This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature — Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement for portable phone numbers. In the port-out scam, the attacker claims to be switching to a new carrier. A SIM-swap scam is convincing a carrier he or she is switching to a new phone and new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

An odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.

Updates

Last week we talked about Devcore and their VPN Appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.

3D Printering: The Search For Better Search

There’s no question that a desktop 3D printer is at its most useful when it’s producing parts of your own design. After all, if you’ve got a machine that can produce physical objects to your exacting specifications, why not give it some? But even the most diligent CAD maven will occasionally defer to an existing design, as there’s no sense spending the time and effort creating their own model if a perfectly serviceable one is already available under an open source license.

But there’s a problem: finding these open source models is often more difficult than it should be. The fact of the matter is, the ecosystem for sharing 3D printable models is in a very sorry state. Thingiverse, the community’s de facto model repository, is antiquated and plagued with technical issues. Competitors such as Pinshape and YouMagine are certainly improvements on a technical level, but without the sheer number of models and designers that Thingiverse has, they’ve been unable to earn much mindshare. When people are looking to download 3D models, it stands to reason that the site with the most models will be the most popular.

It’s a situation that the community is going to have to address eventually. As it stands, it’s something of a minor miracle that Thingiverse still exists. Owned and operated by Makerbot, the company that once defined the desktop 3D printer but is today all but completely unknown in a market dominated by low-cost printers from the likes of Monoprice and Creality, it seems only a matter of time before the site finally goes dark. They say it’s unwise to put all of your eggs in one basket, and doubly so if the basket happens to be on fire.

So what will it take to get people to consider alternatives to Thingiverse before it’s too late? Obviously, snazzy modern web design isn’t enough to do it. Not if the underlying service operates on the same formula. To really make a dent in this space, you need a killer feature. Something that measurably improves the user experience of finding the 3D model you need in a sea of hundreds of thousands. You need to solve the search problem.

Continue reading “3D Printering: The Search For Better Search”

BornHack 2019, A Laid-Back Hacker Camp In A Danish Forest

This is a fantastic summer for hacker camps and I was very happy to make it to BornHack this year. This week-long camp attracts hackers from all over Europe and the mix of a few hundred friends and soon-to-be friends who gathered on the Danish island of Fyn delivered a unique experience for the curious traveller.

The camp takes place at the Hylkedam Danish scout camp, located in a forest amid the rolling Danish farmland not too far from the small town of Gelsted. It’s a few kilometres from a motorway junction, but easy enough to find after the long haul up from the UK via the Channel Tunnel. As an aside, every bored cop between France and the Danish border wanted to stop my 20-year-old right-hand-drive Volkswagen on UK plates, but soon lost interest after walking up to the passenger side and finding no driver. It seems Brits are considered harmless, which is good to hear.

Continue reading “BornHack 2019, A Laid-Back Hacker Camp In A Danish Forest”

Clean Water Technologies Hack Chat

Join us on Wednesday, September 4th at noon Pacific for the Clean Water Technologies Hack Chat with Ryan Beltrán!

Access to clean water is something that’s all too easy to take for granted. When the tap is turned, delivering water that won’t sicken or kill you when you drink it, we generally stop worrying. But for millions around the world, getting clean water is a daily struggle, with disease and death often being the penalty for drinking from a compromised source. Thankfully, a wide range of water technologies is available to help secure access to clean water. Most are expensive, though, especially at the scale needed to supply even a small village.

Seeing a need to think smaller, Ryan started MakeWater.org, a non-profit program that seeks to give anyone the power to make clean water through electrocoagulation, or the use of electric charge to precipitate contaminants from water. There’s more to MakeWater than electrocoagulation kits, though. By partnering with STEM students and their teachers, MakeWater seeks to crowdsource improvements to the technology, incorporating student design changes into the next version of the kit. They also hope to inspire students to develop the skills they need to tackle real-world problems and make a difference in the lives of millions.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, September 4 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links: September 1, 2019

The sun may be spotless, but that doesn’t mean it isn’t doing interesting things. A geomagnetic storm is predicted for this weekend, potentially giving those at latitudes where the Northern Lights are not common a chance to see a cosmic light show. According to SpaceWeather.com, a coronal hole, a gap in the sun’s atmosphere that can let the solar wind escape, is about to line up with Earth. The last time this hole was on the Earth-facing side of the sun, the resultant storm gave aurora as far south as Colorado. So if you’re in any of the northern tier states, you might want to find somewhere with dark skies and a good view to the north this weekend.

It’s not only space weather that’s in the news, but weather-weather too. Hurricane Dorian will probably make landfall as a Category 4 storm, probably along Florida’s Atlantic coast, and probably in the middle of the night on Monday. That’s a lot of uncertainty, but one thing’s for sure: amateur radio operators will be getting into the action. The Hurricane Watch Net will activate their net for Dorian on Saturday afternoon at 5:00 PM Eastern time, ready to take reports from stations in the affected area. Not a ham? You can still listen to the live feed once the net activates.

Hams aren’t the only ones getting geared up for Dorian, though. Weather satellite enthusiasts are pointing their SDRs at the sky and grabbing some terrifyingly beautiful pictures of Dorian as it winds up. Some of the downloaded images are spectacular, and if you’ve got an SDR dongle and a couple of pieces of coat hanger wire, you too can spy on Dorian from any number of satellites.

Speaking of which, over on r/RTLSDR, someone has done a little data mining and shown that NOAA 15 is still very much alive. u/amdorj plotted the scan motor current draw and found that it steadily decreased over time, possibly indicating that the bearings aren’t as worn as previously thought. We recently covered the story of the plucky satellite that’s almost two decades past its best-by date; here’s hoping our report on its death was greatly exaggerated.

In one of the weirder bits of marketing we’ve seen lately, NASA decided to name a rock on Mars after septuagenarian rockers The Rolling Stones. The golf ball size rock was blasted about a meter across the Martian landscape when the Mars InSight lander touched down in 2018, leaving a small scar in the dust. The stone had obviously rolled, so phone calls were made and one thing led to another, and before you know it, Robert Downey Jr. is making the announcement before a Stones concert at the Rose Bowl, right in JPL’s backyard. There’s even a cute animation to go along with it. It’s a nice piece of marketing, but it’s not the first time the Stones have been somewhat awkwardly linked to the technology world. We dare you not to cringe.

We’ll finish up today with something not related to space. As Al Williams recently covered, for about fifty bucks you can now score a vector network analyzer (VNA) that will do all sorts of neat RF tricks. The NanoVNA sounds like a great buy for anyone doing RF work, but its low price point and open-source nature mean people are finding all kinds of nifty uses for it. One is measuring the length of coax cables with time-domain reflectometry, or TDR. Phasing antenna arrays? The NanoVNA sounds like the perfect tool for the job.

Hackaday Podcast 033: Decompressing From Camp, Nuclear Stirling Engines, Carphone Or Phonecar, And ArduMower

Hackaday Editors Mike Szczys and Elliot Williams are back from Chaos Communication Camp, and obviously had way too much fun. We cover all there was to see and do, and dig into the best hacks from the past week. NASA has a cute little nuclear reactor they want to send to the moon, you’ve never seen a car phone quite like this little robot, and Ardupilot (Ardurover?) is going to be the lawn mowing solution of the future. Plus you need to get serious about debugging embedded projects, and brush up on your knowledge of the data being used to train facial recognition neural networks.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 033: Decompressing From Camp, Nuclear Stirling Engines, Carphone Or Phonecar, And ArduMower”

This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. snprintf is an alternative to sprintf intended to prevent buffer overflows: it takes the size of the target buffer as a parameter and never writes past it. That sounds like a good idea, but when the formatted string is longer than the buffer, the result is silently truncated, and that truncation can be put to malicious use.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder. This would leak arbitrary json files, but since snprintf doesn’t fail if the output exceeds the specified length, sending a request for a lang that’s long enough results in the “.json” extension not being appended to the path either.

A Metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the json extension to fall off the end of the string, and Unix convention is to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nicely.
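To make the truncation behaviour concrete, here is an added C example (not Fortinet’s code and not from the Devcore write-up) that models the pattern described above. It builds the same "/migadmin/lang/%s.json" path into a 0x40-byte buffer, first with the return value of snprintf ignored, then with the two checks a defender would want: an allow-list on the language token, and treating a return value of buffer-size-or-larger as a hard error. The function names, the helper that checks for the ".json" suffix, and the sample language strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Constructed example: BUF_SIZE mirrors the 0x40 in the snprintf call
 * quoted in the article. Nothing here is vendor code. */
#define BUF_SIZE 0x40

/* Vulnerable pattern: the return value of snprintf is ignored. A long
 * `lang` is silently cut off at BUF_SIZE - 1 characters, so the ".json"
 * suffix never reaches the buffer, and "../" segments pass straight
 * through because nothing inspects `lang` at all. */
int build_lang_path_unchecked(char *out, size_t outsz, const char *lang) {
    snprintf(out, outsz, "/migadmin/lang/%s.json", lang);
    return 0; /* always reports success, even when the path was truncated */
}

/* Allow-list the language token: letters, digits, '_' and '-' only.
 * This rejects '.', '/', and anything else that could walk the tree. */
bool lang_token_is_safe(const char *lang) {
    if (lang == NULL || *lang == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)lang; *p; p++) {
        if (!(isalnum(*p) || *p == '_' || *p == '-')) return false;
    }
    return true;
}

/* Hardened pattern: validate the token, then treat snprintf's return
 * value as the length it *wanted* to write. A value >= outsz means the
 * output was truncated, so refuse to hand back a partial path. */
int build_lang_path_checked(char *out, size_t outsz, const char *lang) {
    if (!lang_token_is_safe(lang)) return -1;      /* bad characters */
    int n = snprintf(out, outsz, "/migadmin/lang/%s.json", lang);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';                              /* never leak a stub */
        return -2;                                  /* truncated */
    }
    return 0;
}

/* Helper for the reader: did the ".json" suffix survive? */
bool path_has_json_suffix(const char *path) {
    size_t len = strlen(path);
    return len >= 5 && strcmp(path + len - 5, ".json") == 0;
}

int main(void) {
    char buf[BUF_SIZE];
    char longlang[64];
    memset(longlang, 'a', 50);   /* constructed: 50 chars, enough to overflow 0x40 */
    longlang[50] = '\0';

    build_lang_path_unchecked(buf, sizeof buf, "en");
    printf("unchecked, short lang: %s (json suffix: %d)\n", buf, path_has_json_suffix(buf));
    build_lang_path_unchecked(buf, sizeof buf, longlang);
    printf("unchecked, long lang:  %s (json suffix: %d)\n", buf, path_has_json_suffix(buf));

    printf("checked, short lang:   rc=%d\n", build_lang_path_checked(buf, sizeof buf, "en"));
    printf("checked, traversal:    rc=%d\n", build_lang_path_checked(buf, sizeof buf, "../../x"));
    printf("checked, long lang:    rc=%d\n", build_lang_path_checked(buf, sizeof buf, longlang));
    return 0;
}
```

The arithmetic is the same as in the article: the fixed parts of the format take 15 + 5 bytes, so any token of 44 or more characters pushes the ".json" past the end of a 64-byte buffer. The unchecked function cannot tell, while the checked one sees snprintf report the full intended length and bails out. In audit terms, every snprintf whose return value is discarded and whose output feeds a file open is worth a second look.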

More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.

Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.

VLC is Actually Vulnerable This Time

The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?