This Week In Security: More WhatsApp, Nextcry, Hover To Crash, And Android Permissions Bypass

There is another WhatsApp flaw, but instead of malicious GIFs, this time it’s malicious mp4 files. Facebook announced the vulnerability late last week. An update has been released, so first go make sure WhatsApp is updated. Facebook’s advisory is a bit light on the details, simply saying that a “stack-based buffer overflow” was possible as a result of “parsing the elementary stream metadata of an mp4 file”.

Shortly after the bug was announced, a GitHub repository popped up, with a claimed proof-of-concept mp4 file for CVE-2019-11931. (Thanks to [justtransit] on Reddit for the link.) I can’t easily test the PoC file, but we can take a look at it to see what the vulnerability is. What tools do we need to take a look? A hex editor is a good start. I’m using GHex, simply because it was available and easily installed on Fedora.

Starlink Satellites Posing Issues For Astronomers

Spotting satellites from the ground is a popular pastime among amateur astronomers. Typically, the ISS and Iridium satellites have been common sightings, with their orbits and design causing them to appear sufficiently bright in the sky. More recently, SpaceX’s mass launches of Starlink satellites have been drawing attention for the wrong reasons.

A capture from the Cerro Tololo observatory, showing the many Starlink satellite tracks spoiling the exposure.

Starlink is a project run by SpaceX to provide internet via satellite, using a variety of techniques to keep latency down and bandwidth high. There’s talk of inter-satellite laser communications, autonomous obstacle avoidance, and special designs to limit the amount of space junk created. We’ve covered the technology in a comprehensive post earlier this year.

The Starlink craft have long worried astronomers, who rely on a dark and unobstructed view of the sky to carry out their work. There are now large numbers of the satellites in relatively low orbits, and the craft have a high albedo, meaning they reflect a significant amount of the sunlight that hits them. With the craft also launching in a closely-packed train formation, there have already been impacts on research operations.

There is some hope that as the craft move to higher orbits when they enter service, this problem will be reduced. SpaceX are also reportedly considering modifications to the design to reduce albedo, helping to keep the astronomy community onside. Regardless, with plans on the table to launch anywhere from 12,000 to 42,000 satellites, it’s likely this isn’t the last we’ll hear about the issue.

The ESP32, Laid Bare

Most readers will be familiar with the ESP32, Espressif’s dual-core processor with integrated WiFi and Bluetooth. Few of us though will have explored all of its features, including its built-in encryption facilities and secure booting capability. With these, a developer can protect and secure their code, and keep their devices secure.

That sense of security may now be illusory though, thanks to [LimitedResults], who has developed a series of attacks on the chip that compromise its crypto core, secure boot, and flash encryption. This opens the door to both arbitrary code execution and firmware extraction on locked-down ESP32 devices.

To achieve all this he used a glitching technique on the device’s power supply, inserting a carefully timed glitch in the rail to coincide with a particular instruction being executed. For those of us who are not experts in this technique, he provides a basic primer with a description of his home-made glitcher made using a CMOS switch chip.

It appears that there is no solution to this attack short of new silicon. However, it should be borne in mind that it’s something that depends upon a specialist hacker with a well-equipped bench, and is thus only likely to be a significant headache to manufacturers. But it undermines a key feature of a major line of microcontrollers, and as such it remains a significant piece of work.

This Week In Security: Fuzzing Fixes, Foul Fonts, TPM Timing Attacks, And More!

An issue was discovered in libarchive through Google’s ClusterFuzz project. Libarchive is a compression and decompression library, widely used in utilities. The issue here is how the library recovers from a malformed archive. Hitting an invalid header causes the memory in use to be freed. The problem is that it’s possible for file processing to continue even after that working memory has been freed, leading to all kinds of problems. So far an actual exploit hasn’t been revealed, but it’s likely that one is possible. The problem was fixed back in May, but the issue was just announced to give time for that update to percolate down to users.

Of note is the fact that this issue was found through Google’s fuzzing efforts. Google runs the oss-fuzz project, which automatically ingests nightly builds from around 200 open source projects and runs ClusterFuzz against them. This process of throwing random data at programs and functions has revealed over 14,000 bugs.

Best Buy’s IoT Goes Dark, Leaving Some “Smart” Products Dumbfounded

Bad news if you bought several Insignia-branded smart devices from Best Buy. The company has decided to shut down the back end systems that make them work — or at least work as a smart device. On the chopping block are smart outlets, switches, a security camera, and an upright freezer. If you bought, say, the freezer, it will still keep things cold. But the security camera will apparently be of no use at all now that the backend systems have gone dark. The company is offering an unspecified partial refund to users of the affected devices.

Best Buy announced this in September, and the shutdown date was last week on November 6th. Not all Insignia products are impacted, just the ones that rely on their app.

Anytime we talk about cloud-based technology, there are always a few people who say something like, “I’ll never rely on anything in the cloud!” Perhaps they have a point — certainly in this case they were right. There are really two things to consider: hardware devices that rely on the cloud, and data that resides in the cloud. In some cases, one product — like a camera — might have both.


Azobenzene Stores Solar Energy

Probably the most efficient way to convert solar energy into electricity is the old-fashioned way, heating water into steam and turning a turbine. This remains a messy affair though, and you don’t really want a steam boiler on your roof, so solar cells are popular. However, there’s some new research showing how a molecule can absorb solar energy, store it, and then release the heat on demand years later. This could offer new ways to collect and even transport solar power. This new molecule, derived from azobenzene, holds immense promise to change the way we work with solar power.


HF Propagation And Earthquakes

For all the successes of modern weather forecasting, where hurricanes, blizzards, and even notoriously unpredictable tornadoes are routinely detected before they strike, reliably predicting one aspect of nature’s fury has eluded us: earthquakes. The development of plate tectonic theory in the middle of the 20th century and the construction of a worldwide network of seismic sensors gave geologists the tools to understand how earthquakes happened, and even provided the tantalizing possibility of an accurate predictor of a coming quake. Such efforts had only limited success, though, and enough false alarms that most efforts to predict earthquakes were abandoned by the late 1990s or so.

It may turn out that scientists were looking in the wrong place for a reliable predictor of coming earthquakes. Some geologists and geophysicists have become convinced that instead of watching the twitches and spasms of the earth, the state of the skies above might be more fruitful. And they’re using the propagation of radio waves from both space and the ground to prove their point that the ionosphere does some interesting things before and after an earthquake strikes.
