News

3619 Articles

WiFi Meets LoRa For Long Range

October 7, 2024 by 20 Comments

What do you get when you cross WiFi and LoRa? Researchers in China have been doing this, and they call the result WiLo. They claim to get reliable connections over about half a kilometer. Typical WiFi runs 40 to 60 meters, barring any Pringle’s cans or other exotic tricks.

According to [Michelle Hampson] writing in IEEE Spectrum, the researchers manipulated Wi-Fi’s OFDM multiplexing to emulate LoRa’s chirp-spreading signal. The advantage is that existing WiFi hardware can use the protocol to increase range.

Continue reading “WiFi Meets LoRa For Long Range”

This Week In Security: Zimbra, DNS Poisoning, And Perfctl

October 4, 2024 by 6 Comments

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully requires a specific change from default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients made of the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as a bash argument. That execution wasn’t properly sanitized, and wasn’t using a safe call like execvp(). So, it was possible to inject commands using the $() construction.

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows only application for now. What you get is a packet capture from a specific executable and all of its children processes, with automated DNS capture to go along. Continue reading “This Week In Security: Zimbra, DNS Poisoning, And Perfctl”

Voyager 2’s Plasma Spectrometer Turned Off In Power-Saving Measure

October 2, 2024 by 24 Comments

The Voyager 2 spacecraft’s energy budget keeps dropping by about 4 Watt/year, as the plutonium in its nuclear power source is steadily dropping as the isotope decays. With 4 Watt of power less to use by its systems per year, the decision was made to disable the plasma spectrometer (PLS) instrument. As also noted by the NASA Voyager 2 team on Twitter, this doesn’t leave the spacecraft completely blind to plasma in the interstellar medium as the plasma wave subsystem (PWS) is still active. The PLS was instrumental in determining in 2018 that Voyager 2 had in fact left the heliosphere and entered interstellar space. The PLS on Voyager 1 had already broken down in 1980 and was turned off in 2007.

After saving the Voyager 1 spacecraft the past months from a dud memory chip and switching between increasingly clogged up thrusters, it was now Voyager 2’s turn for a reminder of the relentless march of time and the encroaching end of the Voyager missions. Currently Voyager 2 still has four active instruments, but by the time the power runs out, they’ll both be limping along with a single instrument, probably somewhere in the 2030s if their incredible luck holds.

This incredible feat was enabled both by the hard work and brilliance of the generations of teams behind the two spacecraft, who keep coming up with new tricks to save power, and the simplicity of the radioisotope generators (RTGs) which keep both Voyagers powered and warm even in the depths of interstellar space.

This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9

September 27, 2024 by 15 Comments

It looks like there’s finally hope for sane password policies. The US National Institue of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like name of first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gasses in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alpha-numeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS9+ flaw is a SQL injection, with a trio of slightly less serious flaws. Continue reading “This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9”

British Commuters Get Their WiFi Hacked

September 27, 2024 by 24 Comments

As if there weren’t enough worrying global news stories already, today the British press and media have been full of a story involving the public WiFi networks at some major railway stations. Instead of being faced with the usual don’t-be-naughty terms and conditions page, commuters were instead faced with a page that definitely shouldn’t have been there.

Hackaday readers will immediately have guessed what is likely to have happened. This is probably more of a compromise of the page than of the network itself, and, indeed, the BBC are reporting that it may have come via an administrator account at Network Rail’s er… network provider. Fortunately, it seems the intent was to spread a political message rather than malware, so perhaps those travelers got off lightly. The various companies involved have all got the proverbial egg on their faces, and we’re glad we don’t work in the IT department concerned.

Continue reading “British Commuters Get Their WiFi Hacked”

2024 Hackaday Superconference Speakers, Round Two

September 25, 2024 by 1 Comment

It’s honestly amazing the range of fascinating talks we have lined up for this year’s Supercon. From art robots that burp and belch to gliders returning from near-space, from hardcore DSP to DIY PCBs, and sketching with machines, Hackaday’s Supercon is like nothing else out there.

And in case you’re already coming, you don’t have a talk slot reserved, but you’ve still got something that you want to say, please sign yourself up for a Lightning Talk! In the spirit of the Lightning, we’ll be taking submissions up to the absolute last minute, and we will fit in as many short talks as possible, but when it does fill up, we’ll be giving priority to those who got in first.

We’ve got one more speaker announce coming up, and of course our keynote speaker and the badge reveal. Supercon will sell out so get your tickets now before it’s too late. So without further ado, here is our next round of stellar speakers!

Continue reading “2024 Hackaday Superconference Speakers, Round Two”

2024 Hackaday Supercon Workshop Tickets Go On Sale Now

September 24, 2024 by 8 Comments

Our workshop ticket sales go live today at 8 AM PDT! If you’re coming to Supercon, and you’re interested, go get your workshop ticket before they all sell out!

There will be a change to this year’s workshop ticket limits. We heard our community’s feedback, and in the spirit of giving as many people as possible the opportunity to enjoy a workshop, we are limiting sign up to one workshop per attendee. If there are extra tickets by October 18th, we will allow folks to sign up for additional workshops.

If you register for more than one workshop we will refund you the ticket for the others based on the timestamp that you registered for each ticket (leaving only the ticket for the first workshop you registered for). We hope everyone understands our goal is to allow more people to experience a Supercon workshop due to limited space.

And of course, you can’t join in the workshops at Supercon without coming to Supercon. So get your tickets now if you haven’t already.

Stay tuned tomorrow for more speaker announcements!

Continue reading “2024 Hackaday Supercon Workshop Tickets Go On Sale Now”