Stranded Motorist Effects Own Rescue Using A Drone And A Cell Phone

If you’re looking for a good excuse to finally buy a drone, you probably can’t do better than claiming it can save your life.

Granted, you may never find yourself in the position of being stuck in a raging snowstorm in the middle of the Oregon wilderness, but if you do, this is a good one to keep in mind. According to news stories and the Lane County Sheriff Search and Rescue Facebook page, an unnamed motorist who was trying to negotiate an unmaintained road through the remote Willamette National Forest got stuck in the snow. This put him in a bad situation, because not only was he out of cell range, but nobody knew where he was or even that he was traveling, so he wouldn’t be missed for days.

Thankfully, the unlucky motorist played all his cards right. Rather than wandering off on foot in search of help, he stayed with his vehicle, which provided shelter from the elements. Conveniently, he also happened to have a drone along with him, which provided him with an opportunity to get some help. After typing a detailed text message to a friend describing his situation and exact location, he attached the phone to his drone and sent it straight up a couple of hundred feet — enough to get a line-of-sight connection to a cell tower. Note that the image above is a reenactment by the Search and Rescue team; it’s not clear how the resourceful motorist rigged up the drone, but we’re going to guess duct tape was involved.

When he brought the drone back down a few minutes later, he found that the queued text had been sent, and the cavalry was on the way. The Search and Rescue unit was able to locate him, and as a bonus, also found someone else nearby who had been stranded for days. So it was a win all around thanks to some clever thinking and a little technology.

The New-Phone Blues: A Reminder That Hackers Shouldn’t Settle

For all the convenience and indispensability of having access to the sum total of human knowledge in the palm of your hand, the actual process of acquiring and configuring a smartphone can be an incredibly frustrating experience. Standing in those endless queues at the cell phone store, jumping through the administrative hoops, and staring in sticker shock at a device that’s going to end its life dunked in a toilet all contribute to the frustration.

But for my money, the real trouble starts once you get past all that stuff and start trying to set up the new phone just right. Sure, most phone manufacturers make it fairly easy to clone your old phone onto the new one, but there are always hiccups. And for something that gets as tightly integrated into the workflows of your daily life as cell phones do, that can be a real bummer. Especially when you find out that your shiny new phone can’t do something you absolutely depend on.


Inspecting a SIM card via MTM

Diving The Depths Of Ma Bell

The modern smartphone is a marvel of sensors, radios, inputs, outputs, and processing power. In particular, some of those radios, such as WiFi and cellular, have grown fiendishly complex over the years, even as that complexity is compressed down for the user into the one-dimensional space of the signal strength bars at the top of your phone. So when [David Burgess] was asked to look at some cellphone records of text messages and figure out where some of the more mysterious messages were coming from, it led him down a rabbit hole into the dark arts behind the glowing phone screen.

The number in question was 1111340002, sent by a phone connected to AT&T at the time, and was crucial for a legal case around distracted driving. [David’s] tools in his investigation were YateBTS (a cellular network simulator), SimTrace2 (pictured above), and old reliable Wireshark. Since the number isn’t a specific phone number and is not reachable from the public phone network, it must be a unique number inside AT&T processed by one particular AT&T SMSC (Short Message Service Center). The SMSC in question is in Atlanta and isn’t a typical texting center, so it must have some particular purpose. The message’s payload is raw binary rather than text, and [David] has done a pretty good job of decoding the majority of the format.

The most exciting revelation in this journey is that the phone (in the traditional sense) does not send this message. The processor on the phone does not know this message and executes no code to send it. Instead, the SIM card itself sends it. The SIM card is connected directly to the baseband processor on the phone, and the baseband polls the SIM every so often, asking for any commands. One of those commands is an SMS (though many other commands have worrying consequences).

The SMS that [David] was chasing is triggered whenever a SIM detects a new IMEI, and the message lets the network know about the previous and current IMEI. However, in the case of this message, it was unlikely that the SIM changed phones, so what happened? After some additional lab work and the deposition of an AT&T employee, [David] showed that a baseband firmware update would also trigger this SMS.

It’s a fascinating journey into the fragmented world of a smartphone’s minds and [David] does a fantastic job on the writeup. If you’re interested in sniffing wireless accessories, you will enjoy this soundbar’s wireless protocol laid bare.

This Week In Security: XcodeSpy, Insecure SMS, And Partial Redactions

There seems to be a new trend in malware, targeting developers and their development and build processes. The appeal is obvious: rather than working to build and market a malicious application, an attacker just needs to infect a development machine. The hapless infected developers can now do the hard work to spread the malicious payload.

The newest example is XcodeSpy, discovered by a researcher who chose to remain anonymous. It works by using the Xcode IDE’s Run Script function to, well, run a script that completely backdoors your computer. The instance was found in a repackaged open source project, TabBarInteraction, but they’re just innocent victims. It was simple enough for someone to insert a script in the build process, and distribute the new, doped package. It’s probably not the only one out there, so watch out for Run Scripts with obfuscated payloads.


Laundry Monitor Won’t Generate Static With Roommates

Laundry. It’s one of life’s inescapable cycles, but at least we have machines now. The downside of this innovation is that since we no longer monitor every step — the rock-beating, the river-rinsing, the line-hanging and -retrieving — the pain of laundry has evolved into the monotony of monitoring the robots’ work.

[Adam] shares his wash-bots with roommates, and they aren’t close enough to combine their lights and darks and turn it into a group activity. They needed an easy way to tell when the machines are done running, and whose stuff is even in there in the first place, so [Adam] built a laundry machine monitor that uses current sensing to detect when the machines are done running and sends a text to the appropriate person.

Each machine has a little Hall effect-sensing module that’s carefully zip-tied around its power cable. The signal from these three-wire boards goes high when the machine is running and low when it’s not. At the beginning of the load, the launderer simply presses their assigned button on the control box, and the ESP32 inside takes care of the rest.

Getting a text when your drawers are clean is about as private as it gets. Clean underwear, don’t care? Put it on a scrolling marquee.

GSM Module Does More Than Advertised

For many projects, a WiFi connection is overkill, too complicated, or too far away to work properly. Even though it’s relatively ubiquitous, sometimes the best choice for getting data to or from the real world is a connection to the cellular network, which can be done with the M590 module for about a dollar each. For that price, lots of people have had the opportunity to explore the module itself, and [marcrbarker] shows some of the extra, unadvertised, features it has.

Acting as a GSM module that can send and receive SMS messages is just the tip of the iceberg for this tiny device, which we saw once before in a DIY GPS tracker. With a USB TTL serial data module, a lot more is on the table, including answering voice calls and responding with DTMF tones, operating as a dial-up modem, connecting with TCP, and even some FTP capabilities. [marcrbarker] also suggests that it could do “call pranking” where it can send signals without being charged for a call.

There are a lot of details on the project site about all of this newfound functionality, and it reminds us of a time when it was discovered that not only was the ESP8266 a cheap WiFi module, but it could also run custom programs on its own. While the M590 probably can’t do all of that, it does seem to have a lot more locked away than most of us had thought before.

This Week In Security: ToTok, Edgium, Chrome Checks Your Passwords, And More

Merry Christmas and happy New Year! After a week off, we have quite a few stories to cover, starting with an unexpected Christmas gift from Apple. Apple has run an invitation-only bug bounty program for years, but it only covered iOS, and the maximum payout topped out at $200K. The new program is open to the public, covers the entire Apple product lineup, and has a maximum payout of $1.5 million. Go forth and find vulnerabilities, and make sure to let us know what you find.

ToTok

The United Arab Emirates had an odd policy regarding VoIP communications. At least on mobile networks, it seems that all VoIP calls are blocked — unless you’re using a particular app: ToTok. Does that sound odd? Is your “Security Spider Sense” tingling? It probably should. The New York Times covered ToTok, claiming it was actually a tool for spying on citizens.

While that coverage is interesting, more meat can be found in [Patrick Wardle]’s research on the app. What’s most notable, however, is the distinct lack of evidence found in the app itself. Sure, ToTok reads your files, uploads your contact book to a centralized server, and tries to send the device’s GPS coordinates. This really isn’t too far removed from what other apps already do, all in the name of convenience.

It seems that ToTok lacks end-to-end encryption, which means that calls could be easily decrypted by whoever is behind the app. The lack of malicious code in the app itself makes it difficult to emphatically call it a spy tool, but it’s hard to imagine a better way to capture VoIP calls. Since those articles ran, ToTok has been removed from both Apple’s and Google’s app stores.

SMS Keys to the Kingdom

Have you noticed how many services treat your mobile number as a positive form of authentication? Need a password reset? Just type in the six-digit code sent in a text. Prove it’s you? We sent you a text. [Joakim Bech] discovered a weakness that takes this a step further: all he needs is access to a single SMS message, and he can control your burglar alarm from anywhere. Well, at least if you have a security system from Alert Alarm in Sweden.

The control messages are sent over SMS, making them fairly accessible to an attacker. AES is used for encryption, but a series of errors seriously reduces its effectiveness. The first is the key. To build the 128-bit encryption key, the app takes the user’s four-digit PIN and pads it with zeros, so it’s essentially a 13-bit encryption key. Even worse, there is no message authentication built into the system at all. An attacker with a single captured SMS message can brute force the user’s PIN, modify the message, and easily send spoofed commands that are treated as valid.
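The two design errors described above, set beside one way to correct them; this is an added example, not code from the article or from the vendor. It assumes the padding layout (ASCII digits followed by zero bytes) and uses constructed command strings, and it covers key generation and message authentication only, since the Python standard library has no AES.

```python
import hashlib
import hmac
import math
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def weak_key(pin: str) -> bytes:
    """Key as the article describes it: a 4-digit PIN padded with zeros to 128 bits.
    The exact byte layout is an assumption made for this example."""
    return pin.encode("ascii").ljust(16, b"\x00")

def effective_bits(distinct_keys: int) -> float:
    """Entropy of a key drawn uniformly from `distinct_keys` possibilities."""
    return math.log2(distinct_keys)

def new_device_key() -> bytes:
    """Corrected form: a random 128-bit key provisioned once, independent of the PIN."""
    return secrets.token_bytes(16)

def seal(key: bytes, command: bytes) -> bytes:
    """Append an HMAC tag so the receiver can detect any modification."""
    return command + hmac.new(key, command, hashlib.sha256).digest()

def open_sealed(key: bytes, message: bytes):
    """Return the command if the tag verifies, otherwise None."""
    if len(message) < TAG_LEN:
        return None
    command, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, command, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return command if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    all_weak = {weak_key(f"{n:04d}") for n in range(10_000)}
    print(len(all_weak), "possible keys,", round(effective_bits(len(all_weak)), 1), "bits")
    key = new_device_key()
    msg = seal(key, b"ARM;zone=1")  # constructed sample command
    print(open_sealed(key, msg), open_sealed(key, b"ARM;zone=2" + msg[-TAG_LEN:]))
```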

Microsoft Chrome

You may have seen the news: Microsoft is giving up on their Edge browser code, and will soon begin shipping a Chromium-based Edge. While that has been a source of entertainment all on its own, some have already begun taking advantage of the new bug bounty program for Chromium Edge (Edgium?). It’s an odd bounty program, in that Microsoft has no interest in paying for bugs found in Google’s code. As a result, only bugs in the Edge-exclusive features qualify for payout from Microsoft.

As [Abdulrahman Al-Qabandi] puts it, that’s a very small attack surface. Even so, he managed to find a vulnerability that qualified, and it’s unique. One of the additions Microsoft has made to Edgium is a custom new tab page. Similar to other browsers, that new tab page shows the user their most visited websites. The problem is that the site’s title is shown on that page, but without any sanity checking. If your site’s title field happens to include JavaScript, that too is injected into the new tab page.

The full exploit has a few extra steps, but the essence is that once a website makes it to the new tab page, it can take over that page, and maybe even escape the browser sandbox.

Chrome Password Checkup

This story is a bit older, but really grabbed my attention. Google has rolled a feature out in Chrome that automatically compares your saved passwords to past data breaches. How does that work without being a security nightmare? It’s clever. A three-byte hash of each username is sent to Google and compared to the hashes of the compromised accounts. An encrypted database of potential matches is sent to your machine. Your saved passwords, already encrypted with your key, are encrypted a second time with a Google key and sent back along with the database of possible matches, also encrypted with the same Google key. The clever bit is that once your machine decrypts your database, it now has two sets of credentials, both encrypted with the same Google key. Since this encryption is deterministic, the encrypted data can be compared without decryption. In the end, your passwords aren’t exposed to Google, and Google hasn’t given away their data set either.
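The blind comparison described above, as an added example that is not Google's code: commutative exponentiation modulo a prime stands in for the cipher Chrome actually uses, which the article does not specify. The toy group, the function and class names, and the sample credentials are all constructed for illustration.

```python
import hashlib
import math
import secrets

P = 2**521 - 1  # Mersenne prime; toy group assumed for this example only

def keygen() -> int:
    """Random exponent invertible mod P-1, so a layer of blinding can be removed."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def to_group(username: str, password: str) -> int:
    digest = hashlib.sha512(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def blind(x: int, key: int) -> int:
    return pow(x, key, P)  # deterministic and commutative: (x^a)^b == (x^b)^a

def unblind(x: int, key: int) -> int:
    return pow(x, pow(key, -1, P - 1), P)

def bucket(username: str) -> bytes:
    return hashlib.sha256(username.encode()).digest()[:3]  # three-byte username hash

class BreachServer:
    def __init__(self, breached):
        self.key = keygen()
        self.buckets = {}
        for user, pw in breached:
            entry = blind(to_group(user, pw), self.key)
            self.buckets.setdefault(bucket(user), set()).add(entry)

    def lookup(self, prefix: bytes, client_blinded: int):
        # The server sees only a 3-byte prefix and a value blinded under the client's key.
        return blind(client_blinded, self.key), self.buckets.get(prefix, set())

def is_breached(server: BreachServer, username: str, password: str) -> bool:
    my_key = keygen()
    sent = blind(to_group(username, password), my_key)
    doubly, candidates = server.lookup(bucket(username), sent)
    # Removing the client's layer leaves a value under the server key only,
    # directly comparable with the server-blinded breach entries.
    return unblind(doubly, my_key) in candidates

# Constructed sample data, not real breach records.
SAMPLE_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
```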

The Password Queue

Password changes are a pain, but not usually this much of a pain. A university in Germany suffered a severe malware infection, and took the precaution of resetting the passwords for every student’s account. Their solution for bootstrapping those password changes? The students had to come to the office in person with a valid ID to receive their new passwords. The school cited German legal requirements as a primary cause of the odd solution. Still, you can’t beat that for a secure delivery method.