This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT

We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal Integrated Circuit Card (UICC), or smart card. Subscriber data isn’t a simple text string, but a program running on the smart card’s tiny processor, acting as a hardware cryptographic token. The presence of this tiny processor in everyone’s cell phone was eventually put to use in the form of the SIM Application Toolkit (STK), which allowed cell phone networks to add services to very basic cell phones, such as mobile banking and account management.

Legacy software running in a place most of us have forgotten about? Sounds like it’s ripe for exploitation. The researchers at Adaptive Mobile Security discovered that this environment has been exploited via SMS for quite some time. In an era of complicated and sophisticated attacks, Simjacker seems almost refreshingly simple. An execution environment included on many SIM cards, the S@T Browser, can request data from the cell phone’s OS, and even send SMS messages. The attacker simply sends an SMS to this environment containing instructions to request the phone’s unique identifier and current GPS location, and to send that information back in another SMS message.

It’s questionable whether there is actually an exploit here, as it seems the S@T Browser is just insecure by design. Either way, the fact that essentially anyone can track a cell phone simply by sending a special SMS message to that phone is quite a severe problem.

Watching The Watchers: The State Of Space Surveillance

By now you’ve almost certainly heard about the recent release of a high-resolution satellite image showing the aftermath of Iran’s failed attempt to launch their Safir liquid fuel rocket. The geopolitical ramifications of Iran developing this type of ballistic missile technology are certainly a newsworthy story in their own right, but in this case, there’s been far more interest in how the picture was taken. Given known variables such as the time and date of the incident and the location of the launch pad, analysts have determined it was likely taken by a classified American KH-11 satellite.

The image is certainly striking, showing a level of detail that far exceeds what’s available through any of the space observation services we as civilians have access to. Estimated to have been taken from a distance of approximately 382 km, the image appears to have a resolution of at least ten centimeters per pixel. Given that the orbit of the satellite in question dips as low as 270 km on its closest approach to the Earth’s surface, it’s likely that the maximum resolution is even higher.

Of course, there are many aspects of the KH-11 satellites that remain highly classified, especially in regards to the latest hardware revisions. But their existence and general design has been common knowledge for decades. Images taken from earlier generation KH-11 satellites were leaked or otherwise released in the 1980s and 1990s, and while the Iranian image is certainly of a higher fidelity, this is not wholly surprising given the intervening decades.

What we know far less about are the orbital surveillance assets that supersede the KH-11. The satellite that took this image, known by its designation USA 224, has been in orbit since 2011. The National Reconnaissance Office (NRO) has launched a number of newer spacecraft since then, with several more slated to be lifted into orbit between now and 2021.

So let’s take a closer look at the KH-11 series of reconnaissance satellites, and compare that to what we can piece together about what the next generation of orbital espionage technology, already circling overhead, might be capable of.


Books You Should Read: Exact Constraint: Machine Design Using Kinematic Principles

Surely, if you’re reading this website you’ve teased the thought of building your own 3D printer. I certainly did. But from my years of repeated rebuilds of my homebrew laser cutter, I learned one thing: machine design is hard, and parts cost money. Rather than jump the gun and start iterating on a few machine builds like I’ve done before, I thought I’d try to tease out the founding principles of what makes a rock-solid machine. Along the way, I discovered this book: Exact Constraint: Machine Design Using Kinematic Principles by Douglass L. Blanding.

This book is a casual but thorough introduction to the design of machines using the method of exact constraint. This methodology invites us to carefully assess how parts connect and move relative to each other. Rather than exclusively relying on precision parts, like linear guides or bearings, to limit a machine’s degrees of freedom, this book shows us a means of restricting degrees of freedom by looking at the basic kinematic connections between parts. By doing so, we can save cost by using precision rails and bearings only in the places where they are absolutely necessary.

While this promise might seem abstract, consider the movements made by a 3D printer. Many styles of this machine rely on motor-driven movement along three orthogonal axes: X, Y, and Z. We usually restrict individual motor movement to a single axis by constraining it using a precision part, like a linear rod or rail. However, working out the details of how we physically constrain the motor’s movements using these parts is a non-trivial task. Overconstrain the axis, and it will either bind or wiggle. Underconstrain it, and it may translate or twist in unwanted directions. Properly constraining a machine’s degrees of freedom is a fundamental aspect of building a solid machine. This is the core subject of the book: how to join these precision parts together in a way that leads to precision movement only in the directions that we want.

Part of what makes this book so fantastic is that it makes no heavy expectations about prior knowledge to pick up the basics, although be prepared to draw some diagrams. Concepts are unfolded in a generous step-by-step fashion with well-diagrammed examples. As you progress, the training wheels come loose, and examples become less-heavily decorated with annotations. In this sense, the book is extremely coherent as subsequent chapters build off ideas from the previous. While this may sound daunting, don’t fret! The entire book is only about 140 pages in length.


Lambdas For C — Sort Of

A lot of programming languages these days feature lambda functions, or what I would be just as happy to call anonymous functions. Some people make a big deal out of these but the core idea is very simple. Sometimes you need a little snippet of code that you only need in one place — most commonly, as a callback function to pass to another function — so why bother giving it a name? Depending on the language, there can be more to it than that, especially if you get into closures and currying.

For example, in Python, the map function takes a function as an argument. Suppose you have a list and you want to capitalize each word in the list. A Python string has a capitalize method and you could write a loop to apply it to each element in the list. However, map and a lambda can do it more concisely:

# list() forces evaluation: in Python 3, map() returns a lazy iterator
list(map(lambda x: x.capitalize(), ['madam', 'im', 'adam']))

The anonymous function here takes an argument x and calls the capitalize method on it. The map call ensures that the anonymous function is called once for each item.

Modern C++ has lambda expressions. However, in C you have to define a function by name and pass a pointer — not a huge problem, but it can get messy if you have a lot of callback functions that you use only one time. It’s just hard to think up that many disposable function names. However, if you use gcc, there are some nonstandard C features you can use to get most of what you want out of lambda expressions.


Why Ada Is The Language You Want To Be Programming Your Systems With

The Ada programming language was born in the mid-1970s, when the US Department of Defense (DoD) and the UK’s Ministry of Defence sought to replace the hundreds of specialized programming languages used for the embedded computer systems that increasingly made up essential parts of military projects. Instead, Ada was designed to be a single language, capable of running on all of those embedded systems, that offered the same or better level of performance and reliability.

With the 1995 revision, the language also targeted general purpose systems and added support for object-oriented programming (OOP) while not losing sight of the core values of reliability, maintainability and efficiency. Today, software written in Ada forms the backbone of not only military hardware, but also commercial projects like avionics and air-traffic control systems. Ada code controls rockets like the Ariane 4 and 5, many satellites, and countless other systems where small glitches can have major consequences.

Ada might also be the right choice for your next embedded project.

Sensor Filters For Coders

Anybody interested in building their own robot, sending spacecraft to the moon, or launching inter-continental ballistic missiles should have at least some basic filter options in their toolkit, otherwise the robot will likely wobble about erratically and the missile will miss its target.

What is a filter anyway? In practical terms, the filter should smooth out erratic sensor data with as little time lag, or ‘error lag’, as possible. In the case of the missile, it could travel nice and smoothly through the air, but miss its target because the positional data is getting processed ‘too late’. The simplest filter, which many of us will have already used, is to pause our code, take about 10 quick readings from our sensor and then calculate the mean by summing them and dividing by 10. Incredibly simple and effective as long as our machine or process is not time sensitive – perfect for a weather station temperature sensor, although wind direction is slightly more complicated. A wind vane is actually an example of a good sensor giving ‘noisy’ readings: not that the sensor itself is noisy, but that wind is inherently gusty and is constantly changing direction.

It’s a really good idea to try and model our data on some kind of computer running software that will print out graphs – I chose the Raspberry Pi and installed Jupyter Notebook running Python 3.

The photo on the left shows my test rig. There’s a PT100 probe with its MAX31865 break-out board, a Dallas DS18B20 and a DHT22. The shield on the Pi is a GPS shield which is currently not used. If you don’t want the hassle of setting up these probes, there’s a Jupyter Notebook file that can also use the internal temperature sensor in the Raspberry Pi. It’s incredibly quick and easy to get up and running.

It’s quite interesting to see the performance of the different sensors, but I quickly ended up completely mangling the data from the DS18B20 by artificially adding randomly generated noise and some very nasty data spikes to really punish the filters as much as possible. Getting the temperature data to change rapidly was achieved by putting a small piece of frozen Bockwurst on top of the DS18B20 and then removing it again.


This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature — Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement for portable phone numbers: the attacker claims to be switching to a new carrier. In a SIM-swap scam, the attacker convinces the existing carrier that they are switching to a new phone and new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM-swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

In an odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third-party advertisement library.

Updates

Last week we talked about Devcore and their VPN appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.