When monitors around the world display a “Blue Screen of Death” and you know it’s probably your fault, it’s got to be a terrible, horrible, no good, very bad day at work. That’s likely the situation inside CrowdStrike this weekend, as engineers at the cybersecurity provider struggle to recover from an update rollout that went very, very badly indeed. The rollout, which affected enterprise-level Windows 10 and 11 hosts running their flagship Falcon Sensor product, resulted in machines going into a boot loop or just dropping into restore mode, leaving hapless millions to stare at the dreaded BSOD screen on everything from POS terminals to transit ticketing systems.
AirTag12 Articles
Hackaday Links: June 9, 2024
We’ve been harping a lot lately about the effort by carmakers to kill off AM radio, ostensibly because making EVs that don’t emit enough electromagnetic interference to swamp broadcast signals is a practical impossibility. In the US, push-back from lawmakers — no doubt spurred by radio industry lobbyists — has put the brakes on the move a bit, on the understandable grounds that an entire emergency communication system largely centered around AM radio has been in place for the last seven decades or so. Not so in Japan, though, as thirteen of the nation’s 47 broadcasters have voluntarily shut down their AM transmitters in what’s billed as an “impact study” by the Ministry of Internal Affairs and Communications. The request for the study actually came from the broadcasters, with one being quoted in a hearing on the matter as “hop[ing] that AM broadcasting will be promptly discontinued.” So the writing is apparently on the wall for AM radio in Japan.
Apple AirTag: Antitheft Or Antistalking?
Occasionally, the extra features added to a product can negate some of the reasons you wanted to buy the thing in the first place. Take, for example, Apple’s AirTag — billed as an affordable way to link your physical stuff to your phone. If some light-fingered ne’er-do-well wanders by and half-inches your gear, you get notified. The thing is, the AirTag also has an anti-stalking measure, which after a while, notifies nearby iPhones, should the tag move but not be near your iPhone!
In a recent video, [David Manning] explains that this feature is great for preventing the device from being used to track people. But it also means that if said thief happens to own an iPhone, they will be notified of the nearby tag, and can find it and disable it. So in the end, it’s a bit less useful as an anti-theft measure!
The solution is to pop the back off the tag and yank out the little sounder module from the rear plastic. You lose the ability to locate the tag audibly, but you gain a little more chance of returning your stolen goods. Apple could easily remove this feature with a firmware update, but it’s a matter of picking your poison: antistalking or antitheft?
AirTags, Tiles, SmartTags And The Dilemmas Of Personal Tracking Devices
In an ideal world we would never lose our belongings, and not spend a single hour fruitlessly searching for some keys, a piece of luggage, a smartphone or one of the two dozen remote controls which are scattered around the average home these days. Since we do not live in this ideal world, we have had to come up with ways to keep track of our belongings, whether inside or outside our homes, which has led to today’s ubiquitous personal tracking devices.
Today’s popular Bluetooth-based trackers constantly announce their presence to devices set up to listen for them. Within a home, this range is generally enough to find the tracker and associated item using a smartphone, after which using special software the tracker can be made to sound its built-in speaker to ease localizing it by ear. Outside the home, these trackers can use mesh networks formed by smartphones and other devices to ‘phone home’ to paired devices.
This is great when it’s your purse. But this also gives anyone the ability to stick such a tracker device onto a victim’s belongings and track them without their consent, for whatever nefarious purpose. Yet it is this duality between useful and illegal that has people on edge when it comes to these trackers. How can we still use the benefits they offer, without giving stalkers and criminals free reign? A draft proposal by Apple and Google, submitted to the Internet Engineering Task Force (IETF), seeks to address these points but it remains complicated.
Continue reading “AirTags, Tiles, SmartTags And The Dilemmas Of Personal Tracking Devices”
This Week In Security: Oracle Opera, Passkeys, And AirTag RFC
There’s a problem with Opera. No, not that kind of opera. The Oracle kind. Oracle OPERA is a Property Management Solution (PMS) that is in use in a bunch of big-name hotels around the world. The PMS is the system that handles reservations and check-ins, talks to the phone system to put room extensions in the proper state, and generally runs the back-end of the property. It’s old code, and handles a bunch of tasks. And researchers at Assetnote found a serious vulnerability. CVE-2023-21932 is an arbitrary file upload issue, and rates at least a 7.2 CVSS.
It’s a tricky one, where the code does all the right things, but gets the steps out of order. Two parameters, jndiname
and username
are encrypted for transport, and the sanitization step happens before decryption. The username parameter receives no further sanitization, and is vulnerable to path traversal injection. There are two restrictions to exploitation. The string encryption has to be valid, and the request has to include a valid Java Naming and Directory Interface (JNDI) name. It looks like these are the issues leading Oracle to consider this flaw “difficult to exploit vulnerability allows high privileged attacker…”.
The only problem is that the encryption key is global and static. It was pretty straightforward to reverse engineer the encryption routine. And JDNI strings can be fetched anonymously from a trio of endpoints. This lead Assetnote to conclude that Oracle’s understanding of the flaw is faulty, and a much higher CVSS score is appropriate. Particularly with this Proof of Concept code, it is relatively straightforward to upload a web shell to an Opera system.
The one caveat there is that an attacker has to get network access to that install. These aren’t systems intended to be exposed to the internet, and my experience is that they are always on a dedicated network connection, not connected to the rest of the office network. Even the interconnect between the PMS and phone system is done via a serial connection, making this network flaw particularly hard to get to. Continue reading “This Week In Security: Oracle Opera, Passkeys, And AirTag RFC”
Hackaday Links: November 6, 2022
Remember the chip shortage? We sure do, mainly because as far as we can tell, it’s still going on, at least judging by the fact that you can’t get a Raspberry Pi for love or money. But that must just be noise, because according to a report in the Straits Times, the chip shortage is not only over, it’s reversed course enough that there’s now a glut of semiconductors out there. The article claims that the root cause of this is slowing demand for products like smartphones, an industry that’s seeing wave after wave of orders to semiconductor manufacturers like TSMC canceled. Chips for PCs are apparently in abundance now too, as the spasm of panic buying machine for remote working during the pandemic winds down. Automakers are still feeling the pinch, though, so much so that Toyota is now shipping only one smart key with new cars, instead of the usual two. So there seems to be some way to go before balance is restored to the market, but whatever — just call us when Amazon no longer has to offer financing on an 8 GB Pi.
Hackaday Links: October 23, 2022
There were strange doings this week as Dallas-Forth Worth Airport in Texas experienced two consecutive days of GPS outages. The problem first cropped up on the 17th, as the Federal Aviation Administration sent out an automated notice that GPS reception was “unreliable” within 40 nautical miles of DFW, an area that includes at least ten other airports. One runway at DFW, runway 35R, was actually closed for a while because of the anomaly. According to GPSjam.org — because of course someone built a global mapping app to track GPS coverage — the outage only got worse the next day, both spreading geographically and worsening in some areas. Some have noted that the area of the outage abuts Fort Hood, one of the largest military installations in the country, but there doesn’t appear to be any connection to military operations. The outage ended abruptly at around 11:00 PM local time on the 19th, and there’s still no word about what caused it. Loss of GPS isn’t exactly a “game over” problem for modern aviation, but it certainly is a problem, and at the very least it points out how easy the system is to break, either accidentally or intentionally.
In other air travel news, almost as quickly as Lufthansa appeared to ban the use of Apple AirTags in checked baggage, the airline reversed course on the decision. The original decision was supposed to have been based on “an abundance of caution” regarding the potential for disaster from its low-power transmitters, or should a stowed AirTag’s CR2032 battery explode. But as it turns out, the Luftfahrt-Bundesamt, the German civil aviation authority, agreed with the company’s further assessment that the tags pose little risk, green-lighting their return to the cargo compartment. What luck! The original ban totally didn’t have anything to do with the fact that passengers were shaming Lufthansa online by tracking their bags with AirTags while the company claimed they couldn’t locate them, and the sudden reversal is unrelated to the bad taste this left in passengers’ mouths. Of course, the reversal only opened the door to more adventures in AirTag luggage tracking, so that’s fun.
Energy prices are much on everyone’s mind these days, but the scale of the problem is somewhat a matter of perspective. Take, for instance, the European Organization for Nuclear Research (CERN), which runs a little thing known as the Large Hadron Collider, a 27-kilometer-long machine that smashes atoms together to delve into the mysteries of physics. In an average year, CERN uses 1.3 terawatt-hours of electricity to run the LHC and its associated equipment. Technically, this is what’s known as a hell of a lot of electricity, and given the current energy issues in Europe, CERN has agreed to shut down the LHC a bit early this year, shutting down in late November instead of the usual mid-December halt. What’s more, CERN has agreed to reduce usage by 20% next year, which will increase scientific competition for beamtime on the LHC. There’s only so much CERN can do to reduce the LHC’s usage, though — the cryogenic plant to cool the superconducting magnets draws a whopping 27 megawatts, and has to be kept going to prevent the magnets from quenching.
And finally, as if the COVID-19 pandemic hasn’t been weird enough, the fact that it has left in its wake survivors whose sense of smell is compromised is alarming. Our daily ritual during the height of the pandemic was to open up a jar of peanut butter and take a whiff, figuring that even the slightest attenuation of the smell would serve as an early warning system for symptom onset. Thankfully, the alarm hasn’t been tripped, but we know more than a few people who now suffer from what appears to be permanent anosmia. It’s no joke — losing one’s sense of smell can be downright dangerous; think “gas leak” or “spoiled food.” So it was with interest that we spied an article about a neuroprosthetic nose that might one day let the nasally challenged smell again. The idea is to use an array of chemical sensors to stimulate an array of electrodes implanted near the olfactory bulb. It’s an interesting idea, and the article provides a lot of fascinating details on how the olfactory sense actually works.