This Week In Security: Secure Boot Bypass, Attack On Titan M, KASLR Weakness

It’s debatable just how useful Secure Boot is for end users, but now there’s yet another issue with Secure Boot, or more specifically, a trio of signed bootloaders. Researchers at Eclypsium have identified problems in the Eurosoft, CryptoPro, and New Horizon bootloaders. In the first two cases, a way-too-flexible UEFI shell allows raw memory access. A startup script doesn’t have to be signed, and can easily manipulate the boot process at will. The last issue is in the New Horizon Datasys product, which disables any signature checking for the rest of the boot process — while still reporting that secure boot is enabled. It’s unclear if this requires a config option, or is just totally broken by default.

The real issue is that if malware or an attacker can get write access to the EFI partition, one of these signed bootloaders can be added to the boot chain, along with some nasty payload, and the OS that eventually gets booted still sees Secure Boot enabled. It’s the perfect vehicle for really stealthy infections, similar to CosmicStrand, the malicious firmware we covered a few weeks ago.

2022 Hackaday Supercon Tickets On Sale Now

Did I tell you about the time that [Spetku] turned the schwag bottle into a Jacob’s Ladder?
Supercon Tickets go on sale right now! And the true-believer tickets usually sell out fast, so if you’re as excited about the thought of a real-life Supercon as we are, get yours now for a healthy discount.

We might be biased, but Supercon is our favorite conference of the year. Smaller than most and hardware-focused, you really can’t beat the signal/noise ratio of the crowd in attendance and the talks on the stage. People bring their projects, their great ideas, and their big dreams with them. And we have a cool badge to boot. It’s Hackaday, but in real life. And you should join us!

The conference starts on Friday Nov. 4th with registration, a mellow afternoon of badge-hacking, and a party to kick things off right. Saturday and Sunday are the main show, with a hacker village in the alley, workshops aplenty, and of course all of the talks. It’s only a weekend, but it’s one you’ll keep going back to in your mind for the whole year.

The Nitty Gritty Details

One hundred (100) True-believer Tickets are on sale now for $128 apiece, or until Aug. 29th. We call them True-believer Tickets because we haven’t even finished the call for proposals yet, much less selected the talks, but trust us, it’s going to be a good slate. (In past years, the True-believer tickets have sold out in as little as a day, so don’t sleep on this!) After that, regular admission is $256.

Of course, there’s always a back door if you want to sneak in for free. In our opinion, the coolest way to attend a conference is to give a talk, and you’ll get a complimentary ticket to boot! And even if you don’t get selected, we’ll give everyone who submits a serious talk proposal a ticket at the discounted price, so don’t hesitate. Volunteers also get in free, and we’ll be putting out the call on Aug 29th.

No matter how you get yourself a ticket, get one, and get to Supercon. We’re excited to see you in person again!

Starlink Ground Stations Successfully Hacked

Belgian security researcher [Lennert Wouters] has gotten his own code running on the Starlink “Dishy McFlatface” satellite terminals, and you can too! The hack in question is a “modchip” with an RP2040 and a MOSFET that crowbars the power rails, browning out the main CPU exactly when it’s verifying the firmware’s validity and bypassing that protection entirely. [Lennert] had previously figured out how to dump the Starlink firmware straight from the eMMC, and with the ability to upload it back, the circle of pwnership is closed. This was a talk at DEFCON, and you can check out the slides here. (PDF)

The mod chip itself was a sweet piece of work, being tailored to fit into the Starlink’s motherboard just so, and taking good advantage of the RP2040’s PIOs, which are probably the microcontroller’s superpower.

[Lennert] says he submitted his glitch attack to Starlink and they took some precautions to make the glitching harder. In particular, [Lennert] was triggering his timing off of the USART port coming up on the Starlink unit, so Starlink just shut that down. But it’s not like he couldn’t trigger on some other timing-relevant digital signal, so he chose the eMMC’s D0 data line: they’re not going to be able to boot up without it, so this hack is probably final. No shade against Starlink here. It’s almost impossible to shield a device against an attacker who has it on their bench, and [Lennert] concludes that he found no low-hanging fruit and was impressed that he had to work so hard to get root.

What can you do with this? Not much, yet. But in principle, it could be used to explore the security of the rest of the Starlink network. As reported in Wired, Starlink says that they’ve got a defence-in-depth system and that just getting into the network doesn’t really get you very far. We’ll see!

Thanks [jef] for the tip!

Svelte VR Headsets Coming?

According to Stanford and NVIDIA researchers, VR adoption is slowed by the bulky headsets required, and they want to offer a slim solution. A SIGGRAPH paper earlier this year lays out their plan, or you can watch the video below. A second video, also below, covers some technical questions and answers.

The traditional headset has a display right in front of your eyes. Special lenses can make them skinnier, but this new method provides displays that can be a few millimeters thick. The technology seems pretty intense and appears to create a hologram at different apparent places using a laser, a geometric phase lens, and a pupil-replicating waveguide.



Local Simulation Feature To Be Removed From All Autodesk Fusion 360 Versions

The removal of features from Autodesk products would appear to be turning into something of a routine at this point, with the announced removal of local simulations the latest in this series. Previously Autodesk had severely cut down the features available with a Personal Use license, but these latest changes (effective September 6) affect even paying customers, no matter which tier.

While previously executed local simulations on designs will remain accessible, any updates to these simulations, as well as any new simulations will have to use Autodesk’s cloud-based solver. This includes the linear stress, modal frequencies, thermal, and thermal stress simulation types, with each type of simulation study costing a number of Cloud Tokens.

Solving a linear simulation should initially cost 0 tokens, while the other types cost between 3 and 6 tokens, with the exact price per token likely to vary by region. This means that instead of solving simulations for free on one’s own hardware, the only option in a matter of weeks will be Autodesk’s cloud-based offerings.

Naturally, we can see this change going over exceedingly well with Fusion 360 users and we’re looking forward to seeing how Autodesk will spin the inevitable backlash.

(Thanks, [Jeremy Herbert] for the tip)

This Week In Security: Breaches, ÆPIC, SQUIP, And Symbols

So you may have gotten a Slack password reset prompt. Something like half a percent of Slack’s userbase had their password hash potentially exposed due to an odd bug. When sending shared invitation links, the password hash was sent to other members of the workspace. It’s a bit hard to work out how this exact problem happened, as password hashes shouldn’t ever be sent to users like this. My guess is that other users got a state update packet when the link was created, and a logic error in the code resulted in too much state information being sent.

The evidence suggests that the first person to catch the bug was a researcher who disclosed the problem mid-July. Slack seems to use a sane password policy, only storing hashed, salted passwords. That may sound like a breakfast recipe, but it just means that when you type your password in to log in to Slack, the password goes through a one-way cryptographic hash, and the result of the hash is stored. Salting is the addition of extra data to make a precomputation attack impractical. Slack stated that even if this bug was used to capture these hashes, they cannot be used to directly authenticate as an affected user. The normal advice about turning on 2-factor authentication still applies, as an extra guard against misuse of leaked information.


Robot Repeatedly Rearranges Remnants In The Round

Sisyphus is an art installation by [Kachi Chan] featuring two scales of robots engaged in endless cyclic interaction. Smaller robots build brick arches while a giant robot pushes them down. As [Kachi Chan] says “this robotic system propels a narrative of construction and deconstruction.” The project was awarded honorary mention at the Ars Electronica’s Prix Ars 2022 in the Digital Communities category. Watch the video after the break to see the final concept.


[Kachi Chan] developed the installation in pre-visualizations and through a series of prototypes shown in a moody process film, the second video after the break. While the film is quite short on details, you’ll see iterations of the robot arm and computer vision system. According to this article on the project [Kachi Chan] used Cinema 4D to simulate the motion, ROS for control, PincherX150 robotic arms modified with Dynamixel XM 430 & XL430 servo motors, and custom 3D prints.

We’ve covered another type of Sisyphus project: sand tables like this one and the Sisyphish.