This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings

For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.

The setup for this breach was an AWS problem that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a failure mode of serving images and videos to the wrong users. An official report from Wyze mentions that the library had been recently added, and that around 13,000 thumbnails were shown to unauthorized users. Eek. There’s a reason we recommend picking one of the open source NVR systems here at Hackaday.

ScreenConnect Exploit in the Wild

A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week, proofs of concept were released, and they are already being used in active exploitation. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal.

Huntress has a guide out detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is the result of a .NET quirk: adding an additional directory on the end of a .aspx URL doesn’t actually change the destination, but the extra segment is captured as PathInfo. This allows a bypass of the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
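From the defender’s side, the useful thing about this quirk is that it leaves a very recognizable shape in the web server logs: a request for the setup wizard page with something trailing after .aspx. The following is an added example, not code from the original article or from ConnectWise or Huntress, that runs that check over a few constructed log lines. The log field layout (date, time, client IP, method, URI stem, status) and the sample entries are assumptions for the sake of the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real logs) in a simplified W3C/IIS style:
# date time client-ip method uri-stem status. The field layout is an assumption.
SAMPLE_LOG = """\
2024-02-21 10:01:02 203.0.113.5 GET /Login.aspx 200
2024-02-21 10:01:09 203.0.113.5 GET /SetupWizard.aspx 403
2024-02-21 10:01:15 203.0.113.5 GET /SetupWizard.aspx/literallyanything 200
2024-02-21 10:01:20 203.0.113.5 POST /setupwizard.aspx/x/../y 200
2024-02-21 10:02:00 198.51.100.9 GET /App_Extensions/Report.aspx 200
2024-02-21 10:02:05 198.51.100.9 GET /SetupWizard.aspx%2Fencoded 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
# Anything after ".aspx" plus a slash is what ASP.NET exposes as PathInfo.
PATHINFO_RE = re.compile(r"\.aspx(/.*)$", re.IGNORECASE)


def pathinfo_of(uri_stem):
    """Return the PathInfo suffix of a .aspx request, or '' if there is none.

    The URI is percent-decoded first so that an encoded slash (%2F) cannot
    hide the extra segment from the check.
    """
    match = PATHINFO_RE.search(unquote(uri_stem))
    return match.group(1) if match else ""


def find_setup_wizard_pathinfo(log_text, page="setupwizard.aspx"):
    """Flag requests to the setup wizard page that carry a PathInfo suffix.

    A bare request to the page (no suffix) is normal and is not flagged. A
    request with a suffix is the pattern worth alerting on, and a 200 status
    on such a request suggests the guard did not trigger.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        decoded = unquote(match["path"])
        suffix = pathinfo_of(decoded)
        if suffix and decoded.lower().startswith("/" + page):
            hits.append({
                "ip": match["ip"],
                "method": match["method"],
                "path": match["path"],
                "pathinfo": suffix,
                "status": int(match["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_setup_wizard_pathinfo(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> "
              f"PathInfo {hit['pathinfo']!r} (HTTP {hit['status']})")
```

The decode-before-match step matters more than it looks: the comparison is done on the decoded, lower-cased path, so case games and percent-encoded slashes do not slip past it. Point the same function at a real export and the hits with a 200 status are the ones to look at first.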

The second vulnerability triggers during extension unpack, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation.
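The fix for this class of bug is to validate every archive member against the destination directory before writing anything, and to refuse the whole archive if a single entry escapes, rather than extracting first and checking later. Here is an added example of that check in Python, not code from the original article or from ConnectWise; the in-memory archive, its entry names and the staging directory path are constructed for the demonstration.

```python
import io
import os
import zipfile

STAGING_DIR = "/tmp/extension-staging"  # constructed destination; need not exist


def build_sample_extension():
    """Constructed in-memory archive: one benign entry plus three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExtension/manifest.xml", "<extension/>")
        zf.writestr("../../outside.txt", "escaped via leading ..")
        zf.writestr("MyExtension/../../outside2.txt", "escaped via nested ..")
        zf.writestr("MyExtension\\..\\..\\outside3.txt", "escaped via backslashes")
    return buf.getvalue()


def classify_members(zip_bytes, dest):
    """Split archive members into (accepted, rejected) before anything is written.

    Each name is normalised (backslashes become slashes), joined onto the
    destination and resolved; a member whose resolved path does not sit
    inside the destination is rejected.
    """
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_real, name))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            (accepted if inside else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(zip_bytes, dest):
    """All-or-nothing: refuse the whole archive if any member escapes."""
    accepted, rejected = classify_members(zip_bytes, dest)
    if rejected:
        raise ValueError(
            f"refusing archive: {len(rejected)} member(s) escape {dest}: {rejected}"
        )
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest, members=accepted)
    return accepted


if __name__ == "__main__":
    ok, bad = classify_members(build_sample_extension(), STAGING_DIR)
    print("accepted:", ok)
    print("rejected:", bad)
```

Two details are deliberate. The backslash normalisation catches archives built on Windows, where a name like `MyExtension\..\..\x` would otherwise be treated on Linux as a single odd filename that resolves inside the destination. And the comparison uses `commonpath` on resolved paths rather than a string prefix test, so a destination of `/tmp/ext` does not accept a member that resolves to `/tmp/ext-other/x`.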

2024 Hackaday Europe Call For Participation Extended

Good news, procrastineers! A few folks asked us for a little more time to get their proposals together for our upcoming 2024 Hackaday Europe event in Berlin, and we’re listening. So now you’ve got an extra week – get your proposals for talks or workshops in before February 29th.

[Joey Castillo]’s awesome custom touchpad
Hackaday Europe is a two-day event taking place April 13th and 14th in Berlin, Germany. Saturday the 13th is the big day, with a full day of badge hacking, talks, music, and everything else. We’ve got the place booked until 2 AM, so get your sleep the night before. Sunday is a half-day of brunch, lightning talks, and showing off the badge hacks from the day before. And if you’re in town on Friday the 12th, we’ll be going out in the evening for drinks and dinner, location TBA but hopefully closer than where we ended up last year!

The badge is going to be a re-spin of the Supercon badge for all of you who couldn’t fly out to the US last November. There are no secrets anymore, so get your pre-hacks started now. We’ve seen some sweet all-analog hacks, some complete revisions of the entire firmware loadout, and, of course, all sorts of awesome hardware bodged onto it. Heck, we even saw Asteroids and DOOM. But we haven’t seen any native Jerobeam Fenderson-style oscilloscope music. You’ve got your homework.

What to Bring?

A few other people have asked if they could bring in (art) projects to show and share. Of course! Depending on the scale, though, you may need to contact us beforehand. If it’s larger than a tower PC, get in touch with us, and we’ll work it out. Smaller hacks, projects in progress, and anything you want to bring along to show and inspire others with, are, of course, welcome without any strings attached.

What else might you need? A computer of your choice and a micro USB cable for programming the badge. There will be soldering stations, random parts, and someone will probably be able to lend you nearly any other piece of gear, so you can pack light if you want to. But you don’t have to.

If you’d like to attend but you don’t have tickets yet – get them soon! Space is limited, and we tend to sell out. Or better yet, submit a talk and sneak in the side door. We’d love to hear what you’ve got going on, and we can’t wait to see you all.

Our Home Automation Contest Starts Now!

Your home is your castle, and what’s better than a fully automatic castle? Nothing! That’s why we’re inviting you to submit your sweetest home automation hacks for a chance to win one of three $150 DigiKey gift certificates. The contest starts now and runs until April 16th.

[Matej]’s Home Buttons gets the job done in open-source style.
We love to play around with home automation setups and have seen our fair share, ranging from the simple “turn some lights on” to full-blown cyber-brains that learn your habits and adapt to them. Where is your project on this continuum?

Whether you’re focused on making your life easier, saving energy, gathering up all the data about your usage patterns, or simply stringing some random functions together and calling it a “system,” we’d like to see it. Nothing is too big or too small if it makes your home life easier.

Home is where the home automation is!

To enter, head over to Hackaday IO and start documenting your project there. We are, of course, interested in learning from what you’ve done, so the better the docs, the better your chances of winning. And if you need some inspiration, check out these honorable mention categories.

Honorable Mention Categories

Thanks again to DigiKey for sponsoring this with three gift certificates!

Measuring Trees Via Satellite Actually Takes A Great Deal Of Field Work

Figuring out what the Earth’s climate is going to do at any given point is a difficult task. To know how it will react to given events, you need to know what you’re working with. This requires an accurate model of everything from ocean currents to atmospheric heat absorption and the chemical and literal behavior of everything from cattle to humans to trees.

In the latter regard, scientists need to know how many trees we have to properly model the climate. This is key, as trees play a major role in the carbon cycle by turning carbon dioxide into oxygen plus wood. But how do you count trees at a continental scale? You’ll probably want to get yourself a nice satellite to do the job.


This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. The feature in question is VirusEvent, which can be enabled in the ClamAV config. That configuration includes a string formatting step, where the string’s %v and %s placeholders get replaced with the detected virus name and the file name from the email. And now you see the problem, I hope: the filename is attacker-supplied input.

Where this really gets out of hand is what ClamAV does with this string. execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of system calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient to use, there is a security problem if any of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.
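The contrast between the two designs is easy to see once you write them side by side. Below is an added example in Python, not ClamAV’s own code, that builds the VirusEvent command both ways: the pre-fix way, substituting the names into the command text before handing it to sh -c (the Python equivalent of the execle call quoted above), and the post-fix way, passing the names through the environment so the shell never parses them. The templates and the sample filename are constructed; the environment variable names are the ones I recall the ClamAV fix using, but treat them as an assumption rather than something taken from the article.

```python
import os
import subprocess

# Assumed names for the environment variables the fixed approach uses.
ENV_VIRUS = "CLAM_VIRUSEVENT_VIRUSNAME"
ENV_FILE = "CLAM_VIRUSEVENT_FILENAME"

# Constructed templates in the article's %v/%s placeholder style.
VULN_TEMPLATE = "echo %v found in %s"
FIXED_TEMPLATE = f'echo "${ENV_VIRUS} found in ${ENV_FILE}"'

# Constructed attacker-chosen filename: it carries a shell command separator.
EVIL_FILENAME = "invoice.pdf; echo injected"
VIRUS_NAME = "Test.Signature.Example"  # constructed detection name


def build_vulnerable(template, virus, filename):
    """Pre-fix style: substitute the names into the text, then run it under sh -c.

    This mirrors execle("/bin/sh", "sh", "-c", buffer_cmd, ...): the attacker
    text becomes part of the command line that the shell parses.
    """
    cmd = template.replace("%v", virus).replace("%s", filename)
    return ["/bin/sh", "-c", cmd]


def build_fixed(template, virus, filename):
    """Post-fix style: the template keeps no %s; the names travel in the environment.

    Mirrors the fix described above, which disabled the filename placeholder:
    a template that still uses %s is refused rather than expanded.
    """
    if "%s" in template:
        raise ValueError("%s is no longer supported in VirusEvent; use $" + ENV_FILE)
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        ENV_VIRUS: virus,
        ENV_FILE: filename,
    }
    return ["/bin/sh", "-c", template], env


def attacker_text_reaches_shell(argv, filename):
    """True if the filename is embedded in the string the shell will parse."""
    return filename in argv[2]


def run_fixed(template, virus, filename):
    """Run the fixed form and return what the command printed."""
    argv, env = build_fixed(template, virus, filename)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    vuln = build_vulnerable(VULN_TEMPLATE, VIRUS_NAME, EVIL_FILENAME)
    print("vulnerable sh -c string:", vuln[2])
    print("fixed output:", run_fixed(FIXED_TEMPLATE, VIRUS_NAME, EVIL_FILENAME))
```

In the vulnerable form the semicolon in the filename sits inside the string sh parses, exactly as described above. In the fixed form the same filename comes back verbatim, separator and all, because a quoted `"$VAR"` expansion is never re-parsed as shell syntax. That last point is the remaining caveat for whoever writes the template: the variable still has to be double-quoted, since an unquoted expansion would be word-split and glob-expanded, though not executed.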

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering and ships this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised.

Why Stealing A Car With Flipper Zero Is A Silly Idea

In another regular installment of politicians making ridiculous statements about technology, Canada’s Minister of Innovation, Science and Industry, [François-Philippe Champagne], suggested banning the Flipper Zero and similar devices from sale in the country, accusing them of being used for ‘stealing cars’ and the like. This didn’t sit right with [Peter Fairlie], who put together a comprehensive overview video of how car thieves really steal cars. Perhaps unsurprisingly, the main method is CAN bus injection, for which a Flipper Zero is actually a terribly clumsy device. Rather, you’d use a custom piece of kit that automates the process.

You can also find such devices sold all over the internet as so-called ‘Emergency Start’ devices, all of which use weaknesses in the car’s CAN bus network. The common problem appears to be that, with even the lights on the car being part of the CAN network these days, an attacker can gain access to the bus for injection purposes. This way no key fob is needed, and the ignition system can be triggered with the usual safeties and lockouts circumvented.

Ultimately, although the Flipper Zero is a rather cutesy toy, it doesn’t do anything that cannot be done cheaper and more effectively by anyone with a bit of CAN bus knowledge and a disregard for the law.

Thanks to [Stephen Walters] for the tip.


Apple Pushes Back On Right To Repair Bill Due To Parts Pairing

After previously supporting one in California, Apple has made an about-face and is now pushing back against a “Right to Repair” bill (Senate Bill 1596) currently under consideration in Oregon. The reason appears to be that this new bill would make parts pairing illegal, as reported by [404media] and [PCMag].

The practice of parts pairing, which links specific parts of a system such as cameras, displays, batteries, and fingerprint sensors to the mainboard, is becoming ever more prevalent in Apple devices. During the open hearing on the newly proposed Oregon bill, Apple’s [John Perry] insisted that parts pairing is done for user security, safety and privacy.

Even if we take that claim at face value, the fact remains that with parts pairing in place only authorized Apple repair centers can routinely replace components, while user repairs are limited to specific devices with limited part availability. Even in the latter case the user still has to contact Apple to have the replaced part reauthorized. This is becoming an issue with Apple’s MacBooks as well, where the lid angle sensor requires calibration using a proprietary tool.

During the same hearing, the director of an Oregon nonprofit organization noted that of the 15,000 iPhones donated to them last year, only 300 could be refurbished because of parts pairing. The remainder, otherwise perfectly fine phones, are discarded for recycling, which is terrible for everyone but Apple. Whether the parts pairing element survives into the bill’s final form remains to be seen, but if it passes it’d set the trend for future bills in other states as well as amendments to existing ones.

Thanks to [paulvdh] for the tip.