This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

Our own [Pat Whetman] wrote about a clever technique published by the University of Michigan, where lasers can be used to trigger a home assistant device. It’s an interesting hack, and you should go read it.

Borrowing IP Addresses

We’ve lived through several IPv4 exhaustion milestones, and the lack of available addresses is really beginning to show, even for trolls and scammers. A new approach takes advantage of the weak security of the Border Gateway Protocol, and allows bad actors to temporarily take over reserved address blocks. These particular providers operate out of Russia, running network services they advertise as “bulletproof”, meaning immune to takedown requests. What better way to sidestep takedowns than to use IP addresses that aren’t really yours to begin with?

BGP spoofing has been at the center of other types of attacks and incidents, like in 2018 when a misconfiguration in a Nigerian ISP’s BGP tables routed traffic intended for Google’s servers through Chinese and Russian infrastructure. In that case it appeared to be a genuine mistake, but little prevents malicious BGP table poisoning.
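The defensive counterpart to the “borrowed” reserved blocks above is a bogon filter on inbound BGP announcements, dropping prefixes from reserved address space (and announcements originated by private or reserved ASNs) before they reach the routing table. The code below is an added illustration, not from the article or from any party it describes. It assumes announcements arrive as text lines of the form “<prefix> <origin ASN>”; the sample announcements, the ASN 12345 and the 11.22.33.0/24 prefix are constructed placeholders, and the reserved-range tables are a subset of the IANA special-purpose registries, not a complete live bogon feed.

```python
"""Bogon filter for BGP announcements (added illustrative example).

Assumptions, not taken from the article: announcements arrive as text lines of
the form "<prefix> <origin ASN>", and the reserved-range tables below are a
subset of the IANA special-purpose registries, not a complete live bogon feed.
"""
import ipaddress

# Address blocks that should never appear as routable prefixes on the Internet.
RESERVED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes broadcast
)]
RESERVED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128",          # loopback
    "2001:db8::/32",    # documentation
    "fc00::/7",         # unique local
    "fe80::/10",        # link-local
    "ff00::/8",         # multicast
)]

# Origin ASNs that no public network should be announcing from.
RESERVED_ASN = (
    (0, 0),                        # reserved, RFC 7607
    (23456, 23456),                # AS_TRANS
    (64496, 64511),                # documentation, RFC 5398
    (64512, 65534),                # private use, RFC 6996
    (65535, 65535),                # reserved
    (4200000000, 4294967294),      # private use, RFC 6996
    (4294967295, 4294967295),      # reserved
)
MAX_PREFIXLEN = {4: 24, 6: 48}    # common policy: drop anything more specific


def prefix_reason(prefix):
    """Return why a prefix should be rejected, or None if it looks routable."""
    net = ipaddress.ip_network(prefix, strict=False)
    limit = MAX_PREFIXLEN[net.version]
    if net.prefixlen > limit:
        return f"more specific than /{limit}"
    for reserved in RESERVED_V4 if net.version == 4 else RESERVED_V6:
        # overlaps() also catches a covering aggregate such as 10.0.0.0/7
        if net.overlaps(reserved):
            return f"overlaps reserved block {reserved}"
    return None


def asn_reason(asn):
    """Return why an origin ASN should be rejected, or None."""
    for low, high in RESERVED_ASN:
        if low <= asn <= high:
            return f"origin AS{asn} is reserved/private"
    return None


def check_announcement(line):
    """List every reason to drop one '<prefix> <origin ASN>' announcement."""
    prefix, asn = line.split()
    return [r for r in (prefix_reason(prefix), asn_reason(int(asn))) if r]


def filter_announcements(lines):
    """Map each announcement that should be dropped to its list of reasons."""
    flagged = {}
    for line in lines:
        reasons = check_announcement(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample announcements; the ASNs and 11.22.33.0/24 are placeholders.
SAMPLE_ANNOUNCEMENTS = [
    "11.22.33.0/24 12345",   # ordinary public prefix from an ordinary ASN
    "192.0.2.0/24 12345",    # TEST-NET-1: reserved, should never be routed
    "10.0.0.0/7 12345",      # covering aggregate that swallows RFC 1918 space
    "11.22.33.0/25 65001",   # too specific, and originated from a private ASN
    "2001:db8::/32 12345",   # IPv6 documentation prefix
]

if __name__ == "__main__":
    for line, reasons in filter_announcements(SAMPLE_ANNOUNCEMENTS).items():
        print(f"DROP {line}: {'; '.join(reasons)}")
```

Running it drops four of the five sample announcements and lets only the ordinary /24 through. A static table like this only catches reserved space; it does nothing against a hijack of space that is allocated but unused, which is where RPKI route-origin validation and IRR-based prefix filtering on peering sessions come in.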

Chrome Zero-day

Google released an update to Chrome on the 31st that addresses two CVEs, one of which is being actively exploited. That vulnerability, CVE-2019-13720, is a race condition resulting in a potential use-after-free. Kaspersky Labs found this one being actively used on a Korean news site. The attack runs entirely from JavaScript, and simply visiting a malicious site is enough for compromise, so update Chrome if it’s installed.

Anti-anti-doping

What do you do when you feel you’ve been unfairly targeted by an anti-doping investigation? Apparently hacking the investigating agency and releasing stolen information is an option. It seems like this approach is more effective when there are shenanigans revealed in the data dump. In this case, the data being released seems rather mundane.

Firefox Blocking Sideload Extensions

Mozilla made a controversial announcement on the 31st. They intend to block “sideload” browser extensions. Until this change, it was possible to install browser extensions by copying them to a particular folder on the computer. Some legitimate extensions used this installation method, but so did malware, adware, and other unwanted software. While this change will block some malicious add-ons, it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.

As you might imagine, the response has been… less than positive. While making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension. It remains to be seen exactly how this change will shake out.

Save Games as Attack Vector

An oddball vulnerability caught my eye, published by [Denis Andzakovic] over at Pulse Security. He discovered that a recent indie game, Untitled Goose Game, can be manipulated into running arbitrary code as a result of loading a maliciously modified save file. The vulnerability is rooted in a naive deserialization routine.

If you’re interested in a deeper dive into .NET deserialization bugs, a great paper was submitted to Black Hat 2012 discussing the topic. The short version is that if a programmer isn’t careful, the deserialization routine can overwrite variables in unexpected ways, potentially leading to code execution.
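The .NET specifics are in the Pulse Security write-up; the example below is added here to show the general pattern in Python, with pickle standing in for a naive serializer that rebuilds whatever object graph the file describes, beside two hardened loaders: one that refuses every class or function reference in the file, and one that reads a data-only format against an explicit schema. SaveGame, its fields and the sample save contents are constructed; none of this is code from the game or from the write-up.

```python
"""Save-file loading: a naive deserializer beside hardened ones (added example).

The game in the article is .NET; this is a Python illustration of the same
pattern, with pickle standing in for a serializer that rebuilds whatever object
graph the file describes. SaveGame, its fields and the sample saves are constructed.
"""
import io
import json
import pickle


class SaveGame:
    """Constructed save-game record: the three fields the game actually uses."""

    def __init__(self, level, score, player_name):
        self.level = level
        self.score = score
        self.player_name = player_name


# --- naive: the file decides which objects get built and which attributes they carry
def load_save_naive(blob):
    return pickle.loads(blob)


# --- hardened, step 1: never resolve class/global references named by the file
class _RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # A save should be plain data; a reference to a class or function is
        # exactly what turns tampering into code execution, so refuse it outright.
        raise pickle.UnpicklingError(f"save references {module}.{name}; refused")


def load_save_restricted(blob):
    return _RestrictedUnpickler(io.BytesIO(blob)).load()


# --- hardened, step 2: a data-only format checked against an explicit schema
SAVE_SCHEMA = {"level": int, "score": int, "player_name": str}


def load_save_json(text):
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("save must be a JSON object")
    unknown = sorted(set(data) - set(SAVE_SCHEMA))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    for field, expected in SAVE_SCHEMA.items():
        if field not in data:
            raise ValueError(f"missing field: {field}")
        if type(data[field]) is not expected:   # 'is', so bool is not accepted as int
            raise ValueError(f"{field} must be {expected.__name__}")
    if not 0 <= data["level"] <= 99 or data["score"] < 0 or len(data["player_name"]) > 32:
        raise ValueError("field out of range")
    return SaveGame(**data)


def try_load(loader, save):
    """Run a loader and report (accepted, result_or_reason) instead of raising."""
    try:
        return True, loader(save)
    except (pickle.UnpicklingError, ValueError) as exc:
        return False, str(exc)


# Constructed sample saves.
def make_tampered_pickle():
    # Stand-in for an edited save: the same object with an attribute the game
    # never wrote, which a naive loader hands straight back to game code.
    save = SaveGame(3, 1200, "goose")
    save.debug_console = True
    return pickle.dumps(save)


def make_plain_pickle():
    return pickle.dumps({"level": 3, "score": 1200, "player_name": "goose"})


GOOD_SAVE_JSON = '{"level": 3, "score": 1200, "player_name": "goose"}'
TAMPERED_SAVE_JSON = '{"level": 3, "score": 1200, "player_name": "goose", "admin_console": true}'

if __name__ == "__main__":
    cases = [
        ("naive / tampered", load_save_naive, make_tampered_pickle()),
        ("restricted / tampered", load_save_restricted, make_tampered_pickle()),
        ("restricted / plain dict", load_save_restricted, make_plain_pickle()),
        ("json / good", load_save_json, GOOD_SAVE_JSON),
        ("json / tampered", load_save_json, TAMPERED_SAVE_JSON),
    ]
    for name, loader, save in cases:
        ok, result = try_load(loader, save)
        shown = getattr(result, "__dict__", result)
        print(f"{name:25} {'accepted' if ok else 'rejected'}: {shown}")
```

The naive loader returns an object carrying the attacker-supplied `debug_console` attribute without complaint, which is the “overwrite variables in unexpected ways” case in miniature; the restricted unpickler rejects the same file because it names a class, and the JSON loader rejects the unknown field, a wrong type, and an out-of-range value. Whatever the serializer, the fix is the same shape: the file supplies values, never types.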

At first glance, a vulnerability triggered by a malicious save file seems relatively harmless. The level of access needed to modify a save file on a hard drive is enough to compromise that computer in a multitude of better ways. Enter cloud save synchronization. Steam, for instance, will automatically sync save games across a user’s install locations. This is a very useful feature for those of us that might play the same game on a laptop and a desktop. Having the save game automatically synced to all your devices is quite useful, but if an attacker compromised your Steam account, your save games could be manipulated. This leads to the very real possibility that an attacker could use a save game vulnerability to turn a Steam account compromise into an attack on all your machines with Steam installs.

Found Footage: Elliot Williams Talks Nexus Technologies

Back at the 2017 Superconference, Hackaday Managing Editor Elliot Williams started his talk about the so-called “Internet of Things” by explaining the only part he doesn’t like about the idea is the Internet… and the things. It’s a statement that most of us would still agree with today. If anything, the situation has gotten worse in the intervening years. Commercial smart gadgets are now cheaper and more plentiful than they’ve ever been, but it seems like precious little has been done to improve their inherent privacy and security issues.

But his talk doesn’t serve to bash the companies producing these devices or even the services that ultimately folded and left their customers with nigh useless gadgets. That’s not his style. The central theme of “Nexus Technologies: Or How I Learned to Love WiFi” is that a smart home can be a wonderful thing, assuming it works the way you want it to. Elliot argues that between low-cost modular hardware and open source software, the average hacker has everything they need to build their own self-contained home automation ecosystem. One that’s not only cheaper than what they’re selling at the Big Box electronics store, but also doesn’t invite any of the corporate giants to the party.

Of course, it wasn’t always so. A decade ago it would have been all but impossible, and five years ago it would have been too expensive to be practical. As Elliot details his journey towards a truly personal smart home, he explains the advances in hardware and software that have made it not just possible on the DIY level, but approachable. The real takeaway is that once more people realize how cheap and easy it is to roll your own smart home gadgets, they may end up more than willing to kick Big Brother to the curb and do IoT on their own terms.

This previously unpublished recording somehow slipped between the cracks of the editing room floor but upon recent discovery, it’s still just as relevant today. Take a look at Elliot’s view on Nexus Technologies, then join us after the break for a deeper dive. Make sure to subscribe to Hackaday’s YouTube channel to get in on the 2019 Hackaday Superconference live stream starting Saturday, November 16th.


Supercon Keynote: Dr. Megan Wachs On RISC-V

Hackaday has open-source running deep in our veins — and that goes for hardware as well as software. After all, it’s great to run open-source software, but if it’s running on black-box hardware, the system is only half open. While software has benefited mightily from all of the advantages of community development, the hardware world has been only recently catching up. And so we’ve been following the RISC-V open-source CPU development with our full attention.

Dr. Wachs, making her own wedding ring.

Our keynote speaker for the 2019 Hackaday Superconference is Dr. Megan Wachs, the VP of Engineering at SiFive, the company founded by the creators of the RISC-V instruction-set architecture (ISA). She has also chaired the RISC-V Foundation Debug Task Group, so it’s safe to say that she knows RISC-V inside and out. If there’s one talk we’d like to hear on the past, present, and future of the architecture, this is it.

The RISC-V isn’t a particular chip, but rather it’s a design for how a CPU works, and a standard for the lowest-level language that the machine speaks. In contrast to proprietary CPUs, RISC-V CPUs from disparate vendors can all use the same software tools, unifying and opening their development. Moreover, open hardware implementations for the silicon itself mean that new players can enter the space more easily, bring their unique ideas to life faster, and we’ll all benefit. We can all work together.

It’s no coincidence that this year’s Supercon badge has two RISC-V cores running in its FPGA fabric. When we went shopping around for an open CPU core design, we had a few complete RISC-V systems to pick from, full compiler and development toolchains to write code for them, and of course, implementations in Verilog ready to flash into the FPGA. The rich, open ecosystem around RISC-V made it a no-brainer for us, just as it does for companies making neural-network peripherals or even commodity microcontrollers. You’ll be seeing a lot more RISC-V systems in the near future, on your workbench and in your pocket.

We’re tremendously excited to hear more about the project from the inside, and absolutely looking forward to Megan’s keynote speech!

The Hackaday Superconference is completely sold out, but that doesn’t mean that you have to miss out. We’ll be live-streaming the keynote and all other talks on the Supercon main stage, so subscribe to our YouTube channel and you won’t miss a thing.

The Murky Business Of Stopping Oil Spills

Six years before Deepwater Horizon exploded in April 2010, the force of Hurricane Ivan blew an offshore drilling platform off its legs and into the Gulf of Mexico. For the last 14 years, that well’s pipes, long buried in mud and debris, have been spilling oil into the Gulf every single day. That makes it the longest-running spill in history. Every day for fourteen years. Let that sink in for a bit.

Taylor Energy’s platform sat just 10 miles off the coast, much closer to the Louisiana shore than Deepwater Horizon was. Since the hurricane hit, Taylor has tried a number of unsuccessful things to stop the spill. They’ve only been able to plug 9 of the 25 broken pipes so far. The rest are buried deep in mud and debris. Why on Earth haven’t you heard about this before? Taylor spent six years covering it up. And they might have gotten away with it, too, if it weren’t for pesky watchdog groups surveying the Gulf after Deepwater Horizon exploded.

So how are oil spills stopped, anyway? The answer depends on many things. Most immediately, it depends on whether the spill happened onshore or offshore, and on the inciting incident that caused the spill. Underwater oil spills are much more difficult to stop because of the weight and existence of the ocean. In Taylor Energy’s case, the muddy Gulf bed has become a murky tomb for the broken and buried pipes, which makes it even more messy.


Circuit Sculpture Hack Chat

Join us on Wednesday, November 6 at noon Pacific for the Circuit Sculpture Hack Chat with Mohit Bhoite!

For all the effort engineers put into electronic design, very few people ever get to appreciate it. All the hard work that goes into laying out a good PCB and carefully selecting just the right components is hidden the moment the board is slipped into an enclosure, only to be interacted with again through a user interface that gets all the credit for the look and feel of the product.

And yet there are some who design circuits purely as works of art. They may do something interesting or useful, but function is generally secondary to form for these circuit sculptors. Often consisting of skeletons of brass wire bent at precise angles to form intricate structures, circuit sculptures are the zen garden of electronic design: they’re where the designer turns to quiet the madness of making deadlines and meeting specs by focusing on the beauty of components themselves and putting them on display for all to enjoy.

By day, our host Mohit designs and builds hardware at Particle. By night, however, the wires and pliers come out, and he makes circuit sculptures that come alive. Check out his portfolio; you won’t be disappointed. This Hack Chat will be your chance to find out everything that goes into making these sculptures. Find out where Mohit gets his inspiration, learn his secrets for such precise, satisfyingly crisp wire-bending, and see what it takes to turn silicon into art.


Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, November 6 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.


Hackaday Links: November 3, 2019

Depending on how you look at it, the Internet turned 50 years old last week. On October 29, 1969, the first message was transmitted between two of the four nodes that made up ARPANET, the Internet’s predecessor network. ARPANET was created after a million dollars earmarked for ballistic missile defense was diverted from the Advanced Research Projects Agency budget to research packet-switched networks. It’s said that ARPANET was designed to survive a nuclear war; there’s plenty of debate about whether that was a specific design goal, but if it was, it certainly didn’t look promising out of the gate, since the system crashed after only two characters of the first message were sent. So happy birthday, Internet, and congratulations: you’re now old enough to start getting junk mail from the AARP.

Good news for space nerds: NASA has persuaded Boeing to livestream an upcoming Starliner test. This won’t be a launch per se, but a test of the pad abort system intended to get astronauts out of harm’s way in the event of a launch emergency. The whole test will only last about 90 seconds and never reach more than 1.5 kilometers above the White Sands Missile Range test site, but it’s probably a wise move for Boeing to be as transparent as possible at this point in their history. The test is scheduled for 9:00 AM Eastern time — don’t forget Daylight Saving Time ends this weekend in most of the US — and will air on NASA Television.

Speaking of space, here’s yet another crowd-sourced effort you might want to consider getting in on if you’re of an astronomical bent. The Habitable Exoplanet Hunting Project is looking for a new home for humanity, and they need more eyes on the skies to do it. An introductory video explains all about it; we have to admit being surprised to learn that the sensitive measurements needed to see exoplanets transiting their stars are possible for amateur astronomers, but it seems doable with relatively modest equipment. Such are the advances in optics, CCD cameras, and image processing software, it seems. The project is looking for exoplanets within 100 light-years of Earth, perhaps on the hope that a generation ship will have somewhere to go to someday.

Space may be hard, but it’s nothing compared to running a hackerspace right here on Earth. Or at least it seems that way at times, especially when those times include your building collapsing, a police raid, and being forced to operate out of a van for months while searching for a new home, all tragedies that have befallen the Cairo Hackerspace over the last few years. They’re finally back on their feet, though, to the point where they’re ready to host Egypt’s first robotics meetup this month. If you’re in the area, stop by and perhaps consider showing off a build or even giving a talk. This group knows a thing or two about persistence, and they’ve undoubtedly got the coolest hackerspace logo in the world.

And finally, no matter how bad your job may be, it’s probably not as bad as restoring truck batteries by hand. Alert reader [rasz_pl] tipped us off to this video, which shows an open-air shop in Pakistan doing the dirty but profitable work of gutting batteries and refurbishing them. The entire process is an environmental and safety nightmare, with used electrolyte tossed into the gutter, molten lead being slung around by the bucketful, and not a pair of safety glasses or steel-toed shoes (or any-toed, for that matter) to be seen. But the hacks are pretty cool, like pouring new lead tabs onto the plates, or using a bank of batteries to heat an electrode for welding the plates together. We’ve talked about the recyclability of lead-acid batteries before and how automated plants can achieve nearly 100% reuse; there’s nothing automated here, though, and the process is so labor-intensive that only three batteries can be refurbished a day. It’s still fascinating to watch.


Eth0 Autumn 2019: Tiny Camp, Creative Badge

The Dutch organisation eth0 has run a series of informal small camps over the years, never with an attendance too far into three figures, and without pre-planned events or entertainment. What happens is at the instigation of the attendees, and the result is a weekend of much closer socialising and working together on projects than the large camps where you spend your time running around to catch everything.

The largest of hacker camps offer all the lights, robots, tschunk, and techno music you can stomach; they can be a blast but also overwhelming. I made my way to eth0 over the past weekend, enjoying the more intimate size and coming away having made friendships from spending time with great people at a large private camping hostel near Lichtenvoorde. This is in the far east of the country near the German border, to which I traveled in a tiny European hatchback in the company of a British hardware hacker friend. Netherlands roads are so easy to navigate!

A prototype tensegrity structure. Image: Igor Nikolic.

At the event was the usual array of activities, though since it was a restricted photography affair I’m short on wider shots that would include people. This year’s hit came from surplus flipdot displays from retired German buses, with plenty of glitches as their quirks were figured out by our friends Lucy Fauth and Jana Marie Hemsing. Something tells me I’ll be seeing a lot of those fluorescent circles in the future.

I’d brought along the nucleus of a textile village, and RevSpace in The Hague had added their embroidery machine to my overlocker and sewing machines. Its operator was Boekenwuurm from Hackalot in Eindhoven, who was kind enough to embroider a Wrencher for me, and now I want one of these 600-Euro machines even if I can’t afford one. She and RevSpace’s Igor Nikolic were experimenting with inflatables and tensegrity structures, creating prototypes with an eye to more impressive installations at future camps.

A couple of days hanging out with friends in the Netherlands countryside could probably be spun into a reasonable tale, but there was something more interesting still at this camp. It had a badge, courtesy of the prolific badge.team Dutch badge crew. It didn’t come with their trademark ESP32 firmware though; instead, in keeping with the budget of the event, it was a prototyping board on which attendees could create their own badges. What came forth from that was extremely impressive, and continued after the event.
