Audio Eavesdropping Exploit Might Make That Clicky Keyboard Less Cool

May 6, 2022 by Dan Maloney 45 Comments

Despite their claims of innocence, we all know that the big tech firms are listening to us. How else to explain the sudden appearance of ads related to something we’ve only ever spoken about, seemingly in private but always in range of a phone or smart speaker? And don’t give us any of that fancy “confirmation bias” talk — we all know what’s really going on.

And now, to make matters worse, it turns out that just listening to your keyboard clicks could be enough to decode what’s being typed. To be clear, [Georgi Gerganov]’s “KeyTap3” exploit does not use any of the usual RF-based methods we’ve seen for exfiltrating data from keyboards on air-gapped machines. Rather, it uses just a standard microphone to capture audio while typing, building a cluster map of the clicks with similar sounds. By analyzing the clusters against the statistical likelihood of certain sequences of characters appearing together — the algorithm currently assumes standard English, and works best on clicky mechanical keyboards — a reasonable approximation of the original keypresses can be reconstructed.

If you’d like to see it in action, check out the video below, which shows the algorithm doing a pretty good job decoding text typed on an unplugged keyboard. Or, try it yourself — the link above implements KeyTap3 in-browser. We gave it a shot, but as a member of the non-mechanical keyboard underclass, it couldn’t make sense of the mushy sounds it heard. Then again, our keyboard inferiority affords us some level of protection from the exploit, so there’s that.

Editors Note: Just tried it on a mechanical keyboard with Cherry MX Blue switches and it couldn’t make heads or tails of what was typed, so your mileage may vary. Let us know if it worked for you in the comments.

What strikes us about this is that it would be super simple to deploy an exploit like this. Most side-channel attacks require such a contrived scenario for installing the exploit that just breaking in and stealing the computer would be easier. All KeyTap needs is a covert audio recording, and the deed is done.

Continue reading “Audio Eavesdropping Exploit Might Make That Clicky Keyboard Less Cool” →

Major Bug Grants Root For All Major Linux Distributions

January 26, 2022 by Bryan Cockfield 66 Comments

One of the major reasons behind choosing Linux as an operating system is that it’s much more secure than Windows. There are plenty of reasons for this including appropriate user permissions, installing software from trusted sources and, of course, the fact that most software for Linux including the Linux kernel itself is open source which allows anyone to review the code for vulnerabilities. This doesn’t mean that Linux is perfectly secure though, as researchers recently found a major bug found in most major Linux distributions that allows anyone to run code as the root user.

The exploit is a memory corruption vulnerability in Polkit, a framework that handles the privilege level of various system processes. It specifically impacts the program pkexec. With the proof-of-concept exploit (file download warning) in hand, all an attacker needs to do to escalate themselves to root is to compile the program on the computer and run it as the default user. An example is shown by [Jim MacDonald] on Twitter for those not willing to try this on their own machines.

As bad as this sounds, it seems as though all of the major distributions that this impacts have already released updates that patch the issue, including Debian, Ubuntu, Red Hat, Fedora, open SUSE, and Arch. There is also a temporary workaround that removes read/write permission from the pkexec program so it can’t run at all. That being said, it might be best to check that your Linux systems are all up-to-date and that no strangers have been typing random commands into the terminal recently.

Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers

October 27, 2021 by Dan Maloney 30 Comments

Good news, everyone! Security researcher [Mordechai Guri] has given us yet another reason to look askance at our computers and wonder who might be sniffing in our private doings.

This time, your suspicious gaze will settle on the lowly Ethernet cable, which he has used to exfiltrate data across an air gap. The exploit requires almost nothing in the way of fancy hardware — he used both an RTL-SDR dongle and a HackRF to receive the exfiltrated data, and didn’t exactly splurge on the receiving antenna, which was just a random chunk of wire. The attack, dubbed “LANtenna”, does require some software running on the target machine, which modulates the desired data and transmits it over the Ethernet cable using one of two methods: by toggling the speed of the network connection, or by sending raw UDP packets. Either way, an RF signal is radiated by the Ethernet cable, which was easily received and decoded over a distance of at least two meters. The bit rate is low — only a few bits per second — but that may be all a malicious actor needs to achieve their goal.

To be sure, this exploit is quite contrived, and fairly optimized for demonstration purposes. But it’s a pretty effective demonstration, but along with the previously demonstrated hard drive activity lights, power supply fans, and even networked security cameras, it adds another seemingly innocuous element to the list of potential vectors for side-channel attacks.

[via The Register]

Razer Mouse Grants Windows Admin Privileges

August 26, 2021 by Bryan Cockfield 50 Comments

As the common saying goes, “all networked computers are vulnerable to exploits, but some networked computers are more vulnerable than others”. While not the exact wording from Animal Farm, the saying does have plenty of merit nonetheless. Sure, there are some viruses and issues with Linux distributions but by far most of the exploits target Windows, if only because more people use it daily than any other operating system. The latest Windows 10 exploit, discovered by [jonhat], is almost comically easy too, and involves little more than plugging in a mouse.

While slightly comforting in that an attacker would need physical access to the device rather than simple network access, it is very concerning how simple this attack is otherwise. Apparently plugging in a Razer mouse automatically launches Windows Update, which installs a driver for the mouse. The installation is run with admin privileges, and a Power Shell can be opened by the user simply by pressing Shift and right-clicking the mouse. While [jonhat] originally tried to let the company know, they weren’t responsive until he made the exploit public on Twitter, and are now apparently working on solving the issue.

Others have confirmed the exploit does in fact work, so hopefully there is a patch released soon that solves the issue. In the meantime, we recommend not allowing strangers to plug any devices into your personal computers as a general rule, or plugging in anything where its origins are unknown. Also remember that some attacks don’t required physical or network access at all, like this one which remotely sniffs keystrokes from a wireless keyboard with less than stellar security, also coincidentally built by Microsoft.

Newest PlayStation Exploit Skips The Disc

April 10, 2021 by Tom Nardi 17 Comments

Last month we brought you word of tonyhax, a clever exploit for the original Sony PlayStation that leveraged a buffer overflow in several of the games from the Tony Hawk Pro Skater series to load arbitrary code from a specially prepared memory card. But now [Bradlin] has taken that idea a step further and developed a software exploit for Sony’s iconic console that doesn’t need to be triggered from a game.

The exploit is considerably more complex this time around, but [Bradlin] does an excellent job of breaking it down for those who want the gritty details. The short version is that missing boundary checks in the PlayStation’s built-in memory card handling routines mean a carefully formatted “block” on the memory card can get the console to execute a small 128 byte payload. That’s not a lot of room to work with, but it ends up being just enough to load up additional code stored elsewhere on the memory card and really kick things off.

Unlike tonyhax, which was designed specifically to allow the user to swap their retail Tony Hawk disc with a game burned to a CD-R, [Bradlin]’s FreePSXBoot is presented as more of a generic loader. As of right now, it doesn’t allow you to actually play burned games, although its inevitable that somebody will connect those last few dots soon.

If you want to check out the progress so far, all you need is wire a PlayStation memory card up to an Arduino, write the provided image to it, and stick it in the slot. [Bradlin] says the exploit doesn’t work 100% of the time (something else that will surely be addressed in future releases), but it shouldn’t take too many attempts before you’re greeted with the flashing screen that proves Sony’s 27 year old console has now truly been bested.

Continue reading “Newest PlayStation Exploit Skips The Disc” →

PlayStation Unlocked With New Software Hack

March 15, 2021 by Tom Nardi 41 Comments

The original PlayStation might be pushing 30 years old now, but that doesn’t mean hackers have given up on chipping away at it. A new exploit released by [Marcos Del Sol Vives] allows users to run copied games on all but the earliest hardware revisions of this classic console, and all you need to trigger it is a copy of Tony Hawk’s Pro Skater 2.

Aptly named tonyhax, this exploit uses a classic buffer overflow found in the “Create Skater” mode in Tony Hawk 2, 3, and 4. When the game sees a custom character saved on the memory card it will automatically load the name field to show it on the screen, but it turns out the developers didn’t think to check the length of the name before loading it. Thanks to this oversight, a long and carefully crafted name can be used to load an executable payload into the console’s memory.

The name contains the memory address of the payload.

That payload could be anything, such as a homebrew game, but in this case [Marcos] went all in and developed a simple tool that unlocks the console’s optical drive so it will play games burned to CD-Rs. Once the tonyhax exploit has been loaded, you simply swap the authentic Tony Hawk disc for whatever burned title you want to play. So far every game tested has worked, even those that span across multiple discs.

[Marcos] is providing not only the save files ready to load on your PlayStation memory card (either through a PC tool, or with the help of a hacked PS2), as well as the complete source code for tonyhax. This opens the door to the exploit being used to load other tools, emulators, and indie games, but as the PlayStation homebrew scene is relatively limited when compared to newer consoles, the demand might be limited.

Compared to the traditional physical modifications used to play copied games on the PlayStation, this new software approach is far more accessible. Expect to see memory cards with this exploit preinstalled hit your favorite import site in the very near future.

Continue reading “PlayStation Unlocked With New Software Hack” →

Hackaday Links: October 18, 2020

October 18, 2020 by Dan Maloney 2 Comments

Remember subliminal advertising? The idea was that a movie theater operator would splice a single frame showing a bucket of hot buttered popcorn into a movie, which moviegoers would see and process on a subconcious level and rush to the concession stand to buy the tub o’ petrochemical-glazed starch they suddenly craved. It may or may not work on humans, but it appears to work on cars with advanced driver assistance, which can be spoofed by “phantom street signs” flashed on electronic billboards. Security researchers at Ben Gurion University stuck an image of a stop sign into a McDonald’s ad displayed on a large LCD screen by the side of the road. That was enough to convince a Tesla Model X to put on the brakes as it passed by the sign. The phantom images were on the screen anywhere from an eighth of a second to a quarter second, so these aren’t exactly subliminal messages, but it’s still an interesting attack that bears looking into. And while we’re skeptical about the whole subliminal advertising thing in the first place, for some reason we really want a bacon cheeseburger right now.

Score one for the good guys in the battle against patent trolls. Mycroft AI, makers of open-source voice assistants, proudly announced their latest victory against what they claim are patent trolls. This appears to be one of those deals where a bunch of investors get together and buy random patents, and then claim that a company that actually built something infringes on their intellectual property. Mycroft got a letter from one such entity and decided to fight it; they’ve won two battles so far against the alleged trolls and it looks pretty good going forward. They’re not pulling their punches, either, since Mycroft is planning to go after the other parties for legal expenses and punitive damages under the State of Missouri’s patent troll legislation. Here’s hoping this sends a message to IP squatters that it may not be worth the effort and that their time and money are better spent actually creating useful things.

Good news from Mars — The Mole is finally completely buried! We’ve been following the saga of the HP³, or “Heat Flow and Physical Properties Package” aboard NASA’s Mars InSight lander for quite a while. The self-drilling “Mole”, which is essentially the guts of an impact screwdriver inside a streamlined case, has been having trouble dealing with the Martian regolith, which is simultaneously too soft to offer the friction needed to keep the penetrator in its hole, but also too hard to pierce in places where there is a “duricrust” of chemically amalgamated material below the surface. It took a lot of delicate maneuvers with the lander’s robotic arm to get the Mole back on track, and it’s clearly not out of the woods yet — it needs to get down to three meters depth or so to do the full program of science it was designed for.

If watching Martian soil experiments proceed doesn’t scratch your itch for space science, why not try running your own radio astronomy experiments? Sure, you could build your own radio telescope to do that, but you don’t even have to go that far — just log into PICTOR, the free-to-use radio telescope. It’s a 3.2-m parabolic dish antenna located near Athens, Greece that’s geared toward hydrogen line measurements of the galaxy. You can set up an observation run and have the results mailed back to you for later analysis.

Here’s a fun, quick hack for anyone who hates the constant drone of white noise coming from fans. Build Comics apparently numbers themselves among that crowd, and decided to rig up a switch to turn on their fume extractor only when the soldering iron is removed from its holder. This hack was executed on a classic old Weller soldering station, but could easily be adapted to Hakko or other irons

And finally, if you’ve never listened to a Nobel laureate give a lecture, here’s your chance. Andrea Ghez, co-winner of the 2020 Nobel Prize in physics for her work on supermassive black holes, will be giving the annual Maria Goeppert Mayer lecture at the University of Chicago. She’ll be talking about exactly what she won the Nobel for: “The Monster at the Heart of Our Galaxy”, the supermassive black hole Sagittarius A*. We suspect the talk was booked before the Nobel announcement, so in normal times the room would likely be packed. But one advantage to the age of social distancing is that everything is online, so you can tune into a livestream of the lecture on October 22.