Evil Flippers, The Human-Brain-Machine, AMD CPUs, Hacking Teslas & Rubber Duckies – PSW #794
In the Security News: Hacking your Tesla to enable heated seats (and so much more), The Downfall of Intel CPUs, The Inception of AMD CPUs, that’s right we’re talking about 3 different hardware attacks in this episode! Intel issues patches and fixes stuff even though it’s hard to exploit, Rubber Ducky you’re the one, history of Wii hacking, don’t try this at home Linux updates, we are no longer calling about your vehicle warranty, cool hardware hacking stuff including building your own lightsaber, your WiFi keys are leaking again, the evil Flipper Zero, BusKill, complaining publicly works sometimes, these are not the CVSS 10.0 flaws you are looking for, when side channel attacks, dumpster diving for plane tickets, and go ahead, try and hack a robotaxi! All that and more on this episode of Paul’s Security Weekly!
Announcements
Follow Security Weekly Productions on LinkedIn for exclusive show clips, insights, and updates across our organization! Stay connected with our hosts and fellow community members, and join the conversation that's shaping the future of cybersecurity.
Hosts
- 1. Tesla infotainment jailbreak unlocks paid features, extracts secrets
A team of security researchers from Berlin was able to use voltage fault injection attacks against the AMD CPU in Tesla vehicles, allowing them to "jailbreak" the device and access the underlying Linux operating system. This allows attackers to recover the RSA key unique to the vehicle (used to authenticate to the Tesla backend network) and to enable paid features (such as heated seats) without paying for them. Tesla is still working on a fix. More background information below:
- Blackhat Briefings Summary: Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater
- I believe this to be the previous research mentioned in the article: One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization
- Blackhat UE 2021 Presentation: One Glitch to Rule Them All: Fault Injection Attacks against AMD’s Secure Processor (Video Version)
- A Software Vulnerability in AMD's Chip Compromises Tesla's Paid Features
- 2. Downfall
- 3. INCEPTION: Exposing New Attack Surfaces with Training in Transient Execution
- 4. Intel BIOS Advisory – Memory Corruption in HID Drivers
This research used the leaked Intel BIOS source code to discover a vulnerability: "A remote attacker that is positioned within Bluetooth proximity to the victim device can corrupt BIOS memory by sending malformed HID Report structures." - However, exploitation is currently difficult: "Although I haven’t ruled out exploitation, I admit that it may be difficult to translate this out-of-bounds write into arbitrary code execution". However, I would still apply these patches (Ref: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00813.html).
- 5. Intel Addresses 80 Firmware, Software Vulnerabilities
"The most serious of the flaws, based on their CVSS score, are 18 high-severity issues allowing privilege escalation or, in a few cases, denial-of-service (DoS) attacks." - Please note these cover Downfall and the USB HID vulnerabilities from NCC Group.
- 6. My Favorite Vim Oneliners For Text Manipulation
Bram Moolenaar, the author of Vim, passed away last week. He released the first version of Vim in 1991 and was actively maintaining and developing it ever since. I thought it was important to remember Bram and his hard work and dedication. This article is a nice little how-to guide for Vim one-liners.
- 7. FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022
- 8. Meet the Finalists for the 2023 Pwnie Awards
- 9. NetHunter Hacker VI: Ultimate guide to HID attacks using Rubber Ducky scripts and Bad USB MITM attack – Mobile Hacker
Pretty nice breakdown of the threats posed by malicious USB devices. I've not performed some of these attacks in a while, and the available options have increased dramatically. This is also still a valid attack once you have physical access to a system. As a test, I created a "Rubber Ducky" from a Raspberry Pi Pico W. The "Rubber Ducky" and the "Bash Bunny" are Hak5 creations, and both support their script format called "Ducky Scripts." For the Pico (which you can pick up for just $8), I loaded CircuitPython (version 7.3.3) and Pico-ducky. Pico-ducky is a set of Python scripts that will interpret and run ducky scripts. I modified a ducky script to open a Terminal in Linux and then added an SSH key to the authorized_keys file. It works. However, if a Terminal was already open, the script failed (I have more research to do). You can find ducky scripts on GitHub by the hundreds, and creating/modifying your own is pretty easy. Resources for this example:
- 10. How the Nintendo Wii Security Was Bypassed
Really great history and details of these attacks, break out the tweezers.
- 11. Use our suite of eBPF libraries
- 12. Updating Fedora the unsupported way
But it's so much fun and entertaining! "You should not do this. I should not do this. This was a terrible idea. Any situation where you're binary patching your package manager to get it to let you do something is obviously a bad situation."
- 13. Microsoft shuts down rumors of a tool exploit banning Xbox accounts
- 14. FCC fines auto warranty robocallers nearly $300 million
"The nearly $300 million fine was levied after the FCC found the enterprise executed a scheme to make more than five billion robocalls to more than 500 million phone numbers during a three-month span in 2021." - Multiple federal laws were violated. And this is funny: "In 2022, the FCC directed all U.S.-based voice service providers to cease carrying traffic associated with the enterprise. As a result, these illegal auto warranty robocalls dropped by 99%."
- 15. LoShark
I found this to be really neat as many hackers are messing around with LoRa: "Next-gen USB LoRa debug tool. Runs mainline Linux on itself. Versatile JavaScript ES2015 interface allows access to every SX126x chip register easily. Up to 4GB flash storage allows long-time data collection. Works with any modern PC."
- 16. Raspberry Pi Lightsaber Puts the Force in Your Hands
Coolest Raspberry Pi hack!
- 17. Poorly Purged Medical Devices Present Security Concerns After Sale on Secondary Market
Oh, just like the printers: "In at least eight of the 13 devices used in the study, WiFi PSK access credentials were discovered, offering attackers potential access to health organization networks."
- 18. Senate Votes To Let People Who’ve Used Marijuana Work At Intelligence Agencies Like CIA And NSA As Part Of Defense Bill
- 19. EXCLUSIVE: Hacking tool Flipper Zero is being tracked by intelligence agencies, who fear white nationalists may deploy it against power grid
"Police departments in major cities have been put on alert over the Flipper Zero hacking tool and expressed concern over its potential use by racially motivated extremists" - There will be a rant. I'm ranting. So silly that they make it about the "Weapon" and not the actual crime.
- 20. BrianKrebs
"BeyondTrust has apparently found and is fixing a CVSS 10.0 flaw that allows an unauthenticated attacker to inject commands that run as the site user. The notice about this is hidden behind a customer portal" - I hate this
- 21. The ups and downs of 0-days
- 22. Millionaire in Minutes: Uncovering the Race Condition Exploit
- 23. Malware Reverse Engineering – Unraveling the Secrets of Encryption in Malware
- 24. CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability
- 25. Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
- 26. 3D Printable BusKill Proof-of-Concept – BusKill
"BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer."
- 27. Microsoft Signing Key Stolen by Chinese – Schneier on Security
- 28. Cult of the Dead Cow Launches Encryption Protocol to Save Your Privacy
- 29. Post Tenable’s CEO blast of Microsoft, bug gets fixed
So, we should all complain loudly and publicly to Microsoft?
- 30. Microsoft mitigates Power Platform Custom Code information disclosure vulnerability
- 31. New PaperCut Vulnerability Allows Remote Code Execution
- 32. Pixel Binary Transparency: verifiable security for Pixel devices
- 1. New acoustic attack steals data from keystrokes with 95% accuracy
A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%. When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high, and a record for that medium.
- 2. Language Is a Poor Heuristic For Intelligence
This article first describes how autistic people are often incorrectly regarded as lacking intelligence simply because they cannot speak, but revealed to have high intelligence when they use a computer tablet with specialized software (called AAC, for ‘Augmentative/Alternative Communication’). Then it describes the reverse situation with Large Language Models, which can use language, but are in fact utterly unintelligent, with no comprehension of the meaning of their statements.
- 3. GPU First — Execution of Legacy CPU Codes on GPUs
In this paper, we propose a novel compilation scheme called “GPU First” that automatically compiles legacy CPU applications directly for GPUs without any modification of the application source. Apps can run 14 times faster this way.
- 4. Selling Software to the US Government? Know Security Attestation First
Going forward, any organization selling software to the US government will be required to self-attest that it conforms with the secure software development practices outlined by the government in the NIST Secure Software Development Framework.
Organizations must not simply attest that they follow these practices, but also that the open source components they pull into their applications follow these practices as well. This seems to forbid most or all open-source code.
- 5. ‘DarkBERT’ GPT-Based Malware Trains Up on the Entire Dark Web
It uses as its knowledge base the entirety of the Dark Web itself.
- 6. Only 1 in 5 people with opioid addiction get the medications to treat it, study finds
Nationwide, only one in five people with opioid use disorder receive the medications considered the gold standard for opioid treatment, such as methadone, buprenorphine or extended-release naltrexone. Experts say stigma about addiction and lack of training among physicians and other medical workers often limits use of these drugs. This latest study points to one possible solution: It found people with opioid addiction who receive medical support via telehealth – through on-line or telephone consultations – were roughly 38 times more likely to be prescribed proper medications.
- 7. A jargon-free explanation of how AI large language models work
Large Language Models (LLMs) operate on fragments of words called tokens, and express each token as a list of 300 numbers called a "word vector." Each word vector represents a point in an imaginary “word space,” and words with more similar meanings are placed closer together. Google’s word vectors had another intriguing property: You could “reason” about words using vector arithmetic. For example, Google researchers took the vector for "biggest," subtracted "big," and added "small." The word closest to the resulting vector was "smallest." The layers of neurons transform the word sequences, finding verbs and nouns, context, and the larger-scale structure of sentences and paragraphs. For example, the most powerful version of GPT-3 uses word vectors with 12,288 dimensions—that is, each word is represented by a list of 12,288 numbers. That’s 20 times larger than Google’s 2013 word2vec scheme.
- 8. A passenger used a boarding pass found in the trash. CLEAR escorted them through airport security.
In two incidents, a CLEAR employee escorted passengers through TSA security checkpoints who had not displayed any ID, and who were not enrolled in CLEAR’s identity-vetting service. Lawmakers have called for TSA to begin requiring all CLEAR passengers to present their IDs to a TSA agent.
- 9. Robotaxis Are Coming to Los Angeles. Everywhere Could Be Next.
Cruise is expanding its self-driving taxi operation to Los Angeles amid a year of huge growth for autonomous driving. It’s increasing its autonomous rides by 49 percent per month and already doing more than 10,000 rides per week. In L.A., Cruise will begin testing soon and then expand to self-driving ride-hailing. It will be the company’s eighth city of operation, up from one at the start of this year. And it won’t be the last.
- 10. Spyware maker LetMeSpy shuts down after hacker deletes server data
Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones. LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim’s phone home screen, making the app difficult to detect and remove. When planted on a person’s phone — often by someone with knowledge of their phone passcode — apps like LetMeSpy continually steal that person’s messages, call logs and real-time location data.