Almost all of modern society is built around various infrastructure, whether that’s for electricity, water and sewer, transportation, or even communication. These vast networks aren’t immune from failure though, and at least as far as communication goes, plenty will reach for a radio of some sort to communicate when Internet or phone services are lacking. It turns out that certain LoRa devices are excellent for local communication as well, and this system known as LoraType looks to create off-grid text-based communications networks wherever they might be needed.
The project is based around the ESP32 platform with an E22 LoRa module built-in to allow it to operate within its UHF bands. It also includes a USB-based battery charger for its small battery, an e-paper display module to display the text messages without consuming too much power, and a keyboard layout for quickly typing messages. The device firmware lets it be largely automated; it will seek out other devices on the local mesh network automatically and the user can immediately begin communicating with other devices on that network as soon as it connects.
There are a few other upsides of using a device like this. Since it doesn’t require any existing communications infrastructure to function, it can be used wherever there are no other easy options, such as in the wilderness, during civil unrest where the common infrastructure has been shut down, or simply for local groups which do not have access to cell networks or Internet. LoRa is a powerful tool for these use cases, and it’s even possible to network together larger base stations to extend the range of devices like these.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. Tthe first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allow for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
Arrrrr
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by Lastpass. And with this latest hack, the entire database of K2 secrets were exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
The Ring Alien
Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notable the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond it’s assigned data. It’s unclear weather that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.
Want to experience the Hackaday Superconference from the comfort of your own workshop? Just follow us on YouTube or on Facebook as two days of live streaming talks begin this Saturday morning.
This weekend is the Hackaday Superconference, the greatest hardware conference on Earth. While the Superconference is the most amazing gatherings of engineers and engineering enthusiasts, we realize that not everyone can make it out to our ultimate hardware conference. This year, we’re doing something special for everyone who can’t make it out — we’re opening up live streams and live chat to those who can’t attend. This is your chance to take part in the Superconference, even if you’re thousands of miles away.
You are invited to the chat room for the event. Join the Superconference chat right now and be part of the culture of the Hacker Village that springs to life during Supercon.
We’ve become used to seeing LoRa appearing in projects on these pages, doing its job as a low-bandwidth wireless data link with a significant range. Usually these LoRa projects take the form of a client that talks to a central Internet connected node, allowing a remote wireless-connected device to connect through that node to the Internet.
It’s interesting then to see a modest application from [Mark C], a chat application designed to use a set of LoRa nodes as a peer-to-peer network. In effect LoRa becomes the network, instead of simply being a tool to access it. He optimistically describes peer-to-peer LoRa networks as the new FidoNet in his tip email to us, which might be a bold statement, but we can certainly see some parallel. It’s important to note that the application is merely a demonstrable proof-of-concept as it stands, however we’d agree that it has some potential.
The hardware used for the project is the Heltec ESP32-based LoRa board, which comes with a handy OLED screen on which the messages appear. As it stands a PC connection is required to provide text input via serial, however it’s not impossible to imagine other more stand-alone interfaces. If it interests you the code can be downloaded from the GitHub repository, so maybe this can become the seed for wider peer-to-peer LoRa networks.
When it comes to chat, you have many choices. Facebook Messenger, Google Talk, Whatsapp, Kik, and Slack are all viable options. However, all of these choices are proprietary, and require you to use servers that you can’t run yourself. They’re highly centralized, closed source tools.
In the open source world, IRC has been the go to solution for chat for many years, and for good reason. Anyone can run a server, there’s many clients, and it’s built on open standards. But IRC comes from a pre-mobile world, and relies on clients to maintain persistent connections to the server. It’s not the best experience on a phone.
Matrix.org and Vector.im aim to be a modern solution to chat. Matrix is a standard for passing messages around, and Vector is a chat solution built on top, with support for iOS, Android, and your browser.
What makes this solution different is the concept of Homeservers. A Homeserver manages messages for users, recording them when they are received and providing them to users when they connect. Homeservers also “federate” to communicate amongst each other. This means anyone can run a Homeserver and connect it to the greater network of Matrix, providing a distributed approach to building a chat network.
Under the hood, Matrix is just HTTP. You send messages into the network with POST requests, and receive new messages by polling with GET requests. This means no persistent connections are required, which is perfect for mobile and low power devices.
On the topic of devices, Matrix is designed for general purpose messaging, not just chat. It should be pretty simple to connect hardware up to Matrix, which would provide a simple way to get data in and out of connected devices. Since it’s all HTTP, a device based on the ESP8266 could hop into your chat room with relative ease.
Matrix and Vector are very much in beta, but are definitely usable and worth a try. To get started, you can create an account on Vector.im and start chatting. We’re awaiting some of the features in the works, including end-to-end encryption, and hope to see some future hacks talking to the Matrix infrastructure.
Things get started on Wednesday, July 1st at 6:30pm PDT (UTC-7). Hundreds of hackers will be on hand discussing what they’re building, all the stuff happening in the hacker-sphere these days, and joining forces for that next great hack!
All are invited to take part. Head on over the Hackaday Prize Hacker Channel right now and click on the left sidebar link that says “Request to join this project”.
We highly recommend adding a custom avatar (if you haven’t already) so that others in the Collabatorium will be able to put a picture to your personality. The interface is ready for chat, links, images, code and much more so bring your questions and share your knowledge.
Now that you’ve clicked for an invite, while away the hours until it begins by heading over to VOTE in this week’s Astronaut or Not. And soon after you run through your 50 votes we’re sure you’ll also figure out you don’t have to wait for us to get the conversation started in the Hacker Channel ;-)
We’ve been riding the runaway train that is Hackaday.io for about fourteen months. With over 60k registered user and hundreds of thousands of visitors a month it’s hard to remember how we got from humble beginnings to where we stand now. But a big part of this is all the suggestions we’ve been hearing from you. On the top of that list have been numerous requests for more collaborative features. This week we’ve pushed an update that will change the way you interact with your fellow hackers.
This brand new messaging interface is beyond what we dreamed when we started development. Our goal with Hackaday has long been to form the Virtual Hackerspace, and this is it. Shown above is group messaging for the alt.hackaday.io project. You can see that thread selected on the left among many other threads in progress. On the right is the list of the team collaborators. Each project on Hackaday.io has group messaging availalbe, all you need to do is add your collaborators.
Need skills that you don’t have to finish the project? Just want to brainstorm the next big project? Jump on Hackaday.io and get into it. Head over to one of your projects, invite some collaborators if you don’t already have them, and click the “Group Messaging” button in the left column.
This is not private messaging and it’s not just chat. This is new. It’s persistent, it’s instant, it’s long, it’s short, it is what you need to work with other hackers. We don’t even know what to call it yet. You can help with that and you can tell us what you find to do with it. We’ve designed it for creative abuse.
Configurable Notifications
When loading up the message page for the first time you’ll see a bar across the top requesting desktop notification access. This feature gives you a pop-up message when the tab with the messaging interface is not active.
If you don’t have the interface open you will receive an email when new messages come in. This can be toggled globally for all of your chats but we do have plans to configure these emails per-chat thread. Thanks to [jlbrian7] for the tip that users of Firefox on Linux need an extension to enable notifications. I’m using Chrome on Mint and it work just fine without adding packages.
Dude, Mobile
This Virtual Hackerspace goes with you and we’re not just talking out of the house. How many times have you been sitting at the bench wondering what the heck you’re doing wrong? Whip out your phone, snap a picture and post it so the collaborators on your team can help out. Right now it’s rock-solid on iPhone. Android requires a very quick double-tap on the image icon to trigger but we’ll have that fixed in a jiffy.
Of course images work from the computer interface as well, and there’s a code tool to embed snippets in your messages.
Team Invites and Requests
The only part we don’t have working is the ability to talk to yourself but that is coming. For now you must have collaborators to enable group messaging and this update makes that simple.
Each project has a team list in the left hand column. You’ll notice that a text box has been added to invite members. Just type their hacker name and click the invite button. They’ll get a private message with instructions for accepting your invitation.
Give it a Spin Right Now
We’ve set up the official Hackaday Prize Hacker Channel so that you can try it out right away. Casual conversation is welcome, but this is also a great opportunity to find team members for your Hackaday Prize entry. We’ll also be hosting regular events on the channel. More on that soon!
