New Toy Phone Is Security Nightmare, Mobos On Fire 

Seytonic
453K subscribers
161K views

Published: 11 Sep 2024

Comments: 393
@KlausWulfenbach 2 years ago
"We believe that Fisher Price / Mattel should explain why they chose not to implement a more secure pairing process." I bet the explanation goes something like this: Engineer: "Here's my design." Bean Counter: "We need to shave $10,000 off the production cost to meet projected profits." Suit: "Will the device still work if we skip this part?" Engineer: "Well, yes it will work exactly the same, but-" Suit: "Then we skip that part."
@Chris-wq3rw 2 years ago
😂
@kenosabi 2 years ago
This guy devs.
@kittendrone7287 2 years ago
Why Dell Didn't use Thermal Pads in their RTX 2060
@KlausWulfenbach 2 years ago
@kenosabi Haha, yes. How could you tell?
@CraftMine1000 2 years ago
Actually, most if not all of the security features doesn't need hardware, just software, this is either lazy programming or a programmer didn't get paid enough to do it properly
@FreekyMeeky 2 years ago
Weak web being a compilation of the news and each story is really cool because this is mostly how I get my news of cyber attacks and other tech news
@FreekyMeeky 2 years ago
Your videos are absolutely fantastic by the way, love your work :)
@Seytonic 2 years ago
@FreekyMeeky Cheers Ben :)
@Supervisor360 2 years ago
@FreekyMeeky Cheers!
@myname-mz3lo 2 years ago
same
@jamiehenrybrownpersonal 1 year ago
same man.
@TheColinputer 2 years ago
I got in the habit many years ago of pasting anything copied from the internet into notepad or some other text editor. Was mostly to deal with getting rid of the formatting. But would prob work as a good defense for hidden stuff like this too
@arandomguy4478 2 years ago
So, open Vi, paste it and then realize you can't escape
@Shawn_White 2 years ago
Try using ctrl+shift+v instead.
@one_smol_duck 2 years ago
@arandomguy4478 why does the internet have such a hard time hitting esc :q
@Handlessuck1 2 years ago
@one_smol_duck Well if you used the internet you would understand.
@scorch855 2 years ago
Prepending the command with a # is not a defense. They can simply put a newline at the beginning of the cmd too to completely mitigate that. Big thanks for pointing out this attack vector, because I had never even considered it before.
@fish3977 2 years ago
so copy paste to a notepad beforehand if in any way suspicious of the source?
@VivekYadav-ds8oz 2 years ago
@fish3977 But how many times are you actually going to do that? If I need to just find a git command about doing something specific, I don't think I'll do that, and certainly not every time. Best case, you can just always open the dev-tools, and copy from there.
@fish3977 2 years ago
@VivekYadav-ds8oz oh definitely also guess you could just copy paste some part of the text and write the base command yourself. and if you are willing to live in uglier world you can always just go and disable shit
@1e1001 2 years ago
@fish3977 or you could just type out the command, it's not that hard
@unicodefox 2 years ago
Using the Fish shell can help against this. It'll show all the lines of the command before you press enter
@AmitGold00 2 years ago
Some terminal emulators (like xfce4's) will give you a warning when you paste something containing a newline and display what is about to be pasted with an ok/cancel dialog - I recommend switching to one of them to protect from this.
@unicodefox 2 years ago
Using the Fish shell can help against this. It'll show all the lines of the command before you press enter
@AveryChow 2 years ago
MobaXTerm also warns you if the command will run automatically
@ryjelsum 2 years ago
xfce4-terminal is hella underrated, imo. did you know that xfce4-terminal has a yakuake style drop down/background daemon mode if you launch it with the --drop-down flag?
@KaraboGerald 2 years ago
Alibaba was definitely deliberate with the information, they knew the damage China would do with such a Zero Day, and we need to clap for them.
@FlameRat_YehLon 2 years ago
If you think it that way, then who is to stop US government using the exploit to damage the whole world?
@joemck85 2 years ago
@FlameRat_YehLon Nobody, except that the US government presumably only found out about it when it was publicly disclosed and the patch was already available. Of course if the NSA's own researchers discovered it independently a year ago, they could have been using it all that time, but at least they have to discover it themselves and don't just get a free 2-week ride off every exploit ever discovered by an American.
@FlameRat_YehLon 2 years ago
@joemck85 if you put it that way then everyone had the chance to discover it before it being publicly disclosed. I doubt national security of any country would disclose the list of exploit they found anyway. And by the way, Alibaba is in a cyber security alliance hosted by Chinese government. They do have the responsibility to report it and they didn't so their membership got suspended. Plus giving that some Chinese government services are hosted on Ali Cloud, they (and anyone else that uses Ali Cloud) deserves to get the information asap anyway. Not gonna discuss about conspiracy or even history of initiating cyber attacks here because that ends nowhere.
@chas1878 2 years ago
The question is, who decided to commit that illegal act in china and why? Did Jack Ma come back from the death to fuck with the ccp?
@MePeterNicholls 2 years ago
@FlameRat_YehLon you are under the mistaken assumption that we trust our own governments too
@TheSuthern101 2 years ago
The better way to not get caught off guard by clever copy/paste sites is to paste into notepad (or the Linux equivalent), and THEN select it there and copy paste into a terminal. That won't protect you from code you don't understand, but at least it will show whatever is actually on the clipboard.
@FoxBlocksHere 2 years ago
Wow, that Linux command copy-paste thing is crazy! Thanks for the heads up! I mess around with Linux from time to time, so I’m sure I would’ve fallen for that!
@Mario583a 2 years ago
Oh Linux
@tassaron 2 years ago
Some terminals will warn you if you paste a line break character, so you have to click OK before the paste happens. Should be a standard feature of terminals IMO (personally I'm in the habit of never copying the end of lines anyway)
@KiinaSu 2 years ago
I knew about the command thing ever since I've noticed some sites adding the URL and stuff to text you copied a long time ago. I however did not know that you can just add a line break to make it execute on paste. That's pretty scary tbh. I always assumed you would notice instantly when you paste it that something is wrong and not press enter. This has potential to become a bigger issue in the future. But even today many install instructions for bigger projects to something like: "curl -fsSL URL | sudo -E bash -" which also seems pretty scary especially if you engrain it into newer users that this is an okay way to do things.
@markquestion9988 2 years ago
You can configure your terminal emulator to not automatically execute pasted commands
@elliott8175 2 years ago
@TMinusRecords How's that invisible?
@ApusApus 2 years ago
@elliott8175 Can't see what was executed
@elliott8175 2 years ago
@ApusApus I think they meant it the other way round: run the malicious command/s, then clear the terminal. That would work properly if it was your very first command, and the malicious command/s ran faster than your eyes can detect. See how this isn't really invisible...
@ApusApus 2 years ago
@elliott8175 The user might know that something executed, but not what. Edit: Also, might as well add visible output for the script that was copied, giving an impression that was a graphical bug or smth
@henke37 2 years ago
They literally had a number entry system and an output device. There is no reason not to implement two way pairing.
@cb49999 2 years ago
Awesome video! As a Cyber Security professional though, I'd like to point one thing out. Placing a hash (#) before pasting a command in a terminal is not sufficient to protect you from being hacked. The reason this is commonly recommended is because a # symbol will comment out the first line of code, which *usually* stops maliciously copied commands from running. However, this can be easily circumvented by simply placing a right at the start of your malicious string, followed by the malicious command, followed by a final . The beginning gets rid of any pesky comment characters on the command line, allowing the malicious command to still run. A better alternative is to paste commands from websites into a text editor, which cannot run the command, and only then deciding whether or not to paste into the terminal. Thanks for the great video!
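Added example, not part of the comment above or of the video: a simplified model of a shell that treats every pasted line break as Enter (no bracketed paste), showing which lines run when `#` is typed before pasting, plus a check that makes line breaks and invisible characters in a paste visible. The function names and the sample strings are constructed for illustration.

```python
"""Inspect pasted text before it reaches a shell prompt (added example)."""
import unicodedata


def visible(text: str) -> str:
    """Render line breaks, control and format characters explicitly."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            out.append(f"\\u{ord(ch):04x}")
        else:
            out.append(ch)
    return "".join(out)


def paste_findings(text: str) -> list:
    """Return tags for properties of a paste that deserve a second look."""
    findings = []
    if "\n" in text or "\r" in text:
        findings.append("line-break")   # acts as Enter in a plain shell
    if "\x1b" in text:
        findings.append("escape")       # terminal escape sequences
    if any(unicodedata.category(c) == "Cc" and c not in "\n\r\t\x1b"
           for c in text):
        findings.append("control")      # e.g. backspace
    if any(unicodedata.category(c) == "Cf" for c in text):
        findings.append("invisible")    # e.g. zero-width space
    return findings


def executed_with_hash_prefix(pasted: str):
    """Model: the user types '#', then pastes.

    Simplifying assumption: every line break submits the current line, and
    a line is skipped only when it is empty or starts with '#'.
    Returns (lines the shell would run, text left waiting at the prompt).
    """
    buffer = "#" + pasted.replace("\r\n", "\n").replace("\r", "\n")
    *complete, pending = buffer.split("\n")
    ran = [line for line in complete
           if line.strip() and not line.lstrip().startswith("#")]
    return ran, pending


# Constructed samples; the "injected" command is a harmless echo.
SAMPLES = {
    "plain command": "sudo apt update",
    "trailing line break": "sudo apt update\n",
    "leading line break": "\necho injected\n",
    "zero-width space": "ls\u200b -l",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        ran, pending = executed_with_hash_prefix(text)
        print(f"{name}: {visible(text)!r}")
        print(f"  findings: {paste_findings(text)}")
        print(f"  runs despite '#': {ran}; left at prompt: {pending!r}")
```
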
@Kamel419 2 years ago
linux has a paste as plain text feature (highlight then middle-click, or three-finger tap) that gets around this issue. the multiple paste options that have existed since the early days of the linux desktop are one of the most compelling reasons to use linux for desktop imo.
@hacktor_92 2 years ago
regarding js copy hack... the best defense measure imo is to split view the browser and the terminal and start typing the commands yourself. doing so, you'd want to be careful for typos. another good defense measure would be to preview the command you're actually running when pasting it to the terminal (that's how firefox behaves: first time paste prompts you to type "allow pasting"), but that's a pretty huge task to be done by terminal emulators maintainers.
@1XXXJoker 2 years ago
Also a great way to get familiar with the terminal and all the tools Linux offers!
@Roger11719 2 years ago
it's not possible to load the machine the wrong way. The machine gets its components loaded from a reel and each of those are facing the same way. The reel might have been rolled up the opposite way but as far as placing the reel in backwards, that's not possible.
@Aura_Mancer 2 years ago
I use KDE and yakuake, and when I paste something into the terminal with a line-break, it prevents it and throws a pop up with what I was attempting to paste, and a confirmation button. Maybe other terminal devs should implement this?
@---.__.--- 2 years ago
funnily enough the windows terminal does that as well xD
@dasposeidon 2 years ago
In Konsole it does also not execute when pasting. Also in firefox it apparently prevents changing what you copy? At least the demo didn't work for me.
@ryjelsum 2 years ago
xfce4-terminal has similar behavior
@solarwolf678 2 years ago
When I try pasting things into my terminal on debian it doesn't do anything
@ryjelsum 2 years ago
@solarwolf678 Are you trying to paste with CTRL+V? Doesn't work in the terminal. Try middle click.
@LordSandwichII 2 years ago
I usually type out the Linux commands, not because I'm scared of malicious code, but because I feel like I have a greater understanding of what I'm doing when I'm typing the code myself.
@xiaowong6651 2 years ago
8:08 I'd say that's a serious vulnerability in the Terminal when it's running without the real enter Key being pressed.
@unicodefox 2 years ago
The problem is that the shell doesn't know the difference between a new line in pasted data or someone pressing the enter key
@AngelaTheSephira 2 years ago
Hmm.. Then I guess you think copy/paste is a vulnerability then? Thing is, I use copy/paste into terminals frequently, and if they "patched" this by just blocking copied CR/LF/CRLFs in the terminal, they would kill my entire process of how I use my server. I think instead of blocking/blaming it on the terminal, we should instead use judgment and paste it somewhere else first.
@GrantGryczan 1 year ago
@AngelaTheSephira It would just be an extra enter keystroke to submit your multi-line pasted commands.
@1337GameDev 2 years ago
8:39 - We need a way to control access to our clipboard when we "right click and copy" from a web site. This is kind of huge actually. As there exist bugs in programs, such as ms word, where you could copy an exploit payload when you want to copy an image. The only reason this feature exists is to allow "copy this" buttons / allowing the page to intercept the object you're trying to copy, and "format it" for you with correct info (eg: you're trying to copy a graph that's rendered in svg, and it will provide the png of it for you). This needs to be patched yesterday. Silently doing this is horrible, especially if people assume the right click menu cannot be messed with by a web page.
@QualityDoggo 2 years ago
Good example of how sometimes simpler is better. The original was a toy and kids could use their imagination. The Bluetooth feels like a gimmick to "reboot" a franchise, but like many other electronic toys it makes them more fragile and while they "can do more" the purpose/playstyle is based around what they do and not what the user imagines.
@JDBlack-gf9ok 2 years ago
I really like this Weak Web format! If it makes you feel any better, this is the first of your videos in months to come up on my home page.
@KaraboGerald 2 years ago
True, even for me.
@Encysted 2 years ago
8:33 "If you are dubious about a command, you can always stick a hash before you go to paste it" I would highly recommend pasting into an editor, or better, retyping commands. Doesn't seem like it'd do much other than slow you down, but at least an editor will save you from *# sudo apt update **_ _** rm -rf /* and retyping really does help to understand things, albeit slowly.
@rubenfasola5402 2 years ago
The # technique Can be defeated by a at the start as well
@Encysted 2 years ago
@rubenfasola5402 Thanks for pointing that out: no need to include the helpful command at all! I've also been informed that many terminals and shells will paste the whole contents, newlines and all, as a single block, instead of breaking at carriage returns and line feeds and executing each subcommand.
@appelnonsurtaxe 2 years ago
I'm pretty sure that the "fish" shell (a bash alternative) has measures against this copy-paste vulnerability (I believe it ignores newlines that were entered very quickly after another character, which is more or less what happens when text is pasted into a terminal emulator).
@SpyToLie 2 years ago
Thank you, Now everyone has a reason to stop making fun of me for actually writing the command instead of copying it! InfoSec to the max.
@DaVince21 2 years ago
Some terminals provide protection against clipboard pasting terminal text. For example, KDE's terminal will paste the text but NEVER perform the line break action; it just previews it and allows you to cancel right then and there. I think more terminal software could stand to provide features like these.
@gwentarinokripperinolkjdsf683 2 years ago
The windows terminal warns you when you paste code that contains line breaks but still lets it run if you press okay
@DaVince21 2 years ago
@gwentarinokripperinolkjdsf683 That's not a bad solution either, as long as it previews the pasted text.
@Sierra410 2 years ago
Tip: ctrl+x, ctrl+e That combination opens an instance of your editor in which you can paste and evaluate the commands. Exiting without writing the file will discard the command.
@Paxmax 2 years ago
With the motherboard fire issue it is probably due to that Polymer (solid) electrolyte capacitors have the positive side marked with a stripe, whereas "normal electrolytic caps" have the negative side marked with a stripe. If you use the "wrong" symbol in the schematics it might be linked to the wrong component's orientation in the board files and the component gets put in "backwards". It could also be a "busy body" who thought "damn, this component's stripe is connected to positive supply! I better correct this in pick and place script so electrolytic cap has stripe leg on Gnd". It's a bit of a sneaky issue.
@stitchfinger7678 2 years ago
Yeah, some forum users proved some of the time, the caps were backwards
@Liftsaviation 2 years ago
"The undocumented incendiary feature" that was a good one
@harrcorr216 2 years ago
7:05 some Linux operating systems have a fix for this where if the pasted command contains a character it warns you with "unsafe paste" and lets you view the command before it executes in the terminal... I'm not sure which distributions specifically but I use manjaro and it warns me
@nulcow 1 year ago
The macOS terminal and alternative terminals for macOS like iTerm2 actually interpret newline characters when pasting as line breaks and not the 'return' sequence, meaning they are effectively immune from that vulnerability.
@CZghost 2 years ago
So copying a command from a webpage is dangerous, noted. That's a reason to manually type the command looking at the page instead of copying it from the page straight to the terminal. Or copy it to a text editor before you put it into terminal to see if the command pasted is actually the one you selected and copied. If not, it's probably best to just manually type it in the terminal instead, or copy it from the page source code, there's no javascript that's going to run in a webpage source code view when you copy and paste a command from there. Although, this might be tricky, and won't help you if the malicious website builds the page with a Javascript code from an obscure source.
@quarterlifecrisisstudio4265 2 years ago
I'm 27 and I'm pretty sure I've played with one of the OG wood phones as a kid. They really are a timeless classic.
@Hfil66 2 years ago
When copy and pasting from uncertain sources I will generally paste it into a text editor before recopying from the editor and into a terminal shell or some other more sensitive application.
@JSONSEC 2 years ago
I've been doing videos on APTs and large scale incidents, but as a smaller creator I've had trouble with the dreaded algorithm. Would love to work on something with you!
@melissamak4239 2 years ago
Please make this happen! Would love to see a collab of you both!
@sshashlan 2 years ago
Cheers sir Your channel is quickly becoming one of my favorites and the type and the delivery of information is excellent 👍
@Seytonic 2 years ago
Glad you get value from the vids :)
@inoahguy4you 1 year ago
Found your channel today and I’m fearing I’ll run out of content….. this subject is so amazing & desperately need to get into cybersecurity before I’m old
@xvii_au 2 years ago
It's all balance. But I like the weekly updates for a summary. Tech linked, but cyber
@tech1238 2 years ago
Thanks. Your content is always informative and professional 👍
@Seytonic 2 years ago
I appreciate that!
@danielreed5199 2 years ago
Someone broke into my house a few years ago, it didn't take long to find out how they managed to gain entry. It turned out that when they originally built my house they fitted a door to it.
@stevencowmeat 2 years ago
Glad ur switching to mint👌 I switched to arch Linux a while ago and I'm loving it. Also I would love to have a quick segment at the end about how Linux is going each video.
@ashtentheplatypus 2 years ago
I run a pick-and-place machine at work. Most likely was either a programming error, or the part had to be added by hand. The parts typically come in reels that can only be fed into the machines in a specific direction. With the chip shortages, however, we've been needing to forgo the reels (which are out of stock) and just place the components on by hand. That said, any errors should have been picked up in quality control, as we have separate machines that will automatically detect polarity problems.
@markp8295 2 years ago
That last story is insane. Is there a way to prevent copy paste hijacking in browser settings? If I find one, I'll paste it below.
@deoxal7947 2 years ago
I hate how when I copy multiple lines into my terminal it automatically runs anyway. This is bonkers.
@Badspot 2 years ago
Javascript should probably not be able to interact with the clipboard. There isn't really a good reason other than "my website layout is so jacked you can't select text". There was also a problem with android apps automatically reading and uploading the contents of the clipboard, just hoping there'd be some juicy data in there. The clipboard should exclusively be operated by the user.
@seraphina985 2 years ago
Relying on a hash to protect yourself is so easily circumvented by a simple additional newline character at the start of the payload. Frankly your options are either typing the commands manually or pasting them into something harmless like a text editor to preview the clipboard text first. Well either that or change your choice of terminal to one that implements protection against this; some terminals will display the pasted command and prompt the user for confirmation if pasted text contains one or more newline characters.
@64BitsFromHell 2 years ago
That last one is another good reason why JS should _not_ have access to the clipboard.
@mathgeniuszach 2 years ago
7:05 - In many cases, a lot of terminals will warn you when pasting code with a line break in it automatically. Mine does, and so I don't worry about malicious commands as much. More often though, rather than copy and pasting things to get stuff done, I usually prefer to learn how the command works so I can use it myself.
@codfish1113 2 years ago
KDE’s terminal emulator never auto-executes code. It usually just pastes everything in with line breaks doing nothing.
@Scyth3934 2 years ago
That javascript copy thing is really good to know- thanks so much!
@mr.meatbeat9894 1 month ago
That misleading copy / paste blew my mind. Thanks for sharing it
@samsawesomeminecraft 2 years ago
This is why I usually run noscript by default. Unfortunately, the page usually doesn't load properly unless I trust some non-tracking scripts, and the copy tricker might be tied to the same-domain scripts.
@LandonBrainard 2 years ago
Regarding the paste issue: ctrl+x ctrl+e in bash will open a temp file in the default editor, where you can safely paste the copied text. If it looks good, save and exit. Bash will run the commands in the saved temp file. If it looks bad, exit without saving and bash will have nothing to run.
@JxH 2 years ago
Re Paste attack. Decades ago, I figured out how to pack BASIC code with hidden characters, including backspace characters. So the program listing might appear to be 10 PRINT "No!!", but when RUN it would output: Yes!! The technique allowed arbitrary LISTings, what appeared on the screen as the BASIC program was entirely under separate control. LIST could be made to look like RUN, and vice versa. Much comedy ensued. All based on packing backspace characters into the BASIC code.
@viarra 2 years ago
Just got this in recommendations and god. It's so interesting. Keep up the great work!
@hazepie 2 years ago
I always enjoy your longer form content.
@Trekeyus 2 years ago
Okay that clipboard issue is devious. Time to start copying and pasting into text editors instead of terminals
@stevendamavandi3482 2 years ago
I Can Imagine Me Connecting My MP3 Player To The Phone Thinking Its My Headphones And Then Blasting Drowning Pool - Bodies
@MsHojat 2 years ago
A few years ago I heard about another exploit for that copy-paste code situation. It's where the malicious website hides the extra code simply via CSS. From what I recall it also automatically executes the script so is just as problematic. In fact, even slightly worse since it will work even with scripts disabled (granted very few people disable scripts on non-whitelisted sites, so it's not much difference, but it's still huge from an objective/absolute security standpoint since that's normally _the_ way to prevent virtually all web danger) That being said, something that would have been great for you to mention is that terminals (I don't know which ones. Probably most if not "all" of them) do have an option to ignore newline characters from pasted data. When enabled it would obviously make things safer (to careful users). edit: I see a ton of people are pointing this out as well. In fact many of them seem to be saying that it's either on by default, or maybe not even an option to disable.
@A-No-One 2 years ago
Also make a 2 way antenna and pick up on the signals which is another way you can basically listen on to the conversation the same capabilities that the device promotes as being advanced to communicate is the same capabilities you can exploit for other purposes
@walzen6654 2 years ago
RU-vid recommended this video to me on my starting page even though i'm not subscribed yet, seems like u did a good job.
@ludologian 2 years ago
Who would thought, notepad isn't just an IDE but also automated CLI audit. Not bad .
@mer_meh 2 years ago
I’m glad these videos are still very high quality
@bide7603 2 years ago
This is the channel I've been looking for
@TheyCallMeIce 2 years ago
The hash thing to prevent command execution only works if there isn't a newline in front of it. better just stick it in a text editor beforehand
@whtiequillBj 2 years ago
Halt and Catch-fire to a new level.
@benchy5769 2 years ago
I recommend using a terminal emulator like tabby that alert you when you paste multi line shell command, edit: I tried it and it doesn't even see the second line it just ignores the new line
@larkbox8427 2 years ago
Thanks for the 'hash' tip.. I have often found myself trying every suggested shell command found in obscure corners when trying to shoehorn something not quite intended out of a *nix system.. when using a vm or remote desktop i find it useful to paste all commands into an external text doc both to keep track of what's been happening and to double check i have copied the intended text.. but when working on a local pi or similar i think the hash tip will come in useful Cheers..
@seraphina985 2 years ago
Do not rely on this, an additional at the beginning is all it takes to circumvent this. I would recommend either typing the commands out yourself or pasting them into a text editor first so you can verify what text is actually in your clipboard prior to pasting it into a terminal.
@Uneke 2 years ago
If you wanna copy paste on Linux, but are worried. Just open up a text editor, write the bin bash script opener at the top then paste. It’ll show you right there what you’re actually pasting. Terminal runs on bash, so doing this will have the same outcome being printed, it just won’t execute it.
@sonicmeerkat 2 years ago
that last one is pretty nuts and it's crazy it hasn't been fixed and instead news sites are using it for copyright strings. which i mean fair usage but still hidden text strings in copy pastes shouldn't be a thing.
@nullcomputer114 2 years ago
the title and thumbnail tho. lol
@nicolascraftermc7725 2 years ago
We need a "clipboard spoofed" prompt every time some JavaScript code changes the contents of the clipboard
@TowelPanel1852 2 years ago
Hey man, I'd really like case study videos on e.g. hardware hacking like file exfiltration using hacked printers and RF. I can't find any HQ videos on this
@KryptoKiddi 2 years ago
I didn’t know that about the characters.. I know about invisible characters but not copyrighted or obscured ones. Definitely something to remember and look into
@idcrafter-cgi 3 months ago
The copy attack seems to be less effective if you only select the text and paste it via mouse wheel press
@cu3d 2 years ago
The easiest way to prevent the clipboard attack is probably to use a tool like Klipper that can be used to check what was copied.
@fgregerfeaxcwfeffece 2 years ago
And that's why this is a commonly blocked javascript function. It appears JS whitelisting is still something that should be done.
@camjoo 2 years ago
I just installed Mint myself.
@daverei1211 2 years ago
Yeah Tantalum capacitors do not like to be reverse biased. Modern pic’n’place machines use cameras to verify the component orientation.
@kaceesavage 2 years ago
I’m learning so much here that I didn’t know I didn’t know.
@some_haqr 2 years ago
Thanks I've updated mine to do a preliminary check for # and delete it :)
@emanuel12345678901 2 years ago
that capacitor is a diode and it's used to block currents in one direction
@ericblenner-hassett3945 2 years ago
Regarding the Asus burning boards, the pic and place rotation as the cause is most likely or the setup not letting the setup people know it was an electrolytic capacitor. As a capacitor, most SMD do not need to be placed in a specific orientation so it would just have to match pad location, not location and orientation. As a poly-cap, it matters and the tape reels only are made with the mark always on the same side, reducing the time to visually inspect each, rotate to the correct orientation, then place.
@nickzwa 2 years ago
I got a chatter phone. It is pretty awesome. It says the numbers out loud while you're using the rotary dial. With a feature like that, who cares about a silly connectivity "issue"? That's what the off switch on the bottom is for. I use mine for important calls while out, the rubber wheels on the sides make pulling it around with me while out easy and almost effortless. . .
@yesterdaysrose5446 2 years ago
I like how in the copy-paste example, FT inserts a random GUID with probably unintended messages. It ends "acab", which, of course, is short for "all copyrighters are bastards".
@Taladar2003 2 years ago
The hash will not save you in the copy&paste exploit. They could just add a second line in the copied text and that second command would still run (as well as any further ones).
@jensschroder8214 2 years ago
A telephone with a built-in rotary dial. I figured phones with rotary dials or real buttons were out of date. Then mom or dad should give the unlocked phone to the kids to play with. The little ones will surely soon have found out the number for abroad. Is baby blabla the same in china or afrika?
@pyromen321 2 years ago
8:15 if they were super clever, they would also have the copied command clear the last line and then include what you thought you were actually copying. It would be completely silent
@cmoor8616 2 years ago
That copy-paste jacking is interesting to say the least.
@RERM001 2 years ago
I always use a notepad when pasting code and text, so I make sure the text is alright without source issues like spaces or tab lines. Well, guess there's one more reason to.
@u_t2347 2 years ago
I've been learning Linux Ubuntu recently and I will certainly be more careful in the future 👨🏻‍💻. Great video 👍🏻
@Cookiekeks 2 years ago
I'm glad Alibaba didn't report the exploit to China
@4c1d 2 years ago
Someone at Alibaba will have a “bad time”
@underscorenul 2 years ago
Side note, zsh shell is unaffected by the copy paste exploit, as it requires the enter key to be pressed, regardless of newline at end or not.
@DexieTheSheep 2 years ago
I've always hated the fact that line breaks make terminal code auto-run...
@erg0centric 2 years ago
Asus: the person training the optical inspection machine made a mistake. I used to program an optical inspection machine.
@ShilohFox 2 years ago
Even with the hash at the beginning, if the hacker puts a newline at the start of their script then it will negate the comment and run the command anyway. It’s better to paste it in a text editor
@felenov 1 year ago
I need to purchase this toy, replace the guts with a raspi and a PoE module and there we go. Novelty IP phone.
@alifputra9985 2 years ago
mobo burning = unintentional fire making device
@justatechie224 2 years ago
Been waiting for your videos
@member5003 2 years ago
Only real safe way to deal with the copy paste issue would be to paste it to a notepad first
@nekomasteryoutube3232 2 years ago
I dont do much with terminal/bash stuff or even windows command line but its good to know about that last part there, I'll have to watch out what I copy and paste into CMD and Bash from now on. ALSO news websites that stop you from copy pasting stuff can be defeated by just printing out the page to a PDF or XPS