HP Laptops Turn Up Keylogger Where You Wouldn’t Expect It

Keyloggers are nasty little things that have the potential to steal the credit card numbers of you and everyone you care about. Usernames and passwords can be easily stolen this way, so they’re a useful tool for the black hats out there. One would generally expect to find a keylogger in a dodgy movie torrent or perhaps a keygen for pirated software, but this week a keylogger was found in an audio driver for an HP laptop.

The logger was found by the Swiss security researchers at modzero. The Conexant HD Audio Driver Package, version 1.0.0.46 and earlier, apparently hooks the keyboard in order to catch things like the laptop’s volume up and down keys. The real killer is that it writes every keystroke it sees to a readily accessible file, for reasons we can’t possibly fathom. That alone is a huge security risk, but it doesn’t stop there: the driver also exposes the keystrokes through an API, widening the attack surface for malicious actors even further. Any process that can read files on the machine, whether a low-privilege local one or a remote attacker with a foothold, can in principle collect the keystroke log.
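The design mistake is worth seeing in code. What follows is an added example written for this page, not modzero’s findings or Conexant’s driver (whose source nobody outside HP has): a simulated keyboard hook that contrasts “log everything that passes through” with “handle only the keys you own”. The virtual-key codes are Windows values, the typed session is constructed, and the real driver’s file format and API are not shown in the article and are not reproduced here.

```python
# Added example (not modzero's or HP's code): a simulated keyboard hook showing the
# difference between logging every key event and handling only the hotkeys you need.
# Windows virtual-key codes for the media keys a volume helper legitimately cares about.
VK_VOLUME_MUTE, VK_VOLUME_DOWN, VK_VOLUME_UP = 0xAD, 0xAE, 0xAF
HOTKEYS = {VK_VOLUME_MUTE: "mute", VK_VOLUME_DOWN: "volume_down", VK_VOLUME_UP: "volume_up"}


class LeakyHook:
    """The pattern the article describes: every key event is appended to a log,
    which in the real driver ended up in a file any local process could read."""

    def __init__(self):
        self.log = []       # stands in for that readily accessible file
        self.actions = []

    def on_key(self, vk):
        self.log.append(f"vk={vk:#04x}")   # records the 'p' of a password as readily as a volume key
        if vk in HOTKEYS:
            self.actions.append(HOTKEYS[vk])


class MinimalHook:
    """Least-capture version: decide first whether the key is ours and drop it otherwise;
    debug logging is off by default and never contains raw key codes even when on."""

    def __init__(self, debug=False):
        self.debug = debug
        self.log = []
        self.actions = []

    def on_key(self, vk):
        action = HOTKEYS.get(vk)
        if action is None:
            return                       # not a media key: nothing retained, nothing written
        self.actions.append(action)
        if self.debug:
            self.log.append(f"hotkey {action}")   # names of our own hotkeys only


def replay(hook, events):
    """Feed a sequence of virtual-key codes through a hook and return the hook."""
    for vk in events:
        hook.on_key(vk)
    return hook


def recover_typed_text(log_lines):
    """What an attacker does with the leaky log: map letter/digit VK codes back to text
    (VK codes for '0'-'9' and 'A'-'Z' equal their ASCII values)."""
    chars = []
    for line in log_lines:
        vk = int(line.split("=", 1)[1], 16)
        if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
            chars.append(chr(vk))
    return "".join(chars)


def keys_for(text):
    """Virtual-key codes for a string of letters and digits (constructed test input)."""
    return [ord(c.upper()) for c in text]


# Constructed session: the user types a password, then bumps the volume.
SESSION = keys_for("s3cret") + [VK_VOLUME_UP]

if __name__ == "__main__":
    leaky = replay(LeakyHook(), SESSION)
    minimal = replay(MinimalHook(debug=True), SESSION)
    print("leaky log recovers:", recover_typed_text(leaky.log))   # S3CRET
    print("minimal log:", minimal.log)                             # ['hotkey volume_up']
```

Both hooks deliver the same volume_up action; only one of them has a password lying around afterwards. The point generalises to any hotkey or media-key helper: filter before you record, and keep debug output free of the input you were never meant to see.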

There’s no word from the company yet, but we really want to know – why save the keystrokes to a file at all? Code left over from debugging, perhaps? Speculate in the comments.

Templates Speed Up Arduino I/O

It is easy to forget, but the Arduino does use C++. Typically the C++ lives in the libraries and the framework, and most people write their main programs in a C style, treating the library objects as if they were C-language extensions. [Fredllll] recently created a template library to speed up Arduino I/O and shared it on GitHub.

If you’ve ever done anything serious with the Arduino, you probably know that while digitalWrite is handy, it does a lot of work behind the scenes on every call: it looks up the port and bit mask for the pin number, turns off any PWM on the pin and masks interrupts around the write, and that overhead is paid at run time. [Fredllll’s] template versions take the pin number as a template parameter, so the port and bit are resolved at compile time and the compiler can emit a single bit-set or bit-clear instruction; on AVR that switches a pin’s state in two cycles. You can cut that in half by writing the whole port register in one instruction, if you don’t mind clobbering the state of the other pins on the same port.

Continue reading “Templates Speed Up Arduino I/O”

Git Shell Bypass, Less Is More

We’ve always been fans of wargames. Not the movie (well, also the movie), but hacking wargames. There are several formats, but usually you start with a shell account somewhere, which is level0, and you have to exploit some flaw in the system to gain level1 permissions, and so forth. Almost always there’s a level where you have to exploit a legitimate binary (with some shady permissions) that does more than the regular user thinks it does.

In the case of CVE-2017-8386, less is more.

[Timo Schmid] details how git-shell, a restricted shell meant to be used as the upstream peer of a git remote session over SSH, can be abused to achieve arbitrary file read, directory listing and somewhat restricted file write. The basic idea of git-shell is to restrict the commands allowed in an SSH session to the ones git needs (git-receive-pack, git-upload-pack, git-upload-archive). The researcher realized he could pass parameters to these commands, like the flag --help:

$ ssh git@remoteserver "git-receive-pack '--help'"

GIT-RECEIVE-PACK(1)            Git Manual             GIT-RECEIVE-PACK(1)

NAME
 git-receive-pack - Receive what is pushed into the repository
[...]

What the flag does is make git open the man page for the command, which man hands to a pager program, usually less. And this is where it gets interesting. When running interactively, less can do the things you would expect, like searching for text, jumping to a line number and scrolling. It can also open a new file (:e), save its input to a file (s) and run a shell command (!), which it does by invoking whatever $SHELL is set to. Since ssh does not allocate a terminal for a remote command by default, you have to force the allocation of a PTY like so:

$ ssh -t git@remoteserver "git-receive-pack '--help'"

GIT-RECEIVE-PACK(1) Git Manual GIT-RECEIVE-PACK(1)

NAME
 git-receive-pack - Receive what is pushed into the repository

 Manual page git-receive-pack(1) line 1 (press h for help or q to quit)
 

Press h for help and have fun. One caveat: in usual installations the command execution will not really run arbitrary commands, since $SHELL is the login shell, git-shell, which is restricted to a few whitelisted commands (:e and s don’t go through the shell, so the file read and write still work). There are, however, configurations where it does happen, such as keeping bash or sh as the login shell and limiting the user in other ways so that they can only use git (as in shared environments without root access). You can see such an example here.

The quickest fix server-side is to deny PTY allocation to the git account: add the no-pty option (or restrict, which implies it) to each key in the user’s authorized_keys, or set PermitTTY no in a Match User block of sshd_config. With no terminal, less won’t run in interactive mode. Git’s own fix was to make git-shell refuse arguments that begin with a dash, so updating git closes the hole at the source as well.
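Checking that every key on a git-shell account actually carries that option is tedious by hand, and the authorized_keys option syntax has traps (command="..." values may contain commas). The following is an added example written for this page, not part of [Timo Schmid]’s write-up or of git: it parses /etc/passwd-style and authorized_keys-style text and reports keys of git-shell users that could still get a PTY. The sample entries are constructed.

```python
# Added example (not from the write-up): audit which git-shell accounts still allow a PTY.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def git_shell_users(passwd_text):
    """Users whose login shell is git-shell, from /etc/passwd-style text."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].rsplit("/", 1)[-1] == "git-shell":
            users.add(fields[0])
    return users


def _split_options(opts):
    """Split an authorized_keys option string on commas outside double quotes
    (command="..." and from="..." values may themselves contain commas)."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if quoted and c == "\\" and i + 1 < len(opts):   # escaped character inside quotes
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            out.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_key(line):
    """Return (options, key_type, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        opt_text, rest = "", line              # no options at all
    else:
        quoted, i = False, 0                   # options end at the first unquoted whitespace
        while i < len(line) and (quoted or not line[i].isspace()):
            if quoted and line[i] == "\\":
                i += 1                         # skip the escaped character
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        opt_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return _split_options(opt_text), parts[0], comment


def pty_allowed(options):
    """True unless the key carries no-pty, or restrict without a later pty override."""
    names = [o.split("=", 1)[0].lower() for o in options]
    if "no-pty" in names:
        return False
    if "restrict" in names and "pty" not in names:   # restrict (OpenSSH 7.2+) implies no-pty
        return False
    return True


def audit(passwd_text, keys_by_user):
    """(user, key comment) for every key of a git-shell user that could still get a PTY."""
    findings = []
    for user in sorted(git_shell_users(passwd_text)):
        for line in keys_by_user.get(user, "").splitlines():
            parsed = parse_authorized_key(line)
            if parsed and pty_allowed(parsed[0]):
                findings.append((user, parsed[2]))
    return findings


# Constructed sample data (placeholder key material, not real keys).
PASSWD = """root:x:0:0:root:/root:/bin/bash
git:x:1001:1001::/home/git:/usr/bin/git-shell
alice:x:1002:1002::/home/alice:/bin/bash
"""
KEYS = {
    "git": """# deploy keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ci-runner
no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo laptop
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree bob
restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFour carol
command="echo a,b",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyFive backup
""",
    "alice": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeySix alice@host\n",
}

if __name__ == "__main__":
    for user, comment in audit(PASSWD, KEYS):
        print(f"{user}: key '{comment}' can allocate a PTY; add no-pty or restrict")
```

Note that restrict,pty deliberately re-enables the terminal, which is why the check looks for a pty override rather than stopping at restrict. If you would rather not touch every key, a Match User git block with PermitTTY no in sshd_config applies to the account as a whole.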

$ man less

LESS(1) General Commands Manual LESS(1)

NAME
less - opposite of more

Ironic, isn’t it?

The SHA2017 Badge Revealed

It’s that excellent time of year in which one slowly comes to the realisation that the summer’s eagerly anticipated events are now no longer at some impossibly distant point in the future, but in fact only a matter of a few months or even weeks away. For our European readers, this means that August’s SHA2017 hacker camp is appearing on the horizon, four days of outdoor technological indulgence for our community in a scout camp on the Dutch polders.

As it is a tradition of such events to have an electronic badge incorporating ever more impressive levels of computing power, it follows that the pre-production announcement of an event badge has become an important milestone in the countdown to the day. SHA2017 is no exception, and thus today we see the announcement of their take on the essentials for a hacker camp badge in 2017.

The most immediately obvious thing about the badge is its 296×128 pixel e-ink display, which should provide an immediate benefit in terms of battery life. There is the usual plethora of interfaces, GPIOs, USB and Neopixels, and user input is via a set of capacitive buttons. Powering the device is an ESP32, and a key design goal was a badge network that does not put pressure on the 2.4GHz infrastructure. We’re guessing they’re doing this using raw WiFi packets in the same way as the MAGfest swadge. On the software front it will provide a straightforward development route via MicroPython, and there will be an app library for those without the inclination to code their own. You can get an early look at the schematic from the project repo (PDF).

Their target is to have the badge ready and with stable software on day 1 of the event, a laudable aim if they can manage it.

Members of the Hackaday team will be making the trip to the Netherlands for SHA2017, we look forward to seeing you if you attend too, and please show us anything interesting you do with your badges! Keep your eyes peeled for the Jolly Wrench, and come say hello. You’ll find me with the OxHack contingent and giving a talk on the kit biz which I have also published in the Project to Kit series of articles.

We’ve covered so many badges here at Hackaday that we could almost serve up a retrospective exhibition of the art form. Of particular interest to us though is our own [Voja Antonic]’s badge for last year’s Hackaday SuperConference.

Thanks [Sebastius] for the tip.

The Dangers Of Engineering While Unlicensed

Citizen engineers, beware the Beaver State. If you want to discuss engineering in a public setting, you’d better have a license. If you don’t, you could end up like Oregon resident Mats Järlström — paying a $500 fine and being threatened with even larger civil penalties and jail time.

The story of how Järlström became ensnared in this unfortunate series of events begins innocently enough, and it’s a story that any Hackaday reader can probably relate to. After his wife received a traffic ticket in the mail from a red-light camera in the town of Beaverton, Järlström began pondering the math of traffic signal timing. After a little digging, he found the formula used for calculating the time traffic signals stay in the yellow stage. Moreover, he found a flaw in the formula, which dates back to 1959, that could lead to incorrect violations issued by automated traffic cameras.

Continue reading “The Dangers Of Engineering While Unlicensed”

DARPA Plans To Begin Hacking Human Brains

So [DARPA] wants to start hacking human brains, with the help of the biomedical device center at the University of Texas at Dallas. This does sound a bit crazy, but DARPA does crazy. Conspiracy theorists are going to have a field day with this one.

The initial plans to turn us all into mindless zombies seem to be shelved for now; instead they are working on what they call Targeted Neuroplasticity Training (TNT), which they explain means using the body’s nervous system to enhance and speed up the learning process. This would be achieved through ‘synaptic plasticity’, adjusting the strength of the brain’s synapses by electrical stimulation of the nervous system. They hope that by tuning the neural networks responsible for cognitive function they can enhance learning. Let’s just hope they don’t turn any humans into DARPA falling robots.

Ultrasonic Tracking Beacons Rising

An ultrasonic beacon is an inaudible sound carrying encoded data that a listening device can pick up to receive information about just about anything. Beacons can be used, for example, inside a shop to highlight a particular promotion, or in a museum for guided tours, where each beacon encodes its location. Or they can be used to track consumers. Imagine if Google finds out… oh, wait… they already did, some years ago. As with almost any technology, it can be used to ‘do no harm’ or to serve other purposes.

Researchers from the Technische Universität Braunschweig in Germany presented a paper on ultrasonic side channels on mobile devices and how they can be abused in a variety of scenarios, ranging from simple consumer tracking to deanonymization. These beacons work in the 18 kHz to 20 kHz range, which most adults cannot hear: presbycusis, age-related hearing loss, takes the top of the range first, so only the under-twenties are likely to notice. Yes, presbycusis. This range can be played through almost any speaker and picked up easily by most mobile device microphones (a standard 44.1 kHz or 48 kHz sample rate covers it comfortably), so no special hardware is needed. Speakers and mics are nearly ubiquitous nowadays, so there is a real appeal to the technology.
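To make the mechanism concrete, and to show the check a practitioner would want (is there anything at all in that band?), here is an added example written for this page; it is not the researchers’ code nor any real beacon SDK. It assumes a simple two-tone FSK scheme at 18.5 kHz and 19.5 kHz with 20 ms symbols, a 44.1 kHz sample rate, symbols aligned at sample zero (real beacons carry a preamble for that), and a 1% of full scale detection threshold; the audio is constructed in the script. Detection uses the Goertzel algorithm, a single-bin DFT cheap enough to run continuously on a phone.

```python
# Added example (not from the paper): encode, decode and detect an 18-20 kHz beacon.
import math

FS = 44_100                          # sample rate, Hz (assumed: CD-quality audio)
SYMBOL_SECONDS = 0.02                # one bit per 20 ms (assumed; real beacon protocols differ)
F_ZERO, F_ONE = 18_500.0, 19_500.0   # two tones inside the inaudible band (assumed FSK scheme)
N = int(FS * SYMBOL_SECONDS)         # 882 samples/symbol: bins every 50 Hz, so all tones are exact bins


def goertzel_amplitude(frame, freq, fs=FS):
    """Peak amplitude of a sinusoid at `freq` within `frame` (Goertzel algorithm)."""
    n = len(frame)
    k = round(freq * n / fs)                           # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2        # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n        # |X[k]| scaled back to peak amplitude


def encode_beacon(bits, amplitude=0.05, fs=FS):
    """Samples the beacon's speaker plays: one tone per bit, quiet relative to full scale."""
    samples = []
    for i, bit in enumerate(bits):
        f = F_ONE if bit else F_ZERO
        for j in range(N):
            t = (i * N + j) / fs
            samples.append(amplitude * math.sin(2.0 * math.pi * f * t))
    return samples


def audible_tone(n_samples, freq=1000.0, amplitude=0.5, fs=FS):
    """Stand-in for the audible content (music, an advert) the beacon is mixed into."""
    return [amplitude * math.sin(2.0 * math.pi * freq * i / fs) for i in range(n_samples)]


def mix(*tracks):
    n = max(len(t) for t in tracks)
    return [sum(t[i] for t in tracks if i < len(t)) for i in range(n)]


def frames(samples):
    for start in range(0, len(samples) - N + 1, N):
        yield samples[start:start + N]


def decode_beacon(samples):
    """What a listening app does: per symbol, take whichever tone is stronger."""
    return [1 if goertzel_amplitude(fr, F_ONE) > goertzel_amplitude(fr, F_ZERO) else 0
            for fr in frames(samples)]


def ultrasonic_present(samples, threshold=0.01):
    """Coarse 'is anything beaconing?' detector: sweep 18-20 kHz in 50 Hz steps and flag
    any frame with a component above `threshold` (1% of full scale, assumed)."""
    for fr in frames(samples):
        for f in range(18_000, 20_001, 50):
            if goertzel_amplitude(fr, float(f)) > threshold:
                return True
    return False


# Constructed input: an 8-bit beacon hidden under a loud 1 kHz tone.
BITS = [1, 0, 1, 1, 0, 0, 1, 0]
CLEAN = audible_tone(len(BITS) * N)
TAGGED = mix(CLEAN, encode_beacon(BITS))

if __name__ == "__main__":
    print("decoded:", decode_beacon(TAGGED))                      # [1, 0, 1, 1, 0, 0, 1, 0]
    print("beacon in tagged audio:", ultrasonic_present(TAGGED))  # True
    print("beacon in clean audio:", ultrasonic_present(CLEAN))    # False
```

The beacon is ten times quieter than the audible content yet decodes cleanly, which is the whole appeal for the advertiser and the whole problem for the user. The same sweep in ultrasonic_present is what a microphone-permission audit tool or a test rig would run to tell you whether the shop you are standing in is tagging its audio.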

Continue reading “Ultrasonic Tracking Beacons Rising”