This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was working as a CA-in-the-Middle, wrapping other CAs’ authentication services. Those services don’t support ACME authentication at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. It appears to work like this: the end user sends a certificate request to HiCA. HiCA takes that information, and initiates a certificate request off to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in the RCE and sends it to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and bypasses the ACME protection against exactly this sort of CA-in-the-middle situation.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being signed, and looks for the token to be there. Once found, it sends the signed certificates to HiCA, who then forward them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert they handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service.
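One way a shell ACME client can treat a CA's challenge response as untrusted data is sketched below. This is an added example, not code from acme.sh or from the article; the function names, the webroot layout and the sample tokens are assumptions, and the token rules come from RFC 8555 section 8.3.

```sh
#!/bin/sh
# Added example. Function names and the webroot layout are assumptions.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# RFC 8555 section 8.3: an http-01 token uses only the base64url alphabet
# and carries at least 128 bits of entropy (22 or more characters).
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 22 ]
}

# $1 webroot, $2 token as received from the CA (untrusted),
# $3 account key thumbprint computed locally by the client.
write_http01() {
    webroot=$1; token=$2; thumbprint=$3
    if ! valid_token "$token"; then
        echo "refusing challenge: token fails RFC 8555 grammar" >&2
        return 1
    fi
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # The token stays a quoted argument: no eval, no sh -c, and never the
    # printf format string, so its bytes cannot become code or a path.
    printf '%s.%s' "$token" "$thumbprint" > "$dir/$token"
}

# Constructed inputs: one well-formed token, two a hostile CA might send.
demo() {
    root=$(mktemp -d) || return 1
    thumb='constructed-thumbprint'
    for t in 'constructed_token-0123456789ABCDEFabcdef' \
             '../../../constructed-escape-0123456789' \
             'constructed$(true)-0123456789ABCDEFabcdef'; do
        if write_http01 "$root" "$t" "$thumb" 2>/dev/null; then
            echo "accepted: $t"
        else
            echo "rejected: $t"
        fi
    done
    rm -rf "$root"
}
demo
```

The same rule applies to every other server-controlled field a client handles, such as URLs and response headers: validate against the expected grammar first, then use the value only as a quoted argument.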

Old Time Traffic Signal Revived With A Raspberry Pi Controller

Anyone with even a passing familiarity with the classic animated shorts of the 1940s will recognize the traffic signal in the image above. Yes, such things actually existed in the real world, not just in the Looney world of [Bugs Bunny] et al. As sturdy as such devices were, they don’t last forever, though, which is why a restoration of this classic Acme traffic signal was necessary for a California museum. Yes, that Acme.

When you see a traffic signal from the early days of the automotive age like this one, it quickly becomes apparent how good the modern equivalent has become. Back in the day, with a mix of lights distributed all over the body of the signal, arms that extend out, and bells that ring when the state changes, it’s easy to see how things could get out of hand at an intersection. That complexity made the restoration project by [am1034481] and colleagues at the Southern California Traffic Museum all the more difficult. Each signal has three lights, a motor for the flag, and an annunciator bell, each requiring a relay. What’s more, the motor needs to run in both directions, so a reversing relay is needed, and the arm has a mechanism to keep it in position when motor power is removed, which needs yet another relay. With two signals, everything was doubled, so the new controller used a 16-channel relay board and a Raspberry Pi to run through various demos. To keep induced currents from wreaking havoc, zero-crossing solid state relays were used on the big AC motors and coils in the signal. It looks like a lot of work, but the end results are worth it.

Looking for more information on traffic signal controls? We talked about that a while back.