This Week In Security: More WhatsApp, Nextcry, Hover To Crash, And Android Permissions Bypass

There is another WhatsApp flaw, but instead of malicious GIFs, this time it’s malicious mp4 files. Facebook announced the vulnerability late last week. An update has been released, so first go make sure WhatsApp is updated. Facebook’s advisory is a bit light on the details, simply saying that a “stack-based buffer overflow” was possible as a result of “parsing the elementary stream metadata of an mp4 file”.

Shortly after the bug was announced, a GitHub repository popped up, with a claimed proof-of-concept mp4 file for CVE-2019-11931. (Thanks to [justtransit] on Reddit for the link.) I can’t easily test the PoC file, but we can take a look at it to see what the vulnerability is. What tools do we need to take a look? A hex editor is a good start. I’m using GHex, simply because it was available and easily installed on Fedora.

This Week In Security: The Robots Are Watching, Insecure VPNs, Graboids, And Biometric Fails

A Japanese hotel chain uses robots for nearly everything. Check in, room access, and most importantly, bedside service. What could possibly go wrong with putting embedded Android devices, complete with mics and cameras, right in every hotel room? While I could imagine bedside robots ending badly in many ways, today we’re looking at the possibility that a previous guest installed an app that can spy on the room. The kiosk mode used on these devices left much to be desired. Each bot has an NFC reader, and all it takes is a URL read by that reader to break out of the kiosk jail. From there, a user has full access to the Android system underneath, and can install whatever software they wish.

[Lance Vick] discovered this potential problem way back in July, and after 90 days of inaction has released the vulnerability. More of these hotels are being rolled out for the 2020 Olympics, and this sort of vulnerability is sure to be present in other similar kiosk devices.

VPN Compromise

In March 2018, a server in a Finnish data center was compromised through a remote management system. This was probably a Baseboard Management Controller (BMC), which is as dangerous as it is useful. Most BMCs have their own Ethernet adapter, not controlled by the host computer, and allow a remote user to access the machine just as if they had a monitor and keyboard connected to it. This particular server was one rented by NordVPN, who was apparently not notified of the data center breach.

So what was captured from this server? Apparently the OpenVPN credentials stored on that server, as well as a valid TLS key. (Document mirror via TechCrunch) It’s been noted that this key is now expired, which does mean that it’s not being actively exploited. There were, however, about 7 months between the server break-in and the certificate expiration, during which time it could have been used for man-in-the-middle attacks.

NordVPN has confirmed the breach, and tried to downplay the potential impact. This report doesn’t seem to entirely match the leaked credentials. An attacker with this data and root access to the server would have likely been able to decrypt VPN traffic on the fly.

Graboid

Named in honor of a certain sci-fi worm, Graboid is an unusual piece of malware aimed at Docker instances. It is a true worm, in that compromised hosts are used to launch attacks against other vulnerable machines. Graboid isn’t targeting a Docker vulnerability, but simply looking for an unsecured Docker daemon exposed to the internet. The malware downloads malicious Docker images, one of which is used for crypto-currency mining, while another attempts to compromise other servers.

Graboid has an unusual quirk — the quirk that earned it the name: It doesn’t constantly mine or attempt to spread, but waits over a minute between bursts of activity. This was likely an attempt to mask the presence of mining malware. It’s notable that until discovered, the malicious Docker images were hosted on the Docker Hub. Be careful what images you trust, and look for the “Docker Official Image” tag.

Iran and Misdirection

Remember a couple weeks ago, when we discussed the difficulty of attack attribution? It seems a healthy dose of such paranoia might be warranted. The American NSA and British NCSC revealed that they now suspect Russian actors compromised Iranian infrastructure and deployed malware developed by Iranian coders. The purpose of this seems to have been redirection — to compromise targets and put the blame on Iran. To date it’s not certain that this particular gambit fooled any onlookers, but this is likely not the only such effort.

Android Biometrics

New Android handsets have had a rough week. First, the Samsung Galaxy S10 had an issue with screen protectors interfering with the under-the-screen fingerprint reader. This particular problem seems to only affect fingerprints that are enrolled after a screen protector has been applied. With the protector still in place, anyone’s fingerprint is able to unlock the device. What’s happening here seems obvious. The ultrasonic fingerprint scanner isn’t able to penetrate the screen protector, so it’s recording an essentially blank fingerprint. A patch to recognize these blank prints has been rolled out to devices in Samsung’s home country of South Korea, with the rest of the world soon to follow.

The second new handset is the Google Pixel 4, which includes a new Face Unlock feature. While many have praised the feature, there is trouble in paradise. The Pixel’s Face Unlock works even when the user is asleep or otherwise unmoving. To Apple’s credit, Face ID checks for user alertness, trying to avoid unlocking unless the user is intentionally doing so.

The humorous scenario is a child or spouse unlocking your phone while you’re asleep, but a more sobering possibility is your face being used against you unwillingly, or even while unconscious or dead. Based on leaks, it’s likely that there was an “eyes open” mode planned but cut before launch. Hopefully the bugs can be worked out of that feature, and it can be re-added in a future update. Until then, it’s probably best not to use Google’s Face Unlock on Pixel 4 devices.

Finally Run Useful Apps On A Windows Phone

Not every piece of technology or software can succeed, even with virtually unlimited funding and marketing. About the same number of people are still playing Virtual Boys as are using Google Plus, for example. In recent memory, the Windows Phone occupies the same space as these infamous failures, potentially because it was late to the smartphone game but primarily because no one wanted to develop software for it. But now you can run Android apps on Windows Phones. (Google Translate from German)

To be clear, this doesn’t support all Android apps or all Windows Phones, and it will take a little bit of work to get it set up at all. But if you still have one lying around you might want to go grab it. First you’ll need to unlock the phone, and then send a long series of commands from a PC that pushes the required software onto the device. If that works, you can begin loading Android apps on the phone via a USB connection to a PC.

This hack came to us via Windows Central and Reddit. It seems long and involved but if you have any experience with a command line you should be fine. It’s an interesting way to get some more use out of your old Windows Phone if it’s just gathering dust in a closet somewhere. If not, don’t worry; Windows Phones were rare even when they were at their most popular. We could only find one project in our archives that uses one, and that was from 2013.

Voice Chess Uses Phone, Arduino, And An Electromagnet

[Diyguypt] may be an altruist to provide the means for people who can’t manipulate chess pieces to play the game. Or he may just have his hands too busy with food and drink to play. Either way, his voice command chessboard appears to work, although it has a lot of moving parts both figuratively and literally. You can check out the video below to see how it works.

The speech part is handled by an Android phone and uses Google’s voice services, so if you don’t want Google listening to your latest opening gambit, you’ll want to pass this one up. The phone uses an app that talks to the Arduino via Bluetooth, which means the Arduino needs a Bluetooth module.

A Better Embroidery Machine, With 3D Printing And Common Parts

In concept, an everyday sewing machine could make embroidery a snap: the operator would move the fabric around in any direction they wish while the sewing machine would take care of slapping down stitches of colored thread to create designs and filled areas. In practice though, getting good results in this way is quite a bit more complex. To aid and automate this process, [sausagePaws] has been using CNC to take care of all the necessary motion control. The result is the DIY Embroidery Machine V2 which leverages 3D printed parts and common components such as an Arduino and stepper drivers for an economical DIY solution.

It’s not shown in the photo here, but we particularly like the 3D printed sockets that are screwed into the tabletop. These hold the sewing machine’s “feet”, and allow it to be treated like a modular component that can easily be removed and used normally when needed.

The system consists of a UI running on an Android tablet, communicating over Bluetooth to an Arduino. The Arduino controls the gantry which moves the hoop (a frame that holds a section of fabric taut while it is being embroidered), while the sewing machine lays down the stitches.

[sausagePaws]’s first version worked well, but this new design really takes advantage of 3D printing as well as the increased availability of cheap and effective CNC components. It’s still a work in progress that is a bit light on design details, but you can see it all in action in the video embedded below.

Taking A Peek Inside Amazon’s Latest Dot

Like a million or so other people, [Brian Dorey] picked up a third generation Echo Dot during Amazon’s big sale a couple weeks ago. Going for less than half its normal retail price, he figured it was the perfect time to explore Amazon’s voice assistant offerings. But the low price also meant that he didn’t feel so bad tearing into the thing for our viewing pleasure.

By pretty much all accounts, the Echo Dot line has been a pretty solid performer as far as corporate subsidized home espionage devices go. They’re small, fairly cheap, and offer the baseline functionality that most people expect. While there was nothing precisely wrong with the earlier versions of the Dot, Amazon has used this latest revision of the device to give the gadget a more “premium” look and feel. They’ve also tried to squeeze a bit better audio out of the roughly hockey puck sized device. But of course, some undocumented changes managed to sneak in there as well.

For one thing, the latest version of the Dot deletes the USB port. Hackers had used the USB port on earlier versions of the hardware to try and gain access to the Android (or at least, Amazon’s flavor of Android) operating system hiding inside, so that’s an unfortunate development. On the flip side, [Brian] reports there’s some type of debug header on the bottom of the device. A similar feature allowed hackers to gain access to some of Amazon’s other voice assistants, so we’d recommend hopeful optimism until told otherwise.

The Echo Dot is powered by a quad-core Mediatek MT8516BAAA 64-bit ARM Cortex-A35 processor and the OS lives on an 8GB Samsung KMFN60012M-B214 eMMC. A pair of Texas Instruments LV320ADC3101 ADCs are used to process the incoming audio from the four microphones arranged around the edge of the PCB, and [Brian] says there appears to be a Fairchild 74LCX74 flip-flop in place to cut the audio feed when the user wants a bit of privacy.

Of course, the biggest change is on the outside. The new Dot is much larger than the previous versions, which means all the awesome enclosures we’ve seen for its predecessor will need to be reworked if they want to be compatible with Amazon’s latest and greatest.

Installing Android On Your Nintendo Switch, Because Why Not?

In a continuing trend of ‘but does it run Android?’, enterprising folk over at the XDA-Developers forum have found a way to get LineageOS (the successor to CyanogenMod) installed and running on the Nintendo Switch using Switchroot source code. Their promise to release the files needed to replicate this effort has, unsurprisingly, made other people on the XDA-Developers forum as well as on Reddit rather excited.

As for the question of ‘why?’, one has to remember that internally the Nintendo Switch is an Nvidia Tegra X1-based system with a Maxwell GPU, making it definitely one of the nicer ARM-based portable systems out there if one wants to do some Android-based gaming. Even better, the entire Nvidia Shield TV-derived ROM runs from the SD card, so just popping out this SD card is sufficient to return to playing Switch games.

Currently a few nagging issues still have to be worked out with this ROM, such as touchscreen issues, sleep mode not working, auto-rotation not working as communication with the sensor needs to be figured out, and so on. This should make it clear that it isn’t a production-ready piece of software, but definitely something that should be used at your own risk.

While it shouldn’t harm the Switch, one should probably not try it on a Switch one cares deeply about. Just in case.