This Week In Security: LogoFail, National DNS Poison, And DNA

When there’s a vulnerability in a system library, we install updates, and go on with our lives. When there’s a vulnerability in a Java library, jars get rebuilt, and fixed builds slowly roll out. But what happens when there’s a vulnerability in a library used in firmware builds? And to make it even more fun, it’s not just a single vulnerability. All three major firmware vendors have problems when processing malicious images. And LogoFail isn’t limited to x86, either. UEFI Arm devices are vulnerable, too.

The Latest John Deere Repair Lawsuit Now Has The Go-Ahead

Long-time readers will have followed the twists and turns of the John Deere repair saga, in which the agricultural machinery manufacturer has used DRM to restrict the repair of its tractors. It may be hot stuff on the prairies, but it matters to everyone because it’s a key right-to-repair battleground. Now the company’s attempt to throw out the latest class-action lawsuit, this time in Illinois, has failed, paving the way for a meaningful challenge.

This lawsuit is special because it has the aim of determining whether or not Deere conspired to drive up the cost of repair and edge out independent mechanics. It comes against a backdrop in which their promised access to repair software, which we reported on back in January, has failed to materialize, and this is likely to figure as an act of bad faith.

A failing of corporate culture is that the organisation can, in its own eyes, never be wrong. In Deere’s case they have accrued plenty of bad publicity in the years they’ve pursued this ill-advised business model, and in case that weren’t enough, they’ve alienated their core customers out on the farms to the extent that a second-hand Deere from before the DRM era has more value than its newer counterparts. Deere genuinely do make very good tractors, so for farmers loyal for generations to turn their backs on them is a very significant story indeed. One has to ask: how much bad publicity and how many lawsuits do they have to have before someone at head office in Moline figures out that DRM in tractors (or anything else, for that matter) isn’t the great idea they once thought it was? Maybe this one will finally herald the moment when that happens.

Header image: Nheyob / CC BY-SA 4.0

An image of the inside of a vehicle wheel. An outer ring gear is attached to two articulated sets of three small helical gears attached to a central sun gear. A shaft from the right side enters into the sun gear.

A Revolution In Vehicle Drivetrains?

Power delivery in passenger vehicle drivetrains hasn’t changed much since the introduction of the constant velocity (CV) joint in the 1930s. Most electric vehicles still deliver power via the same system used by internal combustion cars. Hyundai/Kia has now revealed a system they think will provide a new paradigm with their Universal Wheel Drive System (Uni Wheel). [via Electrek]

What appears at first to be a hub motor is in fact a geared wheel that keeps the motor close without the problem of high unsprung weight. Power is fed into a sun gear which can move independently of the wheel, allowing the system to maintain a more consistent driveline and avoid the power variability over the range of suspension travel that you’d find in a CV joint experiencing high deflection.

We have some concerns about the durability of such a system when compared with the KISS and long development history of CV joints, but we can’t deny that moving the motors of an electric vehicle out to the corners would allow more packaging flexibility for the cargo and passenger areas. We’re also excited to see open source replicas make their way into smaller robotics projects now that the images have been released. If you’ve already made one in CAD, send us a tip at tips@hackaday.com.

Looking for more interesting innovations in electric cars? How about an off-grid camper van? If you think automakers are overcomplicating something that should be simple, read the Minimal Motoring Manifesto.


Update On The BLUFFS Bluetooth Vulnerability

As we first reported in yesterday’s weekly security post, researchers at EURECOM have revealed the details (PDF, references) of a new man-in-the-middle (MITM) attack on Bluetooth 4.2 through 5.4, which has been assigned CVE-2023-24023. Like preceding CVEs, it concerns the session authentication between Bluetooth devices, where the attacker uses spoofed paired or bonded devices to force the use of a much shorter encryption key length.

The name of this newly discovered vulnerability is BLUFFS (Bluetooth Forward and Future Secrecy), where forward and future secrecy are important terms that refer to the protection of secure sessions against compromise in the past (forward secrecy, FoS) and in the future (future secrecy, FuS). The CVE presentation notes that the Bluetooth specification does not cover either FuS or FoS. In total, two new architectural vulnerabilities were discovered, both of which attack the security key.

The Bluetooth SIG has released a statement regarding this attack method. Although serious, it would seem that the core issue is that some implementations allow for encryption key lengths below 7 octets:


This Week In Security: Owncloud, NXP, 0-Days, And Fingerprints

We’re back! And while the column took a week off for Thanksgiving, the security world didn’t. The most pressing news is an issue in Owncloud that is already under active exploitation.

The problem is a library that can be convinced to call phpinfo() and include the results in the page response. That function reveals a lot of information about the system Owncloud is running on, including environment variables. In something like a Docker deployment, those environment variables may contain system secrets, such as the admin username and password, among others.

Now, there is a bit of a wrinkle here. There is a public exploit, and according to research done by Greynoise Labs, that exploit does not actually work against default installs. This seems to describe the active exploitation attempts, but the researcher who originally found the issue has stated that there is a non-public exploit that does work on default installs. Stay tuned for this other shoe to drop, and update your Owncloud installs if you have them.

End Of An Era: Popular Science Shutters Magazine

Just three years after the iconic magazine abandoned its print version and went all-digital, Popular Science is now halting its subscription service entirely. The brand itself will live on — their site will still run tech stories and news articles, and they have two podcasts that will keep getting new episodes — but no more quarterly releases. While you can’t complain too much about a 151 year run, it’s still sad to see what was once such an influential publication slowly become just another cog in the content mill.

Started as a monthly magazine all the way back in 1872, Popular Science offered a hopeful vision of what was over the horizon. It didn’t present a fanciful version of what the next 100 years would look like, but rather tried to read the tea leaves of cutting-edge technology to offer a glimpse of what the next decade or so might hold. Flip through a few issues from the 1950s and 60s, and you won’t see pulpy stories about humanity conquering the stars or building a time machine. Instead, the editors got readers ready for a day when they’d drive cars with warbird-derived turbochargers, and enjoy more powerful tools once transistor technology allowed for widespread use of small brushless motors. It wasn’t just armchair engineering either; issues would often include articles written by the engineers and researchers who were on the front lines.

Iowa Demolishes Its First 3D Printed House

It sounds like a headline from the future: the weekend before Thanksgiving, a bulldozer came for the first example of a printed home that was supposed to help the housing crisis in the city of Muscatine. Fortunately, it hadn’t been completed and sold yet.

Printing of this first house began in May 2023, and nine more were to be completed by the end of the year. Unfortunately, when tested for compressive strength, the cement mixture this first home was printed from failed to meet the 5,000 PSI minimum required for the project. Rather than compromise on safety, the parties involved decided to knock it down and start over.

The goal now is to find out why the mixture, which met the strength requirements in laboratory testing, didn’t behave the same on-site. Currently, the plan is to start building the originally-planned second house in the spring, and begin construction on this first site after that.

The project is a collaborative effort between the Community Federation of Greater Muscatine (CFGM), Muscatine Community College, and Alquist 3D. Want to know more about the state of 3D printing when it comes to housing? Check out our handy guide.

Editor’s Note: The post initially indicated that the failed cement mixture contained hemp, but that has since been found to be incorrect and the post has been edited accordingly.
