News

3654 Articles

This Week In Security: Psychic Paper, Spilled Salt, And Malicious Captchas

May 8, 2020 by 10 Comments

Apple recently patched a security problem, and fixed the Psychic Paper 0-day. This was a frankly slightly embarrasing flaw that [Siguza] discovered in how iOS processed XML data in an application’s code signature that allowed him access to any entitlement on the iOS system, including running outside a sandbox.

Entitlements on iOS are a set of permissions that an application can request. These entitlements range from the aforementioned com.apple.private.security.no-container to platform-application, which tells the system that this is an official Apple application. As one would expect, Apple controls entitlements with a firm grip, and only allows certain entitlements on apps hosted on their official store. Even developer-signed apps are extremely limited, with only two entitlements allowed.

This system works via an XML list document that is part of the signed application. XML is a relative of HTML, but with a stricter set of rules. What [Siguza] discovered is that iOS contains 4 different XML parsers, and they deal with malformed XML slightly differently. The kicker is that one of those parsers does the security check, while a different parser is used for that actual permission implementation. Is it possible that this mismatch could contain a vulnerability? Of course there is.
Continue reading “This Week In Security: Psychic Paper, Spilled Salt, And Malicious Captchas”

Ask Hackaday: Wink Hubs, Extortion As A Service?

May 7, 2020 by 142 Comments

Wink Labs just announced that their home automation hub, the Wink Hub, is “transitioning to a $4.99 monthly subscription, starting on May 13, 2020.” Should you fail to pay the fiver every month, you will lose access to their app, voice control, and automations, which is everything it does as far as we can tell.

This is an especially bitter pill to swallow for Hub users, because the device was just that — a hub. It speaks Bluetooth, Z-Wave, ZigBee, WiFi, Kidde, and a couple other specific device protocols, interfaces with Amazon’s Alexa, has a handy Android master panel app, and had a nice “robot” system that made the automation side of “home automation” simple for normal people. In short, with its low one-time purchase price, compatibility with many devices, nice phone app, and multiple radios, it was a great centerpiece for a home-automation setup.

“Nice home automation system you’ve got there. Would be a shame if anything happened to it.”

Continue reading “Ask Hackaday: Wink Hubs, Extortion As A Service?”

What Will You Do With An Extra 1.2 Gigahertz?

May 7, 2020 by 27 Comments

While our collective minds have been turned towards the global pandemic it’s refreshing to hear that in some quarters life has continued, and events that would have made the news in more normal times have continued to take place while they have been replaced in coverage by more urgent considerations.

In the last few weeks there has been a piece of routine American bureaucracy that flew under the radar but which will have a significant effect on global technology; the United States’ Federal Communication Commission first proposed, then ratified, the allocation of an extra 1200 MHz of spectrum in the 6 GHz band to ISM usage. This allocation process is likely to be repeated by other regions worldwide, freeing up another significant piece of spectrum for unlicensed usage.

In practice this means that there will be a whole new set of WiFi channels created, and we’ll all have a little more spectrum to play around with, so it’s worth examining in a little more detail. Continue reading “What Will You Do With An Extra 1.2 Gigahertz?”

EARN IT: Privacy, Encryption, And Policing In The Information Age

May 6, 2020 by 40 Comments

You may have heard about a new bill working its way through the US congress, the EARN IT act. That’s the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020”. (What does that mean? It means someone really wanted their initials to spell out “EARN IT”.)

EARN IT is a bipartisan bill that claims to be an effort to put a dent in child exploitation online. It’s also managed to catch the attention of the EFF, Schneier, and a variety of news outlets. The overwhelming opinion has been that EARN IT is a terrible idea, will make implementing end-to-end encryption impossible, and violates the First and Fourth Amendments. How does a bill intended to combat child pornography and sex trafficking end up on the EFF bad list? It’s complicated.

Continue reading “EARN IT: Privacy, Encryption, And Policing In The Information Age”

Arm Gives Gift To Startups: Zero Cost

May 4, 2020 by 24 Comments

Who hasn’t dreamed of pulling together some gadget in their garage and turning it into a big business? Of course, most gadgets today have a CPU in them, and Arm CPUs power just about any kind of embedded device you can think of. If you just want to use a chip, that’s easy. You buy them from a licensee and you use their tools for development. But if you want to integrate ARM’s devices into your own chips, that’s a different story. You have to pay fees, buy tools, and pay licenses on each chip you produce. Until now. Arm’s flexible access for startups program will let you apply to get all of that free.

To qualify, you have to be an “early stage silicon startup with limited funding.” Normally, flexible access costs about $75,000 to $200,000 a year and that doesn’t cover your license fees and royalties. The plan offered to qualifying startups is the $75,000 package, but that still includes access to nearly all Arm products, technical support, a few introductory training credits, and development tools. After your first tape-out, though, it looks as though you’ll have to pony up.

Continue reading “Arm Gives Gift To Startups: Zero Cost”

The Vaccine Factory Inside You: RNA Vaccine Basics

May 4, 2020 by 19 Comments

As the world pulls back from the acute phase of the COVID-19 pandemic, it enters what will be perhaps a more challenging time: managing the long-term presence of the SARS-CoV-2 virus that causes the disease. In the roughly two-century history of modern vaccination practices, we’ve gotten pretty good at finding ways to protect ourselves from infectious diseases, and there’s little doubt that we’ll do the same for SARS-CoV-2. But developing a vaccine against any virus or bacterium takes time, and in a pandemic situation, time is exactly what’s at a premium.

In an effort to create an effective vaccine against this latest viral threat, scientists and physicians around the world have been taking a different approach to inoculation. Rather than stimulating the immune system in the usual way with a weakened sample of the virus, they’re trying to use the genetic material of the virus to stimulate an immune response. These RNA vaccines are a novel approach to a novel infection, and understanding how they work will be key to deciding whether they’ll be the right way to attack this pandemic.

Continue reading “The Vaccine Factory Inside You: RNA Vaccine Basics”

Using Smartphone Cameras To Make Sure Drivers Are Looking At The Road

May 3, 2020 by 25 Comments

Most of us are probably quite aware of the damage that a car can inflict when driven by a distracted driver. In an ideal world, people who are driving a car would not allow something like their phone to distract them from their primary task of being the primary navigation system for the 1+ metric ton vehicle which they are controlling.

Many smartphone apps as well as in-car infotainment systems have added features over the years that try to prevent a driver from using them, but they run into the issue that it’s hard to distinguish between passenger and driver. As it turns out, asking the human driver whether they are the driver doesn’t always get the expected result. This is where [Rushil Khurana] and his team at Carnegie Mellon University (CMU) have come up with a more fool-proof approach.

In their paper (PDF), they cover the algorithm and software implementation that uses the smartphone’s own front (selfie) and back cameras to determine from the car’s interior which side of the car the user is sitting in, and deducing from that whether the user is sitting in the driver’s seat or not.  From there it is a fairly safe assumption to make that if the user is sitting in the driver’s seat, and the car is moving, that this user should not be looking at the phone’s screen.

In a test involving 16 different cars and 33 users, they achieved an overall accuracy of 94% with the phone held in the hand, and 92.2% while docked. This is more reliable than the other approaches covered in the paper, and as a benefit does not require any extra hardware. Who knows, upcoming smartphones may include a feature like this, so that apps can easily determine what feature set should be made available to a driver, if any.

Continue reading “Using Smartphone Cameras To Make Sure Drivers Are Looking At The Road”