Careful Drilling Keeps Stadia From Listening In

Google’s fledgling Stadia service leverages the Chrome ecosystem to deliver streamed PC games on mobile devices, web browsers, and TVs. While not strictly required, the company even offers a dedicated Stadia controller that connects directly to the streaming servers over its own WiFi connection to reduce overall system latency. Of course, being a Google product, the controller has a tiny microphone that’s always listening in for interacting with the voice assistant.

[Heikki Juva] didn’t like the privacy implications of this, but unfortunately, there appears to be no way to turn off this “feature” in software. He decided the most expedient solution would be to simply remove the microphone from the controller, but it turns out there was a problem. By researching previous teardowns, he found out that it’s nearly impossible to take the controller apart without damaging it.

Getting close to the target.

So [Heikki] came up with a bold idea. Knowing roughly the position of the microphone, he would simply drill through the controller’s case to expose and ultimately remove the device. The operation was complicated by the fact that, from the teardown video he saw, he knew he’d also have to drill through the PCB to get to the microphone mounted to the opposite side. The only bright spot was that the microphone was on its own separate PCB, so physically destroying it probably wouldn’t take the whole controller out with it.

Now we don’t have to explain why drilling into a gadget powered by an internal lithium-ion battery is dangerous, and we’re not necessarily vouching for the technique [Heikki] used here. But when presented with a sealed unit like this, we admit there weren’t a lot of good options. The fact that the user should have to go to such ridiculous lengths to disable the microphone in a game controller is a perfect example of why we should try to avoid these adversarially designed devices, but that’s a discussion for another time.

In the end, with a steady hand and increasingly larger bits, [Heikki] was able to put a 7 mm hole in the back of the Stadia controller that allowed him to extract the microphone in one piece. Removing the microphone seems to have had no adverse effect on the device as, surprisingly enough, it turns out that a game controller doesn’t actually need to listen to the player. Who knew?

As our devices get smarter, hidden microphones and cameras are unfortunately becoming more common. Thankfully a few manufacturers out there are taking the hint and including hardware kill switches for these intrusive features, but until that becomes the norm, hackers will have to come up with their own solutions.

Update 1/10/21: This article originally indicated that the microphone is always listening. While there is no hardware switch to disable the mic, there is a button which must be pressed to trigger the voice assistant functions. We have used strike through above to indicate the change to what was originally published.



Hackaday Links: January 3, 2021

Last week we featured a story on the new rules regarding drone identification going into effect in the US. If you missed the article, the short story is that almost all unmanned aircraft will soon need to transmit their position, altitude, speed, and serial number, as well as the position of their operator, likely via WiFi or Bluetooth. The FAA’s rule change isn’t sitting well with Wing, the drone-based delivery subsidiary of megacorporation Alphabet. In their view, local broadcast of flight particulars would be an invasion of privacy, since observers snooping in on Remote ID traffic could, say, infer that a drone going between a pharmacy and a neighbor’s home might mean that someone is sick. They have a point, but how a Google company managed to cut through the thick clouds of irony to complain about privacy concerns and the rise of the surveillance state is mind boggling.

Speaking of regulatory burdens, it appears that getting an amateur radio license is no longer quite the deal that it once was. The Federal Communications Commission has adopted a $35 fee for new amateur radio licenses, license renewals, and changes to existing licenses, like vanity call signs. While $35 isn’t cheap, it’s not the end of the world, and it’s better than the $50 fee that the FCC was originally proposing. Still, it seems a bit steep for something that’s largely automated. In any case, it looks like we’re still good to go with our “$50 Ham” series.

Staying on the topic of amateur radio for a minute, it looks like there will be a new digital mode to explore soon. The change will come when version 2.4.0 of WSJT-X, the program that forms the heart of digital modes like WSPR and FT8, is released. The newcomer is called Q65, and it’s basically a follow-on to the current QRA64 weak-signal mode. Q65 is optimized for weak, rapidly fading signals in the VHF bands and higher, so it’s likely to prove popular with Earth-Moon-Earth fans and those who like to do things like bounce their signals off of meteor trails. We’d think Q65 should enable airliner-bounce too. We’ll be keen to give it a try whenever it comes out.

Look, we know it’s hard to get used to writing the correct year once a new one rolls around, and that time has taken on a relative feeling in these pandemic times. But we’re pretty sure it isn’t April yet, which is the most reasonable explanation for an ad purporting the unholy coupling of a gaming PC and mass-market fried foods. We strongly suspect this is just a marketing stunt between Cooler Master and Yum! Brands, but taken at face value, the KFConsole — it’s not a gaming console, it’s at best a pre-built gaming PC — is supposed to use excess heat to keep your DoorDashed order of KFC warm while you play. In a year full of incredibly stupid things, this one is clearly in the top five.

And finally, it looks like we can all breathe a sigh of relief that our airline pilots, or at least a subset of them, aren’t seeing things. There has been a steady stream of reports from pilots flying in and out of Los Angeles lately of a person in a jetpack buzzing around. Well, someone finally captured video of the daredevil, and even though it’s shaky and unclear — as are seemingly all videos of cryptids — it sure seems to be a human-sized biped flying around in a standing position. The video description says this was shot by a flight instructor at 3,000 feet (914 meters) near Palos Verdes with Catalina Island in the background. That’s about 20 miles (32 km) from the mainland, so whatever this person is flying has amazing range. And, the pilot has incredible faith in the equipment — that’s a long way to fall in something with the same glide ratio as a brick.


Hackaday Links: December 20, 2020

If development platforms were people, Google would be one of the most prolific serial killers in history. Android Things, Google’s attempt at an OS for IoT devices, will officially start shutting down on January 5, 2021, and the plug will be pulled for good a year later. Android Things, which was basically a stripped-down version of the popular phone operating system, had promise, especially considering that Google was pitching it as a secure alternative in the IoT space, where security is often an afterthought. We haven’t exactly seen a lot of projects using Android Things, so the loss is probably not huge, but the list of projects snuffed by Google and the number of developers and users left high and dry by these changes continues to grow.

Google Meddling With URLs In Emails, Causing Security Concerns

Despite the popularity of social media, for communication that actually matters, e-mail reigns supreme. Crucial to the smooth operation of businesses worldwide, it’s prized for its reliability. Google is one of the world’s largest e-mail providers, both with its consumer-targeted Gmail product as well as G Suite for business customers. [Jeffrey Paul] is a user of the latter, and was surprised to find that URLs in incoming emails were being modified by the service when fetched via the Internet Message Access Protocol (IMAP) used by external email readers.

This change appears to make it impossible for IMAP users to see the original email without logging into the web interface, it breaks verification of the cryptographic signatures, and it came as a surprise.

Security Matters

A test email sent to verify the edits made by Google’s servers. Top, the original email, bottom, what was received.

For a subset of users, it appears Google is modifying URLs in the body of emails to instead go through their own link-checking and redirect service. This involves actually editing the body of the email before it reaches the user. This means that even those using external clients to fetch email over IMAP are affected, with no way to access the original raw email they were sent.

The security implications are serious enough that many doubted the initial story, suspecting that the editing was only happening within the Gmail app or through the web client. However, a source claiming to work for Google confirmed that the new feature is being rolled out to G Suite customers, and can be switched off if so desired. Reaching out to Google for comment, we were directed to their help page on the topic.

The stated aim is to prevent phishing, with Google’s redirect service including a link checker to warn users who are traveling to potentially dangerous sites. For many though, this explanation doesn’t pass muster. Forcing users to head to a Google server to view the original URL they were sent is to many an egregious breach of privacy, and a security concern to boot. It allows the search giant to further extend its tendrils of click tracking into even private email conversations. For some, the implications are worse. Cryptographically signed messages, such as those using PGP or GPG, are broken by the tool; as the content of the email body is modified in the process, the message no longer checks out with respect to the original signature. Of course, this is the value of signing your messages — it becomes much easier to detect such alterations between what was sent and what was received.
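The check implied above, comparing what was sent with what arrived, as an added example that is not part of the original article. The redirect host and its `q` parameter are hypothetical stand-ins for the rewriting service, both message bodies are constructed, and a plain SHA-256 over the body stands in for the hash a PGP signature would cover.

```python
from __future__ import annotations
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample bodies. The redirect host and its "q" parameter are
# hypothetical stand-ins, not the real service's URL format.
SENT = ("Hi,\nThe report is at https://intranet.example.org/q3/report?id=7 and\n"
        "the docs are at https://docs.example.org/start.\n")
RECEIVED = ("Hi,\nThe report is at https://redirect.example.net/url?q="
            "https%3A%2F%2Fintranet.example.org%2Fq3%2Freport%3Fid%3D7&sig=abc and\n"
            "the docs are at https://docs.example.org/start.\n")

def urls(text: str) -> list[str]:
    """Extract http(s) URLs, dropping sentence punctuation stuck to the end."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]

def body_digest(body: str) -> str:
    """SHA-256 of the CRLF-normalised body (stand-in for what a signature hashes)."""
    canon = "\r\n".join(body.splitlines()) + "\r\n"
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def find_rewrites(sent: str, received: str) -> list[dict]:
    """Report every received URL that was not in the message as sent."""
    originals = set(urls(sent))
    findings = []
    for url in urls(received):
        if url in originals:
            continue  # delivered untouched
        parts = urlsplit(url)
        # Assumption: the wrapper carries the real destination percent-encoded
        # in its query string; parse_qsl decodes it for comparison.
        target = next((v for _, v in parse_qsl(parts.query) if v in originals), None)
        findings.append({"received": url, "original": target, "via": parts.hostname})
    return findings

def audit(sent: str, received: str) -> dict:
    """Compare the sender's copy of a body with the copy fetched over IMAP."""
    return {"body_intact": body_digest(sent) == body_digest(received),
            "rewrites": find_rewrites(sent, received)}

if __name__ == "__main__":
    for finding in audit(SENT, RECEIVED)["rewrites"]:
        print(finding)
```

A finding whose `original` is `None` means a link changed in transit without the sent URL being recoverable from the new one, which deserves a closer look than a plain wrapper.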

Inadequate Disclosure

Understandably, many were up in arms that the company would implement such a measure with no consultation or warning ahead of time. The content of an email is sacrosanct, in many respects, and tampering with it in any form will always be condemned by the security conscious. If the feature is a choice for the user, and can be turned off at will, then it’s a useful tool for those that want it. But this discovery was a surprise to many, making it hard to believe it was adequately disclosed before roll-out. The question unfolded in the FAQ screenshot above hints at this being part of Google’s A/B test and not applied to all accounts. Features being tested on your email account should be disclosed, yet they are not.

Protecting innocent users against phishing attacks is a laudable aim, and we can imagine many business owners enabling such a feature to avoid phishing attacks. It’s another case where privacy is willingly traded for the idea of security. While the uproar is limited due to the specific nature of the implementation thus far, we would expect further desertion of Google’s email services by the tech savvy if such practices were to spread to the mainstream Gmail product. Regardless of what happens next, it’s important to remember that the email you read may not be the one you were sent, and act accordingly.

Update 30/10/2020: It has since come to light that for G Suite users with Advanced Protection enabled, it may not be possible to disable this feature at all. 

Should You Build For Windows, Mac, IOS, Android, Or Linux? Yes!

The holy grail of computer languages is to write code once and have it deploy effortlessly everywhere. Java likes to take credit for the idea, but UCSD P-Code was way before that and you could argue that mainframes had I/O abstraction like Fortran unit numbers even earlier. More modern efforts include Qt, GTK, and other things. Naturally, all of these fall short in some way. Now Google enters the fray with Flutter.

Flutter isn’t new, but in the past, it only handled Android and iOS. Now it can target desktop platforms and can even produce JavaScript. We haven’t played with the system enough to say how successful it is, but you can try it in your browser if you want some first-hand experience.


Google Turns Android Up To 11 With Latest Update

Just going by the numbers, it’s a pretty safe bet that most Hackaday readers own an Android device. Even if Google’s mobile operating system isn’t running on your primary smartphone, there’s a good chance it’s on your tablet, e-reader, smart TV, car radio, or maybe even your fridge. Android is everywhere, and while the development of this Linux-based OS has been rocky at times, the general consensus is that it seems to have been moving in the right direction over the last few years. Assuming your devices actually get the latest and greatest update, anyway.

So it’s not much of a surprise that Android 11, which was officially released yesterday, isn’t a huge update. There are no fundamental changes in the core OS, because frankly, there’s really not a whole lot that really needs changing. Android has become mature enough that from here on out we’re likely to just see bug fixes and little quality of life improvements. Eventually Google will upset the apple cart (no pun intended) with a completely new mobile OS, but we’re not there yet.

Of course, that’s not to say there aren’t some interesting changes in Android 11. Or more specifically, changes that may actually be of interest to the average Hackaday reader. Let’s take a look at a handful of changes and tweaks worth noting for the more technical crowd.


This Week In Security: XCode Infections, Freepik, And Crypto Fails

There is a scenario that keeps security gurus up at night: Malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.

WordPress Plugins

WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third-party WordPress plugin with an estimated 100,000 installations. The problem is that this plugin requires user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.

The issue has been fixed in 6.6.2 of the plugin, so if you happen to run the Advanced Access Manager plugin, make sure to get it updated. Beyond that, maybe it’s time to do an audit on your WordPress site. Uninstall unused plugins, and make sure the rest are up to date, along with the WordPress installation itself.