This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is to be done using only the certificate file specified. That’s useful for solving certificate mysteries, or for making absolutely sure that you’re connecting to the server you expect.

What’s weird here is that on macOS, using the Apple-provided curl binary, --cacert doesn’t limit the program to the single certificate file. On an Apple system, the verification falls back to the system’s certificate store. This is an intentional choice by Apple, but not one that’s aimed particularly at curl. The real magic is in Apple’s SSL library, which forces the use of the system keychain.

The current state of things is that this option is simply not going to do the right thing in the Apple-provided binary. It’s documented with the note that “this option is supported for backward compatibility with other SSL engines, but it should not be set.” It’s an unfortunate situation, and we’re hopeful that a workaround can be found to restore the documented function of this option.
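If you script against curl and rely on --cacert pinning trust to one file, it helps to know which TLS backend the binary on PATH was built with. The check below is an added example, not code from the article or from the curl project: it parses the first line of `curl --version` (the format is curl’s own; the sample lines are constructed) and flags builds that list Apple’s SecureTransport backend, which is the library the article describes as always consulting the system keychain. The backend name itself comes from curl’s version output, not from the article.

```python
"""Flag a curl build whose --cacert will not restrict trust to the given file.

Added example. Assumption taken from the article: when Apple's SecureTransport
backend is present, TLS verification falls back to the system keychain, so
--cacert cannot be relied on to limit trust to a single CA file.
"""
from __future__ import annotations

import re
import shutil
import subprocess

# Constructed samples of the first lines of `curl --version`. The layout is
# what curl prints; the version numbers are made up for the example.
SAMPLE_APPLE_VERSION = (
    "curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 (SecureTransport) "
    "LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1\n"
    "Release-Date: 2023-10-11\n"
)
SAMPLE_OPENSSL_VERSION = (
    "curl 8.6.0 (x86_64-apple-darwin23.2.0) libcurl/8.6.0 OpenSSL/3.2.1 "
    "zlib/1.2.12 brotli/1.1.0\n"
)

# TLS backend names curl can report after the libcurl/<version> token.
KNOWN_TLS_BACKENDS = (
    "SecureTransport", "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS",
    "mbedTLS", "wolfSSL", "Schannel", "rustls", "quictls",
)


def tls_backends(version_output: str) -> list[str]:
    """Return the TLS backend names found on the first line of `curl --version`.

    Tokens following libcurl/<ver> are library/version pairs; a backend in a
    multi-SSL build is wrapped in parentheses, e.g. "(SecureTransport)".
    """
    first = version_output.splitlines()[0] if version_output.strip() else ""
    match = re.search(r"libcurl/\S+\s+(.*)", first)
    if not match:
        return []
    found = []
    for token in match.group(1).split():
        name = token.strip("()").split("/")[0]
        if name in KNOWN_TLS_BACKENDS:
            found.append(name)
    return found


def cacert_is_exclusive(version_output: str) -> bool:
    """True when --cacert can be expected to limit trust to the named file.

    Per the article, Apple's SecureTransport backend always consults the
    system keychain, so any build listing it gets False.
    """
    return "SecureTransport" not in tls_backends(version_output)


def check_local_curl(binary: str = "curl"):
    """Run the real binary on PATH and report (path, exclusive?) or None."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False)
    return path, cacert_is_exclusive(result.stdout)


if __name__ == "__main__":
    found = check_local_curl()
    if found is None:
        print("no curl on PATH")
    else:
        path, exclusive = found
        verdict = "honours --cacert" if exclusive else "falls back to system keychain"
        print(f"{path}: {verdict}")
```

On a Mac the usual fix is to point scripts at a Homebrew or MacPorts curl (built against OpenSSL or LibreSSL) rather than /usr/bin/curl; the check above makes that choice visible in CI logs instead of silently trusting the keychain.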

Jenkins, Bring Me a File

The Jenkins continuous delivery server has a critical issue, CVE-2024-23897. It’s an arbitrary file read that clocks in with a 9.8 CVSS score. The one quirk about the way this works is that the vulnerable function reads the file as strings, and loses quite a bit of the raw binary in the process. And many of the interesting files, like the .Secret files, use binary encoding. On a Linux or Mac system, the default character encoding is UTF-8, which renders half of that 32-byte key unreadable. Far too many missing bytes to be useful.

But hang on. There’s a caveat here. Because of US cryptography export restrictions, JDK ships with only 128-bit encryption keys, truncating the rest of the bits. That means we’ve only got 16-byte keys, and an attacker can recover half the bits via this vulnerability. We may have a problem.

And wait, there’s more! Because the bytes have had an attempt at interpretation as UTF-8, we know more about the missing bytes than one might think. Check out the breakdown by [Guillaume Quéré] for more details, but the short version is that with just a little luck, one of these keys can be brute-forced in minutes or hours on a single desktop. More missing bytes means more processing time, but this is not an attack outside the realm of possibility, particularly for a determined adversary.
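The reason a string-typed read leaks “half” of a random key, and why the remainder is smaller than it looks, is easier to see with a few lines of code. The block below is an added example, not code from the Jenkins project or from the linked write-up: it walks a byte string the way a lenient UTF-8 decoder would (an assumption about the behaviour, approximated here by taking the shortest well-formed sequence at each position and marking anything else as replaced) and reports how much of a secret would come back intact. It is meant for deciding whether a leaked file means secrets must be rotated, and the sample keys are constructed.

```python
"""Estimate how much of a binary secret survives a lossy UTF-8 string read.

Added example. The decode walk approximates a lenient decoder that replaces
malformed input with U+FFFD (an assumption, not Jenkins' exact code path).
"""
from __future__ import annotations

import random


def utf8_survivors(data: bytes) -> list[bool]:
    """Per byte: True if it belongs to a well-formed UTF-8 sequence and would
    decode intact, False if a lenient decoder would replace it."""
    keep = [False] * len(data)
    i = 0
    while i < len(data):
        matched = 0
        for n in (1, 2, 3, 4):           # shortest valid sequence wins
            chunk = data[i:i + n]
            if len(chunk) < n:
                break
            try:
                chunk.decode("utf-8")
            except UnicodeDecodeError:
                continue
            matched = n
            break
        if matched:
            for j in range(i, i + matched):
                keep[j] = True
            i += matched
        else:
            i += 1                       # this byte is replaced; move on
    return keep


def exposure_report(key: bytes) -> dict:
    """Summarise what an attacker holding the string-decoded file still lacks.

    Every replaced byte is >= 0x80 (anything below decodes as plain ASCII),
    so the honest search space per lost byte is 7 bits, not 8. That is the
    'we know more about the missing bytes' observation from the article.
    """
    keep = utf8_survivors(key)
    lost = keep.count(False)
    return {
        "key_bytes": len(key),
        "recovered_bytes": len(key) - lost,
        "lost_bytes": lost,
        "remaining_search_bits_naive": 8 * lost,
        "remaining_search_bits_bounded": 7 * lost,
    }


def expected_recovered_fraction(length: int = 16, trials: int = 3000,
                                seed: int = 1) -> float:
    """Average fraction of a uniformly random key that survives the decode.

    Constructed keys from a seeded RNG; roughly half the bytes survive, since
    bytes below 0x80 always decode and only a few high bytes happen to pair
    up into valid multi-byte sequences.
    """
    rng = random.Random(seed)
    recovered = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(length))
        recovered += utf8_survivors(key).count(True)
    return recovered / (trials * length)


if __name__ == "__main__":
    demo = bytes([0x41, 0x42, 0xC3, 0xA9, 0x80, 0xFF, 0x7A, 0xE2, 0x82, 0xAC])
    print(exposure_report(demo))
    print(f"random 16-byte key: {expected_recovered_fraction():.2f} recovered on average")
```

The practical reading for a defender: a secret that passed through a text read is not half-leaked, it is mostly leaked, because the surviving bytes are exact and the missing ones are constrained. Treat any such file as compromised and rotate the key.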

Big. Really big

There are some thresholds where things change. Doing security for yourself looks much different from doing security for a small business. It’s different again at the enterprise level. But what does security posture look like for a company that competes for the top-ten list of largest companies in the world? We get a bit of a peek behind the curtain at how the Alphabet (Google) migration to the BeyondCorp Managed Non-Privileged (MNP) network went.

The basic idea of BeyondCorp is that being inside the network offers no benefits or privileges. Every user and device gets authenticated, and has limited capabilities. It sounds great, but runs into the issues you might expect at a technical shop like Google. That’s things like employees needing access to an IRC chat for emergency communications, lots of SSH use, and plenty of other niche network needs that are hard to put into a simple category and handle through MNP networks. Lots to chew on here, learning about how the really big teams work.

Tor Has a New Toy

One of the fun cat-and-mouse games we get to watch is the constant battle between the folks behind Tor trying to stay a step ahead of various regimes and their attempts to block access. Well, Tor has a new tool ready for use, the WebTunnel. The concept is pretty simple — just make it look like all the other HTTPS traffic. Part of the magic here is that all the Tor WebTunnel bridges are also normal web sites, and the Tor traffic is handled by a reverse proxy. So when a sophisticated packet inspection system like the Great Firewall investigates the hidden Tor connection, the website at the remote end checks out.

The weak points here are the same as the rest of the hidden Tor entry node schemes: A user has to have unfettered Internet access to fetch a node address. The system has to stay under the radar enough to prevent an adversary from just grabbing the list of endpoints and blocking them. We’re hoping for the best for Tor and WebTunnels.

GhostRace

There’s a new speculative execution bug, GhostRace. Though more properly, this might be best thought of as a new class of gadgets that enable the Spectre attack. GhostRace is the realization that thread synchronization checkpoints like mutexes and spinlocks can work as conditional branches. The other interesting observation is that an Inter-Processor Interrupt (IPI) storm can be used to freeze execution at the proper point in code, extending the window to abuse GhostRace indefinitely.

There’s a mitigation that could be applied to the kernel, but at a performance cost of 5% globally, it has been declined for now. In the words of Linus Torvalds, “There’s security, and then there’s just being ridiculous.” The IPI storm is being treated as a problem, and has been fixed, cutting down on the issue’s exposure to abuse.

Bits and Bytes

There’s a clever attack against Tesla customers, where a fake WiFi access point presents a captive portal that prompts the user to sign in with a valid Tesla account. That’s a phishing portal, and the sign-in is then used to add a new “phone key”, which gives full access to the vehicle. The hack was originally pulled off using a Flipper Zero, which fed into the pandemonium about that particular device. This is your reminder that this is a simple WiFi trick, and any laptop running a bit of software could also pull it off. And more people have laptops.

We’re big fans of the Termux command line tool for Android. While yes, tapping on the tiny keyboard on your mobile screen is a terrible experience, bringing your entire toolkit of command line tools along in your pocket is awesome! And here’s another tool that belongs on a mobile device. APKDeepLense is specifically designed for scanning APKs to look for vulnerable apps. With Termux, we have the added bonus of doing the scan locally. Neat!

With just a bit of know-how and curiosity, you don’t have to look far to find exploitable bugs. [Stefán] was looking at a travel website, and was annoyed by a disabled checkbox that was pre-selected and labeled as a mandatory fee. That’s nothing to a skilled hacker with access to elite tools like… Google Chrome’s built-in devtools. Remove the flag on the checkbox, deselect it, and the price dropped accordingly. But that’s just user facing; surely the transaction wouldn’t complete for the lower price, right? It completed for the lower price. There are no trains, but the story covers ferries and automobiles for more fun.
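The checkbox story is the textbook case of a server trusting client-submitted pricing state. As an added example (not the travel site’s code; the catalog, fee names and prices are constructed), the block below puts a quote function that trusts the request beside one that recomputes the total from server-side tables, and adds a small tamper check a defender could log on.

```python
"""Client-trusting vs server-recomputed checkout pricing.

Added example with constructed data. quote_vulnerable() models the flaw in
the article: the fee list and line prices come straight from the client, so
un-greying a checkbox in devtools drops the 'mandatory' fee. quote_hardened()
rebuilds the total from data the client cannot influence.
"""
from __future__ import annotations

# Server-side source of truth (constructed values).
CATALOG = {"ferry-adult": 42.00, "car-deck": 65.00}
MANDATORY_FEES = {"port-fee": 6.50}          # never optional, never client-supplied
OPTIONAL_FEES = {"cabin": 30.00, "insurance": 9.00}


def quote_vulnerable(request: dict) -> float:
    """Sum whatever the client sent: item prices and a dict of fees."""
    total = sum(item["price"] for item in request["items"])
    total += sum(request.get("fees", {}).values())
    return round(total, 2)


def quote_hardened(request: dict) -> float:
    """Recompute from server tables.

    Item prices are looked up by SKU, mandatory fees are always applied, and
    only known optional fees the client opted into are honoured. Any unknown
    SKU or fee name is rejected rather than priced at whatever was sent.
    """
    total = 0.0
    for item in request["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        total += CATALOG[sku]
    total += sum(MANDATORY_FEES.values())
    for fee in request.get("optional_fees", []):
        if fee not in OPTIONAL_FEES:
            raise ValueError(f"unknown optional fee {fee!r}")
        total += OPTIONAL_FEES[fee]
    return round(total, 2)


def detect_tampering(request: dict) -> bool:
    """True when the client's claimed total disagrees with the server's.

    Worth logging with the session id: a steady trickle of mismatches is
    exactly what the devtools trick looks like from the server side.
    """
    claimed = request.get("client_total")
    if claimed is None:
        return False
    return round(float(claimed), 2) != quote_hardened(request)


# Constructed requests: an honest one and the devtools-edited variant.
HONEST_REQUEST = {
    "items": [{"sku": "ferry-adult", "price": 42.00}],
    "fees": {"port-fee": 6.50},
    "optional_fees": [],
    "client_total": 48.50,
}
TAMPERED_REQUEST = {
    "items": [{"sku": "ferry-adult", "price": 42.00}],
    "fees": {},                      # 'mandatory' checkbox unchecked client-side
    "optional_fees": [],
    "client_total": 42.00,
}

if __name__ == "__main__":
    for name, req in (("honest", HONEST_REQUEST), ("tampered", TAMPERED_REQUEST)):
        print(f"{name}: vulnerable={quote_vulnerable(req):.2f} "
              f"hardened={quote_hardened(req):.2f} "
              f"tampering={detect_tampering(req)}")
```

The hardened version makes the disabled checkbox purely cosmetic, which is all a disabled checkbox can ever be: the browser state is advice from the user, and the price has to be derived from data the user cannot edit.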

And finally, have you ever wanted an in-depth look at a Ruby exploit chain? Include Security brings us the goods, with a walk-through of how to go from a deserialization bug all the way to arbitrary code execution. The takeaway? Don’t do unsafe deserialization on user-provided payloads!


Hackaday Links: February 4, 2024

Things may not have gone as planned last week for the flying cellphone on Mars, but just because Ingenuity’s flying career is over doesn’t mean there’s no more work to do. NASA announced this week that it’s going to try a series of “wiggle” maneuvers on Ingenuity’s rotors, in an attempt to get a better look at the damage to the blade tips and possibly get some clues as to what went wrong. The conjecture at the moment seems to be that a large area of relatively featureless terrain confused the navigation system, which uses down-facing cameras to track terrain features. If the navigation program couldn’t get a bead on exactly how far above the ground it was, it’s possible the copter came in too hard and caused the rotor tips to dig into the regolith. There seems to be some photographic suggestion of that, with what looks like divots in the ground about where you’d expect the rotor tips to dig in, and even scraps of material that look out of place and seem to be about the same color as the rotor blades. All this remains to be seen, of course, and we’re sure that NASA and JPL are poring over all available data to piece together what happened. As much as we hate to say goodbye to Ingenuity, we eagerly await the post-mortem.


Getting Root Access On A Tesla

A growing number of manufacturers are locking perfectly good hardware behind arbitrary software restrictions. While this ought to be a bigger controversy, people seem to keep paying for things like printers with ink subscriptions, cameras with features disabled in firmware, or routers with speed restrictions, ensuring that this practice continues. Perhaps the most blatant is car manufacturers that lock features such as heated seats or even performance upgrades in the hopes of securing a higher price for their vehicles. This might be a thing of the past for Teslas, whose software has been recently unlocked by Berlin IT researchers.

Researchers from Technische Universität Berlin were able to unlock Tesla’s driving assistant by inducing a two-microsecond voltage drop on the processor, which allowed root access to the Autopilot software. Referring to this as “Elon mode” since it drops the requirement for the driver to keep their hands on the steering wheel, they were able to access the full self-driving mode, allowing autonomous driving without driver input. Although this might be a bad idea based on the performance of “full self-driving” in the real world, the hack at least demonstrates a functional attack point, and similar methods could provide free access to other premium features.

While the attack requires physical access to the vehicle’s computer and a well-equipped workbench, in the short term this method might allow vehicle owners to use hardware they own however they would like, and in the long term it may make strides towards convincing manufacturers that “features as a service” isn’t a profitable strategy. Perhaps that’s optimistic, but at least for Teslas it’s been shown that they’re not exactly the most secured system on four wheels.

Tesla’s Plug Moves Another Step Closer To Dominance

Charging an EV currently means making sure you find a station with the right plug. SAE International has now published what could be the end to the mishmash of standards in North America with the J3400 North American Charging Standard.

The SAE J3400™ North American Charging Standard (NACS) Electric Vehicle Coupler Technical Information Report (TIR), which just rolls off the tongue, details the standard formerly only available on Tesla vehicles. We previously talked about the avalanche of support from other automakers this year for the connector, and now that the independent SAE standard has come through, the only major holdout is Stellantis.

Among the advantages of the NACS standard over the Combined Charging System (CCS) or CHAdeMO is a smaller number of conductors, given the plug’s ability to carry DC or AC over the same wires. Another benefit is the standard’s use of 277 V, which means that three separate Level 2 chargers can be placed on a single 3-phase commercial line with no additional step-down required. Street parkers can also rejoice, as the standard includes provisions for lamppost-based charger installations with a charge receptacle plug instead of the attached cable required by J1772, which leads to maintenance, clutter, and ADA concerns.

Now that J3400/NACS is no longer under the purview of a single company, the Federal Highway Administration has announced that it will be looking into amending the requirements for federal charger installation subsidies. Current rules require CCS plugs be part of the installation to qualify for funds from the Bipartisan Infrastructure Bill.

If you want to see how to spice up charging an EV at home, how about this charging robot or maybe try fast charging an e-bike from an electric car plug?


Hackaday Links: December 3, 2023

Sure, it does less than originally promised, but hey — at least it’s more expensive. That about sums up Tesla fans’ feelings after the long-awaited Cybertruck reveal at the Texas Gigafactory on Thursday, where Elon Musk himself handed over the keys — or their Cyber equivalent — to a few new owners. These are expensive machines — $61,000 for the two-motor model, and just shy of $100,000 for the three-motor all-wheel-drive model with all the bells and whistles. That’s considerably more than they were expected to cost back in 2019, a fact which may be at least partially behind the drop in Tesla shares after the launch.


A Few New Car Owners Will Join The 48V Future

Leaving aside all the annoying hype surrounding Tesla’s Cybertruck, there’s a little technical detail which might be of more interest to readers than the automotive behemoth itself. It’s one of very few vehicles on the road to eschew 12 volt electrics for not 24 volt, but 48 volt. This has been one of those automotive innovations promised as just around the corner for many years, and it seems finally we’ll see it in practice.

The case for moving on from 12 volt electrics has been brewing for decades now, which is why there’s nothing new in the prospect. A typical car has plenty of motorized gadgets from seat adjusters to sunroofs, as well as at least one heated windscreen or other surface. These devices take a lot of power, and at the lower voltage require significant current to operate. The 48 volt system will require much less in the way of copper to get the power where it’s needed, so the surprise is that we’ve not yet seen it in run-of-the-mill vehicles from the likes of Ford or Volkswagen.

What we’re guessing is that other manufacturers will be watching from the sidelines as to whether 48 volt electrics cause any problems for the Tesla, and it’s not impossible we could see it becoming the new hotness. There are many choice words we could say relating to the hype around Tesla and its supposed level of innovation, but it could be that this time they’ve really been first with something the whole industry will go for. If so we should rejoice, because it’s likely to push down the prices of 48 volt lithium-ion packs.

Header image: Mliu92, CC BY-SA 3.0.

Tesla Claims To Have Open Sourced The Roadster

In an interesting step for anyone who follows electric car technology, the automaker Tesla has released a trove of information about its first-generation Roadster car into the public domain. The documents involved include service manuals, circuit diagrams, and technical details, and Elon Musk himself posted on X that “All design & engineering of the original @Tesla Roadster is now fully open source.”

We like the idea and there’s plenty of interesting stuff there, but we can’t find an open-source licence anywhere and we have to take issue with his “Whatever we have, you now have” comment. What we have is useful maintenance information and presents a valuable window into 2010’s cutting edge of electric vehicles, but if it’s everything they have then something must have gone very wrong in the Tesla archives. It’s possible someone might take a Lotus Elise and produce something close to a Roadster replica with this info, but it’s by no means enough to make a car from. Instead we’re guessing it may be a prelude to reducing support for what is a low-production car from over a decade ago.

When it comes to electric vehicle manufacturers open-sourcing their older models we already have a model in the form of Renault’s open-source version of their Twizy runabout. This is a far more credible set of information that can be used to make a fully open-source version of the car, rather than a set of workshop manuals.

Tesla Roadster, cytech, CC BY 2.0.