Nel corso di un’analisi di sicurezza effettuata sul prodotto ZENIC ONE R58 di ZTE Corporations, il RED Team Research di TIM ha individuato un bug critico di tipo Formula Injection, una vulnerabilità che interessa le applicazioni che esportano file di fogli di calcolo costruiti dinamicamente da dati di input non adeguatamente convalidati.

La CVE-2024-22063 su ZENIC ONE R58 di ZTE Corporations

La Formula Injection (CSV o XLSX Injection) si verifica quando un file di calcolo (in formato CSV oppure XLSX) contiene valori che, una volta aperti in programmi come Microsoft Excel vengono interpretati come formule anziché come semplici dati, portando potenzialmente all’esecuzione di comandi o all’esfiltrazione di dati.

ZTE Corporations, multinazionale asiatica di telecomunicazioni, è uno dei principali fornitori di apparecchiature per le telecomunicazioni, dispositivi mobili e soluzioni di rete a livello mondiale. e attraverso il sistema ZENIC ONE R58 permette la gestione e il controllo della rete, fornendo diversi servizi, come la gestione della topologia, l’analisi delle risorse e il monitoraggio della rete.

La vulnerabilità identificata, classificata con il codice CVE-2024-22063, è stata rilevata sulla versione V16.22.40 del prodotto ZENIC ONE R58 e valutata 9 nella scala CVSSv3 (da 1 a 10).

L’assenza di un’adeguata neutralizzazione dei dati di input permette ad un utente malintenzionato, una volta autenticatosi, di iniettare formule arbitrarie all’interno di file XLSX al fine di esfiltrare dati sensibili, eseguire codice remotamente, o di condurre campagne di phishing.

Merita attenzione il fatto che nel bollettino di sicurezza emesso da ZTE Corportations, sia stato esplicitamente ringraziato il Red Team Research di TIM, dimostrando quanto sia ormai sempre più alta l’attenzione delle aziende nei confronti della sicurezza informatica, e quanto i lavori di ricerca e segnalazione di vulnerabilità siano fondamentali al suo raggiungimento.

Al fine di risolvere il problema, ZTE Corporations ha rilasciato un aggiornamento di sicurezza che recepisce le misure di mitigazione.

Uno sguardo al laboratorio Red Team Research di TIM

Si tratta di uno tra i pochi centri italiani di ricerca sui bug di sicurezza, dove da diverso tempo vengono effettuate attività che mirano all’identificazione di vulnerabilità non documentate (0day). Le attività condotte dal team, portano ad una successiva emissione di CVE sul National Vulnerability Database (NVD) degli Stati Uniti D’America, terminato il percorso di Coordinated Vulnerability Disclosure (CVD) con il vendor del prodotto.

Nel corso di 5 anni di attività, abbiamo visto il laboratorio, emettere moltissime CVE su prodotti best-in-class e big vendor di valenza internazionale, come ad esempio Oracle, IBM, Fortinet, F5, Ericsson, Red Hat, Nokia, Computer Associates, Siemens, F5, Fortinet, QNAP, Johnson & Control, Schneider Electric, oltre ad altri fornitori su tipologie differenti di architetture software/hardware.

Nel corso del tempo, il laboratorio ha emesso 170 CVE circa, dove 14 risultano con severità Critical (>= 9.0 di score CVSSv3).

Relativamente ad una vulnerabilità rilevata dal gruppo di ricerca sul prodotto Metasys Reporting Engine (MRE) Web Services, del fornitore Johnson & Control, la Cybersecurity and Infrastructure Security Agency (CISA) degli Stati Uniti D’America, ha emesso uno specifico bollettino di sicurezza riportandolo all’attenzione dei settori: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/AREAS DEPLOYED e COMPANY HEADQUARTERS LOCATION”.

Si tratta di un gruppo di ricerca tutto italiano che emette CVE con costanza, contribuendo in maniera fattiva alla ricerca delle vulnerabilità non documentate a livello internazionale. Il Red TIM Research si sta distinguendo a livello Italia sull’elevata caratura delle attività svolte, oltre a contribuire all’innalzamento dei livelli di sicurezza dei prodotti utilizzati da organizzazioni internazionali.

L'articolo Red Team Research di TIM pubblica una CVE critica (9.0) su ZENIC ONE R58 di ZTE Corporations proviene da il blog della sicurezza informatica.

In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases. The search employed an OCR model which selected images on the victim’s device to exfiltrate and send to the C2 server. The campaign, which targeted Android and Windows users, saw the malware spread through unofficial sources. In late 2024, we discovered a new malware campaign we dubbed “SparkCat”, whose operators used similar tactics while attacking Android and iOS users through both official and unofficial app stores. Our conclusions in a nutshell:

• We found Android and iOS apps, some available in Google Play and the App Store, which were embedded with a malicious SDK/framework for stealing recovery phrases for crypto wallets. The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple’s App Store.
• The Android malware module would decrypt and launch an OCR plug-in built with Google’s ML Kit library, and use that to recognize text it found in images inside the gallery. Images that matched keywords received from the C2 were sent to the server. The iOS-specific malicious module had a similar design and also relied on Google’s ML Kit library for OCR.
• The malware, which we dubbed “SparkCat”, used an unidentified protocol implemented in Rust, a language untypical of mobile apps, to communicate with the C2.
• Judging by timestamps in malware files and creation dates of configuration files in GitLab repositories, SparkCat has been active since March 2024.

A malware SDK in Google Play apps

The first app to arouse our suspicion was a food delivery app in the UAE and Indonesia, named “ComeCome” (APK name: com.bintiger.mall.android), which was available in Google Play at the time of the research, with more than 10,000 downloads.

The onCreate method in the Application subclass, which is one of the app’s entry points, was overridden in version 2.0.0 (f99252b23f42b9b054b7233930532fcd). This method initializes an SDK component named “Spark”. It was originally obfuscated, so we statically deobfuscated it before analyzing.

Suspicious SDK being called

Spark is written in Java. When initialized, it downloads a JSON configuration file from a GitLab URL embedded in the malware body. The JSON is decoded with base64 and then decrypted with AES-128 in CBC mode.

The config from GitLab being decrypted

If the SDK fails to retrieve a configuration, the default settings are used.

We managed to download the following config from GitLab:
{
"http": ["https://api.aliyung.org"],
"rust": ["api.aliyung.com:18883"],
"tfm": 1
}
The “http” and “rust” fields contain SDK-specific C2 addresses, and the tfm flag is used to select a C2. With tfm equal to 1, “rust” will be used as the C2, and “http” if tfm has any other value.

Spark uses POST requests to communicate with the “http” server. It encrypts data with AES-256 in CBC mode before sending and decrypts server responses with AES-128 in CBC mode. In both cases, the keys are hard-coded constants.

The process of sending data to “rust” consists of three stages:

• Data is encrypted with AES-256 in CBC mode using the same key as in the case of the “http” server.
• The malware generates a JSON, where <PATH> is the data upload path and <DATA> is the encrypted data from the previous stage.
  {
  "path": "upload@<PATH>",
  "method": "POST",
  "contentType": "application/json",
  "data": "<DATA>"
  }
• The JSON is sent to the server with the help of the native libmodsvmp.so library via the unidentified protocol over TCP sockets. Written in Rust, the library disguises itself as a popular Android obfuscator.

Static analysis of the library wasn’t easy, as Rust uses a non-standard calling convention and the file had no function names in it. We managed to reconstruct the interaction pattern after running a dynamic analysis with Frida. Before sending data to the server, the library generates a 32-byte key for the AES-GCM-SIV cipher. With this key, it encrypts the data, pre-compressed with ZSTD. The algorithm’s nonce value is not generated and set to “unique nonce” (sic) in the code.

Extending the AES key using the hard-coded nonce value

The AES key is encrypted with RSA and is then also sent to the server. The public key for this RSA encryption is passed when calling a native method from the malicious SDK, in PEM format. The message is padded with 224 random bytes prior to AES key encryption. Upon receiving the request, the attackers’ server decrypts the AES key with a private RSA key, decodes the data it received, and then compresses the response with ZSTD and encrypts it with the AES-GCM-SIV algorithm. After being decrypted in the native library, the server response is passed to the SDK where it undergoes base64 decoding and decryption according to the same principle used for communication with the “http” server. See below for an example of communication between the malware module and the “rust” server.

An example of communication with the “rust” server

Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread. It uses XOR with a 16-byte key for a cipher.

A payload being decrypted

The payload (c84784a5a0ee6fedc2abe1545f933655) is a wrapper for the TextRecognizer interface in Google’s ML Kit library. It loads different OCR models depending on the system language to recognize Latin, Korean, Chinese or Japanese characters in images. The SDK then uploads device information to /api/e/d/u on the C2 server. The server responds with an object that controls further malware activities. The object is a JSON file, its structure shown below. The uploadSwitch flag allows the malware to keep running (value 1).
{
"code": 0,
"message": "success",
"data": {
"uploadSwitch": 1,
"pw": 0,
"rs": ""
}
}
The SDK then registers an application activity lifecycle callback. Whenever the user initiates a chat with the support team, implemented with the legitimate third-party Easemob HelpDesk SDK, the handler requests access to the device’s image gallery. If the pw flag in the aforementioned object is equal to 1, the module will keep requesting access if denied. The reasoning behind the SDK’s request seems sound at first: users may attach images when contacting support.

The reason given when requesting read access to the gallery

If access is granted, the SDK runs its main functionality. This starts with sending a request to /api/e/config/rekognition on the C2 and getting parameters for processing OCR results in a response.
{
"code": 0,
"message": "success",
"data": {
"letterMax": 34,
"letterMin": 2,
"enable": 1,
"wordlistMatchMin": 9,
"interval": 100,
"lang": 1,
"wordMin": 12,
"wordMax": 34
}
}
These parameters are used by processor classes that filter images by OCR-recognized words. The malware also requests a list of keywords at /api/e/config/keyword for KeywordsProcessor, which uses these to select images to upload to the C2 server.

Searching for keywords among OCR image processing results

Besides KeywordsProcessor, the malware contains two further processors: DictProcessor and WordNumProcessor. The former filters images using localized dictionaries stored decrypted inside rapp.binary in the assets, and the latter filters words by length. The letterMin and letterMax parameters for each process define the permitted range of word length. For DictProcessor, wordlistMatchMin sets a minimum threshold for dictionary word matches in an image. For WordNumProcessor, wordMin and wordMax define the acceptable range for the total number of recognized words. The rs field in the response to the request for registering an infected device controls which processor will be used.

Images that match the search criteria are downloaded from the device in three steps. First, a request containing the image’s MD5 hash is sent to /api/e/img/uploadedCheck on the C2. Next, the image is uploaded to either Amazon’s cloud storage or to file@/api/res/send on the “rust” server. After that, a link to the image is uploaded to /api/e/img/rekognition on the C2. So, the SDK, designed for analytics as suggested by the package name com.spark.stat, is actually malware that selectively steals gallery content.

Uploading an image link

We asked ourselves what kind of images the attackers were looking for. To find out, we requested from the C2 servers a list of keywords for OCR-based search. In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. The terms all indicated that the attackers were financially motivated, specifically targeting recovery phrases also known as “mnemonics” that can be used to regain access to cryptocurrency wallets.
{
"code": 0,
"message": "success",
"data": {
"keywords": ["助记词", "助記詞", "ニーモニック", "기억코드", "Mnemonic",
"Mnemotecnia", "Mnémonique", "Mnemonico", "Mnemotechnika", "Mnemônico",
"클립보드로복사", "복구", "단어", "문구", "계정", "Phrase"]
}
}
Unfortunately, ComeCome was not the only app we found embedded with malicious content. We discovered a number of additional, unrelated apps covering a variety of subjects. Combined, these apps had been installed over 242,000 times at the time of writing this, and some of them remained accessible on Google Play. A full inventory can be found under the Indicators of Compromise section. We alerted Google to the presence of infected apps in its store.

Popular apps containing the malicious payload

Furthermore, our telemetry showed that malicious apps were also being spread through unofficial channels.

SDK features could vary slightly from app to app. Whereas the malware in ComeCome only requested permissions when the user opened the support chat, in some other cases, launching the core functionality acted as the trigger.

One small detail…

As we analyzed the trojanized Android apps, we noticed how the SDK set deviceType to “android” in device information it was sending to the C2, which suggested that a similar Trojan existed for other platforms.

Collecting information about an infected Android device

A subsequent investigation uncovered malicious apps in App Store infected with a framework that contained the same Trojan. For instance, ComeCome for iOS was infected in the same way as its Android version. This is the first known case of an app infected with OCR spyware being found in Apple’s official app marketplace.

The ComeCome page in the App Store

Negative user feedback about ComeCome

Malicious frameworks in App Store apps

We detected a series of apps embedded with a malicious framework in the App Store. We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers. Some of the apps, such as food delivery services, appeared to be legitimate, whereas others apparently had been built to lure victims. For example, we saw several similar AI-featured “messaging apps” by the same developer:

Messaging apps in the App Store designed to lure victims

Besides the malicious framework itself, some of the infected apps contained a modify_gzip.rb script in the root folder. It was apparently used by the developers to embed the framework in the app:

The contents of modify_gzip.rb

The framework itself is written in Objective-C and obfuscated with HikariLLVM. In the apps we detected, it had one of three names:

1. GZIP;
2. googleappsdk;
3. stat.

As with the Android-specific version, the iOS malware utilized the ML Kit interface, which provided access to a Google OCR model trained to recognize text and a Rust library that implemented a custom C2 communication protocol. However, in this case, it was embedded directly into the malicious executable. Unlike the Android version, the iOS framework retained debugging symbols, which allowed us to identify several unique details:

• The lines reveal the paths on the framework creators’ device where the project was stored, including the user names:
  
  • /Users/qiongwu/: the project author’s home directory
  • /Users/quiwengjing/: the Rust library creator’s home directory

  
  

• The C2-rust communication module was named im_net_sys. Besides the client, it contains code that the attackers’ server presumably uses to communicate with victims.
• The project’s original name is GZIP.

Project details from code lines in the malicious framework

The framework contains several malicious classes. The following are of particular interest:

• MMMaker: downloads a configuration and gathers information about the device.
• ApiMgr: sends device data.
• PhotoMgr: searches for photos containing keywords on the device and uploads them to the server.
• MMCore: stores information about the C2 session.
• MMLocationMgr: collects the current location of the device. It sent no data during our testing, so the exact purpose of this class remained unclear.

Certain classes, such as MMMaker, could be missing or bear a different name in earlier versions of the framework, but this didn’t change the malware’s core functionality.

Obfuscation significantly complicates the static analysis of samples, as strings are encrypted and the program’s control flow is obscured. To quickly decrypt the strings of interest, we opted for dynamic analysis. We ran the application under Frida and captured a dump of the _data section where these strings were stored. What caught our attention was the fact that the app bundleID was among the decrypted data:

com.lc.btdj: the ComeCome bundleID as used in the +[MMCore config] selector

As it turned out, the framework also stored other app bundle identifiers used in the +[MMCore config] selector. Our takeaways are as follows:

1. The Trojan can behave differently depending on the app it is running in.
2. There are more potentially infected apps than we originally thought.

For the full list of bundle IDs we collected from decrypted strings in various framework samples, see the IoC section. Some of the apps associated with these IDs had been removed from the App Store at the time of the investigation, whereas others were still there and contained malicious code. Some of the IDs on the list referred to apps that did not contain the malicious framework at the time of this investigation.

As with the Android-specific version, the Trojan implements three modes of filtering OCR output: keywords, word length, and localized dictionaries stored in encrypted form right inside the framework, in a “wordlists” folder. Unfortunately, we were unable to ascertain that the malware indeed made use of the last method. None of the samples we analyzed contained links to the dictionaries or accessed them while running.

Sending selected photos containing keywords is a key step in the malicious framework’s operation. Similar to the Android app, the Trojan requests permission to access the gallery only when launching the View Controller responsible for displaying the support chat. At the initialization stage, the Trojan, depending on the application it is running in, replaces the viewDidLoad or viewWillAppear method in the relevant controller with its own wrapper that calls the method +[PhotoMgr startTask:]. The latter then checks if the application has access to the gallery and requests it if needed. Next, if access is granted, PhotoMgr searches for photos that match sending criteria among those that are available and have not been processed before.

The code snippet of the malicious wrapper around the viewDidLoad method that determines which application the Trojan is running in

Although it took several attempts, we managed to make the app upload a picture to Amazon’s cloud and then send information about it to the attackers’ server. The app was using HTTPS to communicate with the server, not the custom “rust” protocol:

The communication with the C2 and upload to AWS

The data being sent looks as follows:
POST /api/e/img/uploadedCheck
{
"imgSign": <imgMD5>,
"orgId": <implantId>,
"deviceId": <deviceUUID>
}

POST api/e/img/rekognition
{
"imgUrl": "https://dmbucket102.s3.ap-northeast-
1.amazonaws.com/"<app_name>_<device_uuid>"/photo_"<timestamp>".jpg",
"deviceName": "ios",
"appName": <appName>,
"deviceUUID": <deviceUUID>,
"imgSign": <imgMD5>,
"imgSize": <imgSize>,
"orgId":<implantId>,
"deviceChannel": <iphoneModel>,
"keyword":<keywordsFoundOnPicture>,
"reksign":<processor type>
}
The oldest version of the malicious framework we were investigating was built on March 15, 2024. While it doesn’t differ significantly from newer versions, this one contains more unencrypted strings, including API endpoints and a single, hardcoded C2 address. Server responses are received in plaintext.

URLs hard-coded into the oldest version of the malicious framework

File creation date in the app

Campaign features

While analyzing the Android apps, we found that the word processor code contained comments in Chinese. Error descriptions returned by the C2 server in response to malformed requests were also in Chinese. These, along with the name of the framework developer’s home directory which we obtained while analyzing the iOS-specific version suggest that the creator of the malicious module speaks fluent Chinese. That being said, we have insufficient data to attribute the campaign to a known cybercrime gang.

Our investigation revealed that the attackers were targeting crypto wallet recovery phrases, which were sufficient for gaining full control over a victim’s crypto wallet to steal the funds. It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots. Multiple OCR results processing modes mitigate the effects of model errors that could affect the recognition of access recovery phrase images if only keyword processing were used.

Our analysis of the malicious Rust code inside the iOS frameworks revealed client code for communicating with the “rust” server and server-side encryption components. This suggests that the attackers’ servers likely also use Rust for protocol handling.

Server-side private RSA key import

We believe that this campaign is targeting, at a minimum, Android and iOS users in Europe and Asia, as indicated by the following:

• The keywords used were in various languages native to those who live in European and Asian countries.
• The dictionaries inside assets were localized in the same way as the keywords.
• Some of the apps apparently operate in several countries. Some food delivery apps support signing up with a phone number from the UAE, Kazakhstan, China, Indonesia, Zimbabwe and other countries.

We suspect that mobile users in other regions besides Europe and Asia may have been targeted by this malicious campaign as well.

One of the first malicious modules that we started our investigation with was named “Spark”. The bundle ID of the malicious framework itself, “bigCat.GZIPApp”, caught our attention when we analyzed the iOS-specific Trojan. Hence the name, “SparkCat”. The following are some of the characteristics of this malware:

• Cross-platform compatibility;
• The use of the Rust programming language, which is rarely found in mobile apps;
• Official app marketplaces as a propagation vector;
• Stealth, with C2 domains often mimicking legitimate services and malicious frameworks disguised as system packages;
• Obfuscation, which hinders analysis and detection.

Conclusion

Unfortunately, despite rigorous screening by the official marketplaces and general awareness of OCR-based crypto wallet theft scams, the infected apps still found their way into Google Play and the App Store. What makes this Trojan particularly dangerous is that there’s no indication of a malicious implant hidden within the app. The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance. The malware also runs quite stealthily. This case once again shatters the myth that iOS is somehow impervious to threats posed by malicious apps targeting Android. Here are some tips that can help you avoid becoming a victim of this malware:

• If you have one of the infected apps installed on your device, remove it and avoid reinstalling until a fix is released.
• Avoid storing screenshots with sensitive information, such as crypto wallets recovery phrases, in the gallery. You can store passwords, confidential documents and other sensitive information in special apps.
• Use a robust security product on all your devices.

Our security products return the following verdicts when detecting malware associated with this campaign:

• HEUR:Trojan.IphoneOS.SparkCat.*
• HEUR:Trojan.AndroidOS.SparkCat.*

Indicators of compromise

Infected Android apps
0ff6a5a204c60ae5e2c919ac39898d4f
21bf5e05e53c0904b577b9d00588e0e7
a4a6d233c677deb862d284e1453eeafb
66b819e02776cb0b0f668d8f4f9a71fd
f28f4fd4a72f7aab8430f8bc91e8acba
51cb671292eeea2cb2a9cc35f2913aa3
00ed27c35b2c53d853fafe71e63339ed
7ac98ca66ed2f131049a41f4447702cd
6a49749e64eb735be32544eab5a6452d
10c9dcabf0a7ed8b8404cd6b56012ae4
24db4778e905f12f011d13c7fb6cebde
4ee16c54b6c4299a5dfbc8cf91913ea3
a8cd933b1cb4a6cae3f486303b8ab20a
ee714946a8af117338b08550febcd0a9
0b4ae281936676451407959ec1745d93
f99252b23f42b9b054b7233930532fcd
21bf5e05e53c0904b577b9d00588e0e7
eea5800f12dd841b73e92d15e48b2b71

iOS framework MD5s:
35fce37ae2b84a69ceb7bbd51163ca8a
cd6b80de848893722fa11133cbacd052
6a9c0474cc5e0b8a9b1e3baed5a26893
bbcbf5f3119648466c1300c3c51a1c77
fe175909ac6f3c1cce3bc8161808d8b7
31ebf99e55617a6ca5ab8e77dfd75456
02646d3192e3826dd3a71be43d8d2a9e
1e14de6de709e4bf0e954100f8b4796b
54ac7ae8ace37904dcd61f74a7ff0d42
caf92da1d0ff6f8251991d38a840fb4a

Trojan configuration in GitLab
hxxps://gitlab[.]com/group6815923/ai/-/raw/main/rel.json
hxxps://gitlab[.]com/group6815923/kz/-/raw/main/rel.json

C2
api.firebaseo[.]com
api.aliyung[.]com
api.aliyung[.]org
uploads.99ai[.]world
socket.99ai[.]world
api.googleapps[.]top

Photo storage
hxxps://dmbucket102.s3.ap-northeast-1.amazonaws[.]com

Names of Infected Android APKs from Google Play
com.crownplay.vanity.address
com.atvnewsonline.app
com.bintiger.mall.android
com.websea.exchange
org.safew.messenger
org.safew.messenger.store
com.tonghui.paybank
com.bs.feifubao
com.sapp.chatai
com.sapp.starcoin

BundleIDs encrypted inside the iOS frameworks
im.pop.app.iOS.Messenger
com.hkatv.ios
com.atvnewsonline.app
io.zorixchange
com.yykc.vpnjsq
com.llyy.au
com.star.har91vnlive
com.jhgj.jinhulalaab
com.qingwa.qingwa888lalaaa
com.blockchain.uttool
com.wukongwaimai.client
com.unicornsoft.unicornhttpsforios
staffs.mil.CoinPark
com.lc.btdj
com.baijia.waimai
com.ctc.jirepaidui
com.ai.gbet
app.nicegram
com.blockchain.ogiut
com.blockchain.98ut
com.dream.towncn
com.mjb.Hardwood.Test
com.galaxy666888.ios
njiujiu.vpntest
com.qqt.jykj
com.ai.sport
com.feidu.pay
app.ikun277.test
com.usdtone.usdtoneApp2
com.cgapp2.wallet0
com.bbydqb
com.yz.Byteswap.native
jiujiu.vpntest
com.wetink.chat
com.websea.exchange
com.customize.authenticator
im.token.app
com.mjb.WorldMiner.new
com.kh-super.ios.superapp
com.thedgptai.event
com.yz.Eternal.new
xyz.starohm.chat
com.crownplay.luckyaddress1

securelist.com/sparkcat-steale…

Surface mount devices have gotten really small, so small that a poorly timed sneeze can send your 0603 and 0402 parts off to live with the dust motes lurking at the edge of your bench. While soldering such parts is a challenge, it’s not always size that matters. Some parts with larger footprints can be a challenge because of the pin pitch, and getting them to land just right on the PCB pads can be a real pain.

To fight this problem, [rahmanshaber] came up with this clever custom PCB fixture. The trick is to create a jig to hold the fine-pitch parts securely while still leaving room to work. In his case, the parts are a couple of SMD ribbon cable connectors and some chips in what appear to be TQFP packages. [rahmanshaber] used FreeCAD to get the outline of each part from the 3D model of his PCB, and KiCad to design the cutouts; skip to 7:30 or so in the video below if you don’t need the design lesson. The important bit is to leave enough room around the traces so that the part’s leads can rest of the PCB while still having room to access them.

Using the fixture is pretty intuitive. The fixture is aligned over the footprint of the part and fixed in place with some tape. Solder paste is applied to the pads, the part is registered into the hole, and you’re ready for soldering. [rahmanshaber] chose to use a hot plate to do the soldering, but it looks like there’s enough room for a soldering iron, if that’s your thing.

It’s a simple idea, but sometimes the simplest tools are the best. We’ve seen lots of other simple SMD tools, from assembly jigs to solder paste stencil fixtures.

youtube.com/embed/2zebD-ByTC8?…

hackaday.com/2025/02/04/custom…

Google ha rilasciato il set di patch di febbraio per Android. In totale, gli aggiornamenti risolvono 48 vulnerabilità, tra cui una vulnerabilità 0-day del kernel che è già stata sfruttata attivamente dagli hacker.

Alla vulnerabilità zero-day è stato assegnato l’identificatore CVE-2024-53104 ed è correlata all’escalation dei privilegi nel driver USB Video Class del kernel Android. Lo sfruttamento di questo problema ha consentito ad aggressori locali autenticati di aumentare i propri privilegi.

L’errore era correlato al fatto che il driver analizzava in modo errato i frame di tipo UVC_VS_UNDEFINED nella funzione uvc_parse_format. Di conseguenza, la dimensione del framebuffer è stata calcolata in modo errato, causando scritture fuori dai limiti e potrebbe essere utilizzata per eseguire codice arbitrario o attacchi di negazione del servizio (DoS).

Oltre alla vulnerabilità zero-day sfruttata, le patch Android di febbraio hanno corretto una vulnerabilità critica nel componente WLAN di Qualcomm. Qualcomm descrive questo bug critico (CVE-2024-45569) come un problema di danneggiamento della memoria del firmware causato da una convalida errata dell’indice array nella comunicazione host WLAN a causa di un contenuto di frame non valido.

Il CVE-2024-45569 può essere utilizzato dagli aggressori remoti per eseguire codice o comandi arbitrari, leggere o modificare la memoria o causare arresti anomali. Tuttavia, gli attacchi non richiedono privilegi o interazione da parte dell’utente.

A febbraio 2025, Google ha rilasciato due pacchetti di patch: 2025-02-01 e 2025-02-05. Quest’ultima include tutte le correzioni del primo lotto, oltre a correzioni aggiuntive per moduli closed-source di terze parti ed elementi del kernel che non si applicano a tutti i dispositivi Android.

L'articolo Allarme sicurezza su Android: hacker sfruttano un grave bug 0-day nel driver USB! proviene da il blog della sicurezza informatica.

l senatore, vice capo del Consiglio per lo sviluppo dell’economia digitale presso il Consiglio della Federazione Russa Artem Sheikin ha inviato una richiesta al Ministero dello sviluppo digitale sulla possibilità di identificare i white hacker.

In precedenza, Sheikin aveva detto all’agenzia che il Consiglio della Federazione aveva elaborato un disegno di legge che avrebbe introdotto nella legislazione russa le attività inerenti la ricerca di vulnerabilità nell’infrastruttura informatica della Federazione Russa. Secondo il documento, le loro attività saranno autorizzate dal Servizio federale per il controllo tecnico e delle esportazioni (FSTEC).

La decisione della sezione del Consiglio per lo sviluppo dell’economia digitale del Consiglio della Federazione, firmata da Sheikin, parla di una raccomandazione al Ministero dello sviluppo digitale, delle comunicazioni e dei mass media di valutare la fattibilità dell’utilizzo del Sistema unificato di identificazione e autenticazione (UIAS) – il portale dei servizi statali – per registrare i ricercatori che identificano vulnerabilità nei prodotti software e nei sistemi hardware e software.

Secondo il senatore, il disegno di legge è attualmente in fase di discussione con i dipartimenti interessati e gli operatori del mercato. Il documento è stato inviato al Ministero dello sviluppo digitale, delle comunicazioni e dei mass media della Federazione Russa, al Servizio federale per il controllo tecnico e delle esportazioni della Russia, alla Procura generale della Federazione Russa e al Ministero degli affari interni della Russia per l’esame e la fornitura di posizioni ufficiali.

Sheikin ha chiarito che, dopo aver ricevuto le risposte dai dipartimenti competenti e una replica dal governo russo, il disegno di legge verrà sottoposto alla Duma di Stato per l’esame.

L'articolo White Hacker sotto controllo: la Russia vuole identificare i ricercatori di bug nella Federazione proviene da il blog della sicurezza informatica.

L’analogia con il Great Cannon creato dal Governo Cinese sorge spontanea quando si parla di repressione di sistemi attraverso gli attacchi DDoS. Ma sembra che l’influenza tecnologica sia oggi una grave minaccia e questa porta (come abbiamo visto) a moltissime perdite finanziarie che non possono essere sottovalutate.

La società cinese di intelligenza artificiale DeepSeek sta affrontando un’ondata di Attacchi DDoS-attacchi che hanno seriamente compromesso il funzionamento dei suoi servizi. Gli attacchi all’infrastruttura sono iniziati poco dopo il rilascio del modello DeepSeek-R1, che è diventato un degno concorrente degli sviluppi di OpenAI e ha offerto una soluzione più accessibile nel campo dell’intelligenza artificiale generativa.

Secondo i dati dei ricercatori di NSFOCUS, il 25, 26 e 27 gennaio sono stati registrati attacchi all’API DeepSeek, in cui gli aggressori hanno utilizzato varie tecniche di attacco. La durata media degli attacchi è stata di 35 minuti e gli attacchi stessi hanno causato interruzioni nei servizi. DeepSeek-R1 offre agli utenti ampie capacità di generazione di dialoghi e di completamento automatico, rendendo la piattaforma interessante per gli sviluppatori.

Inoltre, il 20 e il 25 gennaio sono stati registrati attacchi al sistema di chat DeepSeek, della durata superiore a un’ora. Contemporaneamente, l’azienda ha presentato il suo nuovo modello, caratterizzato da un processo di apprendimento per rinforzo migliorato e da un’elevata precisione nelle attività matematiche e di programmazione.

La situazione è peggiorata il 28 gennaio, quando il team di DeepSeek ha annunciato un massiccio attacco informatico che ha costretto l’azienda a cambiare gli indirizzi IP per proteggere la propria infrastruttura. Tuttavia, i criminali si sono adattati rapidamente e hanno lanciato una nuova ondata di attacchi, tra cui gli attacchi di CLDAP reflaction. I domini principali di DeepSeek sono stati nuovamente colpiti e la piattaforma API è rimasta paralizzata.

Gli esperti sottolineano l’elevato livello di organizzazione e precisione delle azioni degli aggressori. Il cambio di indirizzo IP non ha impedito gli attacchi, poiché i criminali hanno reagito immediatamente e hanno adattato le loro tattiche. NSFOCUS sottolinea che l’attacco è di natura internazionale: le fonti delle minacce sono localizzate negli Stati Uniti, in Gran Bretagna e in Australia. L’uso di server distribuiti rende difficile l’identificazione degli autori, cosa tipica degli attacchi organizzati professionalmente.

L’attacco evidenzia l’importanza di DeepSeek nel mercato globale dell’intelligenza artificiale e dimostra la complessità della concorrenza nel settore tecnologico. Oltre a sviluppare nuovi modelli, le aziende si concentrano sempre di più sulla sicurezza informatica per contrastare gli attacchi mirati. Nelle condizioni moderne l’infrastruttura sta diventando parte integrante del successo delle aziende tecnologiche.

L'articolo Five Eyes Great Cannon e La Guerra Contro L’influenza Tecnologica di DeepSeek proviene da il blog della sicurezza informatica.

This technique shared by [Andy Kong] is for 3D printed lenses, but would probably be worth a shot for any resin prints that need to be made nice and clear. The link to his post on X is here, but we’ll summarize below.

It’s entirely possible to print lenses on a resin printer, but some amount of polishing is inevitable because an SLA print still has layer lines, however small. We have seen ways to minimize the work involved to get a usable lens, but when it comes right down to it the printing process creates tiny (but inevitable) surface imperfections that have to be dealt with, one way or another.
3D-printed lenses fresh (and wet) from the printer look clear, but have tiny surface imperfections that must be dealt with.
One technique involves applying a thin layer of liquid resin to the surface of the printed lens, then curing it. This isn’t a complete solution because getting an even distribution of resin over the surface can be a challenge. [Andy] has refined this technique to make it ridiculously simple, and here’s how it works.

After printing the lens, place a drop of liquid resin on the lens surface and stretch some cling wrap over the lens. The cling wrap conforms to the shape and curve of the lens while trapping a super thin layer of liquid resin between the cling wrap film and the lens surface. One then cures the resin while holding the cling film taut. After curing, [Andy] says the film peels right off, leaving an ultra-smooth surface behind. No tedious polishing required!

But what about the flat back of the lens? [Andy] suggests that instead of using cling film (which is better at conforming to a curved surface) simply use a drop of resin in a similar way to bond the flat side of the lens to a smooth piece of glass. Or bond the backs of two lenses together to make a duplex lens. This technique opens quite a few possibilities!

Even if one isn’t 3D printing optical lenses, we suspect this technique might be applicable to making crystal-clear 3D prints with a little less effort than would otherwise be needed.

Keep it in mind, and if you find success (or failure!) let us know on the tips line because we absolutely want to hear about it.

hackaday.com/2025/02/04/the-lo…

The invention of the computer is a tricky thing to pinpoint. There were some early attempts that were not well known and some early attempts that were deliberately secret. [Alan Turing]’s efforts with Colossus were top secret for years, and while that work built on earlier efforts in Poland, [Turing] has as much claim to be the father of computers as anyone. But [Jack Copland] points out in a recent post that the famous computer scientist was also involved in another secret project: Delilah.

While [Turing] is best known for his work breaking ciphers at Bletchley Park, he also put time in on a second project about ten miles away in a secret electronics lab at Hanslope Park. There he worked with an assistant, [Donald Bayley] on Delilah — a portable system for encrypting voice transmissions.

The keyword is “portable.” In 1942, Bell Labs created SIGSALY for the U.S. Army to encrypt voice. It took up an entire room and weighed about 25 metric tons. [Turing] found a way to get the job done in a box that, including power, weighed in at 39 kilograms — not a cellphone, but portable in a truck. For comparison, an SCR-300 (the backpack radio used in the war, carried by “the lucky soldier”) weighed about 17 kilos with a full-sized battery.

The machine worked by generating a pseudo-random number sequence, synchronized with a similar unit on the other end of the transmission. Voice input was converted to digital, the numbers added on one end were transmitted, and the same numbers were subtracted from the other end. The result was not perfect for a number of reasons, but you could understand it, reportedly. But with the end of the war, interest in voice encryption wore off, and [Turing] and [Bayley] went on to other projects.

Luckily, [Bayley] saved his papers, which were auctioned off after his death for nearly half a million dollars. Without those papers, we wouldn’t know much about Delilah outside of a previously classified report (paywalled) and a few other notes.

The British National Museum of Computing rebuilt the device back in 2024, and you can see a video about it below. You can also see an interview in the video below with [Turing’s] nephew that mentions Delilah at the very end.

youtube.com/embed/4iRA9ghLhj0?…

Title photo from The National Archives, London.

hackaday.com/2025/02/04/inside…

For better or worse, the fundamental design of guitars has remained familiar since they electrified around a century ago. A few strings, a fretboard, and a body of some sort will get you most of the way there for an acoustic guitar, with the addition of electromagnetic pickups and wiring for electric variants. However, technology has advanced rapidly in the last 100 years outside the musical world, so if you want to see what possibilities lie ahead for modernizing guitars take a look at the Cyberbass created by [Matteo].

The guitar starts its life as many guitars do: with a block of wood. One of the design goals was to be able to use simple tools to build the guitar, so the shape of the instrument was honed with a Japanese hacksaw and the locations for the pickups and other electronics were carved out with chisels.

The neck of the guitar was outsourced since they take some pretty specialized tools to build, so simply bolting it to the body takes care of that part of the build, but [Matteo] had a few false starts setting the bridge in the exact location it needed to be.

Luckily he was able to repair the body and move the bridge. With the core of the guitar ready, it was on to paint and then to its custom electronics. [Matteo] built in not only a set of pickups and other common electric guitar parts but also integrated a synth pedal into the body as well as including a chromatic tuner.

With everything assembled and a few finishing touches added including a custom-engraved metal signature plate, the Cyberbass is ready to go on tour. [Matteo] learned a lot about guitar building in general, as well as a few things about electronics relating to musical instruments (including how expensive tuners work just as well as cheap ones).

youtube.com/embed/EMKPP32UIzQ?…

hackaday.com/2025/02/04/cyberb…

When live-action role playing, or LARPing, one must keep fully in tune with the intended era. That means no digital watches, and certainly no pulling out your fantastic rectangle from the future to find out if you’re late picking up the kid.

So what do you do when you’re LARPing at 2 PM, but you gotta be back at the soccer practice field by 5 PM? Well, you fashion a period-appropriate timepiece like [mclien]’s 17 o’ Clock. Visually, it’s about as close to a pocket sundial as you can get. It’s deliberately non-connected, and its only function is to tell the time.

But how? If you visually divide the watch across the top and bottom, you get two sets of Roman numerals. The top half handles the hour, and the bottom half the minute. [mclien] started designing this in 2018 and picked it back up in the second half of 2024.

Back to the non-connected part. The only permanently-powered part of the project is a high-precision real-time clock (RTC). The rest uses a power latching circuit, which turns on the Adafruit Trinket M0 to show the time using a NeoPixel ring. Be sure to check out the awesome project logs with fantastic pictures throughout.

Looking for a smarter pocket watch? It’s time you built one yourself. And speaking of pocket sundials…

hackaday.com/2025/02/04/what-i…

Microsoft ha recentemente rilasciato un avviso di sicurezza per CVE-2025-21396, una vulnerabilità critica di bypass dell’autenticazione che potrebbe consentire agli attaccanti di falsificare credenziali e ottenere accesso non autorizzato agli account Microsoft. La falla, classificata con il codice CWE-290 (Authentication Bypass by Spoofing), colpisce i meccanismi di autenticazione che si basano su metodi di validazione insufficienti o difettosi.

Questa vulnerabilità rappresenta un rischio concreto per le organizzazioni che si affidano a controlli di autenticazione basati su IP o DNS, entrambi facilmente manipolabili da attaccanti esperti.

Dettagli del CVE-2025-21396

Il problema nasce da meccanismi di autenticazione mal progettati che non convalidano in modo robusto le richieste in ingresso. Gli exploit possono includere:

• IP Spoofing: Un attaccante falsifica il proprio indirizzo IP per impersonare un sistema attendibile.
• DNS Spoofing: Veleno nella cache DNS per far apparire un dominio controllato dall’attaccante come legittimo.
• Manipolazione delle richieste: Attacco alla logica di validazione nei protocolli applicativi.

Esempi di Attacco

1. IP Spoofing (Java)

Un attaccante che riesce a falsificare il proprio IP può facilmente aggirare questo controllo.

2. DNS Spoofing (C)

Un attaccante potrebbe avvelenare la cache DNS per ingannare il sistema e ottenere accesso fraudolento.

Mitigazione e contromisure

Microsoft ha rilasciato patch per risolvere il problema alla radice. Tuttavia, oltre all’installazione degli aggiornamenti, le organizzazioni dovrebbero adottare misure di sicurezza proattive:

• Applicare gli aggiornamenti di sicurezza: Verificare regolarmente il Microsoft Security Update Guide.
• Evitare autenticazioni basate su IP/DNS: Preferire metodi più sicuri come:
  
  • Autenticazione a più fattori (MFA)
  • Token crittografici per la validazione dell’identità
  • Mutual TLS per connessioni sicure

  
  

• Monitorare il traffico di rete: Utilizzare sistemi di rilevamento intrusioni (IDS) per identificare pacchetti sospetti o comportamenti DNS anomali.
• Rafforzare l’infrastruttura DNS: Implementare DNSSEC per ridurre il rischio di spoofing.
• Abilitare il logging avanzato: Mantenere registri dettagliati delle richieste di autenticazione per un’analisi forense.

Microsoft ha dichiarato che “la vulnerabilità è stata completamente mitigata e non è richiesta alcuna azione per gli utenti del servizio”. Tuttavia, la trasparenza nel divulgare questa minaccia sottolinea l’importanza di un approccio preventivo alla sicurezza informatica. Gli attaccanti sono sempre alla ricerca di nuovi punti deboli, e CVE-2025-21396 dimostra ancora una volta che la sicurezza non è mai statica, ma una continua corsa contro il tempo.

L'articolo Un Bypass dell’autenticazione espone gli account Microsoft agli attaccanti remoti! proviene da il blog della sicurezza informatica.

If you watch the New Year’s festivities from New York, you know that they mark midnight with the dropping of a big, gaudy ball. You might assume this was just an arbitrary gimmick, but it turns out dropping balls has a place in the history of timekeeping, especially for ships at sea. The New York ball doesn’t work precisely the same, but it was clearly inspired by an ancient method of indicating the time.

Apparently, even the ancient Greeks used ball dropping to indicate time. But the modern ball got its start with [Captain Robert Wauchope], who installed one at Portsmouth, England, in 1829. The Royal Observatory in Greenwich got one in 1833, which you can see working in the video below.

youtube.com/embed/1JnLuQxNxaw?…

The Problem to Solve

The time ball in Greenwich (photo by [ChrisO] CC-BY-SA-3.0)Ships need accurate timing for navigation purposes, so when you made harbor, you wanted to set your clocks in case they were a bit off. But if you were far from the nearby town, you might not be able to hear a clocktower bell or a cannon shot at noon. Even if you did, the speed of sound could be significant. The signal needs to be something visible and preferably something that can indicate that it is “almost” time to get people’s attention.

You want something tall so it can be easily seen. You also need something that clearly indicates the exact moment of the time mark, so that precludes something like raising or dropping a signal flag.

The Solution

[Wauchope’s] idea was to put a tower with a ball near a solar observatory with an accurate clock. Every day at noon, someone would sight the sun and determine the exact moment of noon, setting the accurate clock.

Then, at 1300, an hour later, you’d drop the ball. Everyone could set their clock to coincide with the ball drop. The moment the ball started falling was 1300.

About 1255, you’d raise the ball halfway. Around 1258, it would go to the top of the rod going through the center of the ball. The release would be at exactly 1300.

The American Take

The Boston Time Ball in 1881 (Public Domain)
Well, that’s not usually true in the United States. The first ball in the US was at the United States Naval Observatory in 1845. They would drop their ball at noon, exactly.

The Times Square ball first dropped on January 1, 1908. However, in another American difference, the stroke of midnight is when the ball reaches the bottom, not the instant it starts to drop.

End of the Ball

Of course, radio time signals made this technology obsolete. Still, there are about sixty balls still around, including many in Australia, the United Kingdom, and several scattered in other parts of the world. In the United States, you can find time balls at the Naval Observatory, the New York City Titanic Memorial, and the Plymouth Light in Massachusetts.

The Greenwich Time Ball located at the Royal Observatory in London still drops its ball every day at 1300, as you saw in the earlier video. The guide at Greenwich mentions that the expression “on the ball” relates to time balls, but we’ve also read it is a sports idiom, so we aren’t sure about that. Surprisingly, it isn’t the tallest Time Ball in England. That honor goes to the one in Hull, which, as you can see below, was recently restored and is once again operational. You can also watch a deep dive into the history of that particular ball.

youtube.com/embed/XKTvD1OcYbI?…

Ships at sea have driven our time-keeping technology in many ways. Not to mention things like GPS or LORAN.

Featured image: “Working New Years Eve Social Media for NBC” by Anthony Quintano. Thumbnail: “Newyearseve loz batrch” by Alex Lozupone.

hackaday.com/2025/02/04/tellin…

È stato rilasciato l’Android Security Bulletin per il mese di febbraio 2025: al suo interno, gli aggiornamenti per 46 vulnerabilità di cui una che risulta essere già attivamente sfruttata in attacchi mirati. Ecco tutti i dettagli e i consigli per mettere in sicurezza i propri dispositivi mobile

L'articolo Aggiornamenti Android febbraio 2025, corretta una vulnerabilità sfruttata attivamente: i dettagli proviene da Cyber Security 360.

Le botnet sono nate come reti di elaboratori usati per gestire e mantenere attivi servizi Web. I criminal hacker le hanno trasformate in reti di computer compromessi da usare per eseguire attività fraudolente. Ecco le giuste contromisure per rilevarle e mettere al sicuro la rete e i PC aziendali

L'articolo Botnet: cosa sono, come funzionano, i consigli per proteggere la rete aziendale dagli zombie del Web proviene da Cyber Security 360.

A well-known secret in the world of open source software is that many projects rely on donated hosting for everything from their websites to testing infrastructure. When the company providing said hosting can no longer do so for whatever reason, it leaves the project scrambling for a replacement. This is what just happened for Alpine Linux, as detailed on their blog.
Modern-day infrastructure, as visualized by XKCD. (Credit: Randall Munroe)
Previously Equinix Metal provided the hosting, but as they are shutting down their bare-metal services, the project now has to find an alternative. As described in the blog post, this affects in particular storage services, continuous integration, and development servers.

As if that wasn’t bad enough, Equinix was also providing hosting for the Freedesktop.org project. In a post on their GitLab, [Benjamin Tissoires] thanks the company for supporting them as long as they have, and details the project’s current hosting needs.

As the home of X.org and Wayland (and many more), the value of Freedesktop.org to the average user requires no explanation. For its part, Alpine Linux is popular in virtualization, with Docker images very commonly using it as a base. This raises the uncomfortable question of why such popular open source projects have to depend on charity when so many companies use them, often commercially.

We hope that these projects can find a new home, and maybe raise enough money from their users to afford such hosting themselves. The issue of funding (F)OSS projects is something that regularly pops up, such as the question of whether FOSS bounties for features are helpful or harmful.

hackaday.com/2025/02/04/freede…

Nel loro ultimo post sul canale Telegram “Pro-Palestine Hackers”, il gruppo DXPLOIT – parte di una rete più ampia di hacker a sostegno della causa palestinese – afferma di aver preso di mira due siti italiani, portandoli al blocco.

Questo episodio sottolinea come ancora una volta le tensioni internazionali che si riflettano sempre più nel cyberspazio, colpendo aziende locali che, sebbene lontane dai conflitti geopolitici, diventano bersagli simbolici in questa nuova forma di protesta digitale.

L’immagine mostra un post di un canale Telegram denominato “Pro-Palestine Hackers” con oltre 5.200 iscritti. Il messaggio, datato 3 febbraio, annuncia che il sito web di Granda Gourmet, Italia, è stato attaccato e reso inaccessibile dal gruppo hacker DXPLOIT.

Va notato che al momento mentre scriviamo questo articolo, non risulta più attivo il deface pubblicizzato dal gruppo di hacktivisti, ma risponde una pagina di default del sito.

Il post include un testo in inglese e in arabo, in cui si afferma che il gruppo si considera la “voce dei dimenticati”, difensori del cyberspazio contro l’oppressione e promotori di un Islam pacifico. Tuttavia, il loro attacco dimostra un uso aggressivo delle capacità cyber per diffondere il loro messaggio politico e religioso.

Il post fornisce anche due link: uno al sito della vittima dell’attacco e un altro a Zone-H, una piattaforma che monitora defacement e attacchi informatici.

Inoltre nella giornata di oggi, anche il sito exclusivam.it/index.php è stato preso di mira dagli hacktivisti ma anche questo ad ora sembra sia stato ripristinato.

Questa informazione è stata acquisita attraverso l’utilizzo della piattaforma Recorded Future, partner strategico di Red Hot Cyber e leader nell’intelligence sulle minacce informatiche, che fornisce analisi avanzate per identificare e contrastare le attività malevole nel cyberspazio.

L'articolo Gli Attacchi Pro-Palestina da parte del gruppo DXploit continuano a colpire l’Italia proviene da il blog della sicurezza informatica.

A few weeks ago we brought you news of a new palmtop computer for hackers, powered by the new Espressif ESP32-P4 application processor. The Tanmatsu (Japanese for “Terminal”) is a compact handheld device with a QWERTY keyboard and an 800×480 DSI display, and while it currently exists at the final prototype stage there is a pre-order page upon which you can reserve an early production model for yourself. We’ve been lucky enough to be invited to give one a close-up inspection, so it was time to hot-foot it on the train to a Dutch hackerspace in order to bring you a preview.

A Little History, And First Impressions

Recesses in the case fit well against the hands.
Before looking at the device, it’s time for a little history. The Tanmatsu has its origin in badge.team, the Netherlands-based group that has produced so many European event badges over the years, and it was destined to eventually become the badge for the upcoming WHY2025 hacker camp. As sometimes happens in any community there has been a significant difference of opinion between the event orga and the badge.team folks that it’s inappropriate to go into here, so now it exists as a standalone project. It’s destined to be open-source in its entirety including hardware and software (and we will hold them to that, never fear), but because of the events surrounding its conception the full repositories will be not be made public until some time late in the summer.

Picking the Tanmatsu up and holding it, it’s a rectangular slab a bit larger and thicker than a CD case with that QWERTY keyboard and display on its front face, an array of ports including an SMA socket for a LoRA antenna on its sides, and an expansion connector on its rear. It has a sandwich construction, with a PCB front face, a 3D printed spacer, the PCB itself, and a 3D printed back cover all held together with a set of screws. The recesses on its bottom edge and the lower halves of the sides locate neatly with fingers and thumbs when it’s held in two hands for two-thumb typing. The keyboard is a silicone moulding as is common on this type of device, and while the keys are quite small it was not difficult to type on it. The display meanwhile feels of much higher quality than the SPI parts previously seen on badges.

A Hardware Quick Tour

All the main components are on the rear of the PCB.
Unscrewing the rear cover, and the circuitry is revealed. We must apologise for only having a mobile phone to hand to take photographs, but from the accompanying image you should be able to identify the main parts. In the centre of the board is the P4 processor, above it is an ESP32-C6 which does the job of a network card. To the left of that is an Ai-Thinker Ra-01SH LoRA module, and to the right is the power circuitry. Mid-right is a USB hub chip for the USB-A and USB-C sockets, and the microcontrollers. Below the P4 is an expansion connector, to the left of which is an audio DAC and amplifier with 3.5mm socket, and to the right of which is a CH32 microcontroller. This last component serves the keyboard, and performs housekeeping tasks for the device. The peripheral connectors aside from those already mentioned include a PMOD that doubles as JTAG and SAO, a micro SD socket, a Qwiic connector, and a camera connector that is compatible with certain Raspberry Pi cameras. Finally, there are three physical buttons on the left hand side. The battery, below the bottom of the photo, is the usual LiPo pouch cell with built-in protection, and it sits under the keyboard. On the front of the board next to the screen are some addressable LEDs. Having seen several earlier prototypes and now having held this production-ready model, we can say that the accumulated experience of the team behind it in making event badges really shows. It feels solid and ready for manufacture, and looking at the component choices we don’t find ourselves concerned by inappropriate connectors or annoying layouts.

The expansion port on the back is intended to foster an ecosystem of clip-on add-ons, with early signs of boards such as a Flipper Zero style RF hacking device and a companion board with interfaces for talking to computers in data centres being in the works. It is said that boards with MIDI, a high quality audio codec, and a camera, will follow.

What About The Software?

The GUI interface for the name tag editor.
The best hardware in the world is of limited use without software, so it’s time to look at this side of the device, The team behind the Tanmatsu have a history of producing badges with a common operating system platform supporting an app infrastructure, and this one continues that legacy.

It’s a new version of their OS for the P4, and we understand that as with the MCH2022 badge OS it is adapted from the AppFS system originally written for the PocketSprite game console, with the addition of a GUI launcher and an open source badge.team app store. It will support apps written in high level scripting languages such as MicroPython, as well as native apps compiled for the P4. The device we were handling had the OS with GUI and launcher, and a single name badge app installed. On an earlier prototype though, we saw work in progress on more useful apps, and even an x86 PC emulator running Windows 3.0. It’s clear that the OS is being designed for a productive pocket computer rather than a toy badge, and this is something we’ll give a more detailed look in the future.

In Conclusion

Having given the Tanmatsu a detailed physical examination and seen the operating system as it exists today, our conclusion is that it’s a device which is physically well-designed and ready for manufacture, and like the badges produced in the past by the same team, it shows every indication of being delivered on time and with working software. As we said earlier it will be fully open-sourced in the summer and we will hold them to that, and thus it’s a device that we’re quite excited about.

As a general purpose hacker’s palmtop computer it occupies an interesting space between devices such as the Flipper Zero or existing event badges, and Linux-based devices such as the uConsole or Raspberry Pi based machines. We think it wins handsomely over the Linux devices on price, so for anyone who wants the extra power of the full-fat OS the question becomes whether that convenience is worth the expenditure. If you want one they can be pre-ordered for €99.17 (about $102) if you are outside the EU and don’t have to pay sales tax, or €120 with the tax included for EU customers. We’ve got one on order, and we’ll being you our full review when it lands.

hackaday.com/2025/02/04/a-clos…

Si chiama Aquabot la nuova cyber minaccia in grado di sfruttare una vulnerabilità nei telefoni Mitel, consentendo ai criminal hacker di prendere il controllo completo dei dispositivo e usarli per condurre attacchi DDoS. Ecco le misure di prevenzione e mitigazione

L'articolo Aquabot, il malware che prende di mira i sistemi telefonici VoIP: come difendersi proviene da Cyber Security 360.