Flipper Zero tool reading bank card, displaying data on LCD

What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

October 4, 2021 by Donald Papp 29 Comments

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Drawing of Flipper Zero and a variety of RFID tags — Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available, sadly there is just no getting around component shortages that seem to be affecting everyone.

Flaw In AMD Platform Security Processor Affects Millions Of Computers

October 1, 2021 by Lewin Day 30 Comments

Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.

As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.

Continue reading “Flaw In AMD Platform Security Processor Affects Millions Of Computers” →

This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea

October 1, 2021 by Jonathan Bennett 13 Comments

We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.

Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.

Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe. Continue reading “This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea” →

Adversarial Makeup: Your Contouring Skills Could Defeat Facial Recognition

September 24, 2021 by Lewin Day 30 Comments

Facial recognition is everywhere these days. Cloud servers churn through every picture uploaded to social media, phone cameras help put faces to names, and CCTV systems are being used to trace citizens in their day-to-day lives. You might want to dodge this without arousing suspicion, just for a little privacy now and then. As it turns out, common makeup techniques can help you do just that.

In research from a group at the Ben-Gurion University of the Negev, the team trialled whether careful makeup contouring techniques could fool a facial recognition system. There are no wild stripes or dazzle patterns here; these techniques are about natural looks and are used by makeup artists every day.

The trick is to use a surrogate facial recognition system and a picture of the person who intends to evade. Digital techniques are used to alter the person’s appearance until it fools the facial recognition system. This is then used as a guide for a makeup artist to recreate using typical contouring techniques.

The theory was tested with a two-camera system in a corridor. The individual was identified correctly in 47.57% of frames in which a face was detected when wearing no makeup. With random makeup, this dropped to 33.73%, however with the team’s intentionally-designed makeup scheme applied, the attacker was identified in just 1.22% of frames. (PDF)

The attack relies on having a good surrogate of the facial recognition system one wishes to fool. Else, it’s difficult to properly design appropriate natural-look makeup to fool the system. However, it goes to show the power of contouring to completely change one’s look, both in front of humans and the machines!

Facial recognition remains a controversial issue, but nothing is stopping its rollout across the world. Indeed, your facial profile may already be out there.

This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS

September 24, 2021 by Jonathan Bennett 23 Comments

In case you needed yet another example of why your IoT devices shouldn’t be exposed to the internet, a large swath of Hikvision IP Cameras have a serious RCE vulnerability. CVE-2021-36260 was discovered by the firm Watchful_IP in the UK. In Hikvision’s disclosure, they refer to the problem as a command injection vulnerability in the device’s web interface. The vuln is pre-authentication, and requires no user interaction. This could be something as simple as a language chooser not sanitizing the inputs on the back-end, and being able to use backticks or a semicolon to trigger an arbitrary command.

Now you’re probably thinking, “I don’t use Hikvision cameras.” The sneaky truth is that a bunch of cameras with different brand names are actually Hikvision hardware, with their firmware based on the Hikvision SDK. The outstanding question about this particular vulnerability is whether it’s present in any of the re-labelled cameras. Since the exact vulnerability has yet to be disclosed, it’s hard to know for sure whether the relabeled units are vulnerable. But if we were betting… Continue reading “This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS” →

Bluetooth Vulnerability: Arbitrary Code Execution On The ESP32, Among Others

September 23, 2021 by Lewin Day 21 Comments

Bluetooth has become widely popular since its introduction in 1999. However, it’s also had its fair share of security problems over the years. Just recently, a research group from the Singapore University of Technology and Design found a serious vulnerability in a large variety of Bluetooth devices. Having now been disclosed, it is known as the BrakTooth vulnerability.

Full details are not yet available; the research team is waiting until October to publicly release proof-of-concept code in order to give time for companies to patch their devices. The basic idea however, is in the name. “Brak” is the Norweigan word for “crash,” with “tooth” referring to Bluetooth itself. The attack involves repeatedly attempting to crash devices to force them into undesired operation.

The Espressif ESP32 is perhaps one of the worst affected. Found in all manner of IoT devices, the ESP32 can be fooled into executing arbitrary code via this vulnerability, which can do everything from clearing the devices RAM to flipping GPIO pins. In smart home applications or other security-critical situations, this could have dire consequences.

Other chipsets are affected to varying degrees, including parts from manufacturers like Texas Instruments and Cypress Semiconductor. Some parts are vulnerable to denial of service, while audio devices may be frozen up or shut down by the attack. The group claims over 1400 products could be affected by the bug.

Firmware patches are being rolled out, and researcher [Matheus E. Garbelini] has released code to build a sniffer device for the vulnerability on GitHub. If you’re involved with the design or manufacture of Bluetooth hardware, it might pay to start doing some homework on this one! Concerned vendors can apply for proof-of-concept test code here.

This Week In Security: Office 0-day, ForcedEntry, ProtonMail, And OMIGOD

September 17, 2021 by Jonathan Bennett 10 Comments

A particularly nasty 0-day was discovered in the wild, CVE-2021-40444, a flaw in how Microsoft’s MSHTML engine handled Office documents. Not all of the details are clear yet, but the result is that opening a office document can trigger a remote code execution. It gets worse, though, because the exploit can work when simply previewing a file in Explorer, making this a potential 0-click exploit. So far the attack has been used against specific targets, but a POC has been published.

It appears that there are multiple tricks that should be discrete CVEs behind the exploit. First, a simple invocation of mshtml:http in an Office document triggers the download and processing of that URL via the Trident engine, AKA our old friend IE. The real juicy problem is that in Trident, an iframe can be constructed with a .cpl URI pointing at an inf or dll file, and that gets executed without any prompt. This is demonstrated here by [Will Dormann]. A patch was included with this month’s roundup of fixes for Patch Tuesday, so make sure to update. Continue reading “This Week In Security: Office 0-day, ForcedEntry, ProtonMail, And OMIGOD” →