What do potato chips and lost car keys have in common? On the surface, it would seem not much, unless you somehow managed to lose your keys in a bag of chips, which would be embarrassing enough that you’d likely never speak of it. But there is a surprising link between the two, and Samy Kamkar makes the association in his newly published 2019 Superconference talk, which he called “FPGA Glitching and Side-Channel Attacks.”
The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.
So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.
But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.
We’re going to warn you right up front that this is not a hack. Or at least that’s how it turned out after [LiveOverflow] did some digital forensics on a mysterious device found lurking in a college library. The path he took to come to the conclusion that nothing untoward was going on was interesting and informative, though, as is the ultimate purpose of the unknown artifacts.
As [LiveOverflow] tells us in the video below, he came upon a Reddit thread – of which we can now find no trace – describing a bunch of odd-looking devices stashed behind garbage cans, vending machines, and desks in a college library. [LiveOverflow] recognized the posted pictures as Raspberry Pi Zeroes with USB WiFi dongles attached; curiosity piqued, he reached out to the OP and offered to help solve the mystery.
The video below tells the tale of the forensic fun that ensued, including some questionable practices like sticking the device’s SD card into the finder’s PC. What looked very “hackerish” to the finder turned out to be quite innocuous after [LiveOverflow] went down a remote-diagnosis rabbit hole to discern the purpose of these devices. We won’t spoil the reveal, but suffice it to say they’re part of a pretty clever system with an entirely non-nefarious purpose.
We thought this was a fun infosec romp, and instructive on a couple of levels, not least of which is keeping in mind how “civilians” might see gear like this in the wild. Hardware and software that we deal with every day might look threatening to the general public. Maybe the university should spring for some labels describing the gear next time.
There have been many news stories lately about companies misusing your data, including your e-mails. What’s more, these giant repositories of data are favorite targets for hackers. Even if you trust the big corporations, you are also betting on their security. Criptext claims they have (possibly) the most private e-mail service ever. It uses the open Signal protocol and stores private keys and encrypted mail only on your device. All the applications to access your mail are open source, so presumably, someone would eventually spot any backdoors or open holes.
At the moment the service is free and the company reports that even when a paid offering is ready, there will still be a free tier. Of course, you can send and receive normal e-mail, too. You can also use a passphrase you send to someone else (presumably not by e-mail) so they can read an encrypted message.
Saturday’s talk schedule at the HOPE conference was centered around one thing: the on-stage interview with Chelsea Manning. Not only was a two-hour session blocked out (almost every other talk has been one hour) but all three stages were reserved with live telecast between the three rooms.
I was lucky enough to get a seat very close to the stage in the main hall. The room was packed front to back. Even the standing room — mapped out on the carpet in tape and closely policed by conference “fire marshals” — was packed with people standing shoulder to shoulder. The audience was alive with energy, and I think everyone lucky enough to be here today shares my feeling that moments like these tie our community together and help us all focus on what is important in life, as individuals and as a society.
Chelsea was very recently released from prison. So recently, that the last time this conference was held back in 2016, she and her close circle of friends were under the impression that she was very far from the end of her sentence. One such friend, Yan Zhu, joined Chelsea on stage in a comfortable armchair-setting to guide the interview.
Chelsea Manning was sentenced to serve 35 years in Leavenworth maximum-security prison, having been convicted in 2013 of violating the Espionage Act. This talk (and the article I’m writing now) was not about the events leading up to that conviction, but rather about Chelsea’s life since being released, with a bit of background on the experience of being incarcerated. Her early release came as the result of a commutation of sentence by President Barack Obama that returned her freedom just over one year ago.
Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.
Understandably, the computer security crowd on Twitter had a great laugh. You shouldn’t plug random USB devices into a computer, especially if you’re a journalist, especially if you’re in a foreign country, and especially if you’re reporting on the highest profile international summit in recent memory. Doing so is just foolhardy.
This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This a story of the need for higher awareness on what we plug into our computers. In this case nothing came of it — the majority of USB devices are merely that and nothing more. One of the fans was recently torn down (PDF) and the data lines are not even connected. (I’ll dive into that later on in this article). But the anecdote provides an opportunity to talk about USB security and how the compulsion to plug every USB device into a computer should be interrupted by a few seconds of thoughtfulness first.
This year’s LayerOne conference is May 25-27 in Los Angeles and Hackaday will be there! Hurry and get your ticket now as today is the last day for pre-registration.
As the InfoSec community takes over the Pasadena Hilton next weekend you’ll wish you had a week instead of just three days to take part in all that is offered. There are organized talks and workshops on pen testing, being the bad guy, and DevOps Security. Learn or improve on your lockpicking skills in the Lockpicking Village. The conference hardware badge will be hacking in every direction in the Hardware Village, and new this year is an Internet of Things Village.
If you ask us, the L1 Demo Party is where it’s at. We love seeing what kind of audio and video demos can be squeezed out of a microcontroller board. If you want one of your own, LayerOne is selling the L1 Demoscene Board on Tindie, and you can dig into the hardware on the Hackaday.io page. Take a look back at the results of the 2015 Demo Party for some of the highlights.
This con has an incredible community supporting it, many of the people you’ll meet have been at every LayerOne since it started back in 2004. Supplyframe, Hackaday’s parent company, has been a sponsor since 2015 and is once again proud to support the event and sponsor the hardware badge. Members of the Hackaday and Tindie crew will be on site so come say hello and don’t be afraid to bring a hack to show off!