Hackaday Columns

4428 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

This Week In Security: IOCONTROL, (Location) Leaking Cars, And Passkeys

January 3, 2025 by 11 Comments

Claroty’s TEAM82 has a report on a new malware strain, what they’re calling IOCONTROL. It’s a Linux malware strain aimed squarely at embedded devices. One of the first targets of this malware, surprisingly, is the Iraeli made Orpak gas station pumps. There’s a bit of history here, as IOCONTROL is believed to be used by CyberAv3ngers, a threat actor aligned with Iran. In 2023 a group aligned with Israel claimed to have compromised the majority of the gas stations in Iran. IOCONTROL seems to have been deployed as retribution.

There are a few particularly interesting aspects of this malware, and how TEAM82 went about analyzing it. The first is that they used unicorn to emulate the obscure ARM platform in question. This was quite an adventure, as they were running the malicious binary without the normal Linux OS under it, and had to re-implement system calls to make execution work. The actual configuration data was encrypted as the data section of the executable, presumably to avoid simple string matching detection and analysis.

Then to communicate with the upstream command and control infrastructure, the binary first used DNS-Over-HTTPS to resolve DNS addresses, and then used the MQTT message protocol for actual communications. Once in place, it has the normal suite of capabilities, like code execution, cleanup, lateral scanning, etc. An interesting speculation is that the level of control this malware had over these gas pumps, it was in a position to steal credit card information. This malware family isn’t limited to gas pumps, either, as it’s been spotted in IoT and SCADA devices from a whole host of vendors. Continue reading “This Week In Security: IOCONTROL, (Location) Leaking Cars, And Passkeys”

Programming Ada: Atomics And Other Low-Level Details

January 2, 2025 by 6 Comments

Especially within the world of multi-threaded programming does atomic access become a crucial topic, as multiple execution contexts may seek to access the same memory locations at the same time. Yet the exact meaning of the word ‘atomic’ is also essential here, as there is in fact not just a single meaning of the word within the world of computer science. One type of atomic access refers merely to whether a single value can be written or read atomically (e.g. reading or writing a 32-bit integer on a 32-bit system versus a 16-bit system), whereas atomic operations are a whole other kettle of atomic fish.

Until quite recently very few programming languages offered direct support for the latter, whereas the former has been generally something that either Just Worked™ if you know the platform you are on, or could often be checked fairly trivially using the programming language’s platform support headers. For C and C++ atomic operations didn’t become supported by the language itself until C11 and C++11 respectively, previously requiring built-in functions provided by the toolchain (e.g. GCC intrinsics).

In the case of Ada there has been a reluctance among the language designers to add support for atomic operations to the language, with the (GNU) toolchain offering the same intrinsics as a fallback. With the Ada 2022 standard there is now direct support in the System.Atomic_Operations library, however.

Continue reading “Programming Ada: Atomics And Other Low-Level Details”

Sony Vaio Revived: Power, The Second 80%

December 31, 2024 by 3 Comments

A bit ago, I’ve told you about how the Sony Vaio motherboard replacement started, and all the tricks I used to make it succeed on the first try. How do you plan out the board, what are good things to keep in mind while you’re sourcing parts, and how do you ensure you finish the design? This time, I want to tell you my insights about what it takes for your new board revision to stay on your desk until completion, whether it’s helping it not burn up, or making sure the bringup process is doable.

Uninterrupted, Granular Power

Power was generally comfortable to design, but I did have to keep some power budgets in mind. A good exercise for safeguarding your regulators is keeping a .txt file where you log consumers and their expected current consumption on each board power rail, making sure all of your power regulators, connectors, and tracks, can handle quite a bit more than that current. Guideline: increase current by 20%-50% when figuring out the specs for switching regulators and inductors, and, multiply by 10-20% when figuring out conversion losses going between downstream and upstream rails.

I did have a blunder in this department – not accounting for track current early on enough. I laid out the board using 0.5mm wide tracks for power – it looked spacious enough. Then, I put “0.5mm” into a track current calculator and saw a harrowing temperature increase for the currents I was expecting. At that point in routing, it took some time to shift tracks around to accomodate the trace width I actually needed, which is to say, I should’ve calculated it all way way earlier. Thankfully, things went well in the end.

Continue reading “Sony Vaio Revived: Power, The Second 80%”

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The Copycat Keyboard

December 30, 2024 by 1 Comment

This is Crater75, an almost completely from-scratch row-staggered wireless split board that [United_Parfait_6383] has been working on for a few months. Everything but the keycaps and switches is DIY.

The Crater75 split keyboard, which features OLEDs on the Function row.
Image by [United_Parfait_6383] via reddit
As cool as a keyboard full of screens might seem, can you imagine what it would be like to type at speed on a sea of slick surfaces? Not very nice, I’m thinking. But having them solely on the Function row seems like the perfect compromise. Here, the Function row keys interact with foreground applications, and change with whatever has focus. For the curious, those are 0.42″ OLEDs from Ali with a resolution of 72×40.

I’m not sure what’s going on internally, but the two sides connect with magnets, and either side’s USB-C can be used to charge the board. Both sides have a 2100 mAh Li-Po battery, and the average current of the OLED displays is low enough that the board can run for months on a single charge.

The switches are Gateron low-profiles and are wearing keycaps recycled from a Keychron, which add to the professional finish. Speaking of, the enclosures were manufactured by JLC3DP using the Nylon Multi-Jet Fusion process, but [United_Parfait_6383] says the left side feels too light, so the next revision will likely be CNC’d aluminium. Be sure to check out this short video of Crater75 in action.

Continue reading “Keebin’ With Kristina: The One With The Copycat Keyboard”

This Week In Security: License Plates, TP-Link, And Attacking Devs

December 27, 2024 by 22 Comments

We’re covering two weeks of news today, which is handy, because the week between Christmas and New Years is always a bit slow.

And up first is the inevitable problem with digital license plates. Unless very carefully designed to be bulletproof, they can be jailbroken, and the displayed number can be changed. And the Reviver plates were definitely not bulletproof, exposing a physical programming port on the back of the plate. While it’s not explicitly stated, we’re guessing that’s a JTAG port, given that the issue is considered unpatchable, and the port allows overwriting the firmware. That sort of attack can be hardened against with signed firmware, and using an MCU that enforces it.

This does invite comparisons to the James Bond revolving license plate — and that comparison does put the issue into context. It’s always been possible to swap license plates. If someone really wants to cause mischief, traditional plates can be stolen, or even faked. What a digital plate adds to the equation is the ability to switch plate numbers on the fly, without stopping or turning a screwdriver. Regardless, this seems like it will be an ongoing problem, as so many manufacturers struggle to create secure hardware.

Malicious RDP

There’s a clever attack, that uses Microsoft’s Remote Desktop Protocol (RDP), to give away way too much control over a desktop. That’s accomplished by sending the target a .rdp file that shares local resources like the clipboard, filesystem, and more. What’s new is that it seems this theoretical attack has now shown up in the wild.

The attack campaign has been attributed to APT29, CozyBear, a threat actor believed to be associated with Russia’s Foreign Intelligence Service. This attribution tracks with the victims of choice, like government, research, and Ukrainian targets in particular. To escape detection, the malicious RDP endpoints are set up behind RDP proxies, running on services like AWS. The proxies and endpoints are accessed through TOR and other anonymous proxies. The .rdp files were spread via spear-phishing emails sent through compromised mail servers. The big push, with about 200 targets, was triggered on October 22nd. Researchers at TrendMicro believe this was the end of a targeted campaign. The idea being that at the end of the campaign, it no longer matters if the infrastructure and methods get discovered, so aim for maximum impact.

Free* Mcdonalds?

Here we learn that while McDonald’s USA dosn’t have a bug bounty program, McDonald’s India does — and that’s why researcher [Eaton Zveare] looked there. And found a series of Broken Object Level Authorization (BOLA) bugs. That’s a new term to this column, but a concept we’ve talked about before. BOLA vulnerabilities happen when a service validates a user’s authentication token, but doesn’t properly check that the user is authorized to access the specific resources requested.

In the McDonald’s case, any user of the web app is issued a guest JWT token, and that token is then valid to access any Order ID in the system. That allows some interesting fun, like leaving reviews on other users’ orders, accessing delivery maps, and getting copies of receipts. But things got really interesting when creating an account, and then ordering food. A hidden, incomplete password login page allowed breaking the normal user verification flow, and creating an account. Then after food is added to the cart, the cart can be updated to have a total price of a single rupee, about the value of a penny.

This research earned [Eaton] a $240 Amazon gift card, which seems a little stingy, but the intent behind the gesture is appreciated. The fixes landed just over 2 months after reported, and while [Eaton] notes that this is slower than some companies, it’s significantly faster than some of the less responsive vendors that we’ve seen.

Banning TP-Link

The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States. The reported reason is that TP-Link devices have shipped with security problems. One notable example is a botnet that Microsoft has been tracking, that primarily consists of TP-Link devices.

This explanation rings rather hollow, particularly given the consistent security failings from multiple vendors that we’ve covered on this very column over the years. Where it begins to make more sense is when considered in light of the Chinese policy that all new vulnerabilities must first be reported to the Chinese government, and only then can fixes be rolled out. It suggests that the US Commerce Department suspects that TP-Link is still following this policy, even though it’s technically now a US company.

I’m no stranger to hacking TP-Link devices. Many years ago I wrote a simple attack to put the HTTPD daemon on TP-Link routers into debug mode, by setting the wifi network name. Because the name was used to build a command run with bash, it was possible to do command injection, build a script in the device’s /tmp space, and then execute that script. Getting to debug mode allowed upgrading to OpenWRT on the device. And that just happens to be my advice for anyone still using TP-Link hardware: install OpenWRT on it.

Developers Beware

We have two separate instances of malware campaigns directly targeting developers. The first is malicious VSCode extensions being uploaded to the marketplace. These fakes are really compelling, too, with lots of installs, reviews, and links back to the real pages. These packages seem to be droppers for malware payloads, and seem to be targeting cryptocurrency users.

If malware in your VSCode extensions isn’t bad enough, OtterCookie is a campaign believed to come from North Korea, spreading via fake job interviews. The interview asks a candidate to run a Node.js project, or install an npm package as part of prep. Those are malicious packages, and data stealers are deployed upon launch. Stay frosty, even on the job hunt.

Bits and Bytes

PHP has evolved over the years, but there are still a few quirks that might trip you up. One of the dangerous ones is tied up in $_SERVER['argv'], a quick way to test if PHP is being run from the command line, or on a server. Except, that relies on register_argc_argv set to off, otherwise query strings are enough to fool a naive application into thinking it’s running on the command line. And that’s exactly the footgun that caught Craft CMS with CVE-2024-56145.

Australia may know something we don’t, setting 2030 as the target for retiring cryptography primitives that aren’t quantum resistant. That’s RSA, Elliptic-curve, and even SHA-256. It’s a bit impractical to think that those algorithms will be completely phased out by then, but it’s an interesting development to watch.

Fuzzing is a deep subject, and the discovery of 29 new vulnerabilities found in GStreamer is evidence that there’s still plenty to discover. This wasn’t coverage-guided fuzzing, where the fuzzer mutates the fuzzing input to maximize. Instead, this work uses a custom corpus generator, where the generator is aware of how valid MP4 files are structured.

Battery-Electric Ships: Coming Soon To A Harbor Near You?

December 26, 2024 by 77 Comments

When ships moved from muscle- and wind power to burning coal and other fossil fuels for their propulsion, they also became significantly faster and larger. Today’s cargo ships and ferries have become the backbone of modern civilization, along with a range of boat types. Even though tugs and smaller pleasure vessels are a far cry from a multi-thousand ton cargo or cruise ship, one would be hard-pressed to convert these boats back to a pure muscle or wind-based version. In short, we won’t be going back to the Age of Sail, but at the same time the fossil fuel-burning engines in these boats and ship come with their own range of issues.

Even if factors like pollution and carbon emissions are not something which keep you up at night, fuel costs just might, with these and efficiency regulations increasing year over year. Taking a page from alternative propulsion systems in cars and trucks, the maritime industry has been considering a range of replacements for diesel and steam engines. Here battery-electric propulsion is somewhat of an odd duck, as it does not carry its own fuel and instead requires on-shore recharging stations. Yet if battery-electric vehicles (BEVs) can be made to work on land with accompanying low ‘refueling’ costs, why not ships and boats?

A recent study by Lawrence Berkeley National Laboratory (LBNL) researchers Hee Seung Moon et al. as published in Nature Energy claims that a significant part of US maritime traffic can be electrified this way. Yet as a theoretical model, how close does it hit to the harsh realities imposed by this physical world which we live in?

Continue reading “Battery-Electric Ships: Coming Soon To A Harbor Near You?”