The Linkielist

Linking ideas with the world

Hacker Liberates Hyundai Head Unit, Writes Custom Apps | Hackaday

[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ioniq D-Audio 2V dash.

In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.

This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head unit hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.

Source: Hacker Liberates Hyundai Head Unit, Writes Custom Apps | Hackaday

Records reveal the scale of Homeland Security’s phone location data purchases

Investigators raised alarm bells when they learned Homeland Security bureaus were buying phone location data to effectively bypass the Fourth Amendment requirement for a search warrant, and now it’s clearer just how extensive those purchases were. TechCrunch notes the American Civil Liberties Union has obtained records linking Customs and Border Protection, Immigration and Customs Enforcement and other DHS divisions to purchases of roughly 336,000 phone location points from the data broker Venntel. The info represents just a “small subset” of raw data from the southwestern US, and includes a burst of 113,654 points collected over just three days in 2018.

The dataset, delivered through a Freedom of Information Act request, also outlines the agencies’ attempts to justify the bulk data purchases. Officials maintained that users voluntarily offered the data, and that it included no personally identifying information. As TechCrunch explains, though, that’s not necessarily accurate. Phone owners aren’t necessarily aware they opted in to location sharing, and likely didn’t realize the government was buying that data. Moreover, the data was still tied to specific devices — it wouldn’t have been difficult for agents to link positions to individuals.

Some Homeland Security workers expressed internal concerns about the location data. One senior director warned that the Office of Science and Technology bought Venntel info without getting a necessary Privacy Threshold Assessment. At one point, the department even halted all projects using Venntel data after learning that key legal and privacy questions had gone unanswered.

More details could be forthcoming, as Homeland Security is still expected to provide more documents in response to the FOIA request. We’ve asked Homeland Security and Venntel for comment. However, the ACLU report might fuel legislative efforts to ban these kinds of data purchases, including the Senate’s bipartisan Fourth Amendment is Not For Sale Act as well as the more recently introduced Health and Location Data Protection Act.

Source: Records reveal the scale of Homeland Security’s phone location data purchases | Engadget

Apple Pay illegally profited by walling off contactless payments, lawsuits in EU, US allege

A proposed class-action lawsuit filed on behalf of payment card issuers accuses Apple of illegally profiting from Apple Pay and breaking antitrust laws. Iowa’s Affinity Credit Union is listed as the plaintiff in the complaint, filed today in the US District Court for the Northern District of California. The lawsuit alleges that by restricting contactless payments on iOS devices to Apple Pay and charging payment card issuers fees to use the mobile wallet, the iPhone maker is engaging in anti-competitive behavior.

While Android users have options for contactless mobile wallets, iOS users can only use tap-to-pay technology through Apple Pay. In other words, while iPhone users can download the Google Pay app, they can’t use it to make contactless payments in stores. Android doesn’t charge payment card issuers for use of any supported mobile wallet. But it’s a different story for Apple Pay, which charges card issuers a 0.15% fee on credit transactions and half of a cent on debit transactions. These fees have brought in up to $1 billion annually for Apple, the lawsuit alleges.

“In the Android ecosystem, where multiple digital wallets compete, there are no issuer fees whatsoever,” said the complaint. “The upshot is that card issuers pay a reported $1 billion annually in fees on Apple Pay and $0 for accessing functionally identical Android wallets. If Apple faced competition, it could not sustain these substantial fees.”

The suit alleges that by restricting iOS users to only Apple Pay for contactless payments, Apple is blocking competing mobile wallets from the market. Payment card issuers are essentially forced to pay Apple’s transaction fees if they want to offer their service to iPhone users.

Apple is facing a similar challenge over its payment system in the EU, where an antitrust commission in May said that the tech giant is illegally blocking third-party developers from enabling contactless payments. Apple has denied the EU’s allegations, arguing that giving third-party developers access would be a security risk. This is an argument that Apple has used before as a reason why it doesn’t open up its platform, such as in the case of third-party app stores.

Engadget has reached out to Apple for comment on the lawsuit and will update if we hear back.

Source: Apple Pay illegally profited by walling off contactless payments, lawsuit alleges | Engadget

“Parallel Reality” Display Shows Different Info to Different People at Same Time

Imagine if you, me and a dozen other people were standing in a room staring at the same screen—but the screen showed something different to each of us, simultaneously.

A California-based tech company called Misapplied Sciences has made this possible. They’ve developed a “parallel reality” display “enabled by a new pixel that has unprecedented capabilities,” they write. “These pixels can simultaneously project up to millions of light rays of different colors and brightness. Each ray can then be software-directed to a specific person.”

They’ve partnered with Delta Airlines, who will be installing a parallel reality display at Detroit Metropolitan Airport this month. Customers who opt in to using it, either by scanning their boarding pass or by enrolling in Delta’s app-based facial recognition program (no thanks!) will look at the screen and see only the flight and baggage claim information relevant to their trip. A person standing five feet away will see nothing but their own information.

Up to 100 viewers can be accommodated by the single screen. Delta refers to the technology as “mind-bending” and states that the display will be in Concourse A of the McNamara Terminal starting on June 29th.

Source: “Parallel Reality” Display Shows Different Info to Different People at Same Time – Core77