Samsung spilled SmartThings app source code and secret keys – TechCrunch

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through the exposed private keys and tokens, Hussein documented a vast amount of access that, if obtained by a malicious actor, could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.
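The failure the article describes has two parts: repositories left at “public” visibility, and AWS credentials and GitLab personal access tokens committed in plaintext. The following is an added example written for this page, not tooling from Samsung, SpiderSilk or TechCrunch, of the checks a defender would run over their own repositories to catch both. Its assumptions: the AWS access key ID format (`AKIA`/`ASIA` plus 16 characters) is AWS's documented one, the `glpat-` prefix is the token format GitLab introduced later (the incident predates it, so the real leaked tokens would not have matched it), the `visibility` field is the one GitLab's Projects API returns, and the sample files and project records are constructed for the example.

```python
import re
from dataclasses import dataclass

# Credential formats to look for. The AWS access key ID pattern follows AWS's
# documented format; the GitLab pattern assumes the "glpat-" prefix that GitLab
# adopted after the incident described above.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a reviewer can correlate the finding
    with the credential store without re-exposing the secret in a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential-looking match, with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group carry the secret in group 1.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. a checked-out tree)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def public_projects(projects: list) -> list:
    """Flag projects whose GitLab visibility is 'public'. The 'visibility'
    key takes the values 'private', 'internal' or 'public' in GitLab's API."""
    return [p["path_with_namespace"] for p in projects if p.get("visibility") == "public"]


# Constructed sample repository contents (not material from the leak).
# The AWS values are the placeholder credentials from AWS's own documentation.
SAMPLE_FILES = {
    "config/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/ci.sh": (
        "#!/bin/sh\n"
        f"curl --header 'PRIVATE-TOKEN: glpat-{'x' * 20}' https://gitlab.example/api/v4/projects\n"
    ),
    "README.md": "# Example project\nNo credentials here.\n",
}

# Constructed project records in the shape GitLab's Projects API returns.
SAMPLE_PROJECTS = [
    {"path_with_namespace": "example-group/app-a", "visibility": "public"},
    {"path_with_namespace": "example-group/app-b", "visibility": "private"},
    {"path_with_namespace": "example-group/app-c", "visibility": "internal"},
]


def report(files: dict, projects: list) -> dict:
    """Summarise both checks; a non-empty result is something to act on."""
    return {
        "secrets": scan_repo(files),
        "public_projects": public_projects(projects),
    }


if __name__ == "__main__":
    result = report(SAMPLE_FILES, SAMPLE_PROJECTS)
    for f in result["secrets"]:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    for name in result["public_projects"]:
        print(f"public project: {name}")
```

Running the scan on every push (or as a pre-receive hook) and the visibility audit on a schedule catches both halves of the problem before an outsider does; the redaction keeps the scanner's own output from becoming a second copy of the secret.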



Stadia controllers could become e-waste unless Google issues Bluetooth update


Ars originally liked the Stadia controller, describing it as “solidly built, with springy, responsive inputs.” It could still be that way without a giant USB cord if Google unlocked its full Bluetooth capabilities.

Kyle Orland

Google’s Stadia game-streaming service will die a nearly inevitable death early next year. Google is refunding players the cost of all their hardware and game purchases. But, so far, Google is also leaving Stadia players with controllers that, while once costing $70, will soon do less than a $20 Bluetooth gamepad.

Stadia’s controllers were custom-made to connect directly to the Internet, reducing lag and allowing for instant firmware updates and (sometimes painful) connections to smart TVs. There’s Bluetooth inside the Stadia controller, but it’s only used when you’re setting up Stadia, either with a TV, a computer with the Chrome browser, or a Chromecast Ultra.

The Google Store’s page for the Stadia controller states in a footnote: “Product contains Bluetooth Classic radio. No Bluetooth Classic functionality is enabled at this time. Bluetooth Classic may be implemented at a later date.” (Bluetooth Classic is a more traditional version of Bluetooth than modern low-energy or mesh versions.)

That potential later date can’t get much later for fans of the Stadia controller. Many cite the controller’s hand feel and claim it as their favorite. They’d like to see Google unlock Bluetooth to make their favorite something more than a USB-only controller and avoid a lot of plastic and circuit board trash.

“Now if you’d just enable Bluetooth on the controller, we could help the environment by not letting them become electronic waste,” writes Roadrunner571 on one of many controller-related threads on the r/Stadia subreddit. “They created trash and they at least owe it to me to do their best within reason to prevent millions of otherwise perfectly good controllers from filling landfills,” another wrote.

Many have called for Google, if they’re not going to push a firmware update themselves to unlock the functionality, to open up access to the devices themselves, so the community can do it for them. That’s often a tricky scenario for large companies relying on a series of sub-contracted manufacturers to produce hardware. Some have suggested that the full refunds give Google more leeway to ignore the limited function of their devices post-shutdown.

You can still plug the Stadia controller into the USB port on your Smart TV, computer, or gaming console and use it as a controller through a standard HID (Human Interface Device) connection. How-To Geek reports that it’s working well on PCs and with Android devices but not great on Xbox or PlayStation consoles. At least one GitHub project reportedly improves the Stadia controller’s Windows function (as an Xbox controller). One intrepid Stadia fan, Parth Shah, had already cobbled together a “Stadia Wireless” Python hack to get the Stadia controller working “wirelessly”: connected to a phone, with that phone then connecting to a Windows PC over Wi-Fi and emulating a standard Xbox controller.

Yet Shah is also active in the Stadia subreddit, asking for his creation to be made obsolete: “Not having to go through all this trouble would be so amazing. Hopefully [G]oogle does something about it.”

There’s some precedent to pushing new firmware to old business ideas. Valve, makers of the Steam PC gaming store and assorted hardware connected to it, enabled Bluetooth Low-Energy on Steam Controllers just before its Steam Box and Steam Link hardware ambitions fizzled out. Valve had something else in mind for them, namely its Steam Link software on other platforms. But Valve made Steam Controllers viable for lots of other platforms and prevented them from ending up in, at best, e-waste sorting facilities.

E-waste from abandoned hardware is an area where Google, along with many other large tech companies, is far more quiet than it is about carbon emissions, water, or even food waste. The company’s pledge to create “A circular Google” states that the company believes that by “incorporating circularity into our designs from inception, things created today can become the resources of tomorrow and enable reuse, repair, and recovery.”

In this case, it seems like circularity, in the form of a standard Bluetooth controller, is sitting inside Stadia controllers. The reuse and recovery would be much appreciated by customers.


Rewritten OpenGL drivers make AMD’s GPUs “up to 72%” faster in some pro apps


Most development effort in graphics drivers these days, whether you’re talking about Nvidia, Intel, or AMD, is focused on new APIs like DirectX 12 or Vulkan, increasingly advanced upscaling technologies, and specific improvements for new game releases. But this year, AMD has also been focusing on an old problem area for its graphics drivers: OpenGL performance.

Over the summer, AMD released a rewritten OpenGL driver that it said would boost the performance of Minecraft by up to 79 percent (independent testing also found gains in other OpenGL games and benchmarks, though not always to the same degree). Now those same optimizations are coming to AMD’s officially validated GPU drivers for its Radeon Pro-series workstation cards, providing big boosts to professional apps like Solidworks and Autodesk Maya.

“The AMD Software: PRO Edition 22.Q3 driver has been tested and approved by Dell, HP, and Lenovo for stability and is available through their driver downloads,” the company wrote in its blog post. “AMD continues to work with software developers to certify the latest drivers.”

AMD says the OpenGL driver rewrite in its 22.Q3 professional GPU drivers will bring big benefits to pro apps that rely on the older graphics API. (Image: AMD)

Using a Radeon Pro W6800 workstation GPU, AMD says that its new drivers can improve Solidworks rendering speeds by up to 52 or 28 percent at 4K and 1080p resolutions, respectively. Autodesk Maya performance goes up by 34 percent at 4K or 72 percent at the default resolution. The size of the improvements varies based on the app and the GPU, but AMD’s testing shows significant, consistent improvements across the board on the Radeon Pro W6800, W6600, and W6400 GPUs, improvements that AMD says will help those GPUs outpace analogous Nvidia workstation GPUs like the RTX A5000 and A2000 and the Nvidia T600.

A full list of compatible Radeon Pro-series GPUs is available in the 22.Q3 driver’s release notes; in addition to desktop cards, the driver is compatible with the mobile GPUs in a variety of laptops from Dell, HP, Lenovo, and Panasonic. AMD didn’t show any performance numbers for Radeon Pro GPUs older than the 6000 series, though presumably, all GPUs supported by the new drivers will see at least some benefit.

The OpenGL API is old, but it’s still in relatively wide use among older games (the PC version of Minecraft being one prominent example), in professional apps, and as a rendering backend for game console emulators, among other places. AMD also rewrote its DirectX 11 drivers earlier this year, though the performance gains in most games were generally much smaller than the improvements provided by the new OpenGL drivers.


USB-IF says goodbye to confusing SuperSpeed USB branding


The USB-IF no longer recommends SuperSpeed logos or branding for speedy USB ports.

When SuperSpeed USB was announced in 2007, the branding was a logical differentiator. The term launched with USB 3.0, which brought max data transfer rates from USB 2.0’s measly 0.48 Gbps all the way to 5Gbps. But by 2022, there were three flavors of SuperSpeed USB in various connector types facing consumers, plus the potentially faster USB4. Looking ahead, USB products will continue to offer different performance capabilities while looking the same, but there’s at least one thing we can all agree on: The word “SuperSpeed” isn’t a helpful differentiator anymore.

SuperSpeed branding already felt pretty unremarkable by 2019, when the USB-IF, which makes USB standards, renamed USB 3.0 to USB 3.1 Gen 1; USB 3.1 to USB 3.1 Gen 2, and then USB 3.2 Gen 2; and USB 3.2 to USB 3.2 Gen 2×2. The group sought to make things easier for consumers by recommending to vendors that they label products not by specification name but by “SuperSpeed USB” followed by max speed (USB 3.2 Gen 2×2, for example, would be SuperSpeed USB 20Gbps).

Per updated guidelines and logos that started coming out this quarter and that you may see before 2022 ends, as reported by The Verge today, the USB-IF now recommends vendors label products as, simply, USB 20Gbps (for USB 3.2 Gen 2×2), USB 10Gbps (for USB 3.2 Gen 2), etc. No SuperSpeed necessary.

The USB-IF’s USB performance logos.

USB4, meanwhile, gets the same treatment, with the USB-IF recommending USB 40Gbps and USB 20Gbps branding for the spec. When it comes out, USB4 Version 2.0 should be called USB 80Gbps.

“USB4 Version 1.0, USB Version 2.0, USB 3.2, SuperSpeed Plus, Enhanced SuperSpeed, and SuperSpeed+ are defined in the USB specifications; however, these terms are not intended to be used in product names, messaging, packaging, or any other consumer-facing content,” the USB-IF’s language usage guidelines updated in September read [PDF].

The USB-IF still recommends vendors label USB 2.0, which can take the form of USB-C, USB-A, USB-B, and more, as “Hi-Speed USB” with no performance indicator. Most products using the USB 2.0 spec are peripherals, like keyboards and printers, Jeff Ravencraft, USB-IF president and COO, told Ars Technica, so the industry group doesn’t think consumers will mistake the tech for being faster than, say, USB 5Gbps. The USB-IF also feared consumers confusing “USB 480Mbps” as being faster than USB 5Gbps, due to the larger number (we guess “USB 0.48Gbps” doesn’t look so pretty).

“Hi-Speed USB has been around for over 20 years and is well established in the marketplace, so we focused our rebranding efforts to 5Gbps and up,” the USB-IF spokesperson said.

Recommended USB 1.0 branding, meanwhile, is untouched.

For USB-C cables, the USB-IF now recommends packaging and logos show both max data transfer rate and power delivery.

The USB-IF’s USB-C cable logos.

This doesn’t change much

The changed recommendations align with what many vendors had already been doing: listing speeds alone without any spec name or the term SuperSpeed. Some vendors list USB spec names only. With all this in mind, it’s not surprising to see the official demise of SuperSpeed branding, especially with the USB-IF revealing its optional, SuperSpeed-free USB-C logos a year ago.

The primary issue at the heart of USB confusion remains. Even as USB-C becomes more ubiquitous and, in some places, eventually required by law, USB-C products can have a range of capabilities, including data transfer rates of 0.48–40Gbps.

The USB-IF’s guidelines also don’t specify other capabilities, like Intel Thunderbolt support, whether a cable is active or passive, and PCIe tunneling.

SuperSpeed labels like this (under the USB-A and USB-C ports) should be no more. (Image: Scharon Harding)

But according to Ravencraft, the typical consumer doesn’t really care about any of those things. The exec told The Verge that consumer study groups showed that most consumers only care about “the highest data performance level the product can achieve” and “the highest power level I can get or drive from this product.”

Most consumers don’t understand USB branding, messaging, revision control, or spec names, he told The Verge.

Everything’s optional

Despite its efforts to simplify what consumers see, the USB-IF also can’t ensure widespread usage of its optional logos and certification. The USB-IF-certified products list currently contains 2,500 items when there are countless devices, cables, and products using USB.

Ravencraft admitted to Ars that some companies may view the costs associated with getting USB-IF-certified, including passing USB-IF compliance testing and acquiring a USB-IF trademark license agreement, as “prohibitive.” There are discounts for USB-IF members.

Ravencraft also suggested that some companies may forego certification if they know they cut corners to save costs and, thus, wouldn’t pass compliance testing.

So, the Wild West of USB labeling will probably continue to some degree, but customers have options, too. Products with USB-IF logos, if available, immediately tell you how much power delivery and speed to expect. Whether or not that rate should be considered a super speed is up to you.
