Owning A ShortWave Radio Is Once Again A Subversive Activity

An abiding memory for a teen fascinated by electronics and radio in the 1970s and 1980s is the proliferation of propaganda stations that covered the shortwave spectrum. Some of them were slightly surreal, such as Albania’s Radio Tirana, which would proudly inform 1980s Western Europe that every village in the country now possessed a telephone, but most stations were the more mainstream ideological sparring of Voice of America and Radio Moscow.

It’s a long-gone era, as the Cold War is a distant memory and citizens East and West get their news from the Internet, but perhaps there’s an echo of those times following the invasion of Ukraine. With most external news agencies thrown out of Russia and their websites blocked, international broadcasters are launching new shortwave services to get the news through. Owning a shortwave radio in Russia may once again be a subversive activity. Let’s build one!


Hackers Beware: Shenzhen Is Closing

If you’re among those of us with immediate plans for a PCB or parts order from China, watch out: Shenzhen was just put on a week-long lockdown. Factories, non-essential stores and public places are closed, and people are required to stay at home; for a city that lives on making hardware, this is a harsh restriction. Work moves remote where possible, but some PCB fabs and component warehouses may be out of service for at least a week.

It might be puzzling to hear that the number of cases prompting the closures is as low as 121, for a city of 12.6 million people. The zero-tolerance policy towards COVID has been highly effective for the city, with regular testing, adhered-to masking requirements and vaccinations, which is how we’ve been free to order whatever boards and components we needed throughout the past two years. In fact, 121 cases in one day is an unprecedented number for Shenzhen, and given its track record and swift reaction, it is reasonable to expect the case count to drop back to the usual level (under 10 cases per day) soon.

Not all manufacturing facilities are located in Shenzhen, either. Despite what certain headlines might have you believe, supply chain shortages aren’t a certainty from here. The usual suspects like PCBWay and JLCPCB are merely reporting increased lead times as they reallocate resources, and while some projects are delayed for now, most of the fabs you’d use continue operating with minor delays at most. SeeedStudio’s operations are impacted more severely, and your Aliexpress orders might ship a bit later than usual, but don’t go around calling this Chinese New Year v2 just yet. For those who want to keep a closer eye on the situation and the numbers, the [Shenzhen Pages] Twitter account provides from-the-ground updates.

Wondering how your supply chain might be affected? We talked about this back in February 2020, addressing the then-warranted worry that Chinese New Year would grow into a longer disruption than planned as COVID became a factor to manage. If you’re yet to discover the significance of Shenzhen, books have been written about this marvellous city, where you can build a successful hardware company in a week’s time. We’ve even had a meetup there once!

Header image: Charlie fong, CC BY-SA 4.0.

This Week In Security: DDoS Techniques, Dirty Pipe, And Lapsus$ Continued

Denial-of-Service (DoS) amplification. Relatively early in the history of the Internet — it was only 14 years old at the time — the first DoS amplification attack was discovered. [TFreak] put together smurf.c, likely in 1997, though it’s difficult to nail the date down precisely.

The first real DoS attack had only happened a year before, in 1996. Smurf worked by crafting ICMP echo requests with a spoofed source address, that of the victim, and sending them to a network’s broadcast address. Every host on that network that answered the ping sent its reply to the spoofed source, so one packet in produced many packets out: a bigger DoS attack for free. Fast forward to 1999, and the first botnet pulled off a Distributed DoS, DDoS, attack. Ever since then, there’s been an ongoing escalation of DDoS traffic size and the capability of mitigations.

DNS and NTP quickly became the popular choices for amplification, with NTP requests managing an amplification factor of 556, meaning that for every byte an attacker sent, the amplifying intermediary sent 556 bytes on to the victim. You may notice that so far, none of the vulnerable services use TCP. The three-way handshake of TCP generally prevents the sort of misdirection an amplified attack needs: a server sends no data until the client has answered its SYN-ACK, and a spoofed client never sees that SYN-ACK. Put simply, you can’t effectively spoof your source address with TCP.

There are a pair of new games in town, the first being a clever use of “middleboxes”: devices like firewalls, Intrusion Prevention Systems, and content filters, which watch traffic and filter content or potential attacks. The key here is that many such devices don’t actually track TCP handshakes; doing so would be prohibitively memory and CPU intensive. Instead, most of them inspect each packet on its own, as many packets as they can. This has the unexpected effect of defeating the built-in anti-spoofing of TCP.

An attacker can send a spoofed TCP packet, no handshake required, and a vulnerable middlebox will miss the fact that it’s spoofed. While that’s interesting in itself, what’s really notable is what happens when the packet appears to be a request for a blocked or flagged resource. The appliance tries to interrupt the stream and injects an error message back to the requester. Since the requester’s address can be spoofed, this allows using these devices as DDoS amplifiers. As some of them respond to a single packet with what is essentially an entire web page to convey the error, the amplification factor is literally off the charts. This research was published in August 2021, and in late February of this year researchers at Akamai reported DDoS attacks actually using this technique in the wild.

The second new technique is even more alien. Certain Mitel PBXs have a stress-test capability, essentially a speed test on steroids. It’s intended to be used only on an internal network, not against an external target, but until a recent firmware update that wasn’t enforced. For nearly 3,000 of these devices, an attacker could send a single packet and trigger the test against an arbitrary host. This attack, too, has recently been seen in the wild, though in what appear to be test runs. The stress test can last up to 14 hours at worst, giving a maximum amplification factor of over four billion, measured in packets. The biggest problem is that phone systems like these are generally never touched unless there’s a problem, and there’s a decent chance that no one on site has the login credentials. That is to say, expect these to be vulnerable for a long time to come.
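To make the arithmetic behind an “amplification factor” concrete, and to show why the no-handshake TCP case is a detection problem of its own, here is an added example of my own; it is not code from this column, from Akamai, or from the middlebox researchers. It triages constructed NetFlow-style records: the Flow record shape, every address and byte count, the lower-port direction heuristic and the 10x threshold are all assumptions.

```python
"""Reflection/amplification triage over constructed flow records.

Added example, not code from the article or from any of the research it
summarizes. Record shape, addresses, sizes and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "udp" or "tcp"
    packets: int
    bytes: int
    flags: str = ""     # TCP flags seen in this direction, e.g. "S", "PA"


# Constructed sample. 203.0.113.9 plays the (spoofed) victim; the 198.51.100.x
# hosts are reflectors or ordinary servers. Sizes are illustrative only.
SAMPLE = [
    # One small NTP request answered with 100 packets / 48 kB: classic UDP amplification.
    Flow("203.0.113.9", 4444, "198.51.100.7", 123, "udp", 1, 234),
    Flow("198.51.100.7", 123, "203.0.113.9", 4444, "udp", 100, 48200),
    # A 60-byte DNS query answered with a 3 kB response.
    Flow("203.0.113.9", 5555, "198.51.100.53", 53, "udp", 1, 60),
    Flow("198.51.100.53", 53, "203.0.113.9", 5555, "udp", 1, 3000),
    # Middlebox case: a lone PSH/ACK carrying an HTTP-looking request, no SYN
    # ever seen from the client, answered with a 45 kB block page.
    Flow("203.0.113.9", 6000, "198.51.100.80", 80, "tcp", 1, 100, "PA"),
    Flow("198.51.100.80", 80, "203.0.113.9", 6000, "tcp", 30, 45000, "PA"),
    # Benign TCP session: handshake present, modest response.
    Flow("203.0.113.10", 7000, "198.51.100.80", 80, "tcp", 5, 600, "SPA"),
    Flow("198.51.100.80", 80, "203.0.113.10", 7000, "tcp", 4, 5000, "SPA"),
]


def amplification(flows):
    """Per (client, server, port, proto): (bandwidth factor, packet factor, SYN seen).

    Direction heuristic (an assumption): the side on the lower port number is
    the service, so a flow towards the lower port is the request and the
    reverse flow is the reply.
    """
    req = defaultdict(lambda: [0, 0, False])   # bytes, packets, SYN seen
    rep = defaultdict(lambda: [0, 0])          # bytes, packets
    for f in flows:
        if f.dport < f.sport:
            key = (f.src, f.dst, f.dport, f.proto)
            r = req[key]
            r[0] += f.bytes
            r[1] += f.packets
            r[2] = r[2] or "S" in f.flags
        else:
            key = (f.dst, f.src, f.sport, f.proto)
            r = rep[key]
            r[0] += f.bytes
            r[1] += f.packets
    result = {}
    for key, (rb, rp, syn) in req.items():
        sb, sp = rep.get(key, (0, 0))
        result[key] = (sb / rb if rb else 0.0, sp / rp if rp else 0.0, syn)
    return result


def suspects(flows, baf_threshold=10.0):
    """Pairs worth a look: large byte amplification, or TCP replies with no handshake."""
    hits = []
    for key, (baf, paf, syn) in amplification(flows).items():
        no_handshake = key[3] == "tcp" and not syn and paf > 0
        if baf >= baf_threshold or no_handshake:
            hits.append((key, round(baf, 1), round(paf, 1),
                         "no-handshake" if no_handshake else ""))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for key, baf, paf, note in suspects(SAMPLE):
        client, server, port, proto = key
        print(f"{client} -> {server}:{port}/{proto}  BAF={baf}  PAF={paf}  {note}")
```

Bandwidth amplification factor (BAF) is reply bytes over request bytes; packet amplification factor (PAF) is the same ratio in packets, which is the unit the Mitel figure above is quoted in. The TCP check flags a reply stream whose request side never carried a SYN, the signature of the no-handshake middlebox case. On a real collector, sampled flows and asymmetric routing will both hide SYNs and skew the ratios, so treat the output as a triage list rather than an alert.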

Galaxy Users Accuse Samsung Of Throttling Performance And Benchmark Rigging

A lot of Samsung Galaxy users think that Samsung has been throttling smartphone performance, so much so that the phones don’t live up to their published specifications. At issue is the Game Optimizing Service (GOS), which is intended to throttle the CPU while playing games to prevent overheating. S22 owners have recently discovered that it’s not only games that are throttled: there’s a list of over 10,000 apps subject to GOS control, and there is no way to disable it.

What they’re really upset over is the fact that popular benchmarking apps are not subject to GOS throttling — something that’s hard to see as anything but a blatant attempt to game the system. In fact, this past weekend the folks at Geekbench banned four generations of Samsung Galaxy phones (S10, S20, S21, S22) for benchmark manipulation.

Admittedly, thermal management is critical on today’s incredibly powerful handheld devices, and throttling is an accepted solution in the industry. But people are upset at the opaqueness and lack of control of GOS, not to mention the cherry-picking of apps in order to excel at benchmarks. Furthermore, Samsung has removed the vapor chamber cooling system from recent models, which makes GOS even more important and looks like a cost-saving measure that may have backfired. Currently there’s a petition with the government claiming false advertising, and users are actively pursuing a lawsuit against Samsung.

The Invisible Battlefields Of The Russia-Ukraine War

Early in the morning of February 24th, Dr. Jeffrey Lewis, a professor at California’s Middlebury Institute of International Studies, watched Russia’s invasion of Ukraine unfold in real time, with troop movements overlaid atop high-resolution satellite imagery. This wasn’t privileged information; anybody with an internet connection could access it, if they knew where to look. He was watching a traffic jam on Google Maps slowly inch towards and across the Russia-Ukraine border.

As he watched the invasion begin along with the rest of the world, another, less visible facet of the emerging war was beginning to unfold on an ill-defined online battlefield. Digital espionage, social media and online surveillance have become indispensable instruments in the tool chest of a modern army, and both sides of the conflict have been putting these tools to use. Combined with civilian access to information unlike anything the world has seen before, this promises to be a war like no other.

Modern Cyberwarfare

The first casualties in the online component of the war have been websites. Two weeks ago, before the invasion began en masse, Russian cyberwarfare agents launched distributed denial of service (DDoS) attacks against Ukrainian government and financial websites. Subsequent attacks have temporarily downed the websites of Ukraine’s Security Service, Ministry of Foreign Affairs, and government. A DDoS attack is a relatively straightforward way to quickly take a server offline. A network of internet-connected devices, either owned by the aggressor or infected with malware, floods a target with requests, as if millions of users hit “refresh” on the same website at the same time, repeatedly. The goal is to overwhelm the server so that it can’t keep up and stops replying to legitimate requests, like a user trying to access the website. Russia denied involvement with the attacks, but US and UK intelligence services have evidence they believe implicates Moscow.

Greedy Receivers: FCC Considers Regulating Receivers After Altimeter Showdown

Recently, the media was filled with articles about how turning on 5G transmissions in the C-band could make US planes fall out of the sky. While the matter was ultimately resolved without too much fuss, this conflict may have some long-term consequences, with the FCC looking to potentially address and regulate the root of the problem, as reported by Ars Technica.

At the heart of the whole issue is that while transmitters are regulated in terms of their power and which part of the spectrum they broadcast on, receivers are much less regulated. This means that in the case of the altimeters in airplanes, for example, which use the 4.2–4.4 GHz spectrum, some receivers may be sensitive to part of the 5G C-band (3.7–3.98 GHz), despite the standard 200 MHz guard band (upped to 400 MHz in the US) between said C-band and the spectrum used by altimeters.

The FCC is currently soliciting ways in which it could regulate the performance and standards of receivers. This would presumably pertain not just to 5G and altimeters, but also to receivers outside of avionics. Since the FCC already opened a similar inquiry back in 2003, but closed it in 2007 without taking any action, it remains to be seen whether this time will be different. One solid reason it might is the wasted spectrum: a 400 MHz guard band is a very large chunk.

Thanks to [Chris Muncy] for the tip.

This Week In Security: Ukraine, Nvidia, And Conti

The geopolitics surrounding the invasion of Ukraine are outside the scope of this column, but the cybersecurity ramifications are certainly fitting fodder. The challenge here is that almost everything of note that has happened in the last week has been initially linked to the conflict, but in several cases the reported link hasn’t withstood scrutiny. We do know that the Vice Prime Minister of Ukraine put out a call on Twitter for “cyber specialists” to go after a list of Russian businesses and state agencies. Many of the sites on the list did go down for some time, the digital equivalent of tearing down a poster. In response, the largest Russian ISP stopped announcing BGP routes to some of the targeted sites, effectively ending any attacks against them from the outside, at the cost of making them unreachable to everyone else outside Russia as well.

A smattering of similar events has unfolded over the last week, like electric car charging stations in Russia refusing to charge and displaying a political message, “GLORY TO UKRAINE”. Not all the attacks have been so trivial. Researchers at ESET have identified HermeticWiper, a bit of malware with no other purpose but to destroy data. It has been found on hundreds of high-value targets, likely causing much damage. It is likely the same malware that Microsoft has dubbed FoxBlade, about which Microsoft has published details of its response.