This Week In Security: Camera Feeds, Python 2, FPGAs

Networked cameras keep making the news, and not in the best of ways. First it was compromised Ring accounts used for creepy pranks, and now it’s Xiaomi’s stale cache sending camera images to strangers! It’s not hard to imagine how such a flaw could happen: Xiaomi does some video feed transcoding in order to integrate with Google’s Hub service. When a transcoding slot is re-purposed from one camera to another, the old data stays in the buffer until it is replaced by the new camera’s feed. The root cause is probably the same as the random images shown when starting some 3D games.

Python is Dead, Long Live Python

Python 2 has finally reached End of Life. While there are many repercussions to this change, the security considerations are important too. The Python 2 environment will no longer receive updates, even if a severe security vulnerability is found. How often is a security vulnerability found in a language? Perhaps not very often, but the impact can be far-reaching. Let’s take, for instance, this 2016 bug in zipimport. It failed to sanitize the header of a ZIP file being processed, causing all the problems one would expect.

It is quite possible that, because of the continued popularity and usage of Python 2, a third party will step in and take over maintenance of the language, essentially forking Python. Unless such an event happens, it’s definitely time to migrate away from Python 2.

Building A Mechanical Oscillator, Tesla Style

Before Tesla devised beautifully simple rotary machinery, he explored other methods of generating alternating current. One of those was the mechanical oscillator, and [Integza] had a go at replicating the device himself. (Video, embedded below the break.)

Initial attempts to reproduce the technology using 3D-printed parts were a failure. The round cylinder had issues sealing, and using O-ring seals introduced too much friction to allow the device to oscillate properly. A redesign that used external valving and a square cylinder proved more successful.

Once the oscillator was complete, the output shaft was fitted with magnets and a coil to generate electricity. After generating a disappointing 0.14 volts, [Integza] went back and had a look at the Maxwell-Faraday equations. Using this to guide the design, a new coil was produced with more turns, and the magnetic flux was maximised. With this done, the setup could generate seven volts, enough to light several LEDs.

While it’s not a particularly efficient generator, it’s a great proof-of-concept. Yes, Tesla’s invention worked, but it’s easy to see why he moved on to rotary designs when it came to real-world applications. We’ve seen [Integza] take on other builds too, like the ever-popular Tesla turbine.


This Week In Security: Malicious Previews, VNC Vulnerabilities, Powerwall, And The 5th Amendment

Malware embedded in office documents has been a popular attack for years. Many of those attacks have been fixed, and essentially all the current attacks are unworkable when a document is opened in protected view. There are ways around this, like putting a notice at the top of a document, requesting that the user turn off protected view. [Curtis Brazzell] has been researching phishing, and how attacks can work around mitigations like protected view. He noticed that one of his booby-trapped documents phoned home before it was opened. How exactly? The preview pane.

The Windows Explorer interface has a built-in preview pane, and it helpfully supports Microsoft Office formats. The problem is that the preview isn’t generated using protected view, at least when previewing Word documents. Generating the preview is enough to trigger loading of remote content, and could feasibly be used to trigger other vulnerabilities. [Curtis] notified Microsoft about the issue, and the response was slightly disappointing. His discovery is officially considered a bug, but not a vulnerability.

VNC Vulnerabilities

Researchers at Kaspersky took a hard look at several VNC implementations, and uncovered a total of 37 CVEs so far. It seems that several VNC projects share a rather old code-base, and it contains a plethora of potential bugs. VNC should be treated similarly to RDP — don’t expose it to the internet, and don’t connect to unknown servers. The protocol wasn’t written with security in mind, and none of the implementations have been sufficiently security hardened.

Examples of the flaws include checking that a message doesn’t overflow the buffer only after it has already been copied into that buffer. Another code snippet reads a variable-length message into a fixed-length buffer without any length checks. That particular function was originally written at AT&T Labs back in the late 90s, and has been copied into multiple projects since then.

There is a potential downside to open source that is highlighted here: open source allows poorly written code to spread. This isn’t a knock against open source, but rather a warning to the reader. Just because code or a project uses an OSS license doesn’t mean it’s secure or high quality code. There are more vulnerabilities still in the process of being fixed, so watch out for the rest of this story.

Texas Tesla Tower Titillates

One of the nice things about a road trip is you often get to see something that really surprises you. A recent trip through Texas may have resulted in my second most surprising sighting. There’s a strange tower that looks oddly like a Tesla tower in the middle of rural Texas, right off the main interstate. What is it? Although Google did answer the question — sort of — I’m still not sure how legitimate its stated purpose is.

First Sighting

I was driving between Wimberly and Frisco — two towns that aren’t exactly household names outside of Texas. Near Milford, there’s a very tall structure that looks like a giant mechanical mushroom on top of a grain silo. If the mushroom were inverted or pointing towards the horizon, it would be easy to imagine it was some very odd antenna. This dish, however, is pointed right down its own odd-shaped mast. The top of the thing sure looks like the top of a Van de Graaff generator.


Tesla’s Smart Summon – Gimmick Or Greatness?

Tesla has always aimed to position itself as part automaker, part tech company. Its unique offering is that its vehicles feature cutting-edge technology not available from market rivals. The company has long touted its “full self-driving” technology, and regular software updates have progressively unlocked new functionality in its cars over the years.

The latest “V10” update brought a new feature to the fore – known as Smart Summon. Allowing the driver to summon their car remotely from across a car park, this feature promises to be of great help on rainy days and when carrying heavy loads. Of course, the gulf between promises and reality can sometimes be a yawning chasm.

How Does It Work?

Holding the “Come To Me” button summons the vehicle to the user’s location. Releasing the button stops the car immediately.

Smart Summon is activated through the Tesla smartphone app. Users are instructed to check the vehicle’s surroundings and ensure they have line of sight to the vehicle when using the feature. This is combined with a 200 foot (61 m) hard limit, meaning that Smart Summon won’t deliver your car from the back end of a crowded mall carpark. Instead, it’s more suited to smaller parking areas with clear sightlines.

Once activated, the car will back out of its parking space, and begin to crawl towards the user. As the user holds down the button, the car moves, and will stop instantly when let go. Using its suite of sensors to detect pedestrians and other obstacles, the vehicle is touted to be able to navigate the average parking environment and pick up its owners with ease.

No Plan Survives First Contact With The Enemy

With updates rolled out over the air, Tesla owners jumped at the chance to try out this new functionality. Almost immediately, a cavalcade of videos began appearing online of the technology. Many of these show that things rarely work as well in the field as they do in the lab.

As any driver knows, body language and communication are key to navigating a busy parking area. Whether it’s a polite nod, an instructional wave, or simply direct eye contact, humans have become well-rehearsed at self-managing the flow of traffic in parking areas. When several cars are trying to navigate the area at once, a confused human can negotiate with others to take turns to exit the jam. Unfortunately, a driverless car lacks all of these abilities.

This situation proved all too much for the Tesla, and the owner was forced to intervene.

A great example is this drone video of a Model 3 owner attempting a Smart Summon in a small linear carpark. Conditions are close to ideal – a sunny day, with little traffic, and a handful of well-behaved pedestrians. In the first attempt, the hesitation of the vehicle is readily apparent. After backing out of the space, the car simply remains motionless, as two human drivers are also attempting to navigate the area. After backing up further, the Model 3 again begins to inch forward, with seemingly little ability to choose between driving on the left or the right. Spotting the increasing frustration of the other road users, the owner is forced to walk to the car and take over. In a second attempt, the car is again flummoxed by an approaching car, and simply grinds to a halt, unable to continue. Communication between autonomous vehicles and humans is an active topic of research, and likely one that will need to be solved sooner rather than later to truly advance this technology.

Pulling straight out of a wide garage onto an empty driveway is a corner case they haven’t quite mastered yet.

An expensive repair bill, courtesy of Smart Summon.

Other drivers have had worse experiences. One owner had their Tesla drive straight into the wall of their garage, an embarrassing mistake even most learner drivers wouldn’t make. Another had a scary near miss, when the Tesla seemingly failed to understand its lack of right of way. The human operator can be seen to recognise an SUV approaching at speed from the vehicle’s left, but the Tesla fails to yield, only stopping at the very last minute. It’s likely that the Smart Summon software doesn’t have the ability to understand right of way in parking environments, where signage is minimal and it’s largely left up to human intuition to figure out.

This is one reason why the line of sight requirement is key – had the user let go of the button when first noticing the approaching vehicle, the incident would have been avoided entirely. Much like other self-driving technologies, it’s not always clear how much responsibility still lies with the human in the loop, which can have dire results. And more to the point, how much responsibility should the user have, when he or she can’t know what the car is going to decide to do?

More amusingly, an Arizona man was caught chasing down a Tesla Model 3 in Phoenix, after seeing the vehicle rolling through the carpark without a driver behind the wheel. While the embarrassing incident ended without injury, it goes to show that until familiarity with this technology spreads, there is scope for misunderstandings to cause problems.

It’s Not All Bad, Though

Some users have had more luck with the feature. While it’s primarily intended to summon the car to the user’s GPS location, it can also be used to direct the car to a point within a 200 foot radius. In this video, a Tesla can be seen successfully navigating around a sparsely populated carpark, albeit with some trepidation. The vehicle appears to have difficulty initially understanding the structure of the area, first attempting a direct route before properly making its way around the curbed grass area. The progress is more akin to a basic line-following robot than an advanced robotic vehicle. However, it does successfully avoid running down its owner, who attempts walking in front of the moving vehicle to test its collision avoidance abilities. If you value your limbs, probably don’t try this at home.

No, not like that!

Wanting to explore a variety of straightforward and oddball situations, [DirtyTesla] decided to give the tech a rundown himself. The first run in a quiet carpark is successful, albeit with the car weaving, reversing unnecessarily, and ignoring a stop sign. Later runs are more confident, with the car clearly choosing the correct lane to drive in, and stopping to check for cross traffic. Testing on a gravel driveway was also positive, with the car properly recognising the grass boundaries and driving around them. That is, until the fourth attempt, when the car gently runs off the road and comes to a stop in the weeds. Further tests show that dark conditions and heavy rain aren’t a show stopper for the system, but it’s still definitely imperfect in operation.

Reality Check

Fundamentally, there are plenty of examples out there that suggest this technology isn’t ready for prime time. Unlike other driver-in-the-loop aids, like parallel parking assists, it appears that users put a lot more confidence in the ability of Smart Summon to detect obstacles on its own, leading to many near misses and collisions.

If all it takes is a user holding a button down to drive a 4000 pound vehicle into a wall, perhaps this isn’t the way to go. It draws parallels to users falling asleep on the highway when using Tesla’s AutoPilot – drivers are putting ultimate trust in a system that is, at best, only capable when used in combination with a human’s careful oversight. But even then, how is the user supposed to know what the car sees? Tesla’s tools seem to have a way of lulling users into a false sense of confidence, only to betray them almost instantly, to the delight of YouTube viewers around the world.

While it’s impossible to make anything truly foolproof, it would appear that Tesla has a ways to go to get Smart Summon up to scratch. Combine this with the fact that in 90% of videos, it would have been far quicker for an able-bodied driver to simply walk to the vehicle and drive themselves, and it definitely appears to be more of a gimmick than a useful feature. If it can be improved, and limitations such as line-of-sight and distance can be negated, it will quickly become a must-have item on luxury vehicles. That may yet be some years away, however. Watch this space, as it’s unlikely other automakers will rest for long!

Converting A Tesla To A Pickup Truck

The renowned inventor of useless robots [Simone Giertz] has outdone herself this time. She, along with a team of engineers featuring [Rich Rebuilds], [Laura Kampf], and [Marcos Ramirez], recently decided to convert a Tesla into a pickup truck, and make a video along the way, all while salvaging what they can of the back of the car and making the final product roadworthy. Yeah, this is a couple of weeks old now, and yeah, it’s kind of a commercial, but really: [Simone Giertz] and Co. rock.

In her vlog of the experience, the team starts by gutting the interior of the car in order to find out the weight distribution and form of the outer frame. Essentially, in order to create the pickup truck, a portion of the back of the car needs to be removed, with additional beams and support welded in depending on the resulting structural integrity. With a sawzall and angle grinder, the top portion of the frame is cut and taken out, but not before a worrying glance brings about the realization that the car needs exterior support during its modifications.

After the cushions, glass, wiring, and all other accessories are removed, they install a truck bed from another sacrificial pickup truck, as well as a roof rack to complete the look. Amidst the deconstruction and reconstruction, there are moments when the car encounters a “Safety restraint system fault” or when the team accidentally lines the inside of the car with fiberglass right before shooting their video. Between complaints of the different clip sizes used and the clear time pressure of the project, it’s a funny and informative look into a pretty unique car mod.

The final commercial they made of their Tesla-pickup hybrid, dubbed Truckla, is available on [Giertz]’s YouTube channel.


Worn Out EMMC Chips Are Crippling Older Teslas

It should probably go without saying that the main reason most people buy an electric vehicle (EV) is because they want to reduce or eliminate their usage of gasoline. Even if you aren’t terribly concerned about your ecological footprint, the fact of the matter is that electricity prices are so low in many places that an electric vehicle is cheaper to operate than one which burns gas at $2.50+ USD a gallon.

Another advantage, at least in theory, is reduced overall maintenance cost. While a modern EV will of course be packed with sensors and complex onboard computer systems, the same could be said for nearly any internal combustion engine (ICE) car that rolled off the lot in the last decade as well. But mechanically, there’s a lot less that can go wrong on an EV. For the owner of an electric car, the days of oil changes, fouled spark plugs, and the looming threat of a blown head gasket are all in the rear-view mirror.

Unfortunately, it seems the rise of high-tech EVs is also ushering in a new era of unexpected failures and maintenance woes. Case in point, some owners of older model Teslas are finding they’re at risk of being stranded on the side of the road by a failure most of us would more likely associate with losing some documents or photos: a disk read error.
