This Week In Security: GitHub Actions, SHA-1 Retirement, And A Self-Worming Vulnerability

It should be no surprise that running untrusted code in a GitHub Actions workflow can have unintended consequences. It’s a killer feature, to automatically run through a code test suite whenever a pull request is opened. But that pull request’s code runs inside some part of the target’s own CI environment, and there have been a few clever attacks found over the years that take advantage of that. There’s now another one, what Legit Security calls GitHub Environment Injection, and some big-name organizations were vulnerable to it.

The crux of the issue is the $GITHUB_ENV file, which contains environment variables to be set for the remaining steps of the job. Individual variables get added to this file as part of the automated action, one NAME=value pair per line, and that process needs to include some sanitization of the data. Otherwise, an attacker can supply a value that contains a newline followed by a second, completely unintended environment variable, and the runner will set both. An unintended, arbitrary environment variable is game over for the security of the workflow. The example uses the NODE_OPTIONS variable to dump the entire environment to an accessible output, revealing any API keys or other secrets.

This particular attack was reported to GitHub, but there isn’t a practical way to fix it architecturally. So it’s up to individual projects to be very careful about writing untrusted data into the $GITHUB_ENV file. Anything that arrives with a pull request, such as its title, branch name, or commit messages, has to be treated as hostile, and if it must go into $GITHUB_ENV at all, it belongs in GitHub’s multi-line delimiter syntax with a delimiter an attacker cannot predict, rather than on a bare NAME=value line.
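To make the failure mode concrete, here is an added example (not code from the Legit Security writeup, from GitHub, or from any affected project) that models how the runner reads $GITHUB_ENV and contrasts the vulnerable `echo "PR_TITLE=${{ github.event.pull_request.title }}" >> "$GITHUB_ENV"` pattern with the delimiter form. The parser is a simplified approximation of the runner’s behaviour written for this example, the attacker title is constructed, and the `NODE_OPTIONS` value is a placeholder rather than the payload from the writeup.

```python
import secrets

# Constructed attacker-controlled input, standing in for a pull request title.
# The second line is a placeholder, not the NODE_OPTIONS payload from the writeup.
ATTACKER_TITLE = "Fix typo\nNODE_OPTIONS=--attacker-controlled"


def write_env_unsafe(env_lines, name, value):
    """Vulnerable pattern: the shell equivalent of
       echo "PR_TITLE=${{ github.event.pull_request.title }}" >> "$GITHUB_ENV"
    Any newline inside value starts a fresh NAME=value line the runner will honour."""
    env_lines.append(f"{name}={value}")


def write_env_safe(env_lines, name, value):
    """Writes value using GitHub's documented multi-line syntax
       NAME<<DELIM / one or more value lines / DELIM
    with a random delimiter so attacker text cannot close the block early."""
    if not name or any(c in name for c in "=<\n"):
        raise ValueError(f"refusing to write invalid variable name {name!r}")
    delim = "ghadelim_" + secrets.token_hex(16)
    # A fresh 128-bit delimiter cannot realistically appear in the value,
    # but fail closed rather than assume.
    if delim in value:
        raise ValueError("delimiter collision")
    env_lines.append(f"{name}<<{delim}")
    env_lines.extend(value.split("\n"))
    env_lines.append(delim)


def parse_github_env(text):
    """Simplified model of how the Actions runner reads $GITHUB_ENV (an
    approximation written for this example, not the runner's own code):
    a line whose first '=' comes before any '<<' is NAME=value; otherwise
    NAME<<DELIM opens a block that runs until a line equal to DELIM."""
    env = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        eq, heredoc = line.find("="), line.find("<<")
        if eq >= 0 and (heredoc < 0 or eq < heredoc):
            name, value = line.split("=", 1)
            env[name.strip()] = value
        elif heredoc >= 0:
            name, delim = line[:heredoc], line[heredoc + 2:]
            body = []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated block for {name!r}")
            i += 1  # consume the closing delimiter
            env[name.strip()] = "\n".join(body)
        else:
            raise ValueError(f"malformed line: {line!r}")
    return env


def demo_injection():
    """Variables the runner would set after the vulnerable write."""
    env_lines = []
    write_env_unsafe(env_lines, "PR_TITLE", ATTACKER_TITLE)
    return parse_github_env("\n".join(env_lines))


def demo_safe():
    """Variables the runner would set after the delimiter-based write."""
    env_lines = []
    write_env_safe(env_lines, "PR_TITLE", ATTACKER_TITLE)
    return parse_github_env("\n".join(env_lines))


if __name__ == "__main__":
    print("unsafe:", demo_injection())  # NODE_OPTIONS appears as its own variable
    print("safe:  ", demo_safe())       # the newline stays inside PR_TITLE
```

Running the unsafe path yields two variables, `PR_TITLE` and the attacker’s `NODE_OPTIONS`; the delimiter path keeps the whole title, newline included, inside `PR_TITLE`. In a real workflow the same idea is three `echo` lines with a delimiter generated by something like `openssl rand -hex 16`, and the stronger option is to not interpolate `${{ github.event.* }}` values into a `run:` script at all, but to pass them through the step’s `env:` mapping and read them as ordinary shell variables.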

Continue reading “This Week In Security: GitHub Actions, SHA-1 Retirement, And A Self-Worming Vulnerability”

Arduboy Mini Is A Fresh Take On An 8-bit Favorite

We’ve always been big fans of the Arduboy here at Hackaday. When creator Kevin Bates showed us the original prototype back in 2014, the idea was to use his unique method of mounting components inside routed holes in the PCB to produce an electronic business card that was just 1.6 mm thick. But the Internet quickly took notice of the demos he posted online, and what started as a one-off project led to a wildly successful Kickstarter for a sleek handheld gaming system that used modern components and manufacturing techniques to pay homage to the 8-bit retro systems that came before it.

The original Arduboy prototype in 2014

It’s the sort of hacker success story that we live for around here, but it didn’t end there. After the Kickstarter, the Arduboy community continued to grow, thanks in no small part to Kevin never forgetting the open source principles the product was built on.

He took an active role in the growing community, and when some Arduboy owners started tinkering with adding external storage to their systems so they could hold hundreds of games at a time, he didn’t chastise them for exploring. Instead, he collaborated with them to produce not only a fantastic add-on modification for the original Arduboy, but a new version of the Arduboy that had the community-inspired modifications built in.

Now Kevin is back with the Arduboy Mini, which not only retains everything that made the original a success, but offers some exciting new possibilities. There’s little doubt that he’s got another success on his hands as well as the community’s backing — at the time of this writing, the Kickstarter campaign for the $29 USD Mini has nearly quadrupled its funding goal.

But even still, Kevin offered us a chance to go hands-on with a prototype of the Arduboy Mini so that anyone on the fence can get a third party’s view on the new system. So without further ado, let’s take a look at how this micro machine stacks up to its full-sized counterparts.

Continue reading “Arduboy Mini Is A Fresh Take On An 8-bit Favorite”

The Story Behind The TVGuardian Curse Catcher

The recent flurry of videos and posts about the TVGuardian foul language filter brought back some fond memories. I was the chief engineer on this project for most of its lifespan. You’ve watched the teardowns, you’ve seen the reverse engineering, now here’s the inside scoop.

Gumby is Born

TVG Model 101 Gumby (Technology Connections)

Back in 1999, my company took on a redesign project for the TVG product, a box that replaced curse words in closed-captioning with sanitized equivalents. Our first task was to take an existing design that had been produced in limited volumes and improve it to be more easily manufactured.

The original PCB used all thru-hole components and didn’t scale well to large quantity production. Replacing the parts with their surface mount equivalents resulted in Model 101, internally named Gumby for reasons long lost. If you have a sharp eye, you will have noticed something odd about two parts on the board as shown in [Ben Eater]’s video. The Microchip PIC and the Zilog OSD chip had two overlapping footprints, one for thru-hole and one for SMD. Even though we preferred SMD parts, sometimes there were supply issues. This was a technique we used on several designs in our company to hedge our bets. It also allowed us to use socketed ICs for testing and development.

Continue reading “The Story Behind The TVGuardian Curse Catcher”

Singapore Branches Out Into Internet Of Trees

Five years ago, a 38-year-old woman was enjoying an outdoor concert with her family with one of her twin infants in her arms. In the week prior, it had been windy and rainy, but today, the weather was nice, and the concert was crowded. Without warning, a 270-year-old tembusu tree fell on the woman, pinning and ultimately killing her after the other concertgoers couldn’t remove it in time. This tragedy happened in spite of twice-yearly inspections where the tree showed no visual signs of trouble.

It’s exactly this type of incident that Singaporean officials hope to avoid by building an Internet of Trees. The equatorial island nation is home to roughly 5.5 million people, and around 7 million trees — about 6 million of which are tracked by Singapore’s National Parks Board, so that they can be managed remotely with an app. (The Board only tracks trees once they’ve reached a certain size, so we’ll assume that the other million are too young to join the fun just yet.)

While tree-triggered deaths are fairly few and far between, there are plenty of other ‘tree incidents’ that can occur, such as a branch falling, or a tree trunk snapping or uprooting. Depending on the size of the branch, this can be a dangerous nuisance as it could block roads, obscure signage, or destroy property. Thanks to the efforts of the National Parks Board, these incidents have dropped from around 3,000 per year at the turn of the millennium to under 500 per year today.

Continue reading “Singapore Branches Out Into Internet Of Trees”

EV Chargers Could Be A Serious Target For Hackers

Computers! They’re in everything these days. Everything from thermostats to fridges and even window blinds are now on the Internet, and that makes them all ripe for hacking.

Electric vehicle chargers are becoming a part of regular life. They too are connected devices, and thus pose a security risk if not designed and maintained properly. As with so many other devices on the Internet of Things, the reality is often far from that.

Continue reading “EV Chargers Could Be A Serious Target For Hackers”

Hackaday Podcast 193: Found Computers, Internet Over WhatsApp, Two-Factor C64, Shifting Cars, And Self-Shooting Fighter Planes

This week, Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney review the literature on a hack-packed week of action. We’ll find a Linux machine inside just about anything, including curb-side TVs and surprisingly secure EV chargers. No Internet? No problem — just tunnel IP through WhatsApp! We’ll see that 3D printers can be repurposed for lab automation on the cheap, build the worst — but coolest — 2FA dongle of all time, and see how a teetering tower of cards can make your old motherboard think any ISA card is plugged into it. Worried that driving an EV is going to be a boring experience? Don’t be — maybe you’ll still get to jam through the gears. But if you do, rest assured there’ll be plenty of careful engineering done to see if it’s safe. Err, at least we hope so…

Download the podcast for safe keeping.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Continue reading “Hackaday Podcast 193: Found Computers, Internet Over WhatsApp, Two-Factor C64, Shifting Cars, And Self-Shooting Fighter Planes”

A Raspberry Pi 3 with a black Raspberry Pi Camera PCB on top of it, looking at the camera taking this picture. There's a Jolly Wrencher in the background.

Make Your Pi Moonlight As A Security Camera

A decade ago, I was learning Linux through building projects for my own needs. One of the projects was a DIY CCTV system based on a Linux box – specifically, a user-friendly all-in-one package for someone willing to pay for it. I stumbled upon Zoneminder, and those in the know can already tell what happened – I’ll put it this way, I spent days trying to make it work, and my Linux skills at the time were not nearly enough. Cool software like Motion was available back then, but I wasn’t up to the task of rolling an entire system around it. That said, it wouldn’t be impossible, now, would it?

Five years later, I joined a hackerspace, and eventually found out that its CCTV cameras, while being quite visually prominent, stopped functioning a long time ago. At that point, I was in a position to do something about it, and I built an entire CCTV network around a software package called MotionEye. There’s a lot of value in having working CCTV cameras at a hackerspace – not only does a functioning system solve the “who made the mess that nobody admits to” problem, over the years it also helped us with things like locating safety interlock keys to a lasercutter that were removed during a reorganization, with their temporary location promptly forgotten.

Being able to use MotionEye to quickly create security cameras became quite handy very soon – when I needed it, I could make a simple camera to monitor my bicycle, verify that my neighbours didn’t forget to feed my pets as promised while I was away, and in a certain situation, I could even ensure my own and others’ physical safety with its help. How do you build a useful always-recording camera network in your house, hackerspace or other property? Here’s a simple and powerful software package I’d like to show you today, and it’s called MotionEye.

Continue reading “Make Your Pi Moonlight As A Security Camera”