Security Hacks

1518 Articles

The Invisible Battlefields Of The Russia-Ukraine War

March 7, 2022 by 27 Comments

Early in the morning of February 24th, Dr. Jeffrey Lewis, a professor at California’s Middlebury Institute of International Studies watched Russia’s invasion of Ukraine unfold in realtime with troop movements overlaid atop high-resolution satellite imagery. This wasn’t privileged information — anybody with an internet connection could access it, if they knew where to look. He was watching a traffic jam on Google Maps slowly inch towards and across the Russia-Ukraine border.

As he watched the invasion begin along with the rest of the world, another, less-visible facet of the emerging war was beginning to unfold on an ill-defined online battlefield. Digital espionage, social media and online surveillance have become indispensable instruments in the tool chest of a modern army, and both sides of the conflict have been putting these tools to use. Combined with civilian access to information unlike the world has ever seen before, this promises to be a war like no other.

Modern Cyberwarfare

The first casualties in the online component of the war have been websites. Two weeks ago, before the invasion began en masse, Russian cyberwarfare agents launched distributed denial of service (DDoS) attacks against Ukrainian government and financial websites. Subsequent attacks have temporarily downed the websites of Ukraine’s Security Service, Ministry of Foreign Affairs, and government. A DDoS attack is a relatively straightforward way to quickly take a server offline. A network of internet-connected devices, either owned by the aggressor or infected with malware, floods a target with request, as if millions of users hit “refresh” on the same website at the same time, repeatedly. The goal is to overwhelm the server such that it isn’t able to keep up and stops replying to legitimate requests, like a user trying to access a website. Russia denied involvement with the attacks, but US and UK intelligence services have evidence they believe implicates Moscow. Continue reading “The Invisible Battlefields Of The Russia-Ukraine War”

This Week In Security: Ukraine, Nvidia, And Conti

March 4, 2022 by 11 Comments

The geopolitics surrounding the invasion of Ukraine are outside the scope of this column, but the cybersecurity ramifications are certainly fitting fodder. The challenge here is that almost everything of note that has happened in the last week has been initially linked to the conflict, but in several cases, the reported link hasn’t withstood scrutiny. We do know that the Vice Prime Minister of Ukraine put out a call on Twitter for “cyber specialists” to go after a list of Russian businesses and state agencies. Many of the sites on the list did go down for some time, the digital equivalent of tearing down a poster. In response, the largest Russian ISP stopped announcing BGP routes to some of the targeted sites, effectively ending any attacks against them from the outside.

A smattering of similar events have unfolded over the last week, like electric car charging stations in Russia refusing to charge, and displaying a political message, “GLORY TO UKRAINE”. Not all the attacks have been so trivial. Researchers at Eset have identified HermeticWiper, a bit of malware with no other purpose but to destroy data. It has been found on hundreds of high-value targets, likely causing much damage. It is likely the same malware that Microsoft has dubbed FoxBlade, and published details about their response. Continue reading “This Week In Security: Ukraine, Nvidia, And Conti”

Modules described in the article (two copies of the challenge shown, so, two lines of modules)

Spaceship Repair CTF Covers Hardware Hacker Essentials

March 3, 2022 by 15 Comments

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either, there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour and a half video, it should be a great background for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.

Continue reading “Spaceship Repair CTF Covers Hardware Hacker Essentials”

You Break It, We Fix It

February 26, 2022 by 45 Comments

Apple’s AirTags have caused a stir, but for all the wrong reasons. First, they turn all iPhones into Bluetooth LE beacon repeaters, without the owner’s permission. The phones listen for the AirTags, encrypt their location, and send the data on to the iCloud, where the tag’s owner can decrypt the location and track it down. Bad people have figured out that this lets them track their targets without their knowledge, turning all iPhone users into potential accomplices to stalkings, or worse.

Naturally, Apple has tried to respond by implementing some privacy-protecting features. But they’re imperfect to the point of being almost useless. For instance, AirTags now beep once they’ve been out of range of their owner’s phone for a while, which would surely alert the target that they’re being tracked, right? Well, unless the evil-doer took the speaker out, or bought one with the speaker already removed — and there’s a surprising market for these online.

If you want to know that you’re being traced, Apple “innovated with the first-ever proactive system to alert you of unwanted tracking”, which almost helped patch up the problem they created, but it only runs on Apple phones. It’s not clear what they meant by “first-ever” because hackers and researchers from the SeeMoo group at the Technical University of Darmstadt beat them to it by at least four months with the open-source AirGuard project that runs on the other 75% of phones out there.

Along the way, the SeeMoo group also reverse engineered the AirTag system, allowing anything that can send BLE beacons to play along. This opened the door for [Fabian Bräunlein]’s ID-hopping “Find You” attack that breaks all of the tracker-detectors by using an ESP32 instead of an AirTag. His basic point is that most of the privacy guarantees that Apple is trying to make on the “Find My” system rely on criminals using unmodified AirTags, and that’s not very likely.

To be fair, Apple can’t win here. They want to build a tracking network where only the good people do the tracking. But the device can’t tell if you’re looking for your misplaced keys or stalking a swimsuit model. It can’t tell if you’re silencing it because you don’t want it beeping around your dog’s neck while you’re away at work, or because you’ve planted it on a luxury car that you’d like to lift when its owners are away. There’s no technological solution for that fundamental problem.

But hackers are patching up the holes they can, and making the other holes visible, so that we can at least have a reasonable discussion about the tech’s tradeoffs. Apple seems content to have naively opened up a Pandora’s box of privacy violation. Somehow it’s up to us to figure out a way to close it.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week In Security: Updraft, Termux, And Magento

February 25, 2022 by 7 Comments

One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem — endpoints that lacked proper authentication. The heartbeat function allows any user to access it, and it returns the latest backup nonce.

A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifiers for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function, to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.

Continue reading “This Week In Security: Updraft, Termux, And Magento”

Pixelating Text Not A Good Idea

February 23, 2022 by 63 Comments

People have gotten much savvier about computer security in the last decade or so. Most people know that sending a document with sensitive information in it is a no-no, so many people try to redact documents with varying levels of success. A common strategy is to replace text with a black box, but you sometimes see sophisticated users pixelate part of an image or document they want to keep private. If you do this for text, be careful. It is possible to unredact pixelated images through software.

It appears that the algorithm is pretty straightforward. It simply guesses letters, pixelates them, and matches the result. You do have to estimate the size of the pixelation, but that’s usually not very hard to do. The code is built using TypeScript and while the process does require a little manual preparation, there’s nothing that seems very difficult or that couldn’t be automated if you were sufficiently motivated.

Continue reading “Pixelating Text Not A Good Idea”

No Privacy: Cloning The AirTag

February 22, 2022 by 55 Comments

You’ve probably heard of the infamous rule 34, but we’d like to propose a new rule — call it rule 35: Anything that can be used for nefarious purposes will be, even if you can’t think of how at the moment. Case in point: apparently there has been an uptick in people using AirTags to do bad things. People have used them to stalk people or to tag cars so they can be found later and stolen. According to [Fabian Bräunlein], Apple’s responses to this don’t consider cases where clones or modified AirTags are in play. To prove the point, he built a clone that bypasses the current protection features and used it to track a willing experimental subject for 5 days with no notifications.

According to the post, Apple says that AirTags have serial numbers and beep when they have not been around their host Apple device for a certain period. [Fabian] points out that clone tags don’t have serial numbers and may also not have speakers. There is apparently a thriving market, too, for genuine tags that have been modified to remove their speakers. [Fabian’s] clone uses an ESP32 with no speaker and no serial number.

The other protection, according to Apple, is that if they note an AirTag moving with you over some period of time without the owner, you get a notification. In other words, if your iPhone sees your own tag repeatedly, that’s fine. It also doesn’t mind seeing someone else’s tags if they are near you. But if your phone sees a tag many times and the owner isn’t around, you get a notification. That way, you can help identify random tags, but you’ll know if someone is trying to track you. [Fabian] gets around that by cycling between 2,000 pre-loaded public keys so that the tracked person’s device doesn’t realize that it is seeing the same tag over and over. Even Apple’s Android app that scans for trackers is vulnerable to this strategy.

Even for folks who aren’t particularly privacy minded, it’s pretty clear a worldwide network of mass-market devices that allow almost anyone to be tracked is a problem. But what’s the solution? Even the better strategies employed by AirGuard won’t catch everything, as [Fabian] explains.

This isn’t the first time we’ve had a look at privacy concerns around AirTags. Of course, it is always possible to build a tracker. But it is hard to get the worldwide network of Bluetooth listeners that Apple has.