Researcher shows how popular app ES File Explorer exposes Android device data

Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has more than 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app runs a slimmed-down web server on the device. Because that server accepts connections from the local network rather than only from the device itself, it exposes the phone to a range of attacks, including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

A script, developed by a security researcher, that obtains data from an Android device running ES File Explorer on the same network. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.
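The practical check on the defender's side is to see which apps on a phone are listening on all interfaces rather than on loopback only, since only the former are reachable from other devices on the Wi-Fi. The following is an added example and is not Robert's script or any code from ES File Explorer: it parses iproute2-style `ss -tlnp` output (for instance from `adb shell ss -tlnp`; showing the owning process normally requires root) and reports the sockets that any host on the same network could connect to. The embedded sample output is constructed; its port numbers and package names are made up, and the real port this article refers to is not named here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of `ss -tlnp` (iproute2). The ports and
# package names are invented for this example and do not describe ES File
# Explorer's actual listener.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:8080        0.0.0.0:*         users:(("com.example.fileexplorer",pid=4242,fd=77))
LISTEN 0      128    127.0.0.1:5037      0.0.0.0:*
LISTEN 0      50     [::]:9090           [::]:*            users:(("com.example.mediacast",pid=5151,fd=31))
LISTEN 0      10     [::1]:6000          [::]:*            users:(("com.example.localonly",pid=6262,fd=12))
"""

# Bind addresses that mean "every interface", i.e. reachable from the LAN.
WILDCARD = {"*", "0.0.0.0", "[::]", "::"}
# Bind addresses that are only reachable from the device itself.
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Pulls the process name and pid out of ss's users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass
class ListeningSocket:
    local_addr: str
    port: int
    process: Optional[str]
    pid: Optional[int]

    @property
    def exposure(self) -> str:
        """Classify who can reach this listener."""
        if self.local_addr in WILDCARD:
            return "all-interfaces"
        if self.local_addr in LOOPBACK:
            return "loopback"
        return "specific"


def parse_ss(output: str) -> List[ListeningSocket]:
    """Parse `ss -tlnp` text into ListeningSocket records (LISTEN rows only)."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening state
        # rpartition keeps IPv6 literals such as [::]:9090 intact.
        host, _, port = fields[3].rpartition(":")
        m = _PROC_RE.search(line)
        sockets.append(ListeningSocket(
            local_addr=host,
            port=int(port),
            process=m.group("name") if m else None,
            pid=int(m.group("pid")) if m else None,
        ))
    return sockets


def lan_exposed(output: str) -> List[ListeningSocket]:
    """Return only the listeners that another device on the same network could reach."""
    return [s for s in parse_ss(output) if s.exposure == "all-interfaces"]


if __name__ == "__main__":
    for s in lan_exposed(SAMPLE_SS_OUTPUT):
        print(f"port {s.port} bound to {s.local_addr} by {s.process or '?'} (pid {s.pid})")
```

Run it against real output by piping `adb shell ss -tlnp` into `parse_ss`; anything reported by `lan_exposed` is a service the article's "same Wi-Fi" attacker could talk to, and the process column tells you which app owns it.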

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment they open the app.

Biden’s executive order limits government’s use of commercial spyware


President Joe Biden on Monday signed an executive order barring many uses by the federal government of commercial spyware, which has been increasingly used by other countries in recent years to surveil dissidents, journalists, and politicians.

The signing of the executive order came as administration officials told journalists that roughly 50 US government personnel in at least 10 countries had been infected or targeted by such spyware, a larger number than previously known. The officials didn’t elaborate.

Commercial spyware is sold by a host of companies, with the best known being NSO Group of Israel. The company sells a hacking tool known as Pegasus that can surreptitiously compromise both iPhones and Android devices using “clickless” exploits, meaning they require no user interaction. By sending a text or ringing the device, Pegasus can install spying software that steals contacts, messages, geo locations, and more, even when the text or call isn’t answered. Other companies selling commercial spyware include Cytrox, Candiru, and Paragon.

NSO describes Pegasus as a “lawful intercept” tool that’s sold only to legitimate law-enforcement agencies to investigate crime and terrorism, but Mexico, India, Saudi Arabia, the United Arab Emirates, Morocco, and other countries have been caught deploying it against political dissidents, journalists, and other citizens who aren’t accused of any crimes. In November 2021, the Biden administration restricted the export, re-export, and in-country transfer of products from NSO and three other companies in Israel, Russia, and Singapore.

Monday’s executive order goes further by barring federal agencies, including those engaged in law enforcement, defense, or intelligence activities, from “operationally using” commercial spyware.

“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of US Government personnel and their families,” a fact sheet published by the White House said. “US Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of US Government information and information systems.”

White House officials aren’t naming the specific spyware that’s barred, but the term “commercial spyware” strongly implies it includes tools sold by NSO, Cytrox, Candiru, and others. A tool falls under the order if, among other criteria:

  • they’re abused by a foreign government in an attempt to access the device of a US citizen
  • a foreign actor deploys them against activists or dissidents in an attempt to intimidate or curb dissent or opposition or squelch expressions of free speech
  • they’re supplied to governments for which there are credible reports that they engage in systematic acts of political repression.

The officials declined to say if US law enforcement and intelligence agencies currently use commercial spyware. Last year, the FBI confirmed a New York Times report that the bureau had bought NSO Group’s Pegasus tool for product testing and evaluation but said it wasn’t used for operational purposes or to support any investigation. The US Drug Enforcement Administration, the NYT has also reported, deployed a surveillance tool called Graphite in counternarcotics operations.

The power of AI compels you to believe this fake image of Pope in a puffy coat

An AI-generated photo of Pope Francis wearing a puffy white coat that went viral on social media.

Over the weekend, an AI-generated image of Pope Francis wearing a puffy white coat went viral on Twitter, and apparently many people believed it was a real image. Since then, the puffy pontiff has inspired commentary on the deceptive nature of AI-generated images, which are now nearly photorealistic.

The pope image, created using Midjourney v5 (an AI image synthesis model), first appeared in a tweet by a user named Leon (@skyferrori) on Saturday and quickly began circulating as part of other meme tweets featuring similar images as well, including one that humorously speculates about a pope “lifestyle brand.”

Not long after, Twitter attached a reader-added context warning to the tweet that reads, “This is an AI-generated image of Pope Francis. It is not a genuine photo.”

As noted in our piece on last week’s AI-generated Donald Trump arrest photos, Twitter guidelines state that users “may not deceptively share synthetic or manipulated media that are likely to cause harm.” Although in this case, the line between harm and parody might be a fuzzy one.

How do we know the image is fake? Aside from a Reddit post containing alternative images of the Pope from the person who likely made it, The Verge breaks down the evidence fairly well in a piece analyzing the impact of the false image. For example, if you zoom in on details, you’ll see telltale signs of image synthesis in warped details like the pope’s crucifix necklace, the crooked shadow of his glasses, and whatever he is carrying in his hand (a cup?).

But still, upon a quick glance, the false photo (“fauxto”?) looks fairly realistic. And as The Verge notes, a stylish image of Pope Francis plays into our beliefs about the papacy, which often involves wild non-fake imagery—although Pope Francis is known for his “humble” outfits.

A Midjourney journey

The image service used to create the fake photo, Midjourney, debuted last year. Along with DALL-E and Stable Diffusion, it’s one of three major image synthesis models that have become popular online. All three allow users to generate novel images using only text descriptions called “prompts.”

Our experiments with “Pope Francis in a 1990s white puffer jacket,” created using Midjourney v5. (Image: Midjourney)

In this case, the prompt used to create the puffy pope photo might have been as simple as “Pope Francis in a puffy white coat” because Midjourney has made huge leaps in photorealism recently, rendering complex scenes full of details from relatively simple prompts.

What this almost effortless capability to fake photos means for the future of media is still uncertain, but as we’ve speculated before, due to image synthesis, we may never be able to believe what we see online again.

Hobbyist builds ChatGPT client for MS-DOS

A photo of an IBM PC 5155 portable computer running a ChatGPT client written by Yeo Kheng Meng.

On Sunday, Singapore-based retrocomputing enthusiast Yeo Kheng Meng released a ChatGPT client for MS-DOS that can run on a 4.77 MHz IBM PC from 1981, providing a unique way to converse with the popular OpenAI language model.

Vintage computer development projects come naturally to Yeo, who created a Slack client for Windows 3.1 back in 2019. “I thought to try something different this time and develop for an even older platform as a challenge,” he writes on his blog. In this case, he turned his attention to MS-DOS, a text-only operating system first released in 1981, and ChatGPT, an AI-powered large language model (LLM) released by OpenAI in November.

As a conversational AI model, ChatGPT draws on knowledge scraped from the Internet to answer questions and generate text. Thanks to an API that launched this month, anyone with the programming chops can interface ChatGPT with their own custom application.

Thanks to his new app, which can run on MS-DOS, Yeo can use a vintage IBM PC-compatible computer to chat with ChatGPT over the Internet. It’s a similar back-and-forth conversation as the traditional ChatGPT web interface, albeit as a text-only, full-screen application running on the antique machine.

Development challenges

A photo of an IBM PC 5155 computer running a ChatGPT client written by Yeo Kheng Meng.

MS-DOS posed a particularly challenging platform for a ChatGPT client, lacking native networking abilities. In addition, Yeo targeted a computer with very limited processing power: a 1984 IBM 5155 Portable PC, which includes an Intel 8088 4.77 MHz CPU, 640KB conventional memory, CGA ISA graphics, and MS-DOS 6.22.

To create the client, Yeo used Open Watcom C/C++, a modern compiler running on Windows 11 that can target 16-bit DOS platforms. For testing purposes, he used a VirtualBox virtual machine running DOS 6.22 to streamline the development process, then he transferred the compiled binary to the target IBM DOS PC for testing.

To handle networking on the IBM PC, Yeo needed to weave his way through several layers. First, Yeo utilized a “Packet Driver API” standard invented in 1983. He integrated the open source MTCP library by Michael B. Brutman into the application to communicate with the Packet Driver, enabling networking capabilities for the client.

For the ChatGPT API, Yeo used OpenAI’s Chat Completion API, constructing the POST request (and parsing the JSON-formatted response) manually in C.

However, Yeo hit a major snag: the ChatGPT APIs require encrypted HTTPS connections. Since there are no native HTTPS libraries for MS-DOS, Yeo had to create an HTTP-to-HTTPS proxy that can run on a modern computer and translate the requests and responses between the MS-DOS client and ChatGPT’s secure API, acting as a transparent middleman in the communication process.
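The proxy's job, as described above, is to accept the DOS client's plaintext HTTP request and re-issue it over TLS. Two consequences follow for anyone building one: the leg between the 8088 and the proxy is unencrypted on the LAN, so the API key should be attached by the proxy and never stored on or sent from the DOS machine; and because anything on the network can reach the proxy, it should forward only the single endpoint the client needs rather than act as an open relay. The following is an added example of that request-rewriting step, written in Python for the modern-computer side; it is not Yeo's doschgpt code. It assumes the DOS client sends a plain HTTP/1.0 POST, that the upstream host is api.openai.com and the endpoint is /v1/chat/completions, and it operates on a constructed request with no network access (the TLS send itself is left out).

```python
import json
from typing import Dict, Tuple

UPSTREAM_HOST = "api.openai.com"               # assumed HTTPS upstream
ALLOWED = {("POST", "/v1/chat/completions")}   # the one request the DOS client needs

# Constructed sample of what the DOS client would send to the proxy in the clear.
# Note that there is no Authorization header: the key lives only on the proxy.
SAMPLE_BODY = json.dumps({
    "model": "gpt-3.5-turbo",
    "messages": [{"role": "user", "content": "Hello from a 4.77 MHz 8088"}],
}).encode()
SAMPLE_DOS_REQUEST = (
    b"POST /v1/chat/completions HTTP/1.0\r\n"
    b"Host: 192.168.1.10:8080\r\n"              # hypothetical proxy address, not the API
    b"Content-Type: application/json\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
    + SAMPLE_BODY
)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP request into method, path, lowercase headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, path, headers, body[:length]


def rewrite_for_upstream(raw: bytes, api_key: str) -> bytes:
    """Turn the client's plaintext request into the request the proxy sends over TLS.

    Refuses anything that is not an allow-listed chat-completion POST, re-serialises
    the JSON body so only a well-formed object is forwarded, and adds the key here.
    """
    method, path, _headers, body = parse_http_request(raw)
    if (method, path) not in ALLOWED:
        raise ValueError(f"refusing to forward {method} {path}")
    payload = json.loads(body)  # raises on garbage (JSONDecodeError is a ValueError)
    if "model" not in payload or not isinstance(payload.get("messages"), list):
        raise ValueError("body is not a chat completion request")
    body = json.dumps(payload).encode()
    head = (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {UPSTREAM_HOST}\r\n"
        f"Authorization: Bearer {api_key}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"          # one request per connection, as the DOS side expects
    ).encode()
    return head + body


def is_forwardable(raw: bytes) -> bool:
    """True if the proxy would relay this request, False if it would be refused."""
    try:
        rewrite_for_upstream(raw, "placeholder-key")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(rewrite_for_upstream(SAMPLE_DOS_REQUEST, "sk-REDACTED").decode())
```

The bytes returned by `rewrite_for_upstream` are what the proxy would write into an `ssl`-wrapped socket to the upstream host; the reply can be copied back to the DOS client unchanged, since the client already parses the JSON itself.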

Yeo says that reading and writing input to the console presented another challenge due to the single-threaded nature of DOS applications. He devised a method to check and receive keypresses without pausing the program using the MTCP page and online samples as a reference.

In the end, the client works better than Yeo expected, and he looks forward to more retro challenges in the future: “After experiencing this, I will definitely be writing more retro-software in future,” he writes in a blog post that describes his development process in more detail.

Yeo has released his code (called “doschgpt”) on GitHub if others want to run it themselves—or perhaps improve or extend the code in the future. With a little creativity, the latest tech in AI language models need not be limited to cutting-edge machines.
