In the early days of the internet, online conversations were an event. The technology was novel, and it was suddenly possible to socialize with a whole bunch of friends at a distance, all at once. No more calling your friends one by one, you could talk to them all at the same time!
Many of us would spend hours on IRC, or pull all-nighters bantering on MSN Messenger or AIM. But then, something happened, and many of us found ourselves having shorter conversations online, if we were having any at all. Thinking back to my younger days, and comparing them with today, I think I’ve figured out what it is that’s changed.
Almost all of modern society is built around various infrastructure, whether that’s for electricity, water and sewer, transportation, or even communication. These vast networks aren’t immune from failure though, and at least as far as communication goes, plenty will reach for a radio of some sort to communicate when Internet or phone services are lacking. It turns out that certain LoRa devices are excellent for local communication as well, and this system known as LoraType looks to create off-grid text-based communications networks wherever they might be needed.
The project is based around the ESP32 platform with an E22 LoRa module built-in to allow it to operate within its UHF bands. It also includes a USB-based battery charger for its small battery, an e-paper display module to display the text messages without consuming too much power, and a keyboard layout for quickly typing messages. The device firmware lets it be largely automated; it will seek out other devices on the local mesh network automatically and the user can immediately begin communicating with other devices on that network as soon as it connects.
There are a few other upsides of using a device like this. Since it doesn’t require any existing communications infrastructure to function, it can be used wherever there are no other easy options, such as in the wilderness, during civil unrest where the common infrastructure has been shut down, or simply for local groups which do not have access to cell networks or Internet. LoRa is a powerful tool for these use cases, and it’s even possible to network together larger base stations to extend the range of devices like these.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. Tthe first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allow for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by Lastpass. And with this latest hack, the entire database of K2 secrets were exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
The Ring Alien
Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notable the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond it’s assigned data. It’s unclear weather that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.
Want to experience the Hackaday Superconference from the comfort of your own workshop? Just follow us on YouTube or on Facebook as two days of live streaming talks begin this Saturday morning.
This weekend is the Hackaday Superconference, the greatest hardware conference on Earth. While the Superconference is the most amazing gatherings of engineers and engineering enthusiasts, we realize that not everyone can make it out to our ultimate hardware conference. This year, we’re doing something special for everyone who can’t make it out — we’re opening up live streams and live chat to those who can’t attend. This is your chance to take part in the Superconference, even if you’re thousands of miles away.
You are invited to the chat room for the event. Join the Superconference chat right now and be part of the culture of the Hacker Village that springs to life during Supercon.
We’ve become used to seeing LoRa appearing in projects on these pages, doing its job as a low-bandwidth wireless data link with a significant range. Usually these LoRa projects take the form of a client that talks to a central Internet connected node, allowing a remote wireless-connected device to connect through that node to the Internet.
It’s interesting then to see a modest application from [Mark C], a chat application designed to use a set of LoRa nodes as a peer-to-peer network. In effect LoRa becomes the network, instead of simply being a tool to access it. He optimistically describes peer-to-peer LoRa networks as the new FidoNet in his tip email to us, which might be a bold statement, but we can certainly see some parallel. It’s important to note that the application is merely a demonstrable proof-of-concept as it stands, however we’d agree that it has some potential.
The hardware used for the project is the Heltec ESP32-based LoRa board, which comes with a handy OLED screen on which the messages appear. As it stands a PC connection is required to provide text input via serial, however it’s not impossible to imagine other more stand-alone interfaces. If it interests you the code can be downloaded from the GitHub repository, so maybe this can become the seed for wider peer-to-peer LoRa networks.
When it comes to chat, you have many choices. Facebook Messenger, Google Talk, Whatsapp, Kik, and Slack are all viable options. However, all of these choices are proprietary, and require you to use servers that you can’t run yourself. They’re highly centralized, closed source tools.
In the open source world, IRC has been the go to solution for chat for many years, and for good reason. Anyone can run a server, there’s many clients, and it’s built on open standards. But IRC comes from a pre-mobile world, and relies on clients to maintain persistent connections to the server. It’s not the best experience on a phone.
Matrix.org and Vector.im aim to be a modern solution to chat. Matrix is a standard for passing messages around, and Vector is a chat solution built on top, with support for iOS, Android, and your browser.
What makes this solution different is the concept of Homeservers. A Homeserver manages messages for users, recording them when they are received and providing them to users when they connect. Homeservers also “federate” to communicate amongst each other. This means anyone can run a Homeserver and connect it to the greater network of Matrix, providing a distributed approach to building a chat network.
Under the hood, Matrix is just HTTP. You send messages into the network with POST requests, and receive new messages by polling with GET requests. This means no persistent connections are required, which is perfect for mobile and low power devices.
On the topic of devices, Matrix is designed for general purpose messaging, not just chat. It should be pretty simple to connect hardware up to Matrix, which would provide a simple way to get data in and out of connected devices. Since it’s all HTTP, a device based on the ESP8266 could hop into your chat room with relative ease.
Matrix and Vector are very much in beta, but are definitely usable and worth a try. To get started, you can create an account on Vector.im and start chatting. We’re awaiting some of the features in the works, including end-to-end encryption, and hope to see some future hacks talking to the Matrix infrastructure.
Things get started on Wednesday, July 1st at 6:30pm PDT (UTC-7). Hundreds of hackers will be on hand discussing what they’re building, all the stuff happening in the hacker-sphere these days, and joining forces for that next great hack!
All are invited to take part. Head on over the Hackaday Prize Hacker Channel right now and click on the left sidebar link that says “Request to join this project”.
We highly recommend adding a custom avatar (if you haven’t already) so that others in the Collabatorium will be able to put a picture to your personality. The interface is ready for chat, links, images, code and much more so bring your questions and share your knowledge.
Now that you’ve clicked for an invite, while away the hours until it begins by heading over to VOTE in this week’s Astronaut or Not. And soon after you run through your 50 votes we’re sure you’ll also figure out you don’t have to wait for us to get the conversation started in the Hacker Channel ;-)