This Week In Security: ToTok, Edgium, Chrome Checks Your Passwords, And More

Merry Christmas and happy New Year! After a week off, we have quite a few stories to cover, starting with an unexpected Christmas gift from Apple. Apple has run an invitation-only bug bounty program for years, but it only covered iOS, and the maximum payout topped out at $200K. The new program is open to the public, covers the entire Apple product lineup, and has a maximum payout of $1.5 million. Go forth and find vulnerabilities, and make sure to let us know what you find.

ToTok

The United Arab Emirates had an odd policy regarding VoIP communications. At least on mobile networks, it seems that all VoIP calls are blocked — unless you’re using a particular app: ToTok. Does that sound odd? Is your “Security Spider Sense” tingling? It probably should. The New York Times covered ToTok, claiming it was actually a tool for spying on citizens.

While that coverage is interesting, more meat can be found in [Patrick Wardle]’s research on the app. What’s most notable, however, is the distinct lack of evidence found in the app itself. Sure, ToTok can read your files, uploads your contact book to a centralized server, and tries to send the device’s GPS coordinates. This really isn’t too far removed from what other apps already do, all in the name of convenience.

It seems that ToTok lacks end-to-end encryption, which means that calls could be easily decrypted by whoever is behind the app. The lack of malicious code in the app itself makes it difficult to emphatically call it a spy tool, but it’s hard to imagine a better way to capture VoIP calls. Since those articles ran, ToTok has been removed from both Apple’s and Google’s app stores.

SMS Keys to the Kingdom

Have you noticed how many services treat your mobile number as a positive form of authentication? Need a password reset? Just type in the six-digit code sent in a text. Prove it’s you? We sent you a text. [Joakim Bech] discovered a weakness that takes this a step further: all he needs is access to a single SMS message, and he can control your burglar alarm from anywhere. Well, at least if you have a security system from Alert Alarm in Sweden.

The control messages are sent over SMS, making them fairly accessible to an attacker. AES is used for encryption, but a series of errors seriously reduces its effectiveness. The first is the key: to build the 128-bit encryption key, the app takes the user’s four-digit PIN and pads it with zeros, so it’s essentially a 13-bit encryption key. Even worse, there is no message authentication built into the system at all. An attacker with a single captured SMS message can brute force the user’s PIN, modify the message, and easily send spoofed commands that are treated as valid.
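To make the two faults concrete, here is an added example (not Alert Alarm’s or [Joakim Bech]’s code) that models the key derivation as described and contrasts it with a stdlib-only hardened frame: a random key provisioned at installation plus an HMAC tag over a counter and the command. It assumes the PIN is placed as four ASCII digits followed by zero bytes, and it leaves out the AES layer since the point here is key strength and message authentication.

```python
import hashlib
import hmac
import math
import os

# Added example; not Alert Alarm's or [Joakim Bech]'s code. Assumption: the
# 128-bit key is the four ASCII PIN digits followed by zero bytes.
def weak_key_from_pin(pin: str) -> bytes:
    """Key derivation as described: the PIN padded with zeros to 16 bytes."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be four digits")
    return pin.encode("ascii").ljust(16, b"\x00")

def weak_keyspace_bits() -> float:
    """Only 10**4 distinct keys exist, about 13.3 bits despite the 128-bit key."""
    return math.log2(10 ** 4)

# Hardened alternative (stdlib only, confidentiality omitted): a random 128-bit
# key shared at installation, and an HMAC tag over a counter plus the command,
# so a captured message can be neither modified nor replayed.
def provision_key() -> bytes:
    return os.urandom(16)

def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame = 4-byte counter || command || 16-byte truncated HMAC-SHA256 tag."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def open_frame(key: bytes, frame: bytes, last_counter: int):
    """Return (counter, command) if the tag verifies and the counter is fresh, else None."""
    if len(frame) < 4 + 16:
        return None
    body, tag = frame[:-16], frame[-16:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    counter = int.from_bytes(body[:4], "big")
    if counter <= last_counter:  # reject a replayed frame
        return None
    return counter, body[4:]
```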

Microsoft Chrome

You may have seen the news: Microsoft is giving up on its Edge browser code and will soon begin shipping a Chromium-based Edge. While that has been a source of entertainment all on its own, some have already begun taking advantage of the new bug bounty program for Chromium Edge (Edgium?). It’s an odd bounty program, in that Microsoft has no interest in paying for bugs found in Google’s code. As a result, only bugs in the Edge-exclusive features qualify for a payout from Microsoft.

As [Abdulrahman Al-Qabandi] puts it, that’s a very small attack surface. Even so, he managed to find a vulnerability that qualified, and it’s unique. One of the additions Microsoft has made to Edgium is a custom new tab page. Similar to other browsers, that new tab page shows the user their most visited websites. The problem is that the site’s title is shown on that page without any sanitization. If your site’s title field happens to include JavaScript, that too is injected into the new tab page.

The full exploit has a few extra steps, but the essence is that once a website makes it to the new tab page, it can take over that page, and maybe even escape the browser sandbox.

Chrome Password Checkup

This story is a bit older, but it really grabbed my attention. Google has rolled out a feature in Chrome that automatically compares your saved passwords to past data breaches. How does that work without being a security nightmare? It’s clever. A three-byte hash of each username is sent to Google and compared to the hashes of the compromised accounts. An encrypted database of potential matches is sent to your machine. Your saved passwords, already encrypted with your key, are encrypted a second time with a Google key and sent back along with the database of possible matches, also encrypted with the same Google key. The clever bit is that once your machine decrypts your database, it now has two sets of credentials, both encrypted with the same Google key. Since this encryption is deterministic, the encrypted data can be compared without decryption. In the end, your passwords aren’t exposed to Google, and Google hasn’t given away its data set either.

The Password Queue

Password changes are a pain, but not usually this much of a pain. A university in Germany suffered a severe malware infection, and took the precaution of resetting the passwords for every student’s account. Their solution for bootstrapping those password changes? The students had to come to the office in person with a valid ID to receive their new passwords. The school cited German legal requirements as a primary cause of the odd solution. Still, you can’t beat that for a secure delivery method.

Ask Hackaday: How Do You Keep The 3D Printer From Becoming EWaste

One thing we sometimes forget in our community is that many of the techniques and machines that we take for granted are still something close to black magic for many outsiders. Here’s a tip: leave a 3D printer running next time you take a group of visitors round a hackerspace, and watch their reaction as a Benchy slowly emerges from the moving extruder. To us it’s part of the scenery, but to them it’s impossibly futuristic and their minds are blown.

Just because something says it's a Prusa i3, doesn't mean it is a Prusa i3.

Nearly 15 years after the dawn of the RepRap project we have seen a huge advancement in the capabilities of affordable 3D printers, and now a relatively low three-figure sum will secure a machine from China that will churn out prints whose quality would amaze those early builders. We’ve reached the point in our community at which many people are on their third or fourth printer, and this has brought with it an unexpected side-effect. Where once a hackerspace might have had a single highly prized 3D printer, now it’s not unusual to find a pile of surplus older printers on a shelf. My hackerspaces both have several, and it’s a sight I’ve frequently seen on my travels around others. Perhaps it’s a sign of a technology maturing when it becomes ewaste, and thus it seems affordable 3D printing has matured. Continue reading “Ask Hackaday: How Do You Keep The 3D Printer From Becoming EWaste”

Fail Of The Week: Ambitious Vector Network Analyzer Fails To Deliver

If you’re going to fail, you might as well fail ambitiously. A complex project with a lot of subsystems has a greater chance of at least partial success, as well as providing valuable lessons in what not to do next time. At least that’s the lemonade [Josh Johnson] made from his lemon of a low-cost vector network analyzer.

For the uninitiated, a VNA is a versatile test instrument for RF work that allows you to measure both the amplitude and the phase of a signal, and it can be used for everything from antenna and filter design to characterizing transmission lines. [Josh] decided to port a lot of functionality for his low-cost VNA to a host computer and concentrate on the various RF stages of the design. Unfortunately, [Josh] found the performance of the completed VNA to be wanting, especially in the phase measurement department. He has a complete analysis of the failure modes in his thesis, but the short story is poor filtering of harmonics from the local oscillator, unexpected behavior by the AD8302 chip at the heart of his design, and calibration issues. Confounding these issues was the time constraint; [Josh] might well have gotten the issues sorted out had the clock not run out on the school year.

After reading through [Josh]’s description of his project, which was a final-year project and part of his thesis, we feel like his rating of the build as a failure is a bit harsh. Ambitious, perhaps, but with a spate of low-cost VNAs coming on the market, we can see where he got the inspiration. We understand [Josh]’s disappointment, but there were a lot of wins here, from the excellent build quality to the top-notch documentation.

Linux Fu: Leaning Down With Exec

Shell scripting is handy and with a shell like bash it is very capable, too. However, shell scripting isn’t always very efficient. Think about it. If you run grep or tr or sort to do some operation in a shell script, you are spawning a whole new process. That takes time and resources. But there are some answers to reducing — but not eliminating — the problem.

Have you ever written a program like this (in any language, but I’ll use C):

void bar(void);   /* the callee, declared so the fragment compiles */

void foo(void)
{
  /* ... other work ... */
  bar();          /* tail call: nothing happens after bar() returns */
}

You hope the compiler doesn’t write assembly code like this:

_foo:
      ....
      call _bar
      ret

Most optimizers should pick up on the fact that you can convert a call like this to a jump and let the ret statement in _bar return to foo’s caller. However, shell scripts are not that smart. If you have a shell script called MungeData and it calls another program or shell script called PostProcess on its last line, then you will have three processes in play at one time: your original shell, the shell running MungeData, and either the PostProcess program or a shell running the script. Not to mention the processes spawned to do the work inside PostProcess. So what do you do?

Continue reading “Linux Fu: Leaning Down With Exec”


Hackaday Links: December 29, 2019

The retrocomputing crowd will go to great lengths to recreate the computers of yesteryear, and no matter which species of computer is being restored, getting it just right is a badge of honor in the community. The case and keyboard obviously play a big part in that look, so when a crowdfunding campaign to create new keycaps for the C64 was announced, Commodore fans jumped to fund it. Sadly, more than four years later, the promised keycaps haven’t been delivered. One disappointed backer, Jim Drew, decided he was sick of waiting, so he delved into the world of keycap injection molding and started his own competing campaign. Jim details his adventures in his Kickstarter Indiegogo campaign, which makes for good reading even if you’re not into Commodore refurbishment. Here’s hoping Jim has better luck than the competition did.

Looking for anonymity in our increasingly surveilled world? You’re not alone, and in fact, we predict facial recognition spoofing products and methods will be a growth industry in the new decade. Aside from the obvious – and often illegal – approach of wearing a mask that blocks most of the features machine learning algorithms use to quantify your face, one now has another option, in the form of a colorful pattern that makes you invisible to the YOLOv2 algorithm. The pattern, which looks like a soft-focus crowd scene rendered in Mardi Gras colors, won’t make the algorithm think you’re someone else, but it will prevent you from being classified as a person. It won’t work with any other AI algorithm, but it’s still an interesting phenomenon.

We saw a great hack come in this week about using an RTL-SDR to track down a water leak. Clayton’s water bill suddenly skyrocketed, and he wanted to track down the source. Luckily, his water meter uses the encoder receive-transmit (ERT) protocol on the 900 MHz ISM band to report his usage, so he threw an SDR dongle and rtlamr at the problem. After logging his data, massaging it a bit with some Python code, and graphing water consumption over time, he found that water was being used even when nobody was home. That helped him find the culprit – leaky flap valves in the toilets resulting in a slow drip that ran up the bill. There were probably other ways to attack the problem, but we like this approach just fine.

Are your flex PCBs making you cry? Friend of Hackaday Drew Fustini sent us a tip on teardrop pads to reduce the mechanical stress on traces when the board flexes. The trouble is that KiCad can’t natively create teardrop pads. Thankfully an action plugin makes teardrops a snap. Drew goes into a bit of detail on how the plugin works and shows the results of some test PCBs he made with them. It’s a nice trick to keep in mind for your flexible design work.

2019: As The Hardware World Turns

Well, this is it. The end of the decade. In a few days the 2010s will be behind us, and a lot of very smug people will start making jokes on social media about how we’re back in the “Roaring 20s” again. Only this time around there’s a lot more plastic, and drastically less bathtub gin. It’s still unclear as to how much jazz will be involved.

Around this time we always say the same thing, but once again it bears repeating: it’s been a fantastic year for Hackaday. Of course, we had our usual honor of featuring literally thousands of incredible creations from the hacking and making community. But beyond that, we also bore witness to some fascinating tech trends, moments that could legitimately be called historic, and a fair number of blunders which won’t soon be forgotten. In fact, this year we’ve covered a wider breadth of topics than ever before, and judging by the record setting numbers we’ve seen in response, it seems you’ve been just as excited to read it as we were to write it.

To close out the year, let’s take a look at a few of the most popular and interesting stories of 2019. It’s been a wild ride, and we can’t wait to do it all over again in 2020.

Continue reading “2019: As The Hardware World Turns”

Ask Hackaday: Drone Swarms Replace Fireworks; Where Are The Hackers?

Your mom always warned you that those fireworks could put an eye out. However, the hottest new thing in fireworks displays is not pyrotechnic at all. Instead, a swarm of coordinated drones takes to the sky with different lighting effects. This makes some pretty amazing shows possible, granting full control of direction, color, and luminosity of each light source in a mid-air display. It also has the side benefit of being safer — could this be the beginning of the end for fireworks accident videos blazing their way across social media platforms?

For an idea of what’s possible with drone swarm displays, check out the amazing pictures found on this site (machine translation) that show off the 3D effects quite well. Note that although it appears the camera is moving during many of these, the swarm itself could be rotated relative to a stationary viewer for a similar effect.

What I couldn’t find was much going on here in the hobby space. Granted, in the United States, restrictive drone laws might hamper your ability to do things like this. But it seems that in purely technical terms this wouldn’t be super hard to do — at least for simple designs. Besides, there must be some way to do this in US airspace, since drone performances have been at the Super Bowl, Los Angeles, New York, Miami, and Folsom, CA.

So if the regulations were sorted, what would it take to build a swarm of your own performing drones?

Continue reading “Ask Hackaday: Drone Swarms Replace Fireworks; Where Are The Hackers?”