This Week In Security: Blame The Feds, Emergency Patches, And The DMA

March 8, 2024 by Jonathan Bennett No comments

The temptation to “take the money and run” was apparently too much for the leadership of the AlphV ransomware crime ring. You may have heard of this group as being behind the breach of Change Healthcare, and causing payment problems for nearly the entire US Healthcare system. And that hack seems to be key to what’s happened this week.

It’s known that a $22 million payment made it through the bitcoin maze to the AlphV wallet on the 1st. It’s believed that this is a payment from Change Healthcare to recover ransomed files. An important detail here is that AlphV is a ransomware-as-a-service provider, and the actual hacking is done by “affiliates”, who use that service, and AlphV handles the infrastructure, maintaining the actual malware, and serving as a payment processor. That last one is key here.

A couple days after that big payment landed in the AlphV account, a seizure notice went up on the AlphV TOR site, claiming that it had been taken down by the FBI and associated agencies. There was something a bit odd about it, though. See, the FBI did seize the AlphV Tor site back in December. The seizure notice this time was an exact copy, as if someone had just done a “save page as”, and posted the copy.

There is precedent for a ransomware group to close up shop and disappear after hitting a big score. The disruption AlphV enabled in the US health care system painted a big target on them, and it didn’t take a tactical genius to realize it might be good to lay low for a while. Pocketing the entire $22 million ransom probably didn’t hurt either. The particularly nasty part is that the affiliate that actually pulled off the attack still claims to have four terabytes of sensitive data, and no incentive to not release it online. It’s not even entirely clear that Change Healthcare actually received a decryption key for their data. You do not want to deal with these people.

Continue reading “This Week In Security: Blame The Feds, Emergency Patches, And The DMA” →

Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

March 8, 2024 by Maya Posch 7 Comments

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern day cars more secure. This standard adds a MAC (message authentication code) to the CAN messages, which can be used to validate that these messages come from a genuine part of the car, and not from a car thief or some third-party peripheral.

To check that it isn’t possible to circumvent SecOC, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, as one of the first cars to implement this new security standard.

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS Renesas RH850/P1M-E MCU via a voltage fault injection, the AES-based encryption routines were identified, but no easy exploits found in the main application. This left the bootloader as the next target.

Ultimately they managed to reverse-engineer the bootloader to determine how the update procedure works, which enabled them to upload shellcode. This script then enabled them to extract the SecOC keys from RAM and send these over the CAN bus. With these keys the path is thus opened to allow any device to generate CAN messages with valid SecOC MACs, effectively breaking encryption. Naturally, there are many caveats with this discovery.

Continue reading “Extracting SecOC Keys From A 2021 Toyota RAV4 Prime” →

Beverage Coaster Indicates Ideal Drinking Temperature

March 8, 2024 by Kristina Panos 9 Comments

When temperatures plummet, there’s nothing like a hot beverage to keep you warmed up inside. [Palingenesis] aka [Tim] sure does fancy a nice cuppa, but only within a certain temperature range is it ideal to drink. In an attempt to signal when the time is just right, he created various iterations of a hot beverage coaster.

To be clear, this is a plywood sandwich that does not keep the beverage warm, though that would be an interesting addition to the project. Rather, it indicates when the beverage’s temperature is just right using LEDs. When it’s too hot, the red LEDs are lit. The green LEDs flash while it’s just right, and once [Tim]’s tea has gone cold, the blue LEDs take center stage.

The brains of the operation is an STM8S103F module, aka the Blue Pill, which is paired with a DS18B20 temperature sensor. [Tim]’s original coaster has one in a TO-92 package embedded in the top layer, but ultimately he went with the probe version as it reads a truer temperature by virtue of being directly in the liquid. Be sure to check out the video after the break which covers planning the original version.

If you do want to keep you drink warm, here’s an ESP8266-based solution. If you’re more into looks, check out this blinkencoaster.

Continue reading “Beverage Coaster Indicates Ideal Drinking Temperature” →

A graph from the article, showing dead zones and error bars for the ESP32 ADC

RP2040, ESP32, And An Atmega Have An ADC-Off

March 7, 2024 by Arya Voronova 31 Comments

[Simon Monk] got frustrated with bad ADC performance when tinkering with an ESP32 board, and decided to put three of the nowadays-iconic boards to the test – a classic ESP32 devboard, a Pi Pico with an RP2040, and an Arduino Uno R3 with an ATmega328P. To do that, he took a bench PSU, added a filter circuit to it, went through the entire ADC range for each board, took a large number of samples at different points and plotted the results. The plots show us both linearity and precision, as well as ADC dead zones, and the results are quite surprising.

The ESP32 doesn’t only have the most limited ADC with maximum 1V input, it also produces the worst results out of all three, with large error bars and sizeable dead zones at both ends. The Pi Pico, despite being colloquially known for its subpar ADC, produces better results than the ESP32. However, both of them are dwarfed by the ATMega328P’s performance. If you need a dedicated ADC, it might just be a good idea to put an ATMega328P on your board.

The example code is provided, and we are wondering whether there are methodology errors. For instance, the ATMega328P code is written in Arduino-supplied C++, but ESP32 and RP2040 in particular used MicroPython, which does more than just running the code, and MicroPython for ESP32 in particular creates a WiFi access point – something known to induce noise into ADC readings. Nevertheless, this is a fun comparison, and we like when hackers do microcontroller standoffs like that – for instance, check out this review from 2017 which pits a dozen microcontrollers of the time against each other!

Raspinamp: It Really Replicates Questionable Activities Involving Llamas

March 7, 2024 by Bryan Cockfield 23 Comments

In the late 90s as MP3s and various file sharing platforms became more common, most of us were looking for better players than the default media players that came with our operating systems, if they were included at all. To avoid tragedies like Windows Media Center, plenty of us switched to Winamp instead, a much more customizable piece of software that helped pave the way for the digital music revolution of that era. Although there are new, official versions of Winamp currently available, nothing really tops the nostalgia of the original few releases of the software which this project faithfully replicates in handheld form.

The handheld music player uses a standard Raspberry Pi (in this case, a 3B) and a 3.5″ TFT touchscreen display, all enclosed in a clear plastic case. With all of the Pi configuration out of the way, including getting the touchscreen working properly, the software can be set up. It uses QMMP as a media player with a Winamp skin since QMMP works well on Linux systems with limited resources. After getting it installed there’s still some configuration to do to get the Pi to start it at boot and also to fit the player perfectly into the confines of the screen without any of the desktop showing around the edges.

Although it doesn’t use the original Winamp software directly, as that would involve a number of compatibility layers and/or legacy hardware at this point, we still think it’s a faithful recreation of how the original looked and felt on our Windows 98 machines. With a battery and a sizable SD card, this could have been the portable MP3 player many of us never knew we wanted until the iPod came out in the early 00s, and would certainly still work today for those of us not chained to a streaming service. A Raspberry Pi is not the only platform that can replicate the Winamp experience, though. This player does a similar job with the PyPortal instead.

Continue reading “Raspinamp: It Really Replicates Questionable Activities Involving Llamas” →

Probes connected from a Pi Pico board to the SPI flash chip, with other end of the probes connected tot the level shifter circuit resistors

Motherboard Revived With Simplest 1.8V SPI Shifter Ever

March 7, 2024 by Arya Voronova 15 Comments

If you have ever had to fix a modern desktop motherboard, you might have noticed that the BIOS (UEFI) SPI flash is 1.8V – which means you can no longer use a Raspberry Pi or a CH341 adapter directly, and you’d need to use a 1.8V level shifter of some sort. Now, some of us can wait for a 1.8V level shifter adapter from an online store of your choosing, but [treble] got a “BIOS flash failed” motherboard from Facebook Marketplace, and decided to make it work immediately.

She tells us a story about reviving the motherboard, and there’s one thing she shows that is interesting in particular – a very simple way to level shift 3.3V signals from a serprog-flashed Pi Pico down to the 1.8V that the flash chip required, something you are guaranteed to be able to build out of the parts in your parts bin, only requiring nine resistors and an NPN transistor. If you ever need to reflash BIOS on a modern motherboard, take note. As for 1.8V rail, she ended up tapping the 1.8V power pin of the SPI chip the motherboard itself to power the chip while programming it.

In the end, after swapping the two BIOS chips places and fixing a broken trace mishap, the motherboard booted, and works wonderfully to this day, a much-needed upgrade to [treble]’s toolkit that allows her to do RISC-V cross-compiling with ease nowadays. This is not the first time we see people reflash modern boards with 1.8V chips – if you want to learn more, check out this incredibly detailed writeup! Need to do some further debugging? Use your Pico as a POST card!

A multifactor authentication device showing TOTP codes

An ESP32 MultiFactor TOTP Generator

March 7, 2024 by Dave Rowntree 22 Comments

MFA, or multifactor authentication, is a standard security feature these days. However, it can be a drag to constantly reach into one’s pocket, scroll to Google Authenticator (other MFA applications are available!), and find the correct TOTP code to log in to a site for a short while. [Allan Oricil] felt this pain point, so they took the problem by the horns and created a desktop MFA TOTP generator to make life just that little bit easier.

TOTP, which stands for Time-based One-Time Password, is a security measure that uses a device or application to provide unique codes that expire after a short time. Two-factor authentication requires a physical item (something you have), such as a key or swipe card, and knowledge of a fact (something you know), like a password, rather than relying on a single factor. This approach ensures a higher level of security. [Allan]’s project is a physical thing one would use with a password or key file.

Continue reading “An ESP32 MultiFactor TOTP Generator” →