This Week In Security: The Robots Are Watching, Insecure VPNs, Graboids, And Biometric Fails

A Japanese hotel chain uses robots for nearly everything. Check in, room access, and most importantly, bedside service. What could possibly go wrong with putting embedded Android devices, complete with mics and cameras, right in every hotel room? While I could imagine bedside robots ending badly in many ways, today we’re looking at the possibility that a previous guest installed an app that can spy on the room. The kiosk mode used on these devices left much to be desired. Each bot has an NFC reader, and all it takes is a URL read by that reader to break out of the kiosk jail. From there, a user has full access to the Android system underneath, and can install whatever software they wish.

[Lance Vick] discovered this potential problem way back in July, and after 90 days of inaction has released the vulnerability. More of these hotels are being rolled out for the 2020 Olympics, and this sort of vulnerability is sure to be present in other similar kiosk devices.

VPN Compromise

In March 2018, a server in a Finnish data center was compromised through a remote management system. This was probably a Baseboard Management Controller (BMC), which is as dangerous as it is useful. Most BMCs have their own Ethernet adapter, not controlled by the host computer, which allows a remote user to access the machine just as if they had a monitor and keyboard connected to it. This particular server was one rented by NordVPN, who was apparently not notified of the data center breach.

So what was captured from this server? Apparently the OpenVPN credentials stored on that server, as well as a valid TLS key. (Document mirror via TechCrunch) It’s been noted that this key is now expired, which does mean that it’s not being actively exploited. There were, however, about 7 months between the server break-in and the certificate expiration, during which time it could have been used for man-in-the-middle attacks.

NordVPN has confirmed the breach, and tried to downplay the potential impact. This report doesn’t seem to entirely match the leaked credentials. An attacker with this data and root access to the server would have likely been able to decrypt VPN traffic on the fly.

Graboid

Named in honor of a certain sci-fi worm, Graboid is an unusual piece of malware aimed at Docker instances. It is a true worm, in that compromised hosts are used to launch attacks against other vulnerable machines. Graboid isn’t targeting a Docker vulnerability, but simply looking for an unsecured Docker daemon exposed to the internet. The malware downloads malicious docker images, one of which is used for crypto-currency mining, while another attempts to compromise other servers.

Graboid has an unusual quirk — the quirk that earned it the name: It doesn’t constantly mine or attempt to spread, but waits over a minute between bursts of activity. This was likely an attempt to mask the presence of mining malware. It’s notable that until discovered, the malicious Docker images were hosted on the Docker Hub. Be careful what images you trust, and look for the “Docker Official Image” tag.
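Since Graboid needs nothing more than a Docker daemon listening on TCP without client authentication, the useful check is on your own daemon configuration. The sketch below is an added example, not code from the article or from Docker: it audits the contents of a daemon.json and a dockerd command line for tcp:// listeners that lack tlsverify. The sample inputs and the severity labels are constructed for illustration.

```python
import json
import shlex

# Constructed sample inputs for illustration; not taken from any real host.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE_TLS = (
    "dockerd -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem "
    "--tlskey=/etc/docker/key.pem"
)

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")


def parse_cmdline(cmdline):
    """Extract (-H/--host values, tlsverify flag) from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("--host=", "-H=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_dockerd(daemon_json="{}", cmdline=""):
    """Return a list of (severity, listener) for unauthenticated TCP listeners.

    Only tlsverify counts as protection: plain "tls" encrypts the connection
    but does not require a client certificate, so anyone can still connect.
    """
    cfg = json.loads(daemon_json or "{}")
    cli_hosts, cli_tlsverify = parse_cmdline(cmdline)
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tlsverify = bool(cfg.get("tlsverify", False)) or cli_tlsverify

    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        if tlsverify:
            continue  # clients must present a certificate signed by the configured CA
        addr = host[len("tcp://"):]
        # Loopback-only listeners are not internet-facing, but any local
        # process can still drive the daemon, so they are flagged as well.
        severity = "medium" if addr.startswith(LOOPBACK_PREFIXES) else "critical"
        findings.append((severity, host))
    return findings


if __name__ == "__main__":
    for label, result in (
        ("daemon.json sample", audit_dockerd(SAMPLE_DAEMON_JSON)),
        ("TLS command line sample", audit_dockerd(cmdline=SAMPLE_CMDLINE_TLS)),
    ):
        print(label, "->", result or "no unauthenticated TCP listeners")
```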

Iran and Misdirection

Remember a couple weeks ago, when we discussed the difficulty of attack attribution? It seems a healthy dose of such paranoia might be warranted. The American NSA and British NCSC revealed that they now suspect Russian actors compromised Iranian infrastructure and deployed malware developed by Iranian coders. The purpose of this seems to have been redirection — to compromise targets and put the blame on Iran. To date it’s not certain that this particular gambit fooled any onlookers, but this is likely not the only such effort.

Android Biometrics

New Android handsets have had a rough week. First, the Samsung Galaxy S10 had an issue with screen protectors interfering with the under-the-screen fingerprint reader. This particular problem seems to only affect fingerprints that are enrolled after a screen protector has been applied. With the protector still in place, anyone’s fingerprint is able to unlock the device. What’s happening here seems obvious. The ultrasonic fingerprint scanner isn’t able to penetrate the screen protector, so it’s recording an essentially blank fingerprint. A patch to recognize these blank prints has been rolled out to devices in Samsung’s home country of South Korea, with the rest of the world soon to follow.

The second new handset is the Google Pixel 4, which includes a new Face Unlock feature. While many have praised the feature, there is trouble in paradise. The Pixel’s Face Unlock works even when the user is asleep or otherwise unmoving. To their credit, Apple’s Face ID also checks for user alertness, trying to avoid unlocking unless the user is intentionally doing so.

The humorous scenario is a child or spouse unlocking your phone while you’re asleep, but a more sobering possibility is your face being used against you unwillingly, or even while unconscious or dead. Based on leaks, it’s likely that there was an “eyes open” mode planned but cut before launch. Hopefully the bugs can be worked out of that feature, and it can be re-added in a future update. Until then, it’s probably best not to use Google’s Face Unlock on Pixel 4 devices.

How Power Over Ethernet (PoE) Works

A remote Ethernet device needs two things: power and Ethernet. You might think that this also means two cables, a beefy one to carry the current needed to run the thing, and thin little twisted pairs for the data. But no!

Power over Ethernet (PoE) allows you to transmit both power and data to network devices. It does this over twisted pair Ethernet cabling, which allows a single cable to carry both connections. The main advantage of using PoE as opposed to having separate lines for power and data is to simplify the process of installation – there are fewer cables to keep track of and purchase. For smaller offices, the hassle of having to wire new circuits or a transformer for converting AC to DC can be annoying.

PoE can also be an advantage in cases where power is not easily accessible or where additional wiring simply is not an option. Ethernet cables are often run in the ceiling, while power runs near the floor. Furthermore, PoE is protected from overload, short circuiting, and delivers power safely. No additional power supplies are necessary since the power is supplied centrally, and scaling the power delivery becomes a lot easier.

Devices Using PoE

[via PowerOverEthernet.com]
VoIP phones are becoming increasingly prevalent as offices are opting to provide power for phones from a central supply rather than hosting smaller power supplies to supply separate phones. Smart cameras – or IP cameras – already use Ethernet to deliver video data, so using PoE simplifies the installation process. Wireless access points can be easily connected to Ethernet through a main router, which is more convenient than seeking out separate power supplies.

 

Other devices that use PoE include RFID readers, IPTV decoders, access control systems, and occasionally even wall clocks. If it already uses Ethernet, and it doesn’t draw too much power, it’s a good candidate for PoE.

On the supply side, given that the majority of devices that use PoE are in some form networking devices, it makes sense that the main device to provide power to a PoE system would be the Ethernet switch. Another option is to use a PoE injector, which works with non-PoE switches to ensure that the device is able to receive power from another source than the switch.

How it Works

Historically, PoE was implemented by simply hooking extra lines up to a DC power supply. Early power injectors did not provide any intelligent protocol, simply injecting power into a system. The most common method was to power a pair of wires not utilized by 100Base-TX Ethernet. This could easily destroy devices not designed to accept power, however. The IEEE 802.3 working group started their first official PoE project in 1999, titled IEEE 802.3af.

[via Fiber Optic Communication]
This standard delivered up to 13 W to a powered device, utilizing two of the four twisted pairs in Ethernet cabling. This was adequate power for VoIP phones, IP cameras, door access control units, and other devices. In 2009, the IEEE 802.3 working group released the second PoE standard, IEEE 802.3at. This added a power class that could deliver up to 25.5 W, allowing for pan and tilt cameras to use the technology.

 

While further standards haven’t been released, proprietary technologies have used the PoE term to describe their methods of power delivery. A new project from the IEEE 802.3 working group was the IEEE 802.3bt standard, released in 2018, which utilizes all four twisted pairs to deliver up to 71 W to a powered device.

But this power comes at a cost: Ethernet cables simply don’t have the conductive cross-section that power cables do, and resistive losses are higher. Because power loss in a cable is proportional to the squared current, PoE systems minimize the current by using higher voltages, from 40 V to 60 V, which is then converted down in the receiving device. Even so, PoE specs allow for 15% power loss in the cable itself. For instance, your 12 W remote device might draw 14 W at the wall, with the remaining 2 W heating up your crawlspace. The proposed 70 W IEEE 802.3bt standard can put as much as 30 W of heat into the wires.

The bigger problem is typically insufficient power. The 802.3af PoE standard maximum power output is below 15.4 W (13 W delivered), which is enough to provide power for most networking devices. For higher power consumption devices, such as network PTZ cameras, this isn’t the case.
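The 802.3af figures above fit together as a short worked example (added here, not part of the original article). It assumes the standard's worst-case values, which the article does not state: a minimum supply voltage of 44 V, a maximum current of 350 mA, and a maximum cable loop resistance of 20 Ω.

$$P_{\text{supply}} = V I = 44\,\text{V} \times 0.35\,\text{A} = 15.4\,\text{W}$$

$$P_{\text{loss}} = I^2 R = (0.35\,\text{A})^2 \times 20\,\Omega = 2.45\,\text{W}$$

$$P_{\text{device}} = P_{\text{supply}} - P_{\text{loss}} = 15.4\,\text{W} - 2.45\,\text{W} = 12.95\,\text{W} \approx 13\,\text{W}$$

The loss is about 16% of the supplied power, in line with the 15% allowance mentioned above. Pushing the same 15.4 W through the same cable at 12 V would need about 1.28 A, and the loss would be

$$P_{\text{loss}} = (1.28\,\text{A})^2 \times 20\,\Omega \approx 32.9\,\text{W},$$

which is more than the supply provides. That is the squared-current penalty the higher voltage avoids.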

Although maximum power supply is specified in the standards, having a supply that provides more power than is necessary will not affect the performance of the device. The device will draw as much current as necessary to operate, so there is no risk of overload, just hot wires.

So PoE isn’t without its tradeoffs. Nevertheless, there’s certainly a lot of advantages to accepting PoE for devices, and of course we welcome a world with fewer wires. It’s fantastic for routers, phones, and their friends. But when your power-hungry devices are keeping you warm at night, it’s probably time to plug them into the wall.

 

Grind Your Welds With Pride, If That’s The Way You Do It

To grind or not to grind? What a question! It all depends on what you’re really trying to show, and in the case of welded joints, I often want to prove the integrity of the weld.

My ground-back piece of welded tube. Eagle-eyed readers will spot that the grinding reveals a weld that isn't perfect.

Recently, I wrote a piece in which I talked about my cheap inverter welder and others like it. As part of it I did a lower-current weld on a piece of thin tube and before snapping a picture of the weld I ground it back flat. It turns out that some people prefer to see a picture of the weld bead instead — the neatness of the external appearance of the weld — to allow judgment on its quality. Oddly I believe the exact opposite, that the quality of my weld can only be judged by a closer look inside it, and it’s this point I’d like to explore.


How To Make An Electric Scooter Chain Sprocket With Nothing But Hand Tools

Sometimes, mechanical parts can be supremely expensive, or totally unavailable. In those cases, there’s just one option — make it yourself. It was this very situation in which I found myself. My electric scooter had been ever so slightly bested by a faster competitor, and I needed redemption. A gearing change would do the trick, but alas, the chain sprocket I needed simply did not exist from the usual online classifieds.

Thus, I grabbed the only tools I had, and busied myself with my task. This is a build that should be replicable by anyone comfortable using a printer, power drill, and rotary tool. Let’s get to work!


Open Hardware Month Hack Chat

Join us on Wednesday, October 23 at noon Pacific for the Open Hardware Month Hack Chat with Michael Weinberg!

It seems like everything and everyone has a special day set aside on the calendar. You know the drill – a headline declaring it National Grilled Cheese Day (sorry, you missed it – April 12) or National Bundt Pan Day (not even kidding, November 15). It seems only fair with all these silly recognition days floating around that we in the hacking community should have a day of our own, too, or even a whole month. That’s why the Open Source Hardware Association declared the entire month of October to be Open Hardware Month.

Open hardware is all about accessible, collaborative processes that let everyone see and understand the hardware they’re using. The technological underpinnings of our lives are increasingly hidden from us, locked away as corporate secrets. Open hardware tries to turn that on its head and open up devices to everyone, giving them the freedom to not only use their devices but to truly understand what’s happening in them, and perhaps repair, extend, and even modify them to do something new and useful. Celebrating that and getting the message out to the general public is certainly something worth doing.

Michael Weinberg is a board member at OSHWA, and he’ll be joining the Hack Chat on October 23 (National Boston Cream Pie Day) to discuss Open Hardware Month and open-source hardware in general. We’ll learn about some of the events planned for Open Hardware Month, how open hardware is perceived beyond the hacker community, and what’s on tap for the 10th anniversary Open Hardware Summit in 2020.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, October 23 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.


Hackaday Links: October 20, 2019

It’s Nobel season again, with announcements of the prizes in literature, economics, medicine, physics, and chemistry going to worthies the world over. The wording of the Nobel citations is usually a vast oversimplification of decades of research and ends up being a scientific word salad. But this year’s chemistry Nobel citation couldn’t be simpler: “For the development of lithium-ion batteries”. John Goodenough, Stanley Whittingham, and Akira Yoshino share the prize for separate work stretching back to the oil embargo of the early 1970s, when Goodenough invented the first lithium cathode. Whittingham made the major discovery in 1980 that adding cobalt improved the lithium cathode immensely, and Yoshino turned both discoveries into the world’s first practical lithium-ion battery in 1985. Normally, Nobel-worthy achievements are somewhat esoteric and cover a broad area of discovery that few ordinary people can relate to, but this is one that most of us literally carry around every day.

What’s going on with Lulzbot? Nothing good, if the reports of mass layoffs and employee lawsuits are to be believed. Aleph Objects, the Colorado company that manufactures the Lulzbot 3D printer, announced that they would be closing down the business and selling off the remaining inventory of products by the end of October. There was a reported mass layoff on October 11, with 90 of its 113 employees getting a pink slip. One of the employees filed a class-action suit in federal court, alleging that Aleph failed to give 60 days notice of terminations, which a company with more than 100 employees is required to do under federal law. As for the reason for the closure, nobody in the company’s leadership is commenting aside from the usual “streamlining operations” talk. Could it be that the flood of cheap 3D printers from China has commoditized the market, making it too hard for any manufacturer to stand out on features? If so, we may see other printer makers go under too.

For all the reported hardships of life aboard the International Space Station – the problems with zero-gravity personal hygiene, the lack of privacy, and an aroma that ranges from machine-shop to sweaty gym sock – the reward must be those few moments when an astronaut gets to go into the cupola at night and watch the Earth slide by. They all snap pictures, of course, but surprisingly few of them are cataloged or cross-referenced to the position of the ISS. So there’s a huge backlog of beautiful but unknown cities around the planet. Lost at Night aims to change that by enlisting the pattern-matching abilities of volunteers to compare problem images with known images of the night lights of cities around the world. If nothing else, it’s a good way to get a glimpse at what the astronauts get to see.

Which Pi is the best Pi when it comes to machine learning? That depends on a lot of things, and Evan at Edje Electronics has done some good work comparing the Pi 3 and Pi 4 in a machine vision application. The SSD-MobileNet model was compiled to run on TensorFlow, TF Lite, or the Coral USB accelerator, using both a Pi 3 and a Pi 4. Evan drove around with each rig as a dashcam, capturing typical street scenes and measuring the frame rate from each setup. It’s perhaps no surprise that the Pi 4 and Coral setup won the day, but the degree to which it won was unexpected. It blew everything else away with 34.4 fps; the other five setups ranged from 1.37 to 12.9 fps. Interesting results, and good to keep in mind for your next machine vision project.

Have you accounted for shrinkage? No, not that shrinkage – shrinkage in your 3D-printed parts. James Clough ran into shrinkage issues with a part that needed to match up to a PCB he made. It didn’t, and he shared a thorough analysis of the problem and its solution. While we haven’t run into this problem yet, we can see how it happened – pretty much everything, including PLA, shrinks as it cools. He simply scaled up the model slightly before printing, which is a good tip to keep in mind.

And finally, if you’ve ever tried to break a bundle of spaghetti in half before dropping it in boiling water, you likely know the heartbreak of multiple breakage – many of the strands will fracture into three or more pieces, with the shorter bits shooting away like so much kitchen shrapnel. Because the world apparently has no big problems left to solve, a group of scientists has now figured out how to break spaghetti into only two pieces. Oh sure, they mask it in a paper with the lofty title “Controlling fracture cascades through twisting and quenching”, but what it boils down to is applying an axial twist to the spaghetti before bending. That reduces the amount of bending needed to break the pasta, which reduces the shock that propagates along the strand and causes multiple breaks. They even built a machine to do just that, but since it only breaks a strand at a time, clearly there’s room for improvement. So get hacking!

Maker Spirit Alive And Well At The Philly Maker Faire

For many of us, it’s difficult to imagine a world without Maker Faire. The flagship events in California and New York have served as a celebration of the creative spirit for a decade, giving hackers and makers a rare chance to show off their creations to a live audience numbering into the hundreds of thousands. It’s hard to overstate the energy and excitement of these events; for anyone who had the opportunity to attend one in person, it’s an experience not soon forgotten.

Unfortunately, a future without Maker Faire seemed a very real possibility just a few months ago. In May we first heard the events were struggling financially, and by June, we were saddened to learn that organizer Maker Media would officially be halting operations. It wasn’t immediately clear what would happen to the flagship Maker Faires, and when Maker Media reluctantly admitted that production of the New York Faire was officially “paused”, it seemed we finally had our answer.

But as the recent Philadelphia Maker Faire proved, the maker movement won’t give up without a fight. While technically an independent “Mini” Faire, it exemplifies everything that made the flagship events so special and attracted an impressive number of visitors. With the New York event left in limbo, the Philadelphia Faire is now arguably the largest event of its type on the East Coast, and has the potential for explosive growth over the next few years. There’s now a viable option for makers of the Northeast who might have thought their days of exhibiting at a proper Maker Faire were over.

We’ll be bringing you detailed coverage of some of the incredible projects that were on display at the Philadelphia Maker Faire over the coming days, but in the meantime, let’s take a quick look at some of the highlights from this very promising event.
