* Posts by Matthew1471!

24 posts • joined 6 Jan 2014

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

Matthew1471!

Re: RTFM

Looks like the IS-GPS-200 documents 2 frequencies called L1 and L2. L2 fixes this but is a different frequency : http://www.catb.org/gpsd/hacking.html#y2k1 and https://www.gps.gov/technical/icwg/IS-GPS-200H.pdf (for "frequency")

"1575.42 MHz (10.23 MHz × 154) called L1;

and a second at 1227.60 MHz (10.23 MHz × 120), called L2."

CNAV is wrapped up in L2 but L2 is "pre-operational" and not to be used for critical usage.

L1 C/A (under "Legacy Signals" in Wiki has a section about 10 bits and rollover) is affected. L2C CNAV ("pre-operational") is not (blurb in wiki under "CNAV navigation message" explains increase in bits).

https://en.wikipedia.org/wiki/GPS_signals was also helpful.

Sounds like some newer receivers are on the L2 bandwagon.. but that doesn't mean there isn't a tonne of L1 only devices still around.

Matthew1471!

Not entirely uncommon :).

Matthew1471!

Re: Still only 13 bits? That's just 8192 weeks!

What I find also interesting is that the new protocol mentioned when you google it also comes up as "Pre-operational" with a warning about not using it for anything critical yet ;-).

Matthew1471!

Re: RTFM

>Yes, it's entirely possible that some poor coder relied on the 10-bit week number

https://www.tomtom.com/en_gb/updates/

https://easyconnect.renault.co.uk/

and the Emergency Services Network AirWave references above :)

I don't think anyone is saying life will be destroyed as we know it.. I think they're saying perhaps consider checking where you're reliant on GPS (particularly for time syncronisation) and check your vendor follows IS-GPS-200 and/or has a patch for this if they need to.

Matthew1471!

Re: Week count?

Also leap seconds.. whether they should be using the date to calculate leap seconds or whether there is another field for that is a question for someone who knows the GPS spec better.. but I found at least one reference online of a manufacturer doing leap seconds off the date.

Matthew1471!

Re: Base Stations

4G does care :).

Matthew1471!

Re: New cars too

How I found this news story too (also a Zoe driver) :).

To the person commenting about not owning the battery with the ZOE, if you have a "ZOE i" model (like I do) then you do.. have been able to buy it all rather than just lease the battery since Nov 2015 (car was released 2013).

Links:

Is My Renault affected? : https://easyconnect.renault.co.uk/

Is My TomTom affected? : https://www.tomtom.com/en_gb/updates/

Matthew1471!

That's what some did in 1999 :)

Matthew1471!

Thing that throws me is Googling for CNAV tells me that it's "Pre-operational" and not to be used for anything important? Am I the only one who thinks the advisory should probably point that one out before pushing people in that direction?

Matthew1471!

Leap seconds I believe are also calculated by the correct date on some devices.

Matthew1471!

https://easyconnect.renault.co.uk/pages/software-upgrade

Matthew1471!

Re: Yay landfill!

https://www.tomtom.com/en_gb/updates/

Matthew1471!

Time too

I believe leap seconds are also calculated off the date. So potential for time to be incorrect.

Are you sure your disc drive has stopped rotating, or are you just ignoring the messages?

Matthew1471!

Re: I can believe it!

Netgear has a better system for their ReadyNAS.. to delete a volume one has to type in "DESTROY" into a text area and click okay. Can hardly ring up Netgear and complain that your disk volume has been erased then can you?

Hacker backdoors Linksys, Netgear, Cisco and other routers

Matthew1471!

Re: Factory reset only ?

Factory reset was one of many options available. Read the presentation or one of my summary comments. The reg article is slightly incorrect in saying it always triggers a factory reset.

I doubt it has anything to do with the NSA, it looks like it would have been useful for legitimate device testing and in most cases it's not even accessible via the Internet (only the local internal network).

Matthew1471!

Re: Not likely

There's one well known manufacturer which had "802.11 pre-n" devices that when they got a little too warm (which was caused by themselves) they'd reboot. Having had to play with one I vowed to never buy one of their products again and haven't.

You get a feel after a while for which manufacturers are trustworthy or not. Vote with your wallet and make sensible recommendations to your friends/colleagues.

I was quite surprised that SerComm actually were outsourced by some of the big names to make some of their products.. would of thought the big names had their own expertise.

Matthew1471!

Re: Weird not one word of how the the company ....

The vendors have been told AFTER this was posted online. They're having to play catchup. Feel rather sorry for them. They just outsourced the manufacture of some devices, now they're getting told there was a backdoor in them...

Also a lot of Linksys products. Linksys was bought out ages ago. Belkin have now inherited this backdoor mess through no fault of their own.

Matthew1471!

Re: Hmmmmm

Doubt it. It's more than likely just a diagnostic mode left into shipped products. A lot of the modes offered are useful for diagnostic purposes when you are developing a device and don't really serve any other purpose.

Matthew1471!
Megaphone

Re: "alert the victim that something had happened"

The article is slightly wrong, the backdoor allows several options of which factory resetting is one of them.

they're listed in the presentation and source code for the proof of concept but ...for the non-technical or those who struggled to read it:

#1. Output all of the settings, all of the usernames, all of the passwords for the device.

#2. Read just one specified setting/username/password.

#3. Set one specified setting/username/password just while it's running ("apply").

#4. Save all the settings that are currently set so they persist a reboot.

#5. Join the network as if you are not connected to the Internet but another router.

#6. Output how fast we currently think our Internet or network connection is.

#7. Allow me to run any Linux (busybox) command I want on this device.

#8. Store a file on the device.

#9. Write what version of the software we are running.

#10. Write out our IP address.

#11. Factory reset. Lose all settings.

#12. Read the memory contents of the device.

#13. Save the memory contents to disk.

The researcher tried all the options and accidentally hit on #11.

I wished this had been responsibly disclosed to the manufacturers before it was given to Github, Hacker News and Reddit but now it's out there I hope it helps people who have the same devices know that an update to their device is proably coming that they will need to apply.

Matthew1471!
Holmes

Re: "alert the victim that something had happened"

As commented, the factory reset is one of the many options.

On some of the devices it is accessible from the outside.

I see many issues/options even from the inside:

#1 I may grant you access to my Wireless network but that doesn't mean I want you to recover the password to my devices?

#2 Same as above but you could on some routers obtain the username and password I use with my Internet provider / dynamic DNS.

#3 I may grant you access to my "guest" WiFi, you could use that as a launch pad to then get my main WiFi password and/or communicate with my other devices.

#4 You could just plug something into my router and obtain my WiFi password despite me not actually having given it to you.

#5 Say I am a business providing you with free WiFi, I don't exactly want you to login to my access point and screw around with any of the settings...

Matthew1471!

Re: "alert the victim that something had happened"

"Yes, but to do that you've got to factory reset it first"... not accurate. Most routers/access points I have updated do not factory reset after a firmware upgrade. The config is often stored in a different location to the firmware.

Matthew1471!

Re: "alert the victim that something had happened"

The factory reset is one of the options a user has. On most devices the port is not internet accessible thankfully, so an attacker would have to be on your local network.

However on *some* of those affected devices they don't need to be.

Test yours to be sure. It's easy to see if you can telnet (if you don't feel up to running the Python script that he's provided) to your public IP on that port from another Internet connection.

Biting the hand that feeds IT © 1998–2019