OK, we haven’t heard of a Ford Cylon either. However, there is now a Mustang Cobra out there that has been given a famous Cylon characteristic. [Monta Elkins] picked himself up an aftermarket third brake light assembly, hacked it, and installed it on said Mustang.
The brake light assembly contains 12 LEDs which, unfortunately, are not individually addressable. Additionally, by the looks of it, the brake light housing was not meant to be opened up. That didn’t get [Monta] down though. There’s more than one way to skin a cat, but he chose to use a hot knife to open the assembly, which worked quite well. A rotary cutter tool was used to cut the traces between the LEDs, allowing them to be individually controlled with an Arduino. A Bluetooth module allows him to control the new brake light from his smartphone. There are different modes (including a special mode that he shows off at the end of the video) that can be selected via a Bluetooth Terminal app.
There is no schematic or code link in the video itself or the description, but [Monta] did hit the high points. Therefore, it shouldn’t be too hard to replicate.
This isn’t the first brake light hack we’ve featured. This one goes way beyond just animated lights. This one requires no programming. Rather wear your brake light? We’ve got your back(pack).
Check Point researchers published a warning on the company blog about a vulnerability affecting several video players. They found that VLC, Kodi (XBMC), Popcorn-Time and strem.io are all vulnerable to attack via malicious subtitle files. By carefully crafting a subtitle file, they claim to have taken complete control of any type of device running the affected players when it loads a video and the respective subtitles.
According to the researchers, things look pretty grim:
We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.
One of the reasons you might want to make sure your software is up to date is that some media players download subtitles automatically from several shared online repositories. An attacker, as the researchers proved, could manipulate the website’s ranking algorithm, which would not only entice more unsuspecting users to manually download the crafted subtitles but also guarantee that those malicious subtitles are the ones automatically downloaded by the media players.
No additional details have been disclosed yet about how each video player is affected, although the researchers did share the details with each of the software developers so they can tackle the issue. They reported that some of the problems are already fixed in the players’ current versions, while others are still being investigated. It might be a good idea to watch carefully and update your system before the details come out.
Meanwhile, we can look at the trailer:
Continue reading “Hacked by Subtitles”
Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux also has its own, seven-year-old version of the bug. /s
This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.
The bug, however, has nothing to do with how EternalBlue works, one of the exploits packed into the current version of the WannaCry ransomware. While EternalBlue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load. To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share; afterwards, the attacker can cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.
A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are also available. If you can’t apply the patch at the moment, the workaround is to add the parameter “nt pipe support = no” to the [global] section of your smb.conf and restart smbd. Note that this can disable some expected functionality for Windows clients.
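An added example, not from the original post or the Samba project: a small Python audit of the three things the paragraphs above turn on, namely the Samba release, whether the “nt pipe support = no” workaround is active in [global], and which shares are writeable. The function names and the sample configuration are assumptions made for illustration, and the smb.conf reader is deliberately minimal.

```python
import re

# Security releases named on this page, keyed by (major, minor) branch.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def version_status(version):
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor, patch) < (3, 5, 0):
        return "not affected"
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    if (major, minor) > (4, 6):
        return "fixed"
    return "vulnerable unless patched"  # older branch: needs a back-ported patch

def parse_smb_conf(text):
    # Minimal reader: sections, "key = value", "#" and ";" comments only.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Case and whitespace inside parameter names are not significant.
            current["".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(conf_text, version):
    conf = parse_smb_conf(conf_text)
    writable = sorted(
        name for name, p in conf.items() if name != "global" and (
            p.get("readonly") in NO
            or any(p.get(k) in YES for k in ("writable", "writeable", "writeok"))))
    return {"version": version_status(version),
            "workaround": conf.get("global", {}).get("ntpipesupport") in NO,
            "writable_shares": writable}

# Constructed sample configuration, not taken from any real host.
SAMPLE = """[global]
   ; nt pipe support = no
[media]
   read only = no
[docs]
   writeable = yes
[backup]
   read only = yes
"""
```

Calling `audit(SAMPLE, "4.5.9")` reports a vulnerable release, no active workaround (the line is commented out) and two writeable shares. Share-level defaults inherited from [global], include files and line continuations are not handled.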
Meanwhile, NAS vendors start to realise they have work on their hands. Different brands and models that use Samba for file sharing (a lot, if not all, of them provide this functionality) will have to issue firmware updates if they want to patch this flaw. If the firmware updates for these appliances take the same time they usually do, we will have this bug around for quite some time.
Early, low-cost detection of heart failure is what [Jean Pierre Le Rouzic] proposes in his entry for the 2017 Hackaday Prize. His device is based on a low-cost Doppler device, like the fetal Doppler devices used to listen to an unborn baby’s heart, feeding a machine learning algorithm that could differentiate between a healthy and an unhealthy heart.
The theory behind it is that a regular, healthy heart tissue has a different acoustic impedance than degenerated tissue. Based on the acoustic impedance, the device would classify the tissue as: normal, degenerated, granulated or fibrous. Each category indicates specific problems mostly in connective tissues.
There are several advantages to having a working device like the one [Rouzic] is working on. To start, it would be possible to use it at home, without the intervention of a doctor or medical staff. It seems to us that it would be as easy as using a blood pressure device or a fetal Doppler. It’s also relatively cheap (estimated under $150) and it needs no gel to work. We covered similar projects that measure different heart signals, like Open Source electrocardiography, but ECG has the downside that it requires attaching electrodes to the body.
One interesting proposed feature is that what is learned from a single case is sent to every device at its next update, so the devices get ‘smarter’ as they are used. Of course, there are a lot of ways for this to go wrong, but it’s a good idea to begin with.
“Dammit Jim, I’m a hacker, not a musician!”, to paraphrase McCoy
Scotty from the original Star Trek series. Well, some of us are also musicians, some, like me, are also hack-musicians, and some wouldn’t know a whole note from a treble clef. But every now and then the music you want is in the form of sheet music and you need to convert that to something your hack can play. If you’re lucky, you can find software that will read the sheet music for you and spit out a MIDI or WAV file. Or, as with my hand-cranked music player, you may have to read just enough of the music yourself to convert musical notes to frequencies for something like a 555 timer chip. We’ll dive into both cases here.
Continue reading “Music Reading for Machines”
If you were a child of the late 1970s or early 1980s, the chances are that your number one desire was to own a games console. The one to have was the Atari 2600, notwithstanding that dreadful E.T. game.
Of course, there were other consoles during that era. One of these also-ran products came from Coleco, a company that had started in the leather business but by the mid 1970s had diversified into handheld single-game consoles. Their ColecoVision console of 1982 sold well initially, but suffered badly in the video game crash of 1983. By 1985 it was gone, and though Coleco went on to have further success, by the end of the decade they too had faded away.
The Coleco story was not over though, because in 2005 the brand was relaunched by a successor company. Initially it appeared on an all-in-one retro console, and then on an abortive attempt to crowdfund a new console, the Coleco Chameleon. This campaign came to a halt after the Chameleon prototypes were shown to be not quite what they seemed by eagle-eyed onlookers.
Continue reading “Coleco In Spat With ColecoVision Community”
It is hard to get very far into electronics without knowing Ohm’s law. Named after [Georg Ohm], it describes current and voltage relationships in linear circuits. However, there are two laws that are even more basic that don’t get nearly the respect that Ohm’s law gets. Those are Kirchhoff’s laws.
In simple terms, Kirchhoff’s laws are really an expression of conservation of energy. Kirchhoff’s current law (KCL) says that the current going into a single point (a node) has to have exactly the same amount of current going out of it. If you are more mathematical, you can say that the sum of the current going in and the current going out will always be zero, since the current going out will have a negative sign compared to the current going in.
You know the current in a series circuit is always the same, right? For example, in a circuit with a battery, an LED, and a resistor, the LED and the resistor will have the same current in them. That’s KCL. The current going into the resistor better be the same as the current going out of it and into the LED.
This is mostly interesting when there are more than two wires going into one point. If a battery drives 3 magically-identical light bulbs, for instance, then each bulb will get one-third of the total current. The point where the battery’s wire joins the leads to the 3 bulbs is the node. All the current coming in has to equal all the current going out. Even if the bulbs are not identical, the totals will still be equal. So if you know any three values, you can compute the fourth.
If you want to play with it yourself, you can simulate the circuit below.
The current from the battery has to equal the current going into the battery. The two resistors at the extreme left and right have the same current through them (1.56 mA). Within rounding error of the simulator, each branch of the split has its share of the total (note the bottom leg has 3K total resistance and, thus, carries less current).
Continue reading “Ohm? Don’t Forget Kirchhoff!”