The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

founded 1 year ago
676
 
 

Bram Moolenaar, Creator of Vim Text Editor for Linux Passes Away

By ghostadmin

Bram Moolenaar, aged 62, passed away from a medical condition that rapidly progressed over the last few weeks.

This is a post from HackRead.com Read the original post: Bram Moolenaar, Creator of Vim Text Editor for Linux Passes Away

677
 
 

AI Flagged as “Chronic Risk” in UK Government’s Risk Register 2023 Report

By Habiba Rashid

The UK government has also warned about the looming threat of severe cyber attacks on critical national infrastructure in its recently released National Risk Register 2023.

This is a post from HackRead.com Read the original post: AI Flagged as “Chronic Risk” in UK Government’s Risk Register 2023 Report

678
 
 

Tesla infotainment jailbreak unlocks paid features, extracts secrets

Researchers from the Technical University of Berlin have developed a method to jailbreak the AMD-based infotainment systems used in all recent Tesla car models and make it run any software they choose.

Additionally, the hack allows the researchers to extract the unique hardware-bound RSA key that Tesla uses for car authentication in its service network, and to use voltage glitching to activate software-locked features such as seat heating and 'Acceleration Boost' that Tesla car owners normally have to pay for.

The German researchers shared the full details of their hack with BleepingComputer, which will be published in an upcoming BlackHat 2023 presentation scheduled for August 9, 2023, titled 'Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater.'

The researchers were able to hack the infotainment system using techniques based on the team's previous AMD research, which uncovered the potential for fault injection attacks that can extract secrets from the platform.

Tesla's infotainment APU is based on a vulnerable AMD Zen 1 CPU; hence the researchers could experiment with the exploitation of the previously discovered weaknesses to achieve jailbreak.

"For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system," explains the researchers' BlackHat brief summary.

"First, we present how we used low-cost, off-the-shelf hardware to mount the glitching attack to subvert the ASP's early boot code."

"We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution."

By gaining root permissions, the researchers were free to perform arbitrary changes that survive infotainment system reboots and Tesla's 'over-the-air' updates.

Moreover, they could access and decrypt sensitive information stored on the car's system, such as the owner's personal data, phonebook, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and locations visited.

The jailbreak enables an attacker to extract the TPM-protected attestation key that Tesla uses to authenticate the car and verify its hardware platform's integrity, and migrate it to another car.

Besides car ID impersonation on Tesla's network, this could also help in using the car in unsupported regions or performing independent repairs and modding, explain the researchers.

As for what tools are needed to jailbreak Tesla's infotainment system, one of the researchers, Christian Werling, explains that a soldering iron and $100 worth of electronic equipment, like the Teensy 4.0 board, should be enough to do the trick.

Werling also told BleepingComputer that they responsibly disclosed their findings to Tesla, and the carmaker is in the process of remediating the discovered issues.

"Tesla informed us that our proof of concept enabling the rear seat heaters was based on an old firmware version."

"In newer versions, updates to this configuration item are only possible with a valid signature by Tesla (and checked/enforced by the Gateway)."

"So while our attacks lay some important groundwork for tinkering with the overall system, another software or hardware-based exploit of the Gateway would be necessary to enable the rear seat heaters or any other soft-locked feature." - Christian Werling.

However, the key extraction attack still works in the latest Tesla software update, so the problem remains exploitable for now, Werling told BleepingComputer.

Finally, some news outlets have claimed that the jailbreak can unlock Full-Self Driving (FSD), but the researcher told us this is false.

679
 
 

Google Gmail continuously nagging to enable Enhanced Safe Browsing

Google is urging users to activate its Enhanced Safe Browsing feature via numerous alerts in Gmail that keep coming back, even after you acknowledge them.

Enhanced Safe Browsing was released in 2007 as an upgrade to Google's standard Safe Browsing feature that warns users when they visit known phishing and malware sites.

The difference between the two security features is that Safe Browsing compares a visited site to a locally stored list of domains, whereas Enhanced Safe Browsing checks whether a site is malicious in real time against Google's cloud services.

While it may seem like Enhanced Safe Browsing is the better way to go, there is a slight trade-off in privacy, as Chrome and Gmail will share URLs with Google to check if they are malicious and temporarily associate this information with your signed-in Google account.

Google pushing Enhanced Safe Browsing feature

Over the last week, I received five alerts urging me to turn on Enhanced Safe Browsing, despite declining the offer each time. Other BleepingComputer journalists were also shown the alerts when in Gmail.

Google pushing Enhanced Safe Browsing alerts via Gmail.com in Chrome
Source: BleepingComputer

A banner with the message "Get additional protection against phishing. Turn on Enhanced Safe Browsing to get additional protection against dangerous emails" persistently shows up in Gmail on both Chrome for Windows and Android, providing users with two options: 'Continue' and 'No, thanks'.

Gmail's Enhanced Safe Browsing alerts on Android
Source: BleepingComputer

While the intent behind the feature is understandable - safeguarding users from potential online threats - Google's aggressive push towards its adoption raises issues.

Firstly, it seems to overlook user choice. Every time a user clicks 'No, thanks', the expectation is that their choice is respected and registered. However, the recurrence of these alerts suggests otherwise.

Such persistent reminders may feel intrusive to some users, bordering on nagging.

Furthermore, there's a privacy concern tied to this feature. When users are signed in to Chrome, the data related to Safe Browsing is temporarily linked to their Google Account.

Google justifies this by stating, "We do this so that when an attack is detected against your browser or account, Safe Browsing can tailor its protections to your situation. After a short period, Safe Browsing anonymizes this data so it is no longer connected to your account."

However, despite the promised benefits, not all users may be comfortable linking their Google account to Chrome or their browsing data to their Google account.

In an era where data privacy is a growing concern, users should have the right to make informed decisions about their online safety measures without being constantly nudged toward a particular choice.

With that said, Enhanced Safe Browsing will provide you with increased security in Gmail by protecting you from links to malicious phishing and malware sites in your emails.

If you are sick of the warnings or just want better security, even though you may have reduced privacy, you can enable the feature by following these steps:

  1. Open your Google Account.
  2. Click on Security.
  3. Scroll down to Enhanced Safe Browsing and click on Manage Enhanced Safe Browsing.
  4. Toggle the Enhanced Safe Browsing setting to enabled.

BleepingComputer reached out to Google about the repeated prompts and will update the story if we receive a response.

680
 
 

Google News, Discover links showing 404 Not Found? Here's how to fix

It happens every once in a while when a story on your Google Discover news feed will mysteriously take you to Google's 404 (Not Found) page—despite the story being very much live at the time.

BleepingComputer has been observing this behavior over the past few weeks at random on Android devices, and we were able to identify the cause of the problem.

Here's how you can still read your favorite stories, and even work around the bug that has occasionally bothered some users in the past.

Google News (or Discover) stories not found

Every now and then you may tap on a story served by Google Discover or Google News Showcase on an Android device. Except, the story takes you to Google's clunky "Error 404 (Not Found)!!1" page.

A sample Google Discover Showcase story taking you to 404 (Not Found) despite being up
(BleepingComputer)

This happens in some cases, even though the story is otherwise live on the news outlet:

https://www.liverpoolecho.co.uk/news/uk-world-news/easyjet-ryanair-tui-jet2-rule-27346395

Further, we noticed that the story publisher had not changed the original URL of the story at any point for an error like this to have occurred.

BleepingComputer has observed this behavior with the Google app on Android devices at random, which makes it hard to reproduce.

Other users seem to have also noticed the glitch:

User reports Google Discover News story taking them to a 404 page (X)

In fact, none of the links shared by these users on social media or with their friends (such as via WhatsApp) will work—these lead to 404 pages, even though the stories they meant to take you to, are up.

Users share Google Discover News stories with 'dead' links (X)

Why does the issue occur?

When you tap on a story served by Google News feed, the URL it's taking you to looks like this (taking the Liverpool Echo story above as an example):

https://play.google.com/newsstand/api/v3/articleaccess?url=https://www.liverpoolecho.co.uk/news/uk-world-news/easyjet-ryanair-tui-jet2-rule-27346395?gaa...

This link is functional and can be tested by copying-pasting it in a web browser. It should take you to the page shown below:

Liverpool Echo example article served by Google News

The first part of the URL, that uses Google Play's play.google.com domain, is essentially a "redirect" service taking you to the desired news story.

The bits at the end following a question mark are a long string of GET parameters, that we have discarded from the view, as these serve no functional purposes with regards to the redirect and are purportedly being used for tracking and analytics.

The problem arises when multiple Google accounts are signed onto a device.

Whenever multiple Google (think Gmail) accounts are logged in on a device, the URLs for Google services get "rewritten" with an account identifier.

For example, Gmail Desktop users may have noticed the mail.google.com/mail/ URL turning into mail.google.com/mail/u/0/ when they are using multiple Gmail accounts simultaneously (the '/u/0' part denotes which account is currently in the user's view).

Similarly, the URLs for these news stories, in some cases, get rewritten with an account identifier:

https://play.google.com/u/0/newsstand/api/v3/articleaccess?url=https://www.liverpoolecho.co.uk/news/uk-world-news/easyjet-ryanair-tui-jet2-rule-27346395?gaa...

And this causes the redirect service to break, showing you a 404 (Not Found) page for the story instead of Google Play's servers honoring or ignoring the account identifier parameter ("/u/...").

We submitted bug reports to Google, via the "Send Feedback" button on multiple occasions that we witnessed the issue but it remains unclear if that has helped with the remediation of the issue.

What can you do?

We tried clearing the cache for both Google and Google News apps on an Android device, but the error would recur on random occasions.

Going to the Google Play store and ensuring we had the latest version of each app (and tapping "update" when not) appeared to yield minimal improvement and did not completely eradicate the issue.

A workaround we have identified is, for Google News/Discover stories that show a 404 page, users can simply return to their news feed screen.

You can then tap on the three-dots next to a story, on the bottom right corner, and select "About this source & topic."

Workaround for stories with 'dead' links on Discover (BleepingComputer)

This will now show you the story as an organic search result on Google Search that you can proceed to normally.

Of course, a longer workaround would involve using Google Search to type and look up the story's headline.

A bug like this might not occur frequently and be hard to reproduce, but given other users who have reported experiencing it, BleepingComputer is sharing this information in hopes that it makes your Google News journey a tad smoother.
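The URL rewrite described in the Google News story above can be undone mechanically. The following is an added example, not code from the article or from Google: it strips the "/u/<n>/" account segment from a broken link, recovers the story URL from the `url` parameter, and only accepts http(s) targets. The function name `repairNewsLink` and the `?tracking=placeholder` suffix are assumptions made for illustration; the article elides the real tracking parameters.

```javascript
// Added example (not from the original article). Repairs a Google News
// redirect link that was rewritten with a "/u/<n>/" account segment and
// extracts the story URL it points to.
const REDIRECT_HOST = "play.google.com";
const REDIRECT_PATH = "/newsstand/api/v3/articleaccess";
const ACCOUNT_SEGMENT = /^\/u\/\d+(?=\/)/; // e.g. "/u/0" in front of the real path

function repairNewsLink(link) {
  let outer;
  try {
    outer = new URL(link);
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  if (outer.protocol !== "https:" || outer.hostname !== REDIRECT_HOST) {
    return { ok: false, reason: "not a play.google.com link" };
  }

  // Detect and drop the account identifier that breaks the redirect service.
  const hadAccountSegment = ACCOUNT_SEGMENT.test(outer.pathname);
  const path = outer.pathname.replace(ACCOUNT_SEGMENT, "");
  if (path !== REDIRECT_PATH) {
    return { ok: false, reason: "not an articleaccess redirect" };
  }

  // The story address travels in the "url" query parameter.
  let story;
  try {
    story = new URL(outer.searchParams.get("url"));
  } catch {
    return { ok: false, reason: "missing or invalid url parameter" };
  }
  // Refuse anything that is not a plain web link before following it.
  if (story.protocol !== "http:" && story.protocol !== "https:") {
    return { ok: false, reason: "target is not http(s)" };
  }

  // The trailing GET parameters are not needed to reach the story.
  story.search = "";
  story.hash = "";
  outer.pathname = path;
  return { ok: true, hadAccountSegment, redirect: outer.href, story: story.href };
}

// Constructed sample input: the story URL is the one quoted in the article,
// the tracking suffix is a placeholder.
const STORY =
  "https://www.liverpoolecho.co.uk/news/uk-world-news/easyjet-ryanair-tui-jet2-rule-27346395";
const BROKEN_LINK =
  "https://play.google.com/u/0/newsstand/api/v3/articleaccess?url=" +
  STORY + "?tracking=placeholder";

console.log(repairNewsLink(BROKEN_LINK));
```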

681
 
 

VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools

By Deeba Ahmed

Threat researchers at ReversingLabs, a software supply chain security and malware analysis platform, have discovered a malicious new PyPI…

This is a post from HackRead.com Read the original post: VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools

682
 
 

Microsoft fixed a flaw in Power Platform after being criticized

Microsoft announced it has addressed a critical flaw in its Power Platform after it was criticized for the delay in fixing the issue. Microsoft this week addressed a critical vulnerability in its Power Platform, after it was criticized for the delay in acting to secure its platform. On 30 March 2023, the vulnerability was reported to Microsoft […]

The post Microsoft fixed a flaw in Power Platform after being criticized appeared first on Security Affairs.

683
 
 

How to enable hidden Windows 11 features with Microsoft StagingTool

Microsoft has accidentally revealed an internal 'StagingTool' utility that can be used to enable hidden features, or Moments, in Windows 11.

When developing new features, Microsoft adds them to public Windows preview builds in a hidden and disabled state. These features, or Moments, can be enabled when they want to perform public A/B or internal tests.

For years, Windows enthusiasts have been searching for hidden features in new Insider preview builds and using specialized third-party tools, like ViveTool, to enable them for a sneak peek into what's coming in the future.

Now, Microsoft has revealed its own tool used to enable these hidden features.

Microsoft accidentally reveals StagingTool

As first discovered by Windows sleuth XenoPanther, Microsoft has a utility for enabling hidden development features in Windows 11 called 'StagingTool'.

While the tool was previously only used internally, Microsoft accidentally revealed its existence in a Feedback Hub quest during the August 2023 Bug Bash, an event held by Microsoft to find the most bugs in the operating system.

In this quest, Microsoft wanted users in China to test a new passwordless sign-in feature and offered instructions on using and downloading the StagingTool.exe to enable the feature.

Feedback Hub question accidentally revealing link to StagingTool
Source: XenoPanther

While Microsoft has since made the tool unavailable, it has now been widely spread among Windows enthusiasts, allowing them to use a Microsoft-sanctioned tool to enable hidden features.

How to use the Windows StagingTool to enable hidden features

Microsoft's StagingTool is a command-line program that allows you to enable hidden features, otherwise known as Moment features, in Windows 11.

To enable a hidden feature, you must know its numeric feature ID, which Microsoft developers internally use.

However, it is possible to find new feature IDs and their associated feature name by scanning Windows 11 debug symbols (PDBs) that are released along with new preview builds. A tool called ViVeTool GUI Feature Scanner can be used to help find new feature IDs in preview builds.

Once you have a feature ID for a hidden feature you want to test, you can use Microsoft's StagingTool to enable or disable it.

To use StagingTool, you will need administrative privileges, so the tool needs to be run from an elevated command prompt in a console, such as the Command Prompt or Windows Terminal.

StagingTool includes a built-in help file that can be displayed by entering the StagingTool.exe /? command, which displays the following help text:

    [StagingTool.exe]
    Controls the feature configurations for this device

    Usage: StagingTool.exe [/enable ] [/disable ] [/query [featureId]] [/reset ]
                           [/testmode] [/setvariant [payload]] [/serialize] [/setlkg]
                           [/restorelkg] [/trace [ ... ]] [/setbootconfigs ]

      /enable        Enable the specified feature
      /disable       Disable the specified feature
      /query         Query the specified feature (or all features, if featureId
                     is omitted) for enablement and variant information
        /v           Optional parameter to also print ImageDefault and
                     ImageOverride features
      /reset         Reset the specified feature to its default state
                     Specifies a feature by its feature Id
                     Example: Enable features with Id 1
                       StagingTool.exe /enable 1
      /testmode      Used in conjunction with /enable /disable /reset
                     Applied feature configs will revert after reboot
      /telemetry     Used in conjunction with /enable /disable /reset
                     Enables sending additional telemetry
      /setvariant    Select a feature variant to use (note: the feature must be
                     enabled for variants to be expressed). Use /query to list
                     configured variants.
                     Specifies a feature by its feature Id
                     Specifies a feature variant by id.
        [payload]    (Optional) Unsigned int payload for the variant (for
                     variants that support fixed payload)
      /serialize     Rather than apply changes to the local machine, use this
                     option to print out (in reg.exe/hex format) a new config
                     with all of the requested changes. This can be used for
                     offline updates to VHDs prior to first boot.
      /setlkg        Set Boot time feature override states as LKG Configurations
      /restorelkg    Restore Boot time LKG configurations states Feature
                     Configurations
      /trace         Realtime ETW trace for the specified feature(s) usage in code
                     E.g. enable trace for the feature with ID 1235441:
                       StagingTool.exe /trace 1235441
      /?             Show command usage

Before continuing, it should be noted that these are experimental, in-development features that could cause system instability in Windows 11. Therefore, it is strongly advised that you test these features in a virtual machine to easily roll back to an earlier snapshot if something goes wrong.

With that warning shared, you can use the StagingTool.exe /query command to see a list of available feature IDs. However, this command will only list the feature ID numbers and an internal Microsoft link to information about the experiment, which is not very helpful.

Using StagingTool to query for feature IDs
Source: BleepingComputer

If you cannot discover what a particular feature ID is for, you can follow Windows enthusiasts on Twitter, who sometimes share new hidden features. Some recommended people to follow include Albacore, XenoPanther, Rafael Rivera, and PhantomOcean3.

To enable a hidden feature, you can use the StagingTool.exe /enable command. For example, to enable feature ID 33001637, you would use the StagingTool.exe /enable 33001637 command from an elevated command prompt.

To disable a feature, you would use the StagingTool.exe /disable command. For example, StagingTool.exe /disable 33001637.

Therefore, if you enable a hidden feature and find that it breaks something in Windows 11, you can deactivate it to resolve the conflict.

For some features, you must restart Windows 11 after enabling or disabling a new feature.

Many other StagingTool commands are for more advanced usage, likely enabling feature variants, specific payloads, or telemetry.

Two interesting commands are the /serialize and /trace command line arguments.

The trace option will debug an enabled feature using Event Tracing for Windows (ETW), while the serialize option will create a new config to enable/disable features via the Registry as offline updates to VHDs.

Serialized configuration to enable feature in VHDs
Source: BleepingComputer

However, most of these advanced features are for internal use by Microsoft and do not need to be used.

Playing with these tools to test hidden features can be fun for Windows enthusiasts, but as previously said, they can also cause instability in the operating system.

Therefore, using ViveTool or StagingTool on your main Windows 11 computer is not advised. Instead, play with them on installs you can reinstall or restore.

684
 
 

Colorado Department of Higher Education (CDHE) discloses data breach after ransomware attack

The Colorado Department of Higher Education (CDHE) finally disclosed a data breach impacting students, past students, and teachers after the June attack. In June a ransomware attack hit the Colorado Department of Higher Education (CDHE), now the organization disclosed a data breach. CDHE did not disclose the number of impacted individuals. CDHE discovered the ransomware […]

The post Colorado Department of Higher Education (CDHE) discloses data breach after ransomware attack appeared first on Security Affairs.

685
 
 

Positive Cues Make Online Piracy Confessions More Honest, Research Finds

The vast majority of piracy-related consumer research is conducted through surveys. Over time, these findings can spot useful trends. However, new experimental research suggests that the piracy habits reported by respondents can vary depending on how surveys are primed.

From: TF, for the latest news on copyright battles, piracy and more.

686
 
 

BlueCharlie changes attack infrastructure in response to reports on its activity

Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity. Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM), ColdRiver, and TA446) continues to change its attack infrastructure following recent reports on its activity. The APT group has […]

The post BlueCharlie changes attack infrastructure in response to reports on its activity appeared first on Security Affairs.

687
 
 

Security Affairs newsletter Round 431 by Pierluigi Paganini – International edition

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Reptile Rootkit employed in attacks against Linux systems in South Korea New PaperCut flaw in […]

The post Security Affairs newsletter Round 431 by Pierluigi Paganini – International edition appeared first on Security Affairs.

688
 
 

Spain’s Pirate Site Blocking Machine: Domains Blocked 2012 – 2023

The Second Section of the Intellectual Property Commission (S2CPI) is the body responsible for Spain's administrative pirate site blocking program. Since its launch in 2012, S2CPI has received almost 843 applications and issued instructions for local ISPs to block hundreds of 'pirate' domains. One site in particular has kept the authorities disproportionately busy.

From: TF, for the latest news on copyright battles, piracy and more.