News

3649 Articles

BadPower Vulnerability In Fast Chargers Might Make Phones Halt And Catch Fire

July 22, 2020 by 21 Comments

A few days ago, Chinese researchers from technology giant Tencent released a paper outlining a firmware vulnerability in several types of fast charger power bricks (translated). The attack is known as BadPower, and it works by altering the default parameters in the firmware of fast chargers to deliver more power to devices than they can handle, which can cause them to overheat, melt, or catch fire.

The ancient and basic USB charging spec provides 0.5 A at 5 V, which is equal to 2.5 W. In theory, that’s all you’ll ever get from those types of chargers. But the newer generation of chargers are different. When you plug your phone into a fast charger, it negotiates a voltage and charging speed with your phone before passing it any power.

Fast chargers can push power at 20 V or more to speed up the charging process, depending on the charger and connected device. If the phone doesn’t do fast charging, it will default to the 5 V standard. Researchers claim the BadPower attack is capable of harming devices whether or not they include a fast charging feature. When a capable device is connected, the charger will still negotiate for 5V, but instead give 20V and wreak havoc.

In the demo after the break, one of the team uses a malicious device disguised as a phone to push the BadPower firmware change to a fast charger that’s hooked up to a voltmeter. Before the attack, the charger gives 5V. After the attack, it gives 5V for a few seconds before jumping up near 20V. Then they connect the now-dirty charger to two identical illuminated magnifying glasses. In one the chip lets the smoke monster out rather violently, and the chips of the other emit sparks.

The researchers tested 35 of the 200+ fast charging bricks currently on the market and found that 18 of them were vulnerable to BadPower, including 11 that can be exploited through the charging port itself. They believe the issue is fixable with a firmware update.

What is not available is enough information to verify this research, or a list of brands/models that are vulnerable. Researchers say the findings were submitted to the China National Vulnerability Database (CNVD) on March 27th, so the absence of this information may be a product of manufacturers needing more time to patch the vulnerability.

What do you think? We say halfway decent chargers shouldn’t be open to firmware attacks from the devices they are charging. And any halfway decent phone should have built-in electrical protection, right?

Continue reading “BadPower Vulnerability In Fast Chargers Might Make Phones Halt And Catch Fire”

Apollo Missions Get Upgraded Video

July 21, 2020 by 31 Comments

July 20th marked the anniversary of the first human setting foot on the moon. If you were alive back then, you probably remember being glued to the TV watching the high-tech images of Armstrong taking that first step. But if you go back and watch the video today, it doesn’t look the way you remember it. We’ve been spoiled by high-density video with incredible frame rates. [Dutchsteammachine] has taken a great deal of old NASA footage and used their tools to update them to higher frame rates that look a lot better, as you can see below.

The original film from the moon landing ran between 12 frames per second and as low as 1 frame per second. The new video is interpolated to 24 frames per second. Some of the later Apollo mission film is jacked up to 60 frames per second. The results are great.

Continue reading “Apollo Missions Get Upgraded Video”

The Real Story: How Samsung Blu Ray Players Were Bricked

July 19, 2020 by 84 Comments

In June, many owners of Samsung Blu Ray players found that their devices were no longer usable. Stuck in a boot loop, speculation was rife as to the cause of the issue. Now it seems that the issue has become clear – a badly formatted XML file may be responsible for the problems (via The Register).

The problem stems from the logging system that stores user data and passes it back to Samsung over the Internet. Which data is logged and sent back is managed by an XML file which contains the policy settings that control this behaviour. According to a source known only as “Gary” “Gray”, the XML file posted on Samsung’s servers on June 18 featured a malformed list element. This caused a crash in the player’s main software routine, leading the player to reboot.

The failure was exacerbated by the fact that the XML file is parsed very early in the boot sequence, even before checking for firmware updates or a new XML file. This has prevented Samsung from rolling out an update or fix over the air, and is why the player gets stuck in a loop of continuous reboots.

Reportedly, the file can be found at this URL, though is now an updated version that shouldn’t brick players. Samsung have had to resort to a mail-in repair scheme, wherein technicians with service tools can manually remove the offending XML file from the player’s storage, allowing it to boot cleanly once again. While this shows our initial assumptions were off the mark, we’re glad to see a solution to the problem, albeit one that requires a lot of messing around.

[Thanks to broeckelmaier for the tip!]

This Week In Security: Twitter, Windows DNS, SAP RECON

July 17, 2020 by 8 Comments

Twitter just had their biggest security breach in years. Mike warned us about it on Wednesday, but it’s worth revisiting a few of the details. The story is still developing, but it appears that malicious actors used social engineering to access an internal Twitter dashboard. This dashboard, among other interesting things, allows directly changing the email address associated with an account. Once the address is changed to the attacker’s, it’s simple to do a password reset and gain access.

The bitcoin address used in the crypto scam ended up receiving nearly $120,000 USD worth of bitcoin, all of which has been shuffled off into different accounts. It’s an old and simple scam, but was apparently rather believable because the messages were posted by verified Twitter accounts.

Screenshot from Motherboard

A series of screenshots have been posted, claiming to be the internal Twitter dashboard used in the attack. More than a few eyebrows have been raised, as a result of that dashboard. First off, the fact that Twitter employees can directly change an account’s email address is asking for trouble. Even more interesting are the tags that can be added to an account. “Trends Blacklist” and “Search Blacklist” do call to mind the rumors of shadow-banning, but at this point it’s impossible to know the details. Motherboard is reporting that Twitter is removing that screenshot across the board when it’s posted, and even suspending accounts that post it. Of course, they’d do that if it were faked as well, so who knows? Continue reading “This Week In Security: Twitter, Windows DNS, SAP RECON”

Today’s Twitter Hack Is New Take On “Nigerian Prince” Scam

July 15, 2020 by 52 Comments

Don’t send bitcoin to celebrities… or to random people for that matter. This afternoon a number of high profile Twitter accounts were taken over, including Joe Biden, Bill Gates, Elon Musk, Apple, Jeff Bezos, and Kanye West, and the event appears to be ongoing. Each displayed a message saying they wanted to “give back” by doubling the bitcoin that they are sent. The messages all appear to have the same bitcoin wallet address.

This is reminiscent of the “Nigerian prince” scams, a form of advance-fee scam where an email asks for help with a small sum of money in order to obtain a larger sum. Those usually come in as spam emails which most people are wise to at this point. However, blindly following celebrities on Twitter may still deliver a good dose of naïveté when those platforms are misused.

Bitcoin transactions can be viewed publicly and this wallet is showing 11.8 BTC in and 5.8 BTC out in a total of 288 transactions. The net is roughly 6 bitcoin or $55k USD at the time of writing. Twitter’s response appears to have locked down all verified accounts from publishing new tweets. They retain the ability to retweet and delete existing tweets.

Main image screenshot sources:

The Many Methods Of Communicating With Submarines

July 15, 2020 by 36 Comments

It sometimes seems hard to believe that we humans have managed to explore so little of what we have so much of: the seas. Oceans cover something like 70 percent of the world’s surface, but we’ve only mapped 20 percent of the ocean floor. The 228,000 ocean-dwelling species that we know about represents about ten percent of the estimated total aquatic species. And almost all the life we know about, and the area that we’ve explored thoroughly, is limited to the first few hundred meters from the surface.

The paucity of our deep-water investigatory efforts has a lot to do with the hostility of the sea to those who haven’t evolved to survive in it. It takes extreme engineering and fantastically expensive machines to live and work even a few meters down, and even then submariners quickly become completely isolated from the rest of the world once they’re down there. Underwater communication is particularly challenging, since the properties of seawater confound efforts to use it as a communications medium.

Challenging though it may be, underwater communication is possible, and in this article we’ll take a look at a few modalities that have made operating under the sea possible, and a new technology that might just extend the Internet below the waves.

Continue reading “The Many Methods Of Communicating With Submarines”

Roboticist Grant Imahara Of Mythbusters Fame Dies Of Aneurysm At Age 49

July 14, 2020 by 45 Comments

We awake this morning to sad news of the premature passing of Grant Imahara at the age of 49 due to a brain aneurysm. Grant was best known for his role on the wildly popular Mythbusters television show on which he starred and built test apparatus for seasons three through twelve. He landed this role because he was a badass hardware hacker as much as he was an on-camera personality.

Grant received his degree in electrical engineering from USC in 1993 and landed a job with Lucasfilm, finding his way onto the Industrial Light and Magic team to work on blockbuster films like the Star Wars prequels (R2-D2 among other practical effects) and sequels to Terminator and The Matrix. Joining the Mythbusters team in 2005 was something of a move to rapid prototyping. Each of the 22-minute episodes operated on a 10-day build and a film cycle in which Grant was often tasked with designing and fabricating test rigs for repeatable testing with tightly controlled parameters.

After leaving the show, Grant pursued several acting opportunities, including the Kickstarter funded web series Star Trek Continues which we reported on back in 2013. But he did return to the myth busting genre with one season of The White Rabbit Project on Netflix. One of the most genuinely geeky appearances Grant made was on an early season of Battlebots where his robot ‘Deadblow’ sported a wicked spiked hammer. Video of his appearance in the quarter-finals is like a time-capsule in hacker history and guaranteed to bring a smile to your face.

Grant Imahara’s legacy is his advocacy of science and engineering. He was a role model who week after week proved that questioning how things work, and testing a hypothesis to find answers is both possible and awesome. At times he did so by celebrating destructive force in the machines and apparatus he built. But it was always done with observance of safety precautions and with a purpose in mind (well, perhaps with the exception of the Battlebots). His message was that robots and engineering are cool, that being a geek means you know what the heck you’re doing, and that we can entertain ourselves through creating. His message lives on through countless kids who have grown up to join engineering teams throughout the world.

Grant was the headliner at the first Hackaday Superconference in San Francisco back in 2015. I’ve embedded the fireside chat below where you can hear in his own words what inspired Grant, along with numerous stories from throughout his life.

Continue reading “Roboticist Grant Imahara Of Mythbusters Fame Dies Of Aneurysm At Age 49”