Possible Spyware On Samsung Phones

January 9, 2020 by Bryan Cockfield 118 Comments

[Editor’s note: There’s an ongoing back-and-forth about this “spyware” right now. We haven’t personally looked into it on any phones, and decoded Wireshark caps of what the cleaner software sends home seem to be lacking — it could be innocuous. We’re leaving our original text as-run below, but you might want to take this with a grain of salt until further evidence comes out. Or keep us all up to date in the comments. But be wary of jumping to quick conclusions.]

Samsung may have the highest-end options for hardware if you want an Android smartphone, but that hasn’t stopped them from making some questionable decisions on the software they sometimes load on it. Often these phones come with “default” apps that can’t be removed through ordinary means, or can’t even be disabled, and the latest discovery related to pre-loaded software on Samsung phones seems to be of a pretty major security vulnerability.

This software in question is a “storage cleaner” in the “Device Care” section of the phone, which is supposed to handle file optimization and deletion. This particular application is made by a Chinese company called Qihoo 360 and can’t be removed from the phone without using ADB or having root. The company is known for exceptionally bad practices concerning virus scanning, and the software has been accused of sending all information about files on the phone to servers in China, which could then turn all of the data it has over to the Chinese government. This was all discovered through the use of packet capture and osint, which are discussed in the post.

These revelations came about recently on Reddit from [kchaxcer] who made the original claims. It seems to be fairly legitimate at this point as well, and another user named [GeorgePB] was able to provide a temporary solution/workaround in the comments on the original post. It’s an interesting problem that probably shouldn’t exist on any phone, let alone a flagship phone competing with various iPhones, but it does highlight some security concerns we should all have with our daily use devices when we can’t control the software on the hardware that we supposedly own. There are some alternatives though if you are interested in open-source phones.

Thanks to [kickaxe] for the tip!

Photo from Pang Kakit [CC BY-SA 3.0 DE (https://creativecommons.org/licenses/by-sa/3.0/de/deed.en)]

Tales (and Advice) From Setting Up A Product Line

January 2, 2020 by Donald Papp 5 Comments

Making something that has to get into others’ hands involves solving a lot of different problems, many of which have nothing at all to do with actually building the dang things. [Conor Patrick] encountered them when he ran a successful Kickstarter campaign for an open-source USB security key that was not only shipped to backers, but also made available as an ongoing product for sale. There was a lot of manual and tedious work that could have been avoided, and so [Conor] laid out all the things he wishes he had done when first setting up a product line.

Turning these unprogrammed boards into finished products then shipping them is a big job.

If the whole process is a river, then the more “upstream” an issue is, the bigger its potential impact on everything that comes afterwards. One example is the product itself: the simplest and most easily managed product line is one that has only one product with no variations. That not only minimizes errors but makes supply, production, and shipping more straightforward. Striving for a minimum number of products and variations is also an example of something [Conor] didn’t do. In their crowdfunding campaign they offered the SoloKeys USB device — an implementation of the FIDO2 authentication token — as either USB-A or USB-C. There were also two types of key: NFC-capable (for tapping to a smartphone) and USB only. That is four products so far.

Offering keys in an unlocked state for those who want to tamper makes it eight different products. On top of that, they offered color choices which not only adds complexity to production, but also makes it harder to keep track of what everyone ordered. [Conor] also observed that the Kickstarter platform and back end are really not set up like a store, and it is clunky at best to try to offer (and manage) different products and variations from within it.

Another major point is fulfillment and in [Conor]’s opinion, unless the quantities are small, an order fulfillment company is worth partnering with. He says there are a lot of such companies out there, and it can be very time consuming to find the right one, but it will be nothing compared to the time and effort needed to handle, package, address, and ship several hundreds (or thousands!) of orders personally. His team did their own fulfillment for a total of over 2000 units, and found it a long and tedious process filled with hidden costs and challenges.

There’s good advice and background in [Conor]’s writeup, and this isn’t his first rodeo. He also shared his thoughts on taking electronics from design to production and the more general advice remains the same for it all: be honest and be open. Under-promise and over-deliver, especially when it comes to time estimates.

36C3: All Wireless Stacks Are Broken

December 30, 2019 by Elliot Williams 29 Comments

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it wouldn’t entirely surprise you that when [Jiska] gets into the Bluetooth stack, she’s able to DOS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack enabled by some work by one of her students [Jan Ruge] work on emulation, codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time, and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

Hackaday Links: December 29, 2019

December 29, 2019 by Dan Maloney 25 Comments

The retrocomputing crowd will go to great lengths to recreate the computers of yesteryear, and no matter which species of computer is being restored, getting it just right is a badge of honor in the community. The case and keyboard obviously playing a big part in that look, so when a crowdfunding campaign to create new keycaps for the C64 was announced, Commodore fans jumped to fund it. Sadly, more than four years later, the promised keycaps haven’t been delivered. One disappointed backer, Jim Drew, decided he was sick of waiting, so he delved into the world of keycaps injection molding and started his own competing campaign. Jim details his adventures in his ~~Kickstarter~~ Indiegogo campaign, which makes for good reading even if you’re not into Commodore refurbishment. Here’s hoping Jim has better luck than the competition did.

Looking for anonymity in our increasingly surveilled world? You’re not alone, and in fact, we predict facial recognition spoofing products and methods will be a growth industry in the new decade. Aside from the obvious – and often illegal – approach of wearing a mask that blocks most of the features machine learning algorithms use to quantify your face, one now has another option, in the form of a colorful pattern that makes you invisible to the YOLOv2 algorithm. The pattern, which looks like a soft-focus crowd scene rendered in Mardi Gras colors, won’t make the algorithm think you’re someone else, but it will prevent you from being classified as a person. It won’t work with any other AI algorithm, but it’s still an interesting phenomenon.

We saw a great hack come this week about using an RTL-SDR to track down a water leak. Clayton’s water bill suddenly skyrocketed, and he wanted to track down the source. Luckily, his water meter uses the encoder receive-transmit (ERT) protocol on the 900 MHz ISM band to report his usage, so he threw an SDR dongle and rtlamr at the problem. After logging his data, massaging it a bit with some Python code, and graphing water consumption over time, he found that water was being used even when nobody was home. That helped him find the culprit – leaky flap valves in the toilets resulting in a slow drip that ran up the bill. There were probably other ways to attack the problem, but we like this approach just fine.

Are your flex PCBs making you cry? Friend of Hackaday Drew Fustini sent us a tip on teardrop pads to reduce the mechanical stress on traces when the board flexes. The trouble is that KiCad can’t natively create teardrop pads. Thankfully an action plugin makes teardrops a snap. Drew goes into a bit of detail on how the plugin works and shows the results of some test PCBs he made with them. It’s a nice trick to keep in mind for your flexible design work.

2019: As The Hardware World Turns

December 27, 2019 by Tom Nardi 31 Comments

Well, this is it. The end of the decade. In a few days the 2010s will be behind us, and a lot of very smug people will start making jokes on social media about how we’re back in the “Roaring 20s” again. Only this time around there’s a lot more plastic, and drastically less bathtub gin. It’s still unclear as to how much jazz will be involved.

Around this time we always say the same thing, but once again it bears repeating: it’s been a fantastic year for Hackaday. Of course, we had our usual honor of featuring literally thousands of incredible creations from the hacking and making community. But beyond that, we also bore witness to some fascinating tech trends, moments that could legitimately be called historic, and a fair number of blunders which won’t soon be forgotten. In fact, this year we’ve covered a wider breadth of topics than ever before, and judging by the record setting numbers we’ve seen in response, it seems you’ve been just as excited to read it as we were to write it.

To close out the year, let’s take a look at a few of the most popular and interesting stories of 2019. It’s been a wild ride, and we can’t wait to do it all over again in 2020.

Continue reading “2019: As The Hardware World Turns” →

Amazon Ring: Neighbors Leaking Data On Neighbors

December 21, 2019 by Jenny List 31 Comments

For a while now a series of stories have been circulating about Amazon’s Ring doorbell, an Internet-connected camera and entry system that lets users monitor and even interact with visitors and delivery people at their doors. The adverts feature improbable encounters with would-be crooks foiled by the IoT-equipped homeowner, but the stories reveal a much darker side. From reports of unhindered access by law enforcement to privately-held devices through mass releases of compromised Ring account details to attackers gaining access to children via compromised cameras, it’s fair to say that there’s much to be concerned about.

One cause for concern has been the location data exposed by the associated Amazon Neighbors crowd-sourced local crime paranoia app, and for those of us who don’t live and breathe information security there is an easy-to-understand Twitter breakdown of its vulnerabilities from [Elliot Alderson] that starts with the app itself and proceeds from there into compromising Ring accounts by finding their passwords. We find that supposedly anonymized information in the app sits atop an API response with full details, that there’s no defense against brute-forcing a Ring password, and that a tasty list of API and staging URLs is there for all to see embedded within the app. Given all that information, there’s little wonder that the system has proven to be so vulnerable.

As traditional appliance makers have struggled with bringing Internet connectivity into their products there have been a few stories of woeful security baked into millions of homes. A defense could be made that a company with roots outside the Internet can be forgiven for such a gaffe, but in the case of Amazon whose history has followed that of mass Web adoption and whose infrastructure lies behind so much of the services we trust, this level of lax security is unforgivable. Hackaday readers will be aware of the security issues behind so-called “smart” devices, but to the vast majority of customers they are simply technological wonders that are finally delivering a Jetsons-style future. If some good comes of these Ring stories it might be that those consumers finally begin to wake up to IoT security, and use their new-found knowledge to demand better.

Header image: Ring [CC BY-SA 4.0]

Kerry Scharfglass Secures Your IoT Things

December 20, 2019 by Elliot Williams 6 Comments

We’ve all seen the IoT device security trainwrecks: those gadgets that fail so spectacularly that the comment section lights up with calls of “were they even thinking about the most basic security?” No, they probably weren’t. Are you?

Hackaday Contributor and all around good guy Kerry Scharfglass thinks about basic security for a living, and his talk is pitched at the newcomer to device security. (Embedded below.) Of course “security” isn’t a one-size-fits-all proposition; you need to think about what threats you’re worried about, which you can ignore, and defend against what matters. But if you’ve never worked through such an exercise, you’re in for a treat here. You need to think like a maker, think like a breaker, and surprisingly, think like an accountant in defining what constitutes acceptable risks. Continue reading “Kerry Scharfglass Secures Your IoT Things” →