This Week In Security: M1RACLES, The Full Half-Double, And Patch Gaps

We occasionally make fun of new security vulnerabilities that have a catchy name and shiny website. We’re breaking new ground here, though, in covering a shiny website that makes fun of itself. So first off, this is a real vulnerability in Apple’s brand-new M1 chip. It’s got CVE-2021-30747, and in some very limited cases, it could be used for something malicious. The full name is M1ssing Register Access Controls Leak EL0 State, or M1RACLES. To translate that trying-too-hard-to-be-clever name to English, a CPU register is left open to read/write access from unprivileged userspace. It happens to be a two-bit register that doesn’t have a documented purpose, so it’s perfect for smuggling data between processes.

Do note that this is an undocumented register. If it turns out that it actually does something important, this vulnerability could get more serious in a hurry. Until then, thinking of it as a two-bit vulnerability seems accurate. For now, however, the most we have to worry about is that two processes can use this to pass information back and forth. This isn’t like Spectre or Rowhammer where one process is reading or writing to an unrelated process, but both of them have to be in on the game.

The discoverer, [Hector Martin], points out one example where this could actually be abused: to bypass permissions on iOS devices. It’s a clever scenario. Third party keyboards have always been just a little worrying, because they run code that can see everything you type, passwords included. The long-standing advice has been to never use such a keyboard, if it asks for network access permissions. Apple has made this advice into a platform rule — no iOS keyboards get network access. What if a device had a second malicious app installed, that did have Internet access permissions? With a covert data channel, the keyboard could shuffle keystrokes off to its sister app, and get your secrets off the device.

So how much should you care about CVE-2021-30747? Probably not much. The shiny site is really a social experiment to see how many of us would write up the vulnerability without being in on the joke. Why go to the hassle? Apparently it was all an excuse to make this video, featuring the appropriate Bad Apple!! music video.

Half-Double’ing Down on Rowhammer

A few days ago, Google announced the details of Half-Double, and the glass is definitely Half-Double full with all the silly puns that come to mind. The concept is simple: if Rowhammer works because individual rows of RAM are so physically close together, does further miniaturization enable attacks against bits two rows away? The answer is a qualified yes.

Quick refresher: Rowhammer is an attack first demonstrated against DDR3 back in 2014, where rapid access to one row of memory can cause bit-flip errors in the neighboring row. Since then, there have been efforts by chip manufacturers to harden against Rowhammer, including detection techniques. At the same time, researchers have kept advancing the art through techniques like Double-Sided Rowhammer, randomizing the order of reads, and attempts to synchronize the attack with the RAM’s refresh intervals. Half-Double is yet another way to overcome the protections built into modern RAM chips.

We start by specifying a particular RAM row as the victim (V). The row right beside it will be the near aggressor row (N), and the next row over we call the far aggressor row (F). A normal Rowhammer attack would simply alternate between reading from the near aggressor and a far-off decoy, rapidly toggling the row select line, which degrades the physical charge in neighboring bits. The Half-Double attack instead alternates between the far aggressor and a decoy row for 1000 cycles, and then reads from the near aggressor once. This process is repeated until the victim row has a bit flip, which often happens within a few dozen iterations. Because the hammering isn’t right beside the victim row, the built-in detection applies its mitigations to the wrong rows, the neighbors of F rather than of N, allowing the attack to succeed in spite of the mitigations.
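To make the “wrong row” point concrete, here is a small model of a counter-based mitigation of the kind described above (a row whose activation count crosses a threshold gets its two neighbors refreshed). It is an added illustration, not Google’s or any DRAM vendor’s code, and the threshold, the row numbering and the refresh rule are all assumptions; it models nothing about actual memory and only reports which rows the mitigation would refresh under the two access patterns the text describes.

```python
# Toy model of a counter-based Rowhammer mitigation and the rows it refreshes.
# Added example; threshold, row layout and refresh rule are assumptions.

from collections import Counter

THRESHOLD = 500  # assumed: activations before a row's neighbours get refreshed

# Row numbers are constructed for the example: victim, near aggressor,
# far aggressor, and a decoy row far away from all of them.
V, N, F, DECOY = 10, 11, 12, 500


def mitigated_rows(access_pattern, threshold=THRESHOLD):
    """Return the set of rows the (assumed) mitigation refreshes.

    Rule modelled: keep an activation counter per row; when a row's counter
    reaches the threshold, refresh the two rows adjacent to it and reset the
    counter. This is the adjacent-row assumption the text says Half-Double
    exploits."""
    counts = Counter()
    refreshed = set()
    for row in access_pattern:
        counts[row] += 1
        if counts[row] >= threshold:
            refreshed.update({row - 1, row + 1})
            counts[row] = 0
    return refreshed


def classic_pattern(iterations=20, hammer=1000):
    """Classic Rowhammer as described: alternate near aggressor and decoy."""
    pattern = []
    for _ in range(iterations):
        for _ in range(hammer):
            pattern += [N, DECOY]
    return pattern


def half_double_pattern(iterations=20, hammer=1000):
    """Half-Double as described: hammer F against the decoy for `hammer`
    cycles, then touch N once, and repeat."""
    pattern = []
    for _ in range(iterations):
        for _ in range(hammer):
            pattern += [F, DECOY]
        pattern.append(N)
    return pattern


def victim_protected(pattern):
    """True if the mitigation ever refreshed the victim row for this pattern."""
    return V in mitigated_rows(pattern)


if __name__ == "__main__":
    for name, pattern in (("classic", classic_pattern()),
                          ("half-double", half_double_pattern())):
        rows = sorted(mitigated_rows(pattern))
        print(f"{name:12s} refreshed rows {rows}; victim protected: "
              f"{victim_protected(pattern)}")
```

With the classic pattern the hammered row is N, so the refresh lands on N’s neighbors, V and F, and the victim is protected. With the Half-Double pattern the counter trips on F, the refresh lands on N and the row beyond F, and N itself is touched only once per thousand cycles, never enough to trip its own counter, so V is never refreshed. Whether a bit actually flips depends on the physics the model leaves out; what the model shows is the blind spot in an adjacent-row-only mitigation.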

More Vulnerable Windows Servers

We talked about CVE-2021-31166 two weeks ago, a wormable flaw in Windows’ http.sys driver. [Jim DeVries] started wondering something as soon as he heard about the CVE. Was Windows Remote Management, running on port 5985, also vulnerable? Nobody seemed to know, so he took matters into his own hands, and confirmed that yes, WinRM is also vulnerable to this flaw. From what I can tell, this is installed and enabled by default on every modern Windows server.

And far from his optimistic assertion that surely no one would expose that to the Internet… It’s estimated that there are over 2 million IPs doing just that.

More Ransomware

On the ransomware front, there is an interesting story out of the Republic of Ireland. The health system there was hit by Conti ransomware, and the price for decryption was set at the equivalent of $20 million. It came as a surprise, then, when a decryptor was freely published. There seems to be an ongoing theme in ransomware, that the larger groups are trying to manage how much attention they draw. On the other hand, this ransomware attack includes a threat to release private information, and the Conti group is still trying to extort money to prevent it. It’s an odd situation, to be sure.

Inside Baseball for Security News

I found a series of stories and tweets rather interesting, starting with the May Android updates at the beginning of the month. [Liam Tung] at ZDNet does a good job laying out the basics. First, when Google announced the May Android updates, they pointed out four vulnerabilities as possibly being actively exploited. Dan Goodin over at Ars Technica took umbrage with the imprecise language, calling the announcement “vague to the point of being meaningless”.

Shane Huntley jumped into the fray on Twitter, and hinted at the backstory behind the vague warning. There are two possibilities that really make sense here. The first is that exploits have been found for sale somewhere, like a hacker forum. It’s not always obvious if an exploit has indeed been sold to someone using it. The other possibility given is that when Google was notified about the active exploit, there was a requirement that certain details not be shared publicly. So next time you see a big organization like Google hedge their language in an obvious and seemingly unhelpful way, it’s possible that there’s some interesting situation driving that language. Time will tell.

The Patch Gap

The term has been around since at least 2005, but it seems like we’re hearing more and more about patch gap problems. The exact definition varies, depending on who is using the term, and what product they are selling. A good working definition is the time between a vulnerability being public knowledge and an update being available to fix the vulnerability.

There are the more common reasons for patch gaps, like vulnerabilities getting dropped online without any coordinated disclosure. Another, more interesting cause is when an upstream problem gets fixed and publicly announced, and it takes time to get the fix pulled into downstream products. The example in question this week is Safari, and a fix in upstream WebKit. The bug is a type confusion in the new AudioWorklets feature, which provides an easy way to do audio processing in a background thread. When initializing a new worker thread, the programmer can use their own constructor to build the thread object. The function that kicks off execution doesn’t actually check that it’s been given a proper object type, and the object gets cast to the expected type anyway. Code then executes as if the object were correct, usually leading to a crash.

The bug was fixed upstream shortly after a Safari update was shipped. It’s thought that Apple ran with the understanding that this couldn’t be used for an actual RCE, and therefore hadn’t issued a security update to fix it. The problem there is that it is exploitable, and a PoC exploit has been available for a week. As is often the case, this vulnerability would need to be combined with at least one more exploit to overcome the security hardening and sandboxing built into modern browsers.

There’s one more quirk that makes this bug extra dangerous, though. On iOS devices, when you download a different browser, you’re essentially running Safari with a different skin pasted on top. As far as I know, there is no way to mitigate against this bug on an iOS device. Maybe be extra careful about what websites you visit for a few days, until this gets fixed.

Via Ars Technica

PSA: Amazon Sidewalk Rolls Out June 8th

Whether you own any Amazon surveillance devices or not, we know how much you value your privacy. So consider this your friendly reminder that Amazon Sidewalk is going live in a few weeks, on June 8th. A rather long list of devices has this setting enabled by default, so if you haven’t done so already, here’s how to turn it off.

Don’t know what we’re talking about? Our own Jenny List covered the topic quite concretely a few months back. The idea behind it seems innocent enough on the surface — extend notoriously spotty Wi-Fi connectivity to devices on the outer bounds of the router’s reach, using Bluetooth and LoRa to talk between devices and share bandwidth. Essentially, when Amazon flips the switch in a few weeks, their entire fleet of opt-in-by-default devices will assume a kind of Borg hive-mind in that they’ll be able to share connectivity.

A comprehensive list of Sidewalk devices includes: Ring Floodlight Cam (2019), Ring Spotlight Cam Wired (2019), Ring Spotlight Cam Mount (2019), Echo (3rd Gen), Echo (4th Gen), Echo Dot (3rd Gen), Echo Dot (4th Gen), Echo Dot (3rd Gen) for Kids, Echo Dot (4th Gen) for Kids, Echo Dot with Clock (3rd Gen), Echo Dot with Clock (4th Gen), Echo Plus (1st Gen), Echo Plus (2nd Gen), Echo Show (1st Gen), Echo Show (2nd Gen), Echo Show 5, Echo Show 8, Echo Show 10, Echo Spot, Echo Studio, Echo Input, Echo Flex. — Amazon Sidewalk FAQ

Now this isn’t a private mesh network in your castle, it’s every device in the kingdom. So don’t hesitate, don’t wait, or it will be too late. Grab all your Things and opt-out if you don’t want your doorbell cam or Alexa machine on the party line. If you have the Alexa app, you can allegedly opt out on all your devices at once.

Worried that Alexa is listening to you more often than she lets on? You’re probably right.

Telemetry Debate Rocks Audacity Community In Open Source Dustup

Starting an open source project is easy: write some code, pick a compatible license, and push it up to GitHub. Extra points awarded if you came up with a clever logo and remembered to actually document what the project is supposed to do. But maintaining a large open source project and keeping its community happy while continuing to evolve and stay on the cutting edge is another story entirely.

Just ask the maintainers of Audacity. The GPLv2 licensed multi-platform audio editor has been providing a powerful and easy to use set of tools for amateurs and professionals alike since 1999, and is used daily by…well, it’s hard to say. Millions, tens of millions? Nobody really knows how many people are using this particular tool and on what platforms, so it’s not hard to see why a pull request was recently proposed which would bake analytics into the software in an effort to start answering some of these core questions.

Now, the sort of folks who believe that software should be free as in speech tend to be a prickly bunch. They hold privacy in high regard, and any talk of monitoring their activity is always going to be met with strong resistance. Sure enough, the comments for this particular pull request went south quickly. The accusations started flying, and it didn’t take long before the F-word started getting bandied around: fork. If Audacity was going to start snooping on its users, they argued, then it was time to take the source and spin it off into a new project free of such monitoring.

The situation may sound dire, but truth be told, it’s a common enough occurrence in the world of free and open source software (FOSS) development. You’d be hard pressed to find any large FOSS project that hasn’t been threatened with a fork or two when a subset of its users didn’t like the direction they felt things were moving in, and arguably, that’s exactly how the system is supposed to work. Under normal circumstances, you could just chalk this one up to Raymond’s Bazaar at work.

But this time, things were a bit more complicated. Proposing such large and sweeping changes with no warning showed a troubling lack of transparency, and some of the decisions on how to implement this new telemetry system were downright concerning. Combined with the fact that the pull request was made just days after it was announced that Audacity was to be brought under new management, there was plenty of reason to sound the alarm.

Robotic Bartender Built With Industrial-Grade Hardware

Robotic bartenders are a popular project around these parts. If there’s one thing hackers love, after all, it’s automating tasks – as much for the challenge as for the actual time saved. This build from a group of [Teknic Servo] engineers is an impressive example of what can be done with some industrial-grade hardware.

The bartender is built as a demo project for the ClearCore controller, [Teknic’s] industrial-grade device capable of interfacing with a whole bunch of servomotors and sensors to get the job done. The controller is hooked up to a bunch of ClearPath servomotors that handle spinning the bottle carousel, muddling or stirring the beverage, or transporting the drinking glass through the machine. There are also several interlocks to avoid the patron coming into contact with the bartender’s moving parts while it’s working, and a standard bar-style mixer dispenser actuated with solenoids to keep things simple. Drink selection and control is via a touch screen, with sliders for selecting preferences such as alcohol content and sweetness.

The bartender is certainly capable of producing a neat drink (pun intended), and serves as a great example of how easily a project can be put together with industrial-grade hardware. If you’ve got the budget, you might find using industrial plug-and-play components quicker than assembling development boards, motor controller shields and other accessories on breakout boards. There’s always more than one way to get the job done, after all.

We’ve seen some great barbots over the years, from builds relying on robotic arms to those focused on ultimate speed. Video after the break.

Pool Temperature Monitor Mollifies Fortunate But Frustrated Children

Who needs the city pool when you can party in the private pool over at Grandma and Grandpa’s house? No need to wait until Memorial Day weekend when it hits 90° F in the first week of May. But how can you placate grandchildren who want to know each and every day if it’s finally time to go swimming, when the pool itself is miles away? Although grandparents probably love to hear from you more often, there’s no need to bother them with hourly phone calls. You just have to build a floating, remote pool temperature monitor which broadcasts every 30 minutes to an Adafruit MagTag sitting at kids’ eye level on the refrigerator.

Between the cost of commercial pool temperature monitors and all the reviews that mention iffy Wi-Fi connections, it sounds like [Blake] is better off rolling his own solution. Inside the floating part is an ESP32, a DS18B temperature sensor, and an 18650 cell. Most of the body is PVC, except for the 3D-printed torus that holds some foam for buoyancy. A handful of BBs in the bottom keep the thing pointed upright. For now, it shows the water temperature, but [Blake]’s ultimate goal is to show the air temperature as well.

Maybe it’s still too cold to swim, but the sun shines brightly most days. Why not harness its energy to heat up the water?

Clever Gas Mixer Gets Just The Right Blend For Homebrew Laser Tubes

[Lucas] over at Cranktown City on YouTube has been very busy lately, but despite current appearances, his latest project is not a welder. Rather, he built a very clever gas mixer for filling his homemade CO2 laser tubes, which only looks like a welding machine. (Video, embedded below.)

We’ve been following [Lucas] on his journey to build a laser cutter from scratch — really from scratch, as he built his own laser tube rather than rely on something off-the-shelf. Getting the right mix of gas to fill the tube has been a bit of a pain, though, since he was using a party balloon to collect carbon dioxide, helium, and nitrogen, and measuring the diameter of the balloon after each addition to determine the volumetric ratio of each. His attempt at automating the process centers around a so-called AirShim, which is basically a flat inflatable bag made of sturdy material that’s used by contractors to pry, wedge, lift, and shim using air pressure.

[Lucas]’ first idea was to measure the volume of gas in the bag using displacement of water and some photosensors, but that proved both impractical and unnecessary. It turned out to be far easier to sense when the bag is filled with a simple microswitch; each filling yields a fixed volume of gas, making it easy to figure out how much of each gas has been dispensed. An Arduino controls the pump, which is a reclaimed fridge compressor, monitors the limit switch and controls the solenoid valves, and calculates the volume of gas dispensed.

Judging by the video below, the mixer works pretty well, and we’re impressed by its simplicity. We’d never seriously thought about building our own laser tube before, but seeing [Lucas] have at it makes it seem quite approachable. We’re looking forward to watching his laser project come together.

Exploring The World Of Nintendo 3DS Homebrew

When Nintendo officially ended production of the 3DS in September 2020, it wasn’t exactly a surprise. For one thing, some variation of the handheld system had been on the market since 2011. Which is not to say the product line had become stagnant: the system received a considerable mid-generation refresh, and there was even a more affordable variant introduced that dropped the eponymous stereoscopic 3D effect, but nearly a decade is still a fairly long life in the gaming industry. Of course Nintendo’s focus on the Switch, a hybrid device that blurs the line between console and handheld games, undoubtedly played a part in the decision to retire what could effectively be seen as a competing product.

While putting the 3DS out to pasture might have been the logical business move, a quick check on eBay seems to tell a different story. Whether it’s COVID keeping people indoors and increasing the demand for at-home entertainment, or the incredible library of classic and modern games the system has access to, the fact is that a used 3DS in good condition is worth more today than it was when it was brand new on the shelf this time last year.

I’ve certainly made more expensive mistakes.

In short, this was the worst possible time for me to decide that I finally wanted to buy a 3DS. Then one day I noticed the average price for a Japanese model was far lower than that of its American counterpart. I knew the hardware was identical, but could the firmware be changed?

An evening’s worth of research told me the swap was indeed possible, but inadvisable due to the difficulty and potential for unexpected behavior. Of course, that’s never stopped me before.

So after waiting the better part of a month for my mint condition 3DS to arrive from the land of the rising sun, I set out to explore the wide and wonderful world of Nintendo 3DS hacking.
