COVID-tracing Framework Privacy Busted By Bluetooth

[Serge Vaudenay] and [Martin Vuagnoux] released a video yesterday documenting a privacy-breaking flaw in the Apple/Google COVID-tracing framework, and they’re calling the attack “Little Thumb” after a French children’s story in which a child drops pebbles to be able to retrace his steps. But unlike Hänsel and Gretel with the breadcrumbs, the goal of a privacy preserving framework is to prevent periodic waypoints from allowing you to follow anyone’s phone around. (Video embedded below.)

The Apple/Google framework is, in theory, quite sound. For instance, the system broadcasts hashed, rolling IDs that prevent tracing an individual phone for more than fifteen minutes. And since Bluetooth LE has a unique numeric address for each phone, like a MAC address in other networks, they even thought of changing the Bluetooth address in lock-step to foil would-be trackers. And there’s no difference between theory and practice, in theory.

In practice, [Serge] and [Martin] found that a slight difference in timing between changing the Bluetooth BD_ADDR and changing the COVID-tracing framework’s rolling proximity IDs can create what they are calling “pebbles”: an overlap where the rolling ID has updated but the Bluetooth ID hasn’t yet. Logging these allows one to associate rolling IDs over time. A large network of Bluetooth listeners could then trace people’s movements and possibly attach identities to chains of rolling IDs, breaking one of the framework’s privacy guarantees.

This timing issue only affects some phones, about half of the set that they tested. And of course, it’s only creating a problem for privacy within Bluetooth LE range. But for a system that’s otherwise so well thought out in principle, it’s a flaw that needs fixing.
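The overlap is easy to check for if you can capture your own phone's advertisements. The following is an added example, not the researchers' code or any part of the Apple/Google framework: it builds a constructed advertisement log of (time, BD_ADDR, rolling ID) tuples for a phone that rotates its rolling ID every 15 minutes and its Bluetooth address either in lock-step or a few seconds later, then counts the "pebbles" (addresses seen with two rolling IDs) and shows how far the rolling IDs can be chained. The log format and the `addr-N`/`rpi-N` labels are synthetic.

```python
"""Audit a BLE advertisement log for "pebbles" (rolling IDs linkable via BD_ADDR).

Added example, not the researchers' code or any Exposure Notification
implementation. The log format (time, bd_addr, rolling_id) and the
synthetic labels are constructed for the demonstration.
"""
from collections import defaultdict


def simulate_phone(rotation_s=900, skew_s=0, duration_s=3600, interval_s=10):
    """Constructed advertisement log for one phone.

    The rolling proximity ID changes every rotation_s seconds; the BD_ADDR
    changes skew_s seconds later. skew_s=0 models a correctly synchronized
    device, skew_s>0 models the timing gap described in the post.
    """
    log = []
    for t in range(0, duration_s, interval_s):
        rpi_epoch = t // rotation_s
        addr_epoch = max(t - skew_s, 0) // rotation_s   # address lags behind
        log.append((t, f"addr-{addr_epoch}", f"rpi-{rpi_epoch}"))
    return log


def pebbles(log):
    """BD_ADDRs under which more than one rolling ID was ever advertised.

    Each one is a point where an observer can bridge two rolling IDs.
    """
    by_addr = defaultdict(set)
    for _t, addr, rpi in log:
        by_addr[addr].add(rpi)
    return {addr: sorted(rpis) for addr, rpis in by_addr.items() if len(rpis) > 1}


def link_rolling_ids(log):
    """Union-find over rolling IDs: two IDs join the same chain if they
    ever shared a BD_ADDR. A synchronized device produces chains of length 1."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]     # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    by_addr = defaultdict(list)
    for _t, addr, rpi in log:
        find(rpi)                             # register every ID, even unlinked ones
        by_addr[addr].append(rpi)
    for rpis in by_addr.values():
        for other in rpis[1:]:
            union(rpis[0], other)

    chains = defaultdict(list)
    for rpi in parent:
        chains[find(rpi)].append(rpi)
    return sorted(sorted(c) for c in chains.values())


if __name__ == "__main__":
    for skew in (0, 5):
        log = simulate_phone(skew_s=skew)
        print(f"skew={skew}s pebbles={len(pebbles(log))} "
              f"chain lengths={[len(c) for c in link_rolling_ids(log)]}")
```

With a skew of zero every rolling ID sits in its own chain; with a skew of only five seconds, three of the four address epochs in the hour carry two rolling IDs and the whole hour collapses into a single chain. Run against a real capture of your own device, a non-empty `pebbles()` result is the symptom the researchers describe.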

Why didn’t the researchers submit a patch? They can’t. The Apple/Google code is mostly closed-source, in contrast to the open-source nature of most of the apps that are running on it. This remains troubling, precisely because the difference between the solid theory and the real practice lies exactly in those lines of uninspectable code, and leaves all apps that build upon them vulnerable without any recourse other than “trust us”. We encourage Apple and Google to make the entirety of their COVID framework code open. Bugs would then get found and fixed, faster.


“A Guy In A Jet Pack” Reported Flying Next To Aircraft Near LAX

In case you needed more confirmation that we’re living in the future, a flight on approach to Los Angeles International Airport on Sunday night reported “a guy in a jet pack” flying within about 300 yards of them. A second pilot confirmed the sighting. It’s worth watching the video after the break just to hear the recordings of the conversation between air traffic control and the pilots.

The sighting was reported at about 3,000 feet, which is an incredible height for any of the jet packs powerful enough to carry humans we’ve seen. The current state of the art limits jet pack tech to very short flight times and it’s hard to imagine doing anything more than getting to that altitude and back to the ground safely. Without further evidence it’s impossible to say, which has been an ongoing problem with sightings of unidentified flying objects near airports.

While superheroes (or idiots pretending to be superheroes) flying at altitude over the skies of LA sounds far-fetched, the RC superhero hack we saw nine years ago now comes to mind. At 300 yards, that human-shaped drone might pass for an actual person rather than a dummy. This is of course pure speculation and we don’t want to give the responsible members of the RC aircraft community a bad name. It could have just as easily been trash, balloons, aliens, or Mothra. Or perhaps the pilot was correct and it was “some guy” flying past at 3,000 feet. That’s not impossible.

We anxiously await the results of the FAA’s investigation on this one.


What’s The Deal With Rolling Blackouts In California’s Power Grid?

A heat wave spreading across a large portion of the west coast of the United States is not surprising for this time of year, but the frequency and severity of these heat waves have been getting worse in recent years as the side effects from climate change become more obvious. In response to this, the grid operators in California have instituted limited rolling blackouts as electricity demand ramps up.

This isn’t California’s first run-in with elective blackouts, either. The electrical grid in California is particularly prone to issues like this, both from engineering issues and from other less obvious problems as well.


Lithium Sulfur Batteries Slated For Takeoff

Spectrum recently published a post on a new lithium sulfur battery technology specifically targeting electric aviation applications. Although lots of electric vehicles could benefit from the new technology, airplanes are especially sensitive to heavy batteries, and lithium-sulfur batteries can weigh much less than modern batteries of equivalent capacity. The Spectrum post is from Oxis Energy, which is about to fly tests with the new batteries that they claim have twice the energy density of conventional lithium-ion batteries. The company also claims the batteries are safer, which is another important consideration when flying through the sky.

The batteries have a cathode comprised of aluminum foil coated with carbon and sulfur — which avoids the use of cobalt, a cost driver in traditional lithium cell chemistries. The anode is pure lithium foil. Between the two electrodes is a separator soaked in an electrolyte. The company says the batteries go through multiple stages as they discharge, forming different chemical compounds that continue to produce electricity through chemical action.

The safety factor is due to the fact that, unlike lithium-ion cells, the new batteries don’t form dendrites that short out the cell. The cells do degrade over time, but not in a way that is likely to cause a short circuit. However, ceramic coatings may provide protection against this degradation in the future which would be another benefit compared to traditional lithium batteries.

We see a lot of exciting battery announcements, but we rarely see real products with them. Time will tell if the Oxis and similar batteries based on this technology will take root.

FBI Reports On Linux Drovorub Malware

The FBI and the NSA released a report on the Russian-based malware that attacks Linux known as Drovorub (PDF) and it is an interesting read. Drovorub uses a kernel module rootkit and allows a remote attacker to control your computer, transfer files, and forward ports. And the kernel module takes extraordinary steps to avoid detection while doing it.

What is perhaps most interesting though, is that the agencies did the leg work to track the malware to its source: the GRU — Russian intelligence. The name Drovorub translates into “woodcutter” and is apparently the name the GRU uses for the program.

A look inside the code shows it is pretty mundane. There’s a server with a JSON configuration file and a MySQL backend. It looks like any other garden-variety piece of code. To bootstrap the client, a hardcoded configuration allows the program to make contact with the server and then creates a configuration file that the kernel module actively hides. Interestingly, part of the configuration is a UUID that contains the MAC address of the server computer.
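The UUID detail is worth a closer look, because it is also a forensic handle. Standard time-based (version 1) UUIDs embed the generating host's MAC address in their last 48 bits along with a 100-nanosecond timestamp; the added example below, which is not code from the FBI/NSA report and assumes the Drovorub UUID is of that standard form, scans arbitrary text for UUIDs and pulls the MAC and creation time out of any version-1 ones while ignoring random (version 4) UUIDs. The sample configuration line is constructed, not Drovorub's real format.

```python
"""Extract the MAC address and generation time from version-1 UUIDs in text.

Added example, not code from the FBI/NSA report. Assumption: the UUID in
question is a standard RFC 4122 version-1 UUID, whose node field normally
holds the MAC of the host that generated it. Random (version 4) UUIDs carry
no such information and are skipped.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")
# 100-ns intervals between the UUID epoch (1582-10-15) and the Unix epoch
UUID_TO_UNIX_TICKS = 0x01B21DD213814000


def uuid1_details(text):
    """Describe a version-1 UUID; return None for any other version."""
    u = uuid.UUID(text)
    if u.version != 1:
        return None
    node = u.node
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    ticks = u.time - UUID_TO_UNIX_TICKS
    created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks / 10)
    return {
        "uuid": str(u),
        "mac": mac,
        # RFC 4122: a generator without a MAC sets the multicast bit of the first octet
        "mac_is_random": bool((node >> 40) & 0x01),
        "created_utc": created,
        "clock_seq": u.clock_seq,
    }


def scan_for_uuid1(blob):
    """Scan text (a config file, a log, strings from a memory dump) for version-1 UUIDs."""
    found = []
    for m in UUID_RE.finditer(blob):
        details = uuid1_details(m.group(0))
        if details:
            found.append(details)
    return found


# Constructed sample; the first UUID is the well-known RFC 4122 DNS namespace
# UUID (version 1), the second is a random version-4 UUID.
SAMPLE_CONFIG = (
    '{"id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8", '
    '"session": "123e4567-e89b-42d3-a456-426614174000"}\n'
)

if __name__ == "__main__":
    for hit in scan_for_uuid1(SAMPLE_CONFIG):
        print(hit["uuid"], "mac", hit["mac"], "random" if hit["mac_is_random"] else "hardware",
              "created", hit["created_utc"].isoformat())
```

A hit with `mac_is_random` false gives you a hardware address and a timestamp to pivot on across a fleet of hosts; the same scan run over strings from disk images or memory is how a UUID like this becomes an indicator rather than an opaque token.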

The rootkit won’t persist if you have UEFI Secure Boot fully enabled (although many Linux computers turn UEFI signing off rather than work through the steps to install an OS with it enabled). The malware is easy to spot if you dump raw information from the network, but the kernel module makes it hard to find on the local machine. It hooks many kernel functions so it can hide processes from both the ps command and the /proc filesystem. Other hooks remove file names from directory listings and also hide sockets. The paper describes how to identify the malware, and the authors are especially interested in detection at scale — that is, if you have 1,000 Linux PCs on a network, how do you find which ones have this infection?
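Hiding a process from /proc is only half the job, because the kernel still has to answer for the PID elsewhere. One classic cross-view check is to compare what /proc lists against what `kill(pid, 0)` says exists. The following added example (not from the report, and not specific to Drovorub's hooks) does that comparison with injectable views so the logic runs against constructed data; the defaults read the live system and need Linux. It also handles the two things that make a naive diff noisy: thread IDs, which answer to `kill` but live under `/proc/<pid>/task`, and processes that start or exit between snapshots.

```python
"""Cross-view check for processes hidden from /proc.

Added example, not from the FBI/NSA report. A rootkit that filters the
/proc listing can hide a PID from ps, but the kernel still answers
kill(pid, 0) for it. Comparing the two views exposes the gap. Views are
passed in as sets so the logic can be tested with constructed data; the
live helpers below only work on Linux.
"""
import os


def proc_view():
    """PIDs and thread IDs visible through /proc.

    Threads are included on purpose: kill(tid, 0) also succeeds for a TID,
    so a diff against PIDs alone would misreport every thread as hidden.
    """
    ids = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir calls
    return ids


def probe_view(pid_max=None):
    """IDs the kernel reports as existing, found by probing with signal 0.

    ESRCH (ProcessLookupError) means no such ID; EPERM (PermissionError)
    means it exists but belongs to another user, so it still counts.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def find_hidden(proc_before, probed, proc_after):
    """IDs the kernel answered for but /proc never listed.

    /proc is sampled before and after the probe so that a process which
    simply started or exited during the scan is not reported.
    """
    return sorted(probed - (proc_before | proc_after))


def hidden_pids_live():
    """Run the full cross-view check on this host (Linux only)."""
    before = proc_view()
    probed = probe_view()
    after = proc_view()
    return find_hidden(before, probed, after)


if __name__ == "__main__":
    print("hidden:", hidden_pids_live())
```

Probing the full `pid_max` range takes a few seconds on a default 64-bit configuration, which is fine for a fleet-wide sweep driven by whatever configuration management you already have; a non-empty result is a host to pull for deeper analysis, not proof of this particular malware.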

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.

Microsoft Flight Simulator’s Data Insanity Spawns Enormous Buildings And Anomalies From OpenStreetMap

The OpenStreetMap project is an excellent example of how powerful crowdsourced data can be, but that’s not to say the system is perfect. Invalid data, added intentionally or otherwise, can sometimes slip through the cracks and lead to some interesting problems, a fact that developers Asobo Studio are becoming keenly aware of as players explore their recently released Microsoft Flight Simulator 2020.

Like a wiki, OpenStreetMap can be edited by its users, and about a year ago user nathanwright120 marked a two-story building near Melbourne, Australia as having an incredible 212 floors (we think it’s this commit). The rest of his edits seem legitimate enough, so it’s a safe bet that it was simply a typo made in haste. The sort of thing that could happen to anyone. Not long after, thanks to the beauty of open source, another user picked up on the error and got it fixed up.

But not before some script written by Asobo Studio went through and sucked up the OpenStreetMap data for Australia and implemented it into their virtual recreation of the planet. The result is that the hotly anticipated flight simulator now features a majestic structure in the Melbourne skyline that rises far above…everything.

The whole thing is great fun, and honestly, players probably wouldn’t even mind if it got left in as an Easter egg. It’s certainly providing them with some free publicity; in the video below you can see a player by the name of Conor O’Kane land his aircraft on the dizzying edifice, a feat which has earned him nearly 100,000 views in just a few days.

But it does have us thinking about filtering crowdsourced data. If you ask random people to, say, identify flying saucers in NASA footage, how do you filter that? You probably don’t want to take one person’s input as authoritative. What about 10 people? Or a hundred?
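Whatever the answer on head counts, the 212-floor case would have been caught by a plausibility filter that needs no second opinion at all. The added example below is not Asobo Studio's import script or an OpenStreetMap tool; it takes building features with OSM-style tags (`building:levels` and `height` are real OSM keys, the sample values and ids are constructed) and flags any building that exceeds a hard ceiling, towers over the median of its neighbours, or contradicts its own height tag. The storey height and the ceiling are assumed constants.

```python
"""Plausibility filter for crowdsourced building data.

Added example, not Asobo Studio's import script or an OpenStreetMap tool.
A feature is flagged when its level count exceeds a hard ceiling, is far
above the neighbourhood median, or contradicts the height tag.
"""
from statistics import median

METRES_PER_LEVEL = 3.5   # assumed typical storey height
HARD_MAX_LEVELS = 170    # assumed ceiling, above the tallest building on Earth


def _num(tags, key):
    """Read a numeric OSM tag; missing or unparsable values become None."""
    raw = tags.get(key)
    if raw is None:
        return None
    try:
        return float(str(raw).split()[0])   # tolerate values like "212 m"
    except (ValueError, IndexError):
        return None


def flag_implausible(features, neighbour_factor=5.0):
    """Return {feature_id: [reasons]} for buildings whose tags look wrong."""
    rows = [(f["id"], _num(f["tags"], "building:levels"), _num(f["tags"], "height"))
            for f in features]
    known = [lv for _, lv, _ in rows if lv is not None]
    # the median is robust to a single wild value, unlike the mean
    baseline = median(known) if len(known) >= 3 else None

    flagged = {}
    for fid, lv, h in rows:
        if lv is None:
            continue               # nothing to check without a level count
        reasons = []
        if lv > HARD_MAX_LEVELS:
            reasons.append(f"{lv:.0f} levels exceeds hard ceiling {HARD_MAX_LEVELS}")
        if baseline is not None and lv > neighbour_factor * baseline:
            reasons.append(f"{lv:.0f} levels vs neighbourhood median {baseline:.1f}")
        if h is not None and lv * METRES_PER_LEVEL > 2 * h:
            reasons.append(f"{lv:.0f} levels imply ~{lv * METRES_PER_LEVEL:.0f} m "
                           f"but height tag says {h:.0f} m")
        if reasons:
            flagged[fid] = reasons
    return flagged


# Constructed sample in the shape of OSM building ways; ids and values are made up.
SAMPLE_BUILDINGS = [
    {"id": "w1", "tags": {"building": "yes", "building:levels": "2", "height": "7"}},
    {"id": "w2", "tags": {"building": "yes", "building:levels": "3"}},
    {"id": "w3", "tags": {"building": "yes", "building:levels": "2"}},
    {"id": "w4", "tags": {"building": "yes", "building:levels": "212"}},   # the typo case
    {"id": "w5", "tags": {"building": "yes", "building:levels": "4"}},
    {"id": "w6", "tags": {"building": "yes", "building:levels": "8", "height": "6"}},
    {"id": "w7", "tags": {"building": "yes"}},                              # no level count
]

if __name__ == "__main__":
    for fid, reasons in flag_implausible(SAMPLE_BUILDINGS).items():
        print(fid, "->", "; ".join(reasons))
```

Flagged features belong in a review queue rather than the bin, since a genuine skyscraper in a low-rise suburb trips the neighbour check too; the point is that an importer should not hand a 212-floor building straight to the renderer because one edit said so.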


This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531, targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent this sort of persistent attack.
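Both bugs come down to length handling in the advertising parser, so here is the shape of the defect beside the checked version. This is an added example, not Texas Instruments' or Silicon Labs' firmware: it models the unchecked `len - 6` subtraction the post describes for CVE-2019-15948 (assuming the firmware does it in 16-bit unsigned arithmetic, which is an assumption) and a parser for a legacy advertising PDU (2-byte header with the length in the second byte, then the 6-byte AdvA address, then up to 31 bytes of AdvData) that rejects both too-short payloads and over-long ones. The oversize check models the same principle the second CVE's extended-advertising case violates, not that chip's actual packet layout. The packets and the address are constructed.

```python
"""Length handling in a BLE advertising-PDU parser: the unchecked
subtraction behind CVE-2019-15948 next to a checked version.

Added example, not vendor firmware. Assumptions: the length field is
one byte as in the legacy advertising header, the vulnerable subtraction
happens in 16-bit unsigned arithmetic, and legacy AdvData is at most 31 bytes.
"""
ADVA_LEN = 6          # AdvA: the 6-byte advertiser address that starts the payload
MAX_ADV_DATA = 31     # legacy advertising PDUs carry at most 31 bytes of AdvData
U16 = 0xFFFF


def unchecked_copy_len(pdu_len):
    """Mirror of the vulnerable computation: (len - 6) in unsigned arithmetic.

    For len < 6 the value wraps to nearly 65535, which is the size the
    following memcpy would then be asked to copy.
    """
    return (pdu_len - ADVA_LEN) & U16


def parse_advertisement(pdu):
    """Checked parser: header (type flags, length), AdvA, AdvData.

    Returns (adv_addr, adv_data) or raises ValueError for any packet that
    does not fit the buffer it is about to be copied into.
    """
    if len(pdu) < 2:
        raise ValueError("truncated header")
    length = pdu[1]
    body = pdu[2:]
    if length != len(body):
        raise ValueError("length field does not match bytes received")
    if length < ADVA_LEN:                      # the CVE-2019-15948 condition
        raise ValueError("payload shorter than AdvA")
    data_len = length - ADVA_LEN               # cannot underflow after the check above
    if data_len > MAX_ADV_DATA:                # the oversized-message condition
        raise ValueError("AdvData longer than the specification allows")
    return bytes(body[:ADVA_LEN]), bytes(body[ADVA_LEN:ADVA_LEN + data_len])


def classify(pdu):
    """Parsing outcome as a string: 'ok' or the rejection reason."""
    try:
        parse_advertisement(pdu)
        return "ok"
    except ValueError as e:
        return str(e)


# Constructed packets; the advertiser address is made up.
ADDR = bytes.fromhex("c0ffee010203")
GOOD_PDU = bytes([0x00, ADVA_LEN + 2]) + ADDR + b"\x01\x02"
SHORT_PDU = bytes([0x00, 3]) + b"\x01\x02\x03"              # length field below 6
OVERSIZE_PDU = bytes([0x00, ADVA_LEN + 32]) + ADDR + bytes(32)   # one byte over the limit

if __name__ == "__main__":
    print("unchecked copy length for a 3-byte payload:", unchecked_copy_len(3))
    for name, pdu in (("good", GOOD_PDU), ("short", SHORT_PDU), ("oversize", OVERSIZE_PDU)):
        print(f"{name}: {classify(pdu)}")
```

The two guard clauses are the whole fix: validate the length against the minimum the format requires and the maximum the buffer holds before any arithmetic on it, and treat a packet that fails either as something to drop rather than something to interpret.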