One-Way Data Extraction For Logging On Airgapped Systems

If you want to protect a system from being hacked, a great way to do that is with an airgap. This term specifically refers to keeping a system off any sort of network or external connection — there is literally air in between it and other systems. Of course, this can be limiting if you want to monitor or export logs from such systems. [Nelop Systems] decided to whip up a simple workaround for this issue, creating a bespoke one-way data extraction method.

The concept is demonstrated with a pair of Raspberry Pi computers. One is hooked up to critical industrial control systems and is airgapped to protect it against outside intruders. Its UART transmit line drives the LED side of an optocoupler, and the phototransistor side of that optocoupler feeds the receive line of a second Raspberry Pi, which is itself on a network and handles the monitoring and logging duties.

This creates a reliable one-way channel from the airgapped machine to the outside world, with no path for data to flow back. There is no direct electrical connection at all: the only thing crossing the gap is light inside the optocoupler, which galvanically isolates the two computers. Security aficionados will argue that the machine is no longer really airgapped, since there is now some connection between it and the outside world, and two residual risks are worth naming. The networked Pi has to parse whatever the airgapped machine emits, so it needs to treat that stream as untrusted input, and if the airgapped side is ever compromised the link is an equally convenient exfiltration path. Because nothing can flow back, the receiver also cannot ask for a retransmit, so corrupted or dropped bytes have to be detected on the receiving end (a sequence number and checksum on each log line is the usual answer). Regardless, it would be hard to gain any sort of access through the one-way optocoupler connection. If you can conceive of a way that would work, drop it down in the comments.
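Since the receiving Pi can never ask for a retransmit, the most useful thing to layer on top of such a link is a record format that lets the receiver notice corruption and gaps on its own. The following is an added example, not code from the [Nelop Systems] build: a Python sender-side framing routine and a receiver that tracks CRC failures and missing sequence numbers. The record layout, the choice of CRC-32 and the simulated line noise are all assumptions made for the example; on real hardware the sender would write `frame()` output to its serial port and the receiver would read lines from its own.

```python
import zlib

# Framing for a unidirectional serial link: one newline-terminated record per
# log line, carrying a sequence number and a CRC-32 so the receiving side can
# spot corrupted and missing records without ever sending anything back.


def frame(seq: int, payload: str) -> bytes:
    """Build one record: <seq>\\t<escaped payload>\\t<crc32 hex>\\n."""
    # unicode_escape turns tabs, newlines and non-ASCII into \t, \n, \xNN, so a
    # log line can never masquerade as a field or record separator.
    body = str(seq).encode("ascii") + b"\t" + payload.encode("unicode_escape")
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return body + b"\t" + f"{crc:08x}".encode("ascii") + b"\n"


def parse_frame(raw: bytes):
    """Return (seq, payload) for an intact record, or None if any check fails."""
    line = raw.rstrip(b"\r\n")
    try:
        body, crc_hex = line.rsplit(b"\t", 1)
        seq_field, escaped = body.split(b"\t", 1)
        seq = int(seq_field)
        crc = int(crc_hex, 16)
    except ValueError:
        return None                      # wrong field count or non-numeric fields
    if len(crc_hex) != 8 or zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None                      # damaged in transit
    try:
        return seq, escaped.decode("unicode_escape")
    except UnicodeDecodeError:
        return None


class Receiver:
    """State kept on the networked side: accepted records plus gap statistics."""

    def __init__(self):
        self.next_seq = 0        # sequence number expected next
        self.records = []        # (seq, payload) accepted, in arrival order
        self.corrupt = 0         # records rejected by the format or CRC checks
        self.gaps = 0            # sequence numbers that never arrived intact
        self.stale = 0           # duplicates or a sender restart; nothing to ask back

    def feed(self, raw: bytes) -> None:
        parsed = parse_frame(raw)
        if parsed is None:
            self.corrupt += 1
            return
        seq, payload = parsed
        if seq < self.next_seq:
            self.stale += 1
            return
        self.gaps += seq - self.next_seq    # a corrupt record also leaves a gap
        self.next_seq = seq + 1
        self.records.append((seq, payload))


# Constructed log lines; the tab and the accented character exercise the escaping.
SAMPLE_LOG = [
    "pump1 pressure=41.2",
    "valve7\tOPEN",
    "pump1 pressure=40.9",
    "alarm: température high",
    "pump1 pressure=39.8",
]


def run_link(messages, drop=(), flip=()):
    """Push records through a simulated one-way link, dropping some and flipping
    one bit in others, and return what the receiver could make of it."""
    rx = Receiver()
    for seq, msg in enumerate(messages):
        record = frame(seq, msg)
        if seq in drop:
            continue                     # line noise ate the whole record
        if seq in flip:
            damaged = bytearray(record)
            damaged[5] ^= 0x01           # single bit error inside the payload
            record = bytes(damaged)
        rx.feed(record)
    return {"accepted": [p for _, p in rx.records],
            "corrupt": rx.corrupt, "gaps": rx.gaps}


if __name__ == "__main__":
    print(run_link(SAMPLE_LOG, drop={1}, flip={3}))
```

The receiver cannot recover a lost record, but the `gaps` and `corrupt` counters are exactly what an operator wants alarmed on: a rising gap count on a supposedly quiet link is a sign of either a wiring problem or something on the airgapped side behaving unexpectedly.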

Optocouplers are very useful things; we’ve seen them used and abused for all sorts of different applications. If you’ve found some nifty use for these simple parts, be sure to drop us a line!

This Week In Security: Cloudflare Wasn’t DNS, BADAUDIO, And Not A Vuln

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns previously only returned data from the default database. As part of related work, that behaviour was changed so the same query now returned columns from every database the given user had access to. In retrospect it seems obvious that this could cause problems, but nobody predicted that it would. The result was that the database query used to look up bot-management features returned duplicate rows for the same features.

That feature list is used to feed the Cloudflare bot classification system. That system uses some AI smarts and runs in the core proxy. There are actually two versions of the core proxy, and they behaved a bit differently when the feature list exceeded the 200 item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code: that version of the core proxy threw an error in response, leading to 5XX HTTP errors and the Internet-wide fallout. Continue reading “This Week In Security: Cloudflare Wasn’t DNS, BADAUDIO, And Not A Vuln”
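The two lessons in this story, deduplicate at the producer and fail safe at the consumer, are easy to show in miniature. The block below is an added Python illustration written for this page; it is not Cloudflare’s code (which, as noted above, is Rust), and the row layout, the database names, the limit of 200 and the way each proxy variant reacts are assumptions made for the example. It builds the feature list from query rows with and without deduplication, then feeds an over-limit list to a consumer that fails closed and to one that keeps its last known good configuration.

```python
# Constructed illustration, not Cloudflare's implementation.

FEATURE_LIMIT = 200   # the consumer only has room for this many features


def query_feature_rows(databases, n_features):
    """Stand-in for the metadata query. Before the change it only saw the default
    database; afterwards it sees every database the user can read, so each
    feature comes back once per database that carries the table."""
    return [(db, f"feature_{i:03d}") for db in databases for i in range(n_features)]


def build_feature_file(rows, dedupe=False):
    """Turn query rows into the ordered feature list the proxy loads.
    With dedupe=True a feature name is kept only once, whichever database it came from."""
    names = [name for _db, name in rows]
    if dedupe:
        names = list(dict.fromkeys(names))   # first occurrence wins, order kept
    return names


class FailClosedProxy:
    """Models the behaviour described for the newer proxy: the over-limit file is
    swapped in, and the error surfaces as a 5xx on every request that follows."""

    def __init__(self, features):
        self.features = features

    def reload(self, features):
        self.features = features            # no validation before the swap

    def handle(self, request):
        if len(self.features) > FEATURE_LIMIT:
            return 500                      # unhandled error on the request path
        return 200


class LastKnownGoodProxy:
    """Hardened variant: validate the new file before swapping it in, keep serving
    from the previous file if validation fails, and count rejections for monitoring."""

    def __init__(self, features):
        if len(features) > FEATURE_LIMIT:
            raise ValueError("initial feature file over limit")
        self.features = features
        self.rejected = 0

    def reload(self, features):
        if len(features) > FEATURE_LIMIT:
            self.rejected += 1              # surface this; do not swallow it
            return False
        self.features = features
        return True

    def handle(self, request):
        return 200


def simulate(proxy_cls, n_features=120):
    """Start from a good file, then reload one built after the permissions change
    ("replica" is a made-up second database holding the same table)."""
    good = build_feature_file(query_feature_rows(["default"], n_features))
    proxy = proxy_cls(good)
    bad = build_feature_file(query_feature_rows(["default", "replica"], n_features))
    proxy.reload(bad)
    return [proxy.handle(f"GET /{i}") for i in range(3)]


if __name__ == "__main__":
    print("fail closed:", simulate(FailClosedProxy))
    print("last known good:", simulate(LastKnownGoodProxy))
```

Neither fix is sufficient alone: deduplication stops this particular trigger, but only the validate-then-swap pattern keeps a bad configuration file from becoming a global outage the next time something else pushes the list over the limit.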

Browser Fingerprinting And Why VPNs Won’t Make You Anonymous

Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.

As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.

In the study multiple VPN services were used, and every one of them resulted in exactly the same fingerprint hash. That is because a VPN only changes the IP address the server sees, while the fingerprint is built from properties the browser itself reports, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas rendering, none of which a VPN touches.
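The hashing step and the “how unique am I” question are easy to make concrete. The block below is an added Python example, not the study’s code or the Am I Unique? service: it hashes a constructed set of browser-reported attributes (the real collection happens in JavaScript in the browser; the attribute names here are assumptions), deliberately leaves the IP address out, and then computes anonymity-set sizes over a small made-up population of laptops.

```python
import hashlib
import json
from collections import Counter

# Attributes a page can read from the browser itself (a constructed list, not
# the exact set used by the study). Canvas and WebGL are represented by a hash
# of the rendered output and the reported renderer string. The client's IP
# address is deliberately absent, which is why a VPN does not change the result.
FINGERPRINT_KEYS = ("user_agent", "platform", "languages", "screen", "timezone",
                    "fonts", "canvas_hash", "webgl_renderer")


def fingerprint(profile):
    """Hash over the browser-exposed attributes only; IP and VPN state are ignored."""
    stable = {k: profile.get(k) for k in FINGERPRINT_KEYS}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()[:16]


def anonymity_set_sizes(population):
    """Map each fingerprint to how many machines in the population share it."""
    return Counter(fingerprint(p) for p in population)


def unique_fraction(population):
    """Share of machines whose fingerprint appears exactly once in the population."""
    sizes = anonymity_set_sizes(population)
    return sum(1 for p in population if sizes[fingerprint(p)] == 1) / len(population)


# Constructed visitor profiles (documentation-range IP addresses). LAPTOP_A_VPN
# is the same machine as LAPTOP_A seen through a VPN exit: only network fields differ.
LAPTOP_A = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0",
    "platform": "Win32", "languages": ["en-US", "en"], "screen": "1920x1080x24",
    "timezone": "Europe/Berlin", "fonts": ["Arial", "Calibri", "Segoe UI"],
    "canvas_hash": "3f9a1c", "webgl_renderer": "ANGLE (Intel, Iris Xe, D3D11)",
    "ip": "203.0.113.7",
}
LAPTOP_A_VPN = dict(LAPTOP_A, ip="198.51.100.42", vpn_exit="NL")
LAPTOP_B = dict(LAPTOP_A, canvas_hash="b71e02",
                webgl_renderer="ANGLE (NVIDIA, RTX 3060, D3D11)", ip="203.0.113.8")
LAPTOP_C = dict(LAPTOP_A, timezone="America/New_York", ip="203.0.113.9")
LAPTOP_D = dict(LAPTOP_C, ip="203.0.113.10")   # same model and setup as LAPTOP_C
POPULATION = [LAPTOP_A, LAPTOP_B, LAPTOP_C, LAPTOP_D]


if __name__ == "__main__":
    print("same machine, VPN on/off:", fingerprint(LAPTOP_A) == fingerprint(LAPTOP_A_VPN))
    print("unique fraction:", unique_fraction(POPULATION))
```

With a handful of attributes two out of four machines are already unique; the real services hash dozens of properties, and the canvas and WebGL values alone carry enough hardware and driver detail that identical-looking laptops frequently separate.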

Continue reading “Browser Fingerprinting And Why VPNs Won’t Make You Anonymous”

This Week In Security: Landfall, Imunify AV, And Sudo Rust

Let’s talk about LANDFALL. That was an Android spyware campaign specifically targeted at Samsung devices. The discovery story is interesting, and possibly an important clue to understanding this particular bit of commercial malware. Earlier this year Apple’s iOS was patched for a flaw in the handling of DNG (Digital Negative) images, and WhatsApp issued an advisory for a second iOS vulnerability, which together may have been used in attacks in the wild.

Researchers at Unit 42 went looking for real-world examples of this iOS threat campaign, and instead found DNG images that exploited a similar-yet-distinct vulnerability in a Samsung image handling library. Each malicious DNG had a zip file appended to its end. The attack seems to be launched via WhatsApp messaging, just like the iOS attack. That .zip contains a pair of .so shared object files, which are loaded to manipulate the system’s SELinux protections and install the long-term spyware payload.
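An archive glued onto the end of an image is cheap to detect after the fact, because ZIP puts its End Of Central Directory record at the very end of the archive and that record says where the archive begins. The block below is an added Python example written for this page, not Unit 42’s tooling: it walks back from the EOCD record of a file that starts like a TIFF (DNG is a TIFF container) and reports the archive’s offset and member names. The “DNG” is a minimal TIFF header stub and the member names are made up.

```python
import io
import struct
import zipfile


def is_tiff_container(data: bytes) -> bool:
    """DNG files start with a TIFF byte-order mark followed by the magic 42."""
    return data[:4] in (b"II*\x00", b"MM\x00*")


def find_appended_zip(data: bytes):
    """Return (offset, member names) when a ZIP archive trails the image, else None.

    Works backwards from the End Of Central Directory record, the one ZIP
    structure guaranteed to sit at the end, and uses its central-directory size
    and offset to locate where the archive really starts inside the host file.
    """
    if not is_tiff_container(data):
        return None
    eocd = data.rfind(b"PK\x05\x06")
    if eocd == -1 or eocd + 22 > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    zip_start = eocd - cd_size - cd_offset
    # A genuine trailing archive begins with a local file header and does not
    # overlap the TIFF header; anything else is a false positive.
    if zip_start < 8 or data[zip_start:zip_start + 4] != b"PK\x03\x04":
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as archive:
        return zip_start, archive.namelist()


def _tiff_stub() -> bytes:
    """Smallest thing that passes as a TIFF: header, one empty IFD, some padding."""
    header = b"II*\x00" + struct.pack("<I", 8)          # little-endian, IFD at offset 8
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)    # zero entries, no next IFD
    return header + ifd + b"\x00" * 64


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


BENIGN_DNG = _tiff_stub()
# Constructed sample in the shape described above: image bytes, then a zip
# holding two shared objects (dummy contents, made-up names).
MALICIOUS_SAMPLE = BENIGN_DNG + _zip_bytes({
    "payload_a.so": b"\x7fELF" + b"\x00" * 60,
    "payload_b.so": b"\x7fELF" + b"\x00" * 60,
})


if __name__ == "__main__":
    print("benign:", find_appended_zip(BENIGN_DNG))
    print("sample:", find_appended_zip(MALICIOUS_SAMPLE))
```

This only finds the delivery wrapper, not the image-parser bug itself, but it is a quick triage pass over a mailbox or a messaging cache: a DNG whose trailing bytes parse as an archive of ELF shared objects has no innocent explanation.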

The earliest known sample of this spyware dates to July of 2024, and Samsung patched the DNG handling vulnerability in April 2025. Apple patched the similar DNG problem in August of 2025. The timing and similarities do suggest that these two spyware campaigns may have been related. Unit 42 has a brief accounting of the known threat actors that could have been behind LANDFALL, and concludes that there just isn’t enough solid evidence to make a determination.

Not as Bad as it Looks

Watchtowr is back with a couple more of their unique vulnerability write-ups. The first is a real tease, as they found a way to leak a healthy chunk of memory from Citrix NetScaler machines. The catch is that the leak only shows up in an error message complaining that user authentication is disabled, so it only affects a configuration that is already inappropriate for deployment, and the memory leak wasn’t assigned a CVE.

There was a second issue in the NetScaler system, an open redirect in the login system. This is where an attacker crafts a link that points at a trusted NetScaler machine, and if a user follows it, the NetScaler redirects the browser to a destination chosen by the attacker and carried in the link, lending the trusted hostname to whatever phishing page sits at the far end. It’s not a high severity vulnerability, but it still got a CVE and a fix. Continue reading “This Week In Security: Landfall, Imunify AV, And Sudo Rust”
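Open redirects are almost always a missing or naive check on a “where to go after login” parameter, and the fix is a strict allow-list that also survives the usual parser tricks. The block below is an added Python example of the flaw class, not watchTowr’s finding or Citrix’s fix: the trusted hostname, the parameter semantics and the fallback location are assumptions made for the example.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"gateway.example.com"}   # assumed: the appliance's own hostname
FALLBACK = "/"


def redirect_unchecked(candidate: str) -> str:
    """The open-redirect pattern: wherever the 'next' parameter points, we go."""
    return candidate


def safe_redirect_target(candidate: str, trusted_hosts=TRUSTED_HOSTS,
                         fallback=FALLBACK) -> str:
    """Allow only an absolute path on this host or an http(s) URL to a trusted host."""
    if not candidate or candidate != candidate.strip() or not candidate.isprintable():
        return fallback                   # empty, padded or control characters
    if "\\" in candidate:
        # Browsers treat a backslash like a slash, so "/\evil.example" becomes
        # "//evil.example"; urlsplit does not, so reject rather than normalise.
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both be trusted.
        # hostname is already lowercased and strips any user@ prefix, which
        # defeats "https://gateway.example.com@evil.example/".
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        if (parts.hostname or "").lower() not in trusted_hosts:
            return fallback
        return candidate
    # Scheme-less input: require an absolute path. "//host" is already caught
    # above as a netloc; the second test is defence in depth.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for probe in ("/dashboard?tab=1", "https://gateway.example.com/app",
                  "https://evil.example/phish", "//evil.example/phish",
                  "/\\evil.example", "https://gateway.example.com@evil.example/",
                  "javascript:alert(1)"):
        print(f"{probe!r:50} -> {safe_redirect_target(probe)!r}")
```

The probes in the main block are the ones worth keeping in a regression test: protocol-relative URLs, backslash variants, user-info tricks and non-http schemes are exactly the cases that slip past a check that only looks for the string `http`.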

Android Developer Verification Starts As Google Partially Retreats On Measures

In a recent blog post Google announced that the early access phase of its Android Developer Verification program has commenced, as previously announced. In addition Google claims to be taking note of the feedback it has been receiving, in particular from non-commercial developers for whom these new measures are incredibly inconvenient. Most notable is the ‘empowering experienced users’ section, where Google admits that developers and ‘power users’ don’t need the intensive handholding, and says it will develop an ‘advanced flow’ in which unverified apps can still be installed without jumping through (adb) hoops. Continue reading “Android Developer Verification Starts As Google Partially Retreats On Measures”

This Week In Security: Bogus Ransom, WordPress Plugins, And KASLR

There’s another ransomware story this week, but this one comes with a special twist. If you’ve followed this column for long, you’re aware that ransomware has evolved beyond just encrypting files. Perhaps we owe a tiny bit of gratitude to ransomware gangs for convincing everyone that backups are important. The downside to companies getting their backups in order is that these criminals are turning to other means to extort payment from victims, namely exfiltrating files and releasing them to the public if the victim doesn’t pay up. And this is the situation in which the Akira ransomware actors claim to have hit Apache’s OpenOffice project.

There’s just one catch. Akira is threatening to release 23 GB of stolen documents, which include employee information — and the Apache Software Foundation says those documents don’t exist. OpenOffice hasn’t received a demand and can’t find any evidence of a breach. It seems likely that Akira has hit some company, but not part of the Apache Software Foundation. Possibly someone that heavily uses OpenOffice, or even provides some level of support for that application. There is one more wrinkle here.

Since Apache OpenOffice is an open source software project, none of our contributors are paid employees for the project or the foundation…

Continue reading “This Week In Security: Bogus Ransom, WordPress Plugins, And KASLR”

ChatControl Gets Coup-De-Grace

Possibly the biggest privacy story of the year for Europeans and, by extension, the rest of the world has been ChatControl. ChatControl is a European Union proposal backed by Denmark for a mandatory backdoor in all online communications. As always with these things, it was touted as a think-of-the-children solution to online child abuse material, but as many opposed to it have warned, that concealed far more sinister possibilities. For now, it seems we can breathe easily, as the Danes are reported to have formally backed away from the proposal after it was roundly condemned by the German government, sending it firmly into the political wilderness.

Hackaday readers are likely vastly more informed on this matter than many of the general public, so you’ll have no need for a primer on the obvious privacy and security concerns of such a move. From our point of view, it also suffered from the obvious flaw of being very unlikely to succeed in its stated aim. Even the most blinkered politician should understand that criminals would simply move their traffic to newly-illegal encrypted forms of communication without government backdoors. Perhaps it speaks volumes that it was the Germans who sounded its death-knell, given that state surveillance on that level is very much within living memory for many of them.

The mood in European hackerspaces has been gloomy of late on the subject, so it’s something of a cause for celebration on the continent. If only other governments on the same side of the Atlantic could understand that intrusive measures in the name of thinking of the children don’t work.

European flags: Šarūnas Burdulis, CC BY-SA 2.0 .