Slider

4980 Articles

How To Hack A Portable Bluetooth Speaker By Skipping The Bluetooth

February 4, 2020 by 54 Comments

Portable Bluetooth speakers have joined the club of ubiquitous personal electronics. What was once an expensive luxury is now widely accessible thanks to a prolific landscape of manufacturers mass producing speakers to fit every taste and budget. Some have even become branded promotional giveaway items. As a consequence, nowadays it’s not unusual to have a small collection of them, a fertile field for hacking.

But many surplus speakers are put on a shelf for “do something with it later” only to collect dust. Our main obstacle is a side effect of market diversity: with so many different speakers, a hack posted for one speaker wouldn’t apply to another. Some speakers are amenable to custom firmware, but only a small minority have attracted a software development community. It doesn’t help that most Bluetooth audio modules are opaque, their development toolchains difficult to obtain.

So what if we just take advantage of the best parts of these speakers: great audio fidelity, portability, and the polished look of a consumer good, to serves as the host for our own audio-based hacks. Let’s throw the Bluetooth overboard but embrace all those other things. Now hacking these boxes just requires a change of mindset and a little detective work. I’ll show you how to drop an Arduino into a cheap speaker as the blueprint for your own audio adventures.

Continue reading “How To Hack A Portable Bluetooth Speaker By Skipping The Bluetooth”

Linux Fu: The Linux Shuffle

February 3, 2020 by 35 Comments

Computers are known to be precise and — usually — repeatable. That’s why it is so hard to get something that seems random out of them. Yet random things are great for games, encryption, and multimedia. Who wants the same order of a playlist or slide show every time?

It is very hard to get truly random numbers, but for a lot of cases, it isn’t that important. Even better, if you programming or using a scripting language, there are lots of things that you can use to get some degree of randomness that is sufficient for many purposes. Continue reading “Linux Fu: The Linux Shuffle”

The Internet Of Football

January 31, 2020 by 37 Comments

While football in the United States means something totally different from what it means in the rest of the world, fans everywhere take it pretty seriously. This Sunday is the peak of U.S. football frenzy, the Super Bowl, and it is surprisingly high-tech. The NFL has invested in a lot of technology and today’s football stats are nothing like those of the last century thanks to some very modern devices.

It is kind of interesting since, at the core, the sport doesn’t really need a lot of high tech. A pigskin ball, some handkerchiefs, and a field marked off with some lime and a yardstick will suffice. However, we’ve seen a long arc of technology in scoreboards, cameras — like instant replay — and in the evolution of protective gear. But the last few years have seen the rise of data collection. It’s being driven by RFID tags in the player’s shoulder pads.

These aren’t the RFID chips in your credit card. These are long-range devices and in the right stadium, a computer can track not only the player’s position, but also his speed, acceleration, and a host of other statistics.

Continue reading “The Internet Of Football”

This Week In Security: OpenSMTPD, Kali Release, Scareware, Intel, And Unintended Consequences

January 31, 2020 by 15 Comments

If you run an OpenBSD server, or have OpenSMTPD running on a server, go update it right now. Version 6.6.2, released January 28th, fixes an exploit that can be launched locally or remotely, simply by connecting to the SMTP service. This was found by Qualys, who waited till the update was released to publish their findings.

It’s a simple logic flaw in the code that checks incoming messages. If an incoming message has either an invalid sender’s username, or invalid domain, the message is sent into error handling logic. That logic checks if the domain is an empty string, in which case, the mail is processed as a local message, sent to the localhost domain. Because the various parts of OpenSMTPD operate by executing commands, this logic flaw allows an attacker to inject unexpected symbols into those commands. The text of the email serves as the script to run, giving an attacker plenty of room to totally own a system as a result.

Browser Locker

“Your browser has been locked to prevent damage from a virus. Please call our Windows help desk immediately to prevent further damage.” Sound familiar? I can’t tell you how many calls I’ve gotten from freaked-out customers, who stumbled upon a scare-ware site that locked their browser. This sort of scam is called a browlock, and one particular campaign was pervasive enough to catch the attention of the researchers at Malwarebytes (Note, the picture at the top of their article says “404 error”, a reference to a technique used by the scam. Keep reading, the content should be below that.).

“WOOF”, Malwarebyte’s nickname for this campaign, was unusual both in its sophistication and the chutzpah of those running it. Browsers were hit via ads right on the MSN homepage and other popular sites. Several techniques were used to get the malicious ads onto legitimate sites. The most interesting part of the campaign is the techniques used to only deliver the scareware payload to target computers, and avoid detection by automated scanners.

It seems that around the time Malwarebytes published their report, the central command and control infrastructure behind WOOF was taken down. It’s unclear if this was a coincidence, or was a result of the scrutiny they were under from the security community. Hopefully WOOF is gone for good, and won’t simply show up at a different IP address in a few days.

Kali Linux

Kali Linux, the distribution focused on security and penetration testing, just shipped a shiny new release. A notable new addition to the Kali lineup is a rootless version of their Android app. Running an unrooted Android, and interested in having access to some security tools on the go? Kali now has your back.

Not all the tools will work without root, particularly those that require raw sockets, and sending malformed packets. It’s still a potentially useful tool to put into your toolbox.

Cacheout, VRD, and Intel iGPU Leaks

Intel can’t catch a break, with three separate problems to talk about. First up is cacheout, or more properly, CVE-2020-0549, also known as L1DES. It’s a familiar song and dance, just a slightly different way to get there. On a context switch, data in the Level 1 cache isn’t entirely cleared, and known side-channel attacks can be used to read that data from unprivileged execution.

VRD, Vector Register Sampling, is another Intel problem just announced. So far, it seems to be a less exploitable problem, and microcode updates are expected soon to fix the issue.

The third issue is a bit different. Instead of the CPU, this is a data leak via the integrated GPU. You may be familiar with the most basic form of this problem. Some video games will flash garbage on the screen for a few moments while loading. In some cases, rather than just garbage, images, video stills, and other graphics can appear. Why? GPUs don’t necessarily have the same strict separation of contexts that we expect from CPUs. A group of researchers realized that the old assumptions no longer apply, as nearly every application is video accelerated to some degree. They published a proof of concept, linked above, that demonstrates the flaw. Before any details were released, Phoronix covered the potential performance hit this would cause on Linux, and it’s not great.

Unintended Legal Consequences

Remember the ransomware attack that crippled Baltimore, MD? Apparently the Maryland legislature decided to step in and put an end to ransomware, by passing yet another law to make it illegal. I trust you’ll forgive my cynicism, but the law in question is a slow-moving disaster. Among other things, it could potentially make the public disclosure of vulnerabilities a crime, all while doing absolutely nothing to actually make a difference.

GE Medical Equipment Scores 10/10

While scoring a 10 out of 10 is impressive, it’s not something to be proud of, when we’re talking about a CVE score, where it’s the most critical rating. GE Healthcare, subsidiary of General Electric, managed five separate 10.0 CVEs in healthcare equipment that they manufacture, and an 8.5 for a sixth. Among the jewels are statements like:

In the case of the affected devices, the configuration also contains a private key. …. The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products.

The rest of the vulnerabilities are just as crazy. Hard-coded SMB passwords, a network KVM that has no credential checking, and ancient VNC versions. We’ve known for quite some time that some medical equipment is grossly insecure. It will apparently take a security themed repeat of the Therac-25 incident before changes take place.

Odds’n’ends

The Windows 7 saga continues, as Microsoft’s “last” update for the venerable OS broke many users’ desktop backgrounds. Microsoft plans to release a fix.

Firefox purged almost 200 extensions from their official portal over the last few weeks. It was found that over 100 extensions by 2Ring was secretly pulling and running code from a central server.

The Citrix problems we discussed last week has finally been addressed, and patches released, but not soon enough to prevent the installation of future-proof backdoors on devices in the wild. There are already plenty of reports of compromised devices. Apparently the exploitation has been so widespread, that Citrix has developed a scanning tool to check for the indicators of compromise (IoCs) on your devices. Apply patch, check for backdoors.

Retrotechtacular: Teasmade

January 30, 2020 by 70 Comments

We’re used to our domestic appliances being completely automated in 2020, but not so long ago they were much simpler affairs. Not everything required a human to run it though, an unexpected piece of electromechanical automation could be found in British bedrooms. This is the story of the Goblin Teasmade, an alarm clock with a little bit extra.

Continue reading “Retrotechtacular: Teasmade”

The Spitzer Space Telescope Ends Its Incredible Journey

January 30, 2020 by 34 Comments

Today, after 16 years of exemplary service, NASA will officially deactivate the Spitzer Space Telescope. Operating for over a decade beyond its designed service lifetime, the infrared observatory worked in tandem with the Hubble Space Telescope to reveal previously hidden details of known cosmic objects and helped expand our understanding of the universe. In later years, despite never being designed for the task, it became an invaluable tool in the study of planets outside our own solar system.

While there’s been no cataclysmic failure aboard the spacecraft, currently more than 260 million kilometers away from Earth, the years have certainly taken their toll on Spitzer. The craft’s various technical issues, combined with its ever-increasing distance, has made its continued operation cumbersome. Rather than running it to the point of outright failure, ground controllers have decided to quit while they still have the option to command the vehicle to go into hibernation mode. At its distance from the Earth there’s no danger of it becoming “space junk” in the traditional sense, but a rogue spacecraft transmitting randomly in deep space could become a nuisance for future observations.

From mapping weather patterns on a planet 190 light-years away in the constellation Ursa Major to providing the first images of Saturn’s largest ring, it’s difficult to overstate the breadth of Spitzer’s discoveries. But these accomplishments are all the more impressive when you consider the mission’s storied history, from its tumultuous conception to the unique technical challenges of long-duration spaceflight.

Continue reading “The Spitzer Space Telescope Ends Its Incredible Journey”

DDR-5? DDR-4, We Hardly Knew Ye

January 29, 2020 by 32 Comments

This month’s CES saw the introduction of max speed DDR5 memory from SK Hynix. Micron and other vendors are also reportedly sampling similar devices. You can’t get them through normal channels yet, but since you also can’t get motherboards that take them, that’s not a big problem. We hear Intel’s Xeon Sapphire Rapids will be among the first boards to take advantage of the new technology. But that begs the question: what is it?

SDRAM Basics

Broadly speaking, there are two primary contenders for a system that needs RAM memory: static and dynamic. There are newer technologies like FeRAM and MRAM, but the classic choice is between static and dynamic. Static RAM is really just a bunch of flip flops, one for each bit. That’s easy because you set it and forget it. Then later you read it. It can also be very fast. The problem is a flip flop usually takes at least four transistors, and often as many as six, so there’s only so many of them you can pack into a certain area. Power consumption is often high, too, although modern devices can do pretty well.

Continue reading “DDR-5? DDR-4, We Hardly Knew Ye”