This Week In Security: Zen Jailbreak, Telegram Exploit, And VMware Hyperjack

The fine researchers at Google have released the juicy details on EntrySign, the AMD Zen microcode issue we first covered about a month ago. And to give away the punchline: cryptography is hard. It’s hard in lots of ways, but the AMD problem here is all about keeping track of the guarantees provided by cryptographic primitives.
Continue reading “This Week In Security: Zen Jailbreak, Telegram Exploit, And VMware Hyperjack”

An excerpt from the website, showing the nRootTag block diagram and describing its structure

Hijacking AirTag Infrastructure To Track Arbitrary Devices

In case you weren’t aware, Apple devices around you are constantly scanning for AirTags. Now, imagine you’re carrying your laptop around – no WiFi connectivity, but BLE’s on as usual, and there’s a little bit of hostile code running at user privileges, say, a third-party app. Turns out, it’d be possible to make your laptop or phone pretend to be a lost AirTag – making it and you trackable whenever an iPhone is around.

The nroottag website isn’t big on details, but the paper ought to detail more; the hack does require a bit of GPU firepower, but nothing too out of the ordinary. The specific vulnerabilities making this possible have been patched in newer iOS and MacOS versions, but it’s still possible to pull off as long as an outdated-firmware Apple device is nearby!

Of course, local code execution is often considered a game over, but it’s pretty funny that you can do this while making use of the Apple AirTag infrastructure, relatively unprivileged, and, exfiltrate location data without any data connectivity whatsoever, all as long as an iPhone is nearby. You might also be able to exflitrate other data, for what it’s worth – here’s how you can use AirTag infrastructure to track new letter arrivals in your mailbox!

Here’s A Spy Movie-Grade Access Card Sniffing Implant

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.

Screenshot of the REPL running on the Flipper, importing the flipper API library and calling infrared receive function out of it with help of autocomplete

A MicroPython Interpreter For Flipper Zero

Got a Flipper Zero? Ever wanted to use a high-level but powerful scripting language on it? Thanks to [Oliver] we now have a MicroPython application for the Flipper, complete with a library for hardware and software feature support. Load it up, start it up, connect over USB, and you’ve got the ever-so-convenient REPL at your disposal. Or, upload a Python script to your Flipper and run them directly from Flipper’s UI at your convenience!

In the API docs, we’re seeing support for every single primitive you could want – GPIO (including the headers at the top, of course), a healthy library for LCD and LCD backlight control, button handling, SD card support, speaker library for producing tones, ADC and PWM, vibromotor, logging, and even infrared transmit/receive support. Hopefully, we get support for Flipper’s wireless capabilities at some point, too!

Check out the code examples, get the latest release from the Flipper app portal or GitHub, load it up, and play! Mp-flipper has existed for the better half of a year now, so it’s a pretty mature application, and it adds quite a bit to Flipper’s use cases in our world of hardware hacking. Want to develop an app for the Flipper in Python or otherwise? Check out this small-screen UI design toolkit or this editor we’ve featured recently!

A PCR machine with its side cover taken off exposing its guts, and the tray extended out

Making A PCR Machine Crypto Sign Its Results

Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.

Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its daughter-software, and confined it into a pipeline that automatically signs each result with help of a HSM (Hardware Security Module).

A many machines do, this one has to be paired to a PC, running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by TEE (Trusted Execution Environment). The software’s output is now piped into a data diode virtual serial port out of the VM, immediately signed with the HSM, and signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.

This design is just a part of the puzzle, given a typical chain of custody for samples in medical research, but it’s a solid start – and it happens to help make the Windows XP setup more resilient, too.

Wondering what PCR testing is good for? Tons of things all over the medical field, for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceivingly simple to reasonably complex!

This Week In Security: Malicious Themes, Crypto Heists, And Wallbleed

It’s usually not a good sign when your downloaded theme contains obfuscated code. Yes, we’re talking about the very popular Material Theme for VSCode. This one has a bit of a convoluted history. One of the authors wanted to make some money from all those downloads. The original Material Theme was yanked from the VSCode store, the source code (improperly) re-licensed as closed source, and replaced with freemium versions. And this week, those freemium versions have been pulled by Microsoft for containing malware.
Continue reading “This Week In Security: Malicious Themes, Crypto Heists, And Wallbleed”

This Week In Security: OpenSSH, JumbledPath, And RANsacked

OpenSSH has a newly fixed pair of vulnerabilities, and while neither of them are lighting the Internet on fire, these are each fairly important.

The central observation made by the Qualsys Threat Research Unit (TRU) was that OpenSSH contains a code paradigm that could easily contain a logic bug. It’s similar to Apple’s infamous goto fail; SSL vulnerability. The setup is this: An integer, r, is initialized to a negative value, indicating a generic error code. Multiple functions are called, with r often, but not always, set to the return value of each function. On success, that may set r to 0 to indicate no error. And when one of those functions does fail, it often runs a goto: statement that short-circuits the rest of the checks. At the end of this string of checks would be a return r; statement, using the last value of r as the result of the whole function.

Continue reading “This Week In Security: OpenSSH, JumbledPath, And RANsacked”