This Week In Security: ToTok, Edgium, Chrome Checks Your Passwords, And More

Merry Christmas and happy New Year! After a week off, we have quite a few stories to cover, starting with an unexpected Christmas gift from Apple. Apple has run an invitation-only bug bounty program for years, but it only covered iOS, and the maximum payout topped out at $200K. The new program is open to the public, covers the entire Apple product lineup, and has a maximum payout of $1.5 million. Go forth and find vulnerabilities, and make sure to let us know what you find.


The United Arab Emirates had an odd policy regarding VoIP communications. At least on mobile networks, it seems that all VoIP calls are blocked — unless you’re using a particular app: ToTok. Does that sound odd? Is your “Security Spider Sense” tingling? It probably should. The New York Times covered ToTok, claiming it was actually a tool for spying on citizens.

While that coverage is interesting, more meat can be found in [Patrick Wardle]’s research on the app. What’s most notable, however, is the distinct lack of evidence found in the app itself. Sure, ToTok can read your files, uploads your contact book to a centralized server, and tries to send the device’s GPS coordinates. This really isn’t too far removed from what other apps already do, all in the name of convenience.

It seems that ToTok lacks end-to-end encryption, which means that calls could be easily decrypted by whoever is behind the app. The lack of malicious code in the app itself makes it difficult to emphatically call it a spy tool, but it’s hard to imagine a better way to capture VoIP calls. Since those articles ran, ToTok has been removed from both the Apple and Google’s app stores.

SMS Keys to the Kingdom

Have you noticed how many services treat your mobile number as a positive form of authentication? Need a password reset? Just type in the six-digit code sent in a text. Prove it’s you? We sent you a text. [Joakim Bech] discovered a weakness that takes this a step further: all he needs is access to a single SMS message, and he can control your burglar alarm from anywhere. Well, at least if you have a security system from Alert Alarm in Sweden.

The control messages are sent over SMS, making them fairly accessible to an attacker. AES encryption is used for encryption, but a series of errors seriously reduces the effectiveness of that encryption. The first being the key. To build the 128-bit encryption key, the app takes the user’s four-digit PIN, and pads it with zeros, so it’s essentially a 13 bit encryption key. Even worse, there is no message authentication built in to the system at all. An attacker with a single captured SMS message can brute force the user’s PIN, modify the message, and easily send spoofed commands that are treated as valid.

Microsoft Chrome

You may have seen the news, Microsoft is giving up on their Edge browser code, and will soon begin shipping a Chromium based Edge. While that has been a source of entertainment all on its own, some have already begun taking advantage of the new bug bounty program for Chromium Edge (Edgium?). It’s an odd bounty program, in that Microsoft has no interest in paying for bugs found in Google’s code. As a result, only bugs in the Edge-exclusive features qualify for payout from Microsoft.

As [Abdulrahman Al-Qabandi] puts it, that’s a very small attack surface. Even so, he managed to find a vulnerability that qualified, and it’s unique. One of the additions Microsoft has made to Edgium is a custom new tab page. Similar to other browsers, that new tab page shows the user their most visited websites. The problem is that the site’s title is shown on that page, but without any sanity checking. If your site’s title field happens to include Javascript, that too is injected into the new tab page.

The full exploit has a few extra steps, but the essence is that once a website makes it to the new tab page, it can take over that page, and maybe even escape the browser sandbox.

Chrome Password Checkup

This story is a bit older, but really grabbed my attention. Google has rolled a feature out in Chrome that automatically compares your saved passwords to past data breaches. How does that work without being a security nightmare? It’s clever. A three-byte hash of each username is sent to Google, and compared to the hashes of the compromised accounts. A encrypted database of potential matches is sent to your machine. Your saved passwords, already encrypted with your key, is encrypted a second time with a Google key, and sent back along with the database of possible matches, also encrypted with the same Google key. The clever bit is that once your machine decrypts your database, it now has two sets of credentials, both encrypted with the same Google key. Since this encryption is deterministic, the encrypted data can be compared without decryption. In the end, your passwords aren’t exposed to Google, and Google hasn’t given away their data set either.

The Password Queue

Password changes are a pain, but not usually this much of a pain. A university in Germany suffered a severe malware infection, and took the precaution of resetting the passwords for every student’s account. Their solution for bootstrapping those password changes? The students had to come to the office in person with a valid ID to receive their new passwords. The school cited German legal requirements as a primary cause of the odd solution. Still, you can’t beat that for a secure delivery method.

Plan Ahead: Roaming Charges Are A Killer

As the world gets more connected and computerized, it is easy to have an unintended consequence pop up and bite you. Especially because, so much of the time, today, things just work. The days of fretting over how to connect two computers, or how to store reasonable amounts of data are gone. Most of us never have to sift through assembly language programs finding three extra bytes to add a feature. Some Russian scientists recently found out about unintended consequences the hard way.

In the United States, the Eagle was long on the endangered species list, but apparently they have a similar problem in Russia. Scientists put a tracker on some migrating eagles in southern Russia and Kazakhstan. A few decades ago, this would have been a big technical challenge, but now you just use cellular technology and have the tracker text its location, right?

Continue reading “Plan Ahead: Roaming Charges Are A Killer”

Maps To SMS, When You’re Really Far Away

GPS is available on most smart phones, which is all well and good unless you drive out into a place with weak service. Unless you want to go into the before-time and buy a standalone GPS (and try to update the maps every so often) or go even further back and print out MapQuest directions, you’ll need another solution to get directions. Something like this project which sends Google Maps directions over SMS.

The project is called RouteMe by [AhadCove]. It runs on a Raspberry Pi at his home which is constantly monitoring an email inbox. Using Google Voice to forward incoming text messages as emails to the Pi, the system works when your phone has a cell signal but no data connection. The Pi listens for specific commands in that SMS-to-Email connection and is able to send directions back to the phone via text message. That’s actually a neat hack you may remember from the olden days where you can send email as SMS using the phone number as the address.

If you find yourself lost in the woods with just your phone often enough, [AhadCove] has all of the code and detailed directions on how to set this up on his GitHub site. But don’t discount this particular task, anything you can script on the Pi can now be controlled via SMS without relying on a service like Twilio.

This maps hack is a pretty ingenious solution to a problem that more than a few of us have had, and it uses a lot of currently-available infrastructure to run as well. If you want another way of navigating without modern tech, have a go at dead reckoning in a car.

Finally, A Rotary Cell Phone With Speed Dial

If you’re reading this, chances are good that you’re the family IT department. We do what we can to help them, but there’s just no changing the fact that smartphones are difficult to operate with aging eyes and hands. When [sideburn’s] dad started complaining, he took a different approach. Instead of helping his dad adapt, [sideburn] stuffed modern cell phone guts into a 1970s rotary phone — if all you want to use it for is phone calls, why not reach for a battle-tested handset?

[sideburn] figured out the most important part first, which is getting the thing to ring. The bells in those old phones are driven by a huge relay that requires a lot of voltage, so he boosted a 3.2V rechargeable to 34V. Then it was just a matter of getting the GSM module to play nice with the microcontroller, and programming a MOSFET to trigger the boost module that makes the beast jingle.

The worst thing about rotary phones is that they were never meant to be dialed in a hurry. But [sideburn] took care of that. Once Rotocell was up and working, he added an SMS interface that makes the phone a lot more useful. Dad can add contacts to Rotocell by texting the name and number to it from a modern phone. Once it’s in there, he can dial by name, speeding up the process a tiny bit.

The SMS interface can also report back the signal strength and battery level, and will send battery low alerts when it’s under 20%. You can see Rotocell in action after the break.

Got an old rotary or two lying about? If modernizing the internals to make calls doesn’t light up your circuits, try turning it into a voice-controlled assistant instead.

Continue reading “Finally, A Rotary Cell Phone With Speed Dial”

This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT

We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal integrated circuit card, or smart card. Subscriber data isn’t a simple text string, but a program running on the smart cards tiny processor, acting as a hardware cryptographic token. The presence of this tiny processor in everyone’s cell phone was eventually put to use in the form of the Sim application ToolKit (STK), which allowed cell phone networks to add services to very basic cell phones, such as mobile banking and account management.

Legacy software running in a place most of us have forgotten about? Sounds like it’s ripe for exploitation. The researchers at Adaptive Mobile Security discovered that exploitation of SMS messages has been happening for quite some time. In an era of complicated and sophisticated attacks, Simjacker seems almost refreshingly simple. An execution environment included on many sim cards, the S@T Browser, can request data from the cell phone’s OS, and even send SMS messages. The attacker simply sends an SMS to this environment containing instructions to request the phones unique identifier and current GPS location, and send that information back in another SMS message.

It’s questionable whether there is actually an exploit here, as it seems the S@T Browser is just insecure by design. Either way, the fact that essentially anyone can track a cell phone simply by sending a special SMS message to that phone is quite a severe problem. Continue reading “This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT”

Simple Decoder Serves As Solo Ham’s Test Buddy

For a hobby that’s ostensibly all about reaching out to touch someone, ham radio can often be a lonely activity. Lots of hams build and experiment with radio gear much more than they’re actually on the air, improving their equipment iteratively. The build-test-tweak-repeat cycle can get a little tedious, though, especially when you’re trying to assess signal strength and range and can’t find anyone to give you a report.

To close the loop on field testing, [WhiskeyTangoHotel] threw together a simple ham radio field confirmation unit that’s pretty slick. It relies on the fact that almost every ham radio designed for field use incorporates a DTMF encoder in the microphone or in the transceiver itself. Hams have used Touch Tones for in-band signaling control of their repeaters for decades, and even as newer digital control methods have been introduced, good old analog DTMF hangs in there. The device consists of a DTMF decoder attached to the headphone jack of a cheap handy talkie. When a DTMF tone is received, a NodeMCU connected to the decoder calls an IFTTT job to echo the key to [WTH]’s phone as an SMS message. That makes it easy to drive around and test whether his mobile rig is getting out. And since the receiver side is so portable, there’s a lot of flexibility in how tests can be arranged.

On the fence about ham as a hobby? We don’t blame you. But fun projects like this are the perfect excuse to go get licensed and start experimenting.

Continue reading “Simple Decoder Serves As Solo Ham’s Test Buddy”

GPS Tracker Gets SMS Upgrade

In May of 2000, then-President Bill Clinton signed a directive that would improve the accuracy of GPS for anyone. Before this switch was flipped, this ability was only available to the military. What followed was an onslaught of GPS devices most noticeable in everyday navigation systems. The large amount of new devices on the market also drove the price down to the point where almost anyone can build their own GPS tracking device from scratch.

The GPS tracker that [Vadim] created makes use not just of GPS, but of the GSM network as well. He uses a Neoway M590 GSM module for access to the cellular network and a NEO-6 GPS module. The cell network is used to send SMS messages that detail the location of the unit itself. Everything is controlled with an ATmega328P, and a lithium-ion battery and some capacitors round out the fully integrated build.

[Vadim] goes into great detail about how all of the modules operate, and has step-by-step instructions on their use that go beyond what one would typically find in a mundane datasheet. The pairing of the GSM and GPS modules seems to go match up well together, much like we have seen GPS and APRS pair for a similar purpose: tracking weather balloons.