. Because the fix is a new FPGA bitstream rather than an ordinary software update, check Cisco's advisory for how, and whether, your particular platform gets remediated.

Odds and Ends

See a security story you think we should cover? Drop us a note in the tip jar!

Stick Your Own Samples In The Cheetah SpecDrum

The Sinclair ZX Spectrum was a popular computer in the 8-bit era, and particularly so in its homeland of the United Kingdom. It was known more for its low cost than its capabilities, but it gained many add-ons over the years. One of those was the Cheetah SpecDrum, which turned the Spectrum into a rudimentary drum machine. [PianoMatt] wasn’t happy with the original drum samples, so he set about loading a custom kit into the SpecDrum.

Cheetah sold extra sample tapes for the SpecDrum, so [PianoMatt] knew that loading custom samples was an achievable task. He started by loading the software in an emulator, then exported the RAM as raw data and opened it in Audacity's raw import, trying sample rates and encodings until the waveform looked right. After some experimentation, it was determined that the samples were stored as 8-bit PCM at a sample rate of approximately 20 kHz. With this figured out, it was then possible to write replacement samples directly into RAM through the emulator.

However, this wasn’t enough for [PianoMatt]. Further digging enabled him to reverse engineer the format of the replacement sample tapes. Armed with this knowledge, [PianoMatt] then generated his own tape, complete with proper headers and labels for each drum sound.
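As an added example, not [PianoMatt]'s code, here is the conversion step for that format in C: take 16-bit PCM at any sample rate and produce 8-bit samples at 20 kHz, ready to poke into emulator RAM. The article doesn't say whether the SpecDrum treats the bytes as signed or unsigned, so unsigned (silence is 0x80) is an assumption here, as is the test signal, which is synthesised rather than taken from a tape.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Target format as described in the article: 8-bit samples at about 20 kHz.
 * Unsigned bytes with 0x80 as silence is an assumption, not from the article. */
#define SPECDRUM_RATE 20000u

/* Convert 16-bit signed mono PCM at in_rate to 8-bit unsigned PCM at
 * out_rate, interpolating linearly between neighbouring input samples.
 * Returns the number of output samples written (0 on bad arguments). */
size_t pcm16_to_pcm8(const int16_t *in, size_t n_in, unsigned in_rate,
                     unsigned out_rate, uint8_t *out, size_t out_cap)
{
    if (!in || !out || n_in == 0 || in_rate == 0 || out_rate == 0)
        return 0;
    /* number of output samples covering the same duration, rounded down */
    size_t n_out = (size_t)(((uint64_t)n_in * out_rate) / in_rate);
    if (n_out > out_cap)
        n_out = out_cap;
    double step = (double)in_rate / (double)out_rate; /* input samples per output sample */
    for (size_t i = 0; i < n_out; i++) {
        double pos = (double)i * step;
        size_t k = (size_t)pos;
        if (k >= n_in)
            k = n_in - 1;
        double frac = pos - (double)k;
        double a = in[k];
        double b = (k + 1 < n_in) ? in[k + 1] : in[k];
        double v = a + (b - a) * frac;            /* still in -32768..32767 */
        /* keep the top 8 bits and shift to unsigned: silence becomes 0x80 */
        out[i] = (uint8_t)(128 + (int)v / 256);
    }
    return n_out;
}

/* Synthetic "kick" for demonstration: a decaying 60 Hz square wave.
 * Constructed test signal, not a sample from the SpecDrum tapes. */
size_t make_test_kick(int16_t *buf, size_t n, unsigned rate)
{
    size_t half_period = rate / 120;                /* 60 Hz -> 120 half-cycles per second */
    if (half_period == 0)
        half_period = 1;
    for (size_t i = 0; i < n; i++) {
        int sign = ((i / half_period) & 1) ? -1 : 1;
        int amp = (int)(30000 * (n - i) / n);      /* linear decay to zero */
        buf[i] = (int16_t)(sign * amp);
    }
    return n;
}

int main(void)
{
    static int16_t src[44100 / 4];                  /* 250 ms at 44.1 kHz */
    static uint8_t dst[SPECDRUM_RATE / 4 + 1];
    size_t n_src = sizeof src / sizeof src[0];
    make_test_kick(src, n_src, 44100);
    size_t n = pcm16_to_pcm8(src, n_src, 44100, SPECDRUM_RATE, dst, sizeof dst);
    FILE *f = fopen("kick_8bit_20k.raw", "wb");     /* raw bytes, no header */
    if (f) {
        fwrite(dst, 1, n, f);
        fclose(f);
    }
    printf("wrote %zu samples (%.1f ms)\n", n, 1000.0 * (double)n / SPECDRUM_RATE);
    return 0;
}
```

If the result plays back with a harsh, clipped sound, the signedness guess is the first thing to flip: the same bytes read as signed instead of unsigned put silence at 0x00 and shift every sample by half the range.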

It’s a tidy effort to bring a more modern sound to a now positively ancient piece of hardware. We’d love to hear a track with drums courtesy of the SpecDrum, so we’ll keep an ear out on Soundcloud. Mucking around with old sound hardware is a popular pastime in these parts – we’ve even seen people go so far as to build bespoke Sega chiptune players from scratch. 

Paperclip Breadboard

TV’s MacGyver would love the breadboard arrangement we saw recently: it uses paperclips and crimping to make circuits that can be more or less permanent with no soldering. The basic idea is simple. A cardboard base has a piece of paper affixed. Metal paperclips are bent straight and glued to the paper using PVA glue (you know, like ordinary Elmer’s; hot glue would probably work, too). You could probably salvage wires out of old house wiring that would work for this, too.

The scheme uses two sizes of paper clips. Large ones are made straight and form the rails, while small paperclips make connections. The rails are bent to have a little “ear” that pushes into the cardboard base to hold them still. A little glue stabilizes them. The ears poke out the back, so the author suggests covering them with duct tape, hot glue, or another piece of cardboard. Using the top of a shoebox would also solve the problem.


Design Tips For Easier CNC Milling

CNC machining is a wonderful thing, taking away a lot of the manual work required in machining and replacing it with accurate, repeatable computer control. However, this doesn’t mean that you can simply click a few buttons and become a great machinist overnight. There are a wide variety of skills involved in utilizing these tools effectively, and [Adam Bender] has created a guide to help budding makers learn the skills of design for CNC milling. 

[Adam]’s guide starts from a basic level, considering 3-axis CNC milling with the most commonly used tools. From there, a whole range of tips, tricks, and potential pitfalls are discussed to help new machinists get to grips with CNC milling. Everything from dogbone corners to tool selection and feature heights is covered, as well as cost-saving techniques like minimising the number of setups required.

These are skills any engineer will learn in a hurry when approaching an experienced CNC machinist, but it’s always better to go in forewarned and forearmed. Of course, for those eager to not just work with, but build their own CNC machine, we’ve covered that base too. Video after the break.


Lateral Thinking For An Easier Charlieplex

In the practical world we live in, PCBs are often rectangles (or rectangles with rectangles, it’s just rectangles all the way down). When a designer goes to schematic capture things are put down on nice neat grid intersections; and if there isn’t a particular demand during layout the components probably go on a grid too. Routing even the nastiest fractal web of traces is mostly a matter of layers and patience. But if the layout isn’t being done in a CAD tool and needs to be hand assembled free-form this isn’t always as simple. [M Rule] had this very problem and discovered a clever solution, turning things diagonal.

They changed the fitness criterion of the optimization problem that is driving a lot of LEDs. Instead of the minimum number of pins, the goal became “easiest assembly”, which meant avoiding wires snaking back and forth across the layout, a big source of frustration in a big Charlieplexed design. The observation was that if they turned a rectilinear LED matrix by 45° and wrapped each connection around at the edges, it formed what was essentially a large multiplexed matrix. The topology is pretty mind bending, so take a minute to study the illustration and build your mental model.

It looks a little strange, but this display works the same way a normal multiplexed display does but with the added benefit that each trace flows from one side to the other without turning back on itself at any point. To light any LED set the right row/column pair as source/sink and it turns on!

What if you actually need a rectangular display? Well that’s no problem, the matrix can be bent and smooshed as desired to change its shape. At the most extreme the possible display topologies get pretty wild! We’re sure to try thinking laterally next time we need to design an unusual display, maybe there is a more efficient matrix to be found.

Using A Cheap Handheld Radio As A Morse Transceiver

Both grizzled hams and potential future amateur radio operators are well-served by the market these days. Powerful and capable UHF and VHF handheld transceivers can now be had for well under $100, something unimaginable as recently as 20 years ago. Of course, a major part of the amateur radio scene used to be Morse code. Not to worry though, you can do that with a handheld, too!

The setup is simple but effective. A Morse code trainer generates a sidetone in response to input from a Morse key. This audio is fed into the headset port of a Baofeng handheld transceiver, and a toggle switch wired across the Push-To-Talk (PTT) line keys the transmitter when required.

It's a little different from a true continuous-wave (CW) transmitter, which keys the carrier itself on and off. Here the tone rides on an ordinary FM voice signal, so strictly it's modulated CW (MCW), and because the FM carrier is on the whole time it doesn't get CW's narrow-bandwidth advantage; what carries over is the keying practice and the ear training. But it gets the job done. Morse code has always been appreciated in situations where voice transmission is difficult due to low bandwidth or interference, and now it's easy for new hams to give it a try.

Morse code can be a trial to learn, but spare a thought for the folks who had to pick it up back in 1939. Video after the break.


Integrated Circuits Can Be Easy To Understand With The Right Teachers

For years I’ve been trying to wrap my mind around how silicon chips actually work. How does a purposefully contaminated shard of glass wield control over electrons? Every once in a while, someone comes up with a learning aid that makes these abstract concepts really easy to understand, and this was the case with one of the booths at Maker Faire Bay Area. In addition to the insight it gave me (and hundreds of Faire-goers), here is an example of the best of what Maker Faire stands for. You’ll find a video of their presentation embedded below, along with closeup images of the props used at the booth.

The Uncovering the Silicon booth had a banner and a tablecloth, but was otherwise so unassuming that many people I spoke with missed it. Windell Oskay, Lenore Edman, Eric Schlepfer, John McMaster, and Ken Shirriff took a 50-year-old logic chip and laid it bare for anyone who cared to stop and ask what was on display. The Fairchild μL914 is a dual NOR gate, and its age matters because the silicon is not just simple, it's enormous by today's standards, making it relatively easy to peer inside with tools available to the individual hacker.

ATmega328 decapped by John McMaster was also on display at this booth

The first challenge is just getting to the die itself. This is John McMaster's specialty, which you may know from his Silicon Pr0n website. He decapped the chip (as well as an ATmega328 that was running the Arduino blink sketch with its silicon exposed). Visitors to the booth could look through the microscope and see the circuit for themselves. But looking doesn't mean understanding, and that's where this exhibit shines.

To walk us through how this chip works, a stack-up of laser-cut acrylic demonstrates the base, emitter, and collector of a single transistor. The color coding and shape of this small model make it easy to pick out the six transistors of the μL914 on a full model of the chip. This lets you begin to trace out the function of the circuit.

For me, a real ah-ha moment was the resistors in the design. A resistor on the die is just a strip of moderately doped silicon, which conducts far worse than the heavily doped regions that form the transistor terminals. But how do you zero in on the desired resistance for each part? Not by changing the doping; that is the same for every resistor on the chip. The trick is geometry: a doped layer has a fixed resistance per square, so a resistor's value is set by its length-to-width ratio, roughly R = R_sheet × L / W. Make the strip long and thin and the resistance goes up; make it short and fat and it goes down, which is why the nice fat resistor in the lower right of the model is the low-value one. The proof for these models was the final showpiece of the exhibit, as the artwork of the silicon die was laid out as a circuit board with discrete transistors used to recreate the functionality of the original chip.

Windell takes us through the booth presentation in the video below. I think you’ll be impressed by the breakdown of these concepts and how well they aid in understanding. This was a brilliant concept for an exhibit; it brought together interdisciplinary experts whom I respect and whose work I follow, and sought to invite everyone to gain a better understanding of the secrets hiding in the chips that underpin this technological age. This is exactly the kind of thing I love to see at a Maker Faire.
