This Week In Security: Macstealer, 3CX Carnage, And Github’s Lost Key

There’s a naming overload here, as two bits of security news this week are using the “MacStealer” moniker. We’re first going to talk about the WiFi vulnerability, also known as Framing Frames (pdf). The WPA encryption schemes introduced pairwise encryption, ensuring that not even other authenticated users can sniff each other’s traffic. At least that’s the idea, but this attack finds a couple of techniques to bypass that protection.

A bit more background: there are a couple of ways that packets can be delayed at the sender side. One of those is the power-save message, which signals the access point that the given client is going into a low-power state. “Hold my calls, I’m going to sleep.” That message is a single bit in a frame header. And notably, that bit isn’t covered by WPA encryption or verification. An attacker can send a message, spoof a victim’s MAC address, and the access point marks that client as being in power-save mode.

This observation leads to a question: What happens when the encryption details change between the packet joining the queue, and actually transmitting? Turns out, the specifications on WiFi encryption don’t spell it out, and some implementations do the last thing you’d want, like sending the packets in the clear. Whoops. This behavior was the case in the Linux kernel through version 5.5.0, but starting with 5.6.0, the buffered packets were simply dropped when the encryption key was unavailable.
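To make the access-point side of this concrete, here is a small Python model of the buffering logic described above. It is an added illustration, not code from the article or from any WiFi stack: the `AccessPoint`, `Client` and `Frame` classes, the `leak_on_missing_key` switch and the MAC address and key bytes are all constructed for the example. The switch contrasts the two behaviours the text mentions: transmitting queued frames even when the pairwise key is gone (the pre-5.6 behaviour) versus dropping them (the fix).

```python
"""Constructed model of an AP queueing frames for a client in power-save mode.

The power-save bit in the frame header is not protected by WPA, so the AP
has to treat it as untrusted input. The security-relevant decision is what
to do with frames that were queued while a key was installed but are flushed
after that key has been removed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    dst: str
    payload: bytes
    encrypted: bool  # whether the frame was protected when put on the air


@dataclass
class Client:
    mac: str
    key: Optional[bytes]          # pairwise key; None once torn down
    power_save: bool = False
    queue: List[bytes] = field(default_factory=list)


class AccessPoint:
    def __init__(self, leak_on_missing_key: bool) -> None:
        # True models "send buffered frames in the clear when the key is gone";
        # False models the corrected "drop when the key is unavailable".
        self.leak_on_missing_key = leak_on_missing_key
        self.clients: Dict[str, Client] = {}
        self.sent: List[Frame] = []   # everything actually transmitted

    def associate(self, mac: str, key: bytes) -> None:
        self.clients[mac] = Client(mac=mac, key=key)

    def set_power_save(self, mac: str, flag: bool) -> None:
        # Unauthenticated header bit: the AP cannot tell who really sent it.
        client = self.clients[mac]
        client.power_save = flag
        if not flag:
            self._flush(client)

    def deliver(self, mac: str, payload: bytes) -> None:
        client = self.clients[mac]
        if client.power_save:
            client.queue.append(payload)   # hold until the client wakes up
        else:
            self._transmit(client, payload)

    def remove_key(self, mac: str) -> None:
        # e.g. the client disconnects or reassociates while frames are queued
        self.clients[mac].key = None

    def _transmit(self, client: Client, payload: bytes) -> None:
        if client.key is not None:
            self.sent.append(Frame(client.mac, payload, encrypted=True))
        elif self.leak_on_missing_key:
            self.sent.append(Frame(client.mac, payload, encrypted=False))
        # else: dropped, which is the safe choice

    def _flush(self, client: Client) -> None:
        while client.queue:
            self._transmit(client, client.queue.pop(0))


def run_scenario(leak_on_missing_key: bool) -> List[Frame]:
    """Queue a frame under power-save, tear down the key, then flush."""
    victim = "02:00:00:00:00:01"        # constructed MAC address
    ap = AccessPoint(leak_on_missing_key)
    ap.associate(victim, key=b"constructed-pairwise-key")
    ap.set_power_save(victim, True)     # header bit, not authenticated
    ap.deliver(victim, b"queued while asleep")
    ap.remove_key(victim)               # key change before transmission
    ap.set_power_save(victim, False)    # queue is flushed now
    return ap.sent


def cleartext_count(frames: List[Frame]) -> int:
    """The number a maintainer wants to see as zero."""
    return sum(1 for f in frames if not f.encrypted)


if __name__ == "__main__":
    print("leaky AP :", cleartext_count(run_scenario(True)), "cleartext frame(s)")
    print("fixed AP :", cleartext_count(run_scenario(False)), "cleartext frame(s)")
```

The useful check for anyone reviewing a driver or AP firmware is the one in `_transmit`: a frame that was accepted for a protected link must never leave the queue unprotected, so a missing key at flush time has to mean drop, not send.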

Graphene And Copper Nanowire Thermal Interface With Low Thermal Resistance

With the increasing waste heat production by today’s electronics in ever smaller spaces, drawing this heat away quickly enough to prevent thermal throttling or damage is a major concern. This is where research by Lin Jing and colleagues from Carnegie Mellon University’s Department of Mechanical Engineering demonstrates a thermal interface material (TIM) that should provide a significant boost here. In the article, published in ACS Nano (paywalled; open access preprint alternative) the construction of this copper and graphene ‘sandwich’ TIM is described, along with tests.

The general idea is to use pillars between the two surfaces that can quickly carry the heat from the hot surface to the cool one. Although pure copper versions exist and do work, they suffer from the complications of having to build up these copper pillars in place, and subsequent oxidation reducing the effectiveness. While graphene and similar materials have shown superior heat-transfer capabilities, interfacing these materials with copper and other metals has proven problematic.

What Lin Jing et al. demonstrate in this study is to use essentially the pure copper approach, but to combine it with earlier research by Raghav Garg et al. (2017), who demonstrated how to grow 3-dimensional graphene structures. By cladding the copper pillars with graphene, this material improves heat transfer by 60%, while preventing oxidation of the metal. While the challenge is obviously to transfer these findings to something that can be mass-produced for consumer devices, it demonstrates how much potential there is in the use of graphene, which is a relatively new material for such applications due to how hard it was to produce until recently.


Security Vulnerabilities In Modern Cars Somehow Not Surprising

As the saying goes, there’s no lock that can’t be picked, much like there’s no networked computer that can’t be accessed. It’s usually a continual arms race between attackers and defenders — but for some modern passenger vehicles, which are essentially highly mobile computers now, the defenders seem to be asleep at the wheel. The computing systems that control these cars can be relatively easy to break into thanks to manufacturers’ insistence on using wireless technology to unlock or activate them.

This particular vulnerability involves the use of a piece of software called gattacker which exploits vulnerabilities in Bluetooth Low Energy (BLE), a common protocol not only for IoT devices but also to interface a driver’s smartphone or other wireless key with the vehicle’s security system. By using a man-in-the-middle attack the protocol between the phone and the car can be duplicated and the doors unlocked. Not only that, but this can be done without being physically close to the car as long as a network of some sort is available.

[Kevin2600] successfully performed these attacks on a Tesla Model 3 and a few other vehicles using the seven-year-old gattacker software and methods first discovered by security researcher [Martin Herfurt]. Some other vehicles seem to have patched these vulnerabilities as well, and [Kevin2600] didn’t have universal success with every vehicle, but it does remind us of some other vehicle-based attacks we’ve seen before.

The ChipWhisperer adapter plugged into a ChipWhisperer, with the STM chip mentioned soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In retro gaming world, a crowdfunding campaign for a game called PAPRIUM has seen a huge success getting funded in 2017. However, the campaign has grossly underdelivered throughout the last five years, and out of those rare cartridges delivered to backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so the repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of the protection mechanisms is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection bypass exploration, and has quite a few configuration jumpers anyone facing a similar chip is able to use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is, still, quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

FPS Game Engine Built In Ancient Macintosh HyperCard Software

Wolfenstein 3D and Doom are great examples of early FPS games. Back in that era, as Amiga was slowly losing its gaming supremacy to the PC, Apple wasn’t even on the playing field. However, [Chris Tully] has used the 90s HyperCard platform to create an FPS of his own, and it’s charming in what it achieves.

If you’re not familiar with it, HyperCard was a strange combination of database, programming language, and graphical interface system all rolled into one. It made developing GUI apps for the Macintosh platform simpler, with some limitations. It was certainly never intended for making pseudo-3D video games, but that just makes [Chris’s] achievement all the more impressive.

At this stage, [Chris’s] game doesn’t feature any NPCs, weapons, or items yet. It’s thus more of a First Person Walker than First Person Shooter. It features four small rooms with perpendicular, vertical walls, rendered either greyscale or 8-bit color. Now that he’s got the basic engine running, [Chris] is looking to recreate a bit of a Doom RPG experience, rather than copying Doom itself. He hopes to add everything from monsters to weapons, lava, and working HUD elements. If you want to dive in to the code, you can – HyperCard “stacks”, as they’re known, are made up of readily editable scripts.

[Chris] built the project to celebrate the aesthetic and limitations of the original Mac platform. While it could technically run on original hardware, it would run incredibly slowly. It currently takes several seconds to update the viewport on an emulated Mac Plus with 4MB of RAM. Thankfully, emulation on a modern PC can be sped up a lot to help the framerate.

We love seeing HyperCard pushed far beyond its original limits. We’ve seen it before, too, such as when it was used on a forgotten 90s Apple phone prototype. If you’ve been hacking away on retro software yourself, we’d love to see your projects on the tipsline!

Wii Turned Expansion Card For Broadcast Monitor

For the proper retro gaming aesthetic, plenty of gamers look to old CRT displays. Older games can look better on these displays because the original programmers took their visual characteristics into account. Finding a CRT from the 90s or early 2000s is one option, but an even better option is a broadcast video monitor (BVM), an extremely high-quality CRT with some other features, like the ability to install a Wii straight into an expansion port on the monitor itself (Nitter).

These monitors were, as their name implies, made for broadcast TV productions. As such, they don’t have the typical video connections that might be found on a consumer unit. Instead, they used modular cards to interface with the monitor. Thanks to an open design for cards made for Sony monitors, [ShankMods] was able to make one for the Wii by “trimming” away the unnecessary parts of the console’s PCB and mapping its video and audio outputs to the slot connector.

While the Wii might not be everyone’s idea of retro, it was still a console that came out when plenty of people still had CRTs as their primary home television. It isn’t as necessary to have a CRT for a Wii as some of the older consoles, but it was very easily adaptable to this single-board design. If you don’t have a CRT and still want the CRT feel, there are ways of retrofitting a more modern display to get this effect, though.

Thanks to [Jonas] for the tip!

All About USB-C: High-Speed Interfaces

One amazing thing about USB-C is its high-speed capabilities. The pinout gives you four high-speed differential pairs and a few more lower-speed pairs, which let you pump giant amounts of data through a connector smaller than a cent coin. Not all devices take advantage of this capability, and they’re not required to – USB-C is designed to be accessible for every portable device under the sun. When you have a device with high-speed needs exposed through USB-C, however, it’s glorious just how much USB-C can give you, and how well it can work.

The ability to get a high-speed interface out of USB-C is called an Alternate Mode, “altmode” for short. The three altmodes you can encounter nowadays are USB3, DisplayPort and Thunderbolt; a few have faded into obscurity, like HDMI and VirtualLink, and some are up and coming, like USB4. Most altmodes require digital USB-C communication, using a certain kind of message over the PD channel. That said, not all of them do – USB3 is the simplest one. Let’s go through what makes an altmode tick.