If you need to make sure your computer isn’t being messed with, you’ll have a look at the log files. If something seems fishy, that’s grounds for further investigation. If you run a large network of computers, you’ll probably want to look over all of the logs, but you won’t want to run around to each computer individually. Setting up a central server to analyze the logs exposes an additional attack surface: the logs in transit. How do you make sure that the attackers aren’t also intercepting and sanitizing your log file reports?
The answer to this question, and nearly everything else, is blockchain! Or maybe it’s not, but in this short presentation from the 2019 Hackaday Superconference, Shanni Prutchi, Jeff Wood, and six other college students intend to find out. While Shanni “rolls her eyes” at much of blockchain technology along with the rest of us, you have to admit one thing: recursively hashing your log data to make sure they’re not tampered with doesn’t sound like such a bad idea. Continue reading “Bringing The Blockchain To Network Monitoring”→
In our community it is common for ancient laptops to be used way beyond their usual service life, held together by stickers and lovingly upgraded to their maximum capabilities. We hope it’s unusual for such a venerable machine to be stolen, but it seems that grab-and-run thefts are very much a thing for owners of much shinier hardware. [Michael Altfield] has a solution to this problem, in the form of a kill cord that when broken by the crook making off with the loot, triggers a set of scripts that can wipe the device or otherwise make it useless.
Hardware-wise it’s simple enough, a USB magnetic breakaway adapter and a USB extension cable to a drive clipped to the laptop owner’s belt. On the software side it’s as straightforward as a udev rule to launch the disaster script of your choice. Perhaps you could link it to something like a glitter bomb and fart spray. But we can’t help worrying that it might be too easy to get up and accidentally detach yourself from the laptop, making it deploy whatever anti-theft measure you’d installed in error. If this goes some way to reducing theft though, it has to be worth a second look.
Home automation is a popular project to undertake but its complexity can quickly become daunting, especially if you go further than controlling a few lights (or if you’re a renter). To test the waters you may want to start with something like this home safety monitor, which is an IoT device based on an Arduino. It allows remote monitoring of a home for things such as temperature, toxic gasses, light, and other variables, which is valuable even if you don’t need or want to control anything.
The device is built around an Arduino Nano 33 IOT which has WiFi and Bluetooth capabilities as well as some integrated security features. This build features a number of sensors including pressure/humidity, a gas/smoke detector, and a light sensor. To report all of the information it gathers around the home, an interface with Ubidots is configured to allow easy (and secure) access to the data gathered by the device.
The PCB and code for the project are all provided on the project page, and there are a number of other options available if Ubidots isn’t your preferred method of interfacing with the Internet of Things. You might even give Mozilla’s WebThings a shot if you’re so inclined.
All computers are vulnerable to attacks by viruses or black hats, but there are lots of steps that can be taken to reduce risk. At the extreme end of the spectrum is having an “air-gapped” computer that doesn’t connect to a network at all, but this isn’t a guarantee that it won’t get attacked. Even transferring files to the computer with a USB drive can be risky under certain circumstances, but thanks to some LED lights that [Robert Fisk] has on his drive, this attack vector can at least be monitored.
Using a USB drive with a single LED that illuminates during a read OR write operation is fairly common, but since it’s possible to transfer malware unknowingly via USB drives, one that has a separate LED specifically for writing operations will help alert a user to any write operations that might be trying to fly under the radar. A recent article by [Bruce Schneier] pointed out this flaw in USB drives, and [Robert] was up to the challenge. His build returns more control to the user by showing them when their drive is accessed and in what way, which can also be used to discover unique quirks of one’s chosen operating system.
[Robert] is pretty familiar with USB drives and their ups and downs as well. A few years ago he built a USB firewall that was able to decrease the likelihood of BadUSB-type attacks. Be careful going down the rabbit hole of device security, though, or you will start seeing potential attacks hidden almost everywhere.
[Editor’s note: There’s an ongoing back-and-forth about this “spyware” right now. We haven’t personally looked into it on any phones, and decoded Wireshark caps of what the cleaner software sends home seem to be lacking — it could be innocuous. We’re leaving our original text as-run below, but you might want to take this with a grain of salt until further evidence comes out. Or keep us all up to date in the comments. But be wary of jumping to quick conclusions.]
Samsung may have the highest-end options for hardware if you want an Android smartphone, but that hasn’t stopped them from making some questionable decisions on the software they sometimes load on it. Often these phones come with “default” apps that can’t be removed through ordinary means, or can’t even be disabled, and the latest discovery related to pre-loaded software on Samsung phones seems to be of a pretty major security vulnerability.
This software in question is a “storage cleaner” in the “Device Care” section of the phone, which is supposed to handle file optimization and deletion. This particular application is made by a Chinese company called Qihoo 360 and can’t be removed from the phone without using ADB or having root. The company is known for exceptionally bad practices concerning virus scanning, and the software has been accused of sending all information about files on the phone to servers in China, which could then turn all of the data it has over to the Chinese government. This was all discovered through the use of packet capture and osint, which are discussed in the post.
These revelations came about recently on Reddit from [kchaxcer] who made the original claims. It seems to be fairly legitimate at this point as well, and another user named [GeorgePB] was able to provide a temporary solution/workaround in the comments on the original post. It’s an interesting problem that probably shouldn’t exist on any phone, let alone a flagship phone competing with various iPhones, but it does highlight some security concerns we should all have with our daily use devices when we can’t control the software on the hardware that we supposedly own. There are some alternatives though if you are interested in open-source phones.
Making something that has to get into others’ hands involves solving a lot of different problems, many of which have nothing at all to do with actually building the dang things. [Conor Patrick] encountered them when he ran a successful Kickstarter campaign for an open-source USB security key that was not only shipped to backers, but also made available as an ongoing product for sale. There was a lot of manual and tedious work that could have been avoided, and so [Conor] laid out all the things he wishes he had done when first setting up a product line.
Turning these unprogrammed boards into finished products then shipping them is a big job.
If the whole process is a river, then the more “upstream” an issue is, the bigger its potential impact on everything that comes afterwards. One example is the product itself: the simplest and most easily managed product line is one that has only one product with no variations. That not only minimizes errors but makes supply, production, and shipping more straightforward. Striving for a minimum number of products and variations is also an example of something [Conor] didn’t do. In their crowdfunding campaign they offered the SoloKeys USB device — an implementation of the FIDO2 authentication token — as either USB-A or USB-C. There were also two types of key: NFC-capable (for tapping to a smartphone) and USB only. That is four products so far.
Offering keys in an unlocked state for those who want to tamper makes it eight different products. On top of that, they offered color choices which not only adds complexity to production, but also makes it harder to keep track of what everyone ordered. [Conor] also observed that the Kickstarter platform and back end are really not set up like a store, and it is clunky at best to try to offer (and manage) different products and variations from within it.
Another major point is fulfillment and in [Conor]’s opinion, unless the quantities are small, an order fulfillment company is worth partnering with. He says there are a lot of such companies out there, and it can be very time consuming to find the right one, but it will be nothing compared to the time and effort needed to handle, package, address, and ship several hundreds (or thousands!) of orders personally. His team did their own fulfillment for a total of over 2000 units, and found it a long and tedious process filled with hidden costs and challenges.
There’s good advice and background in [Conor]’s writeup, and this isn’t his first rodeo. He also shared his thoughts on taking electronics from design to production and the more general advice remains the same for it all: be honest and be open. Under-promise and over-deliver, especially when it comes to time estimates.
Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on the last year.
One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it wouldn’t entirely surprise you that when [Jiska] gets into the Bluetooth stack, she’s able to DOS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.
Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack enabled by some work by one of her students [Jan Ruge] work on emulation, codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time, and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.
[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.
