Shadowhammer, WPA3, and Alexa is Listening: This Week in Computer Security

Let’s get caught up on computer security news! The big news is Shadowhammer — The Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.

Nearly a year later, Kaspersky Labs announced they had confirmed this strange update was indeed a supply chain attack — one that attacks a target by way of another vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.

Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.

While we’re still waiting for the full technical paper, researchers gave a nearly 30 minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!
Continue reading “Shadowhammer, WPA3, and Alexa is Listening: This Week in Computer Security”

Automate the Freight: Amazon Tackles the Last Mile Problem On Wheels

We’ve been occasionally exploring examples of what could be the killer application for self-driving vehicles: autonomous freight deliveries, both long-haul and local, as well as some special use cases. Some, like UAV delivery of blood and medical supplies in Kenya, have taken off and are becoming both profitable and potentially life-saving. Others, like driverless long-haul trucking, made an initial splash but appear to have gone quiet since then. This is to be expected, as the marketplace picks winners and losers in a neverending quest to maximize return on investment. But the whole field seems to have gotten a bit sleepy lately, with no big news of note for quite a while.

That changed last week with Amazon’s announcement of Scout, their autonomous delivery vehicle. Announced first on Amazon’s blog and later picked up by the popular and tech press who repeated the Amazon material almost verbatim, Scout appears at first glance to be a serious attempt by Amazon to own the “last mile” of delivery – the local routes that are currently plied by the likes of UPS, FedEx, and various postal services. Or is it?

Continue reading “Automate the Freight: Amazon Tackles the Last Mile Problem On Wheels”

Amazon Thinks ARM is Bigger than your Phone

As far as computer architectures go, ARM doesn’t have anything to be ashamed of. Since nearly every mobile device on the planet is powered by some member of the reduced instruction set computer (RISC) family, there’s an excellent chance these words are currently making their way to your eyes courtesy of an ARM chip. A userbase of several billion is certainly nothing to sneeze at, and that’s before we even take into account the myriad of other devices which ARM processors find their way into: from kid’s toys to smart TVs.

ARM is also the de facto architecture for the single-board computers which have dominated the hacking and making scene for the last several years. Raspberry Pi, BeagleBone, ODROID, Tinker Board, etc. If it’s a small computer that runs Linux or Android, it will almost certainly be powered by some ARM variant; another market all but completely dominated.

It would be a fair to say that small devices, from set top boxes down to smartwatches, are today the domain of ARM processors. But if we’re talking about what one might consider “traditional” computers, such as desktops, laptops, or servers, ARM is essentially a non-starter. There are a handful of ARM Chromebooks on the market, but effectively everything else is running on x86 processors built by Intel or AMD. You can’t walk into a store and purchase an ARM desktop, and beyond the hackers who are using Raspberry Pis to host their personal sites, ARM servers are an exceptional rarity.

Or at least, they were until very recently. At the re:Invent 2018 conference, Amazon announced the immediate availability of their own internally developed ARM servers for their Amazon Web Services (AWS) customers. For many developers this will be the first time they’ve written code for a non-x86 processor, and while some growing pains are to be expected, the lower cost of the ARM instances compared to the standard x86 options seems likely to drive adoption. Will this be the push ARM needs to finally break into the server and potentially even desktop markets? Let’s take a look at what ARM is up against.

Continue reading “Amazon Thinks ARM is Bigger than your Phone”

Buy Or Build An Autonomous Race Car To Take The Checkered Flag

Putting autonomous vehicles on public roads takes major resources beyond most of our means. But we can explore all the same general concepts at a smaller scale by modifying remote-control toy cars, limited only by our individual budgets and skill levels. For those of us whose interest and expertise lie in software, Amazon Web Services just launched AWS DeepRacer: a complete package for exploring machine learning on autonomous vehicles.

At a hardware level, the spec sheet makes it sound like they’ve bolted their AWS DeepLens machine vision computer on an 1/18th scale monster truck chassis. But the hardware is only the tip of the iceberg. The software behind DeepRacer is AWS RoboMaker, a set of tools for applying AWS to robot development. Everything from running digital simulations on AWS to training neural networks on AWS. Don’t know enough about machine learning? No problem! Amazon has also just opened up their internal training curriculum to the world. And to encourage participation, Amazon is running a DeepRacer League with races taking place both digitally online and physically at AWS Summit events around the world. They’ve certainly offered us a full plate at their re:Invent conference this week.

But maybe someone prefers not to use Amazon, or prefer to build their own hardware, or run their own competitions. Fortunately, Amazon is not the only game in town, merely the latest entry in an existing field. The DeepRacer’s League’s predecessor was the Robocar Rally, and the DeepRacer itself follows the Donkey Car. A do-it-yourself autonomous racing platform we first saw at Bay Area Maker Faire 2017, Donkey Car has since built up its documentation and software tools including a simulator. The default Donkey Car code is fairly specific to the car, but builders are certainly free to use something more general like the open source Robot Operating System and Gazebo robot simulator. (Which is what AWS RoboMaker builds on.)

So if the goal is to start racing little autonomous cars, we have options to buy pre-built hardware or enjoy the flexibility of building our own. Either way, it’s just another example of why this is a great time to get into neural networks, with or without companies like Amazon devising ways to earn our money. Of course, this isn’t the only Amazon project trying to build a business around an idea explored by an existing open source project. We had just talked about their AWS Ground Station offering which covers similar ground (sky?) as our 2014 Hackaday Prize winner SatNOGS.

Amazon Creates Distributed Satellite Ground Stations

Here’s an interesting thought: it’s possible to build a cubesat for perhaps ten thousand dollars, and hitch a ride on a launch for free thanks to a NASA outreach program. Tracking that satellite along its entire orbit would require dozens or hundreds of ground stations, all equipped with antennas and a connection to the Internet. Getting your data down from a cubesat actually costs more than building a satellite.

This is the observation someone at Amazon must have made. They’ve developed the AWS Ground Station, a system designed to downlink data from cubesats and other satellites across an entire orbit. Right now, Amazon only has two ground stations attached, but they plan to have a dozen in place by the middle of next year. Each of these ground stations are associated with a particular AWS region (there are a total of sixteen AWS regions, which might limit the orbital coverage of the AWS Ground Station system), and consists of an antenna, an alt-az mount, and a gigantic bank of servers and hard drives to capture data from satellites orbiting overhead.

The Amazon blog post goes over how easy it is to capture data from a satellite, and it’s as easy as getting a NORAD ID, logging into your AWS account, and clicking a few buttons.

It should go without mention that this is the exact same idea behind SatNOGS, an Open Source global network of satellite ground stations and winner of the 2014 Hackaday Prize. One of their ground stations is what’s pictured at the top if this article. Right now, SatNOGS has over seventy ground stations in the network, including a few stations that are in very useful locations like the Canary Islands. The SatNOGS network already has a lot more coverage than the maximum of sixteen locations where Amazon has their data centers — made possible by its open nature. Congrats to the SatNOGS team once again for creating something so useful, and doing it four years before Amazon.

Rooting the Amazon Fire TV Cube with an Arduino

Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device. A quick search on YouTube for “Fire Stick Hack” will bring up a seemingly endless array of videos, some with millions of views, which will show viewers how to install unofficial software on the little media dongle. Now it looks like their latest media device, the Fire TV Cube, is starting to attract the same kind of attention.

The team at [] has recently taken the wraps off their research which shows the new Fire TV Cube can be rooted with nothing more than an Arduino and an HDMI cable you’re willing to cut apart. Of course, it’s a bit more complicated than just that, but between the video they’ve provided and their WiKi, it looks like all the information is out there for anyone who wants to crack open their own Cube. Just don’t be surprised if it puts you on the Amazon Naughty List.

The process starts by putting the device’s Amlogic S905Z into Device Firmware Upgrade (DFU) mode, which is done by sending the string “boot@USB” to the board over the HDMI port’s I2C interface. That’s where the HDMI cable comes in: you can cut into one and wire it right up to your Arduino and run the sketch [] has provided to send the appropriate command. Of course, if you want to get fancy, you could use an HDMI breakout board instead.

With the board in DFU mode in you gain read and write access to the device’s eMMC flash, but that doesn’t exactly get you in because there’s still secure boot to contend with. But as these things tend to go, the team was able to identify a second exploit which could be used in conjunction with DFU mode to trick the device into disabling signature verification. Now with the ability to run unsigned code on the Fire TV Cube, [] implemented fastboot to make it easier to flash their custom rooted firmware images to the hardware.

As with the Fire TV Stick before it, make sure you understand the risks involved when you switch off a device’s security features. They’re often there to protect the end user as much as the manufacturer.

Continue reading “Rooting the Amazon Fire TV Cube with an Arduino”

New Part Day: Put An Alexa In Everything

The last great hope for electronics manufactures is smart home assistants. The Alexas and Siris and OK Googles are taking over homes across the country. At its best, it’s HAL 9000, only slightly less homicidal. It will entertain your children, and you can order cat litter just by saying you want cat litter. This is the future, whether we like it or not.

In an attempt to capture the market, Amazon has released the Alexa Connect Kit. This is an Amazon-Echo-On-a-Chip — a piece of hardware that adds Alexa to microwaves, blenders, and whatever other bit of home electronics you can imagine.

The Alexa Connect Kit is the hardware behind Amazon’s efforts to allow developers easy integration with Alexa. The options for adding Alexa to a product up until now have been using Zigbee to connect an Echo Show or Echo Plus, or simply giving a device the ability to connect to an Echo through Bluetooth. The Alexa Connect Kit, however, is a pure hardware solution that puts Alexa in anything.

Unfortunately you can’t get one yet. Right now, the Alexa Connect Kit is just a preview, and if you want to get your hands on one — or get any specs on this bit of hardware — you’ll need to apply to the developer program. We’ve signed up and will share and juicy details that come our way as part of the program.

According to the Wall Street Journal (try Google referral link if you hit the pay wall), several companies are already working on integrating the Alexa Connect Kit into their existing product lines. Hamilton Beach and Procter & Gamble are both working on something, although the press doesn’t say what kind of device will now be loaded up with a voice assistant. Amazon, however, has a microwave using the technology that the owner can, “command the microwave to do things like defrost a half-pound of chicken, or set it up to automatically reorder a favorite type of popcorn on Amazon”.

Despite the sparse details, this is relatively game-changing when it comes to the world of homebrew electronics. We’ve seen dozens of projects using hacked Raspberry Pis and other microcontrollers to at Alexa to hacked coffee machines, to shoot Nerf darts, and to control a projector. If you can actually get one of these Alexas-on-a-chip, all those projects could be done with one simple piece of hardware.