Unlike just about every other TI calculator, homebrew developers are locked out of the nSpire CX and CX CAS. Without the ability to run native applications on this calculator, [Josh] would be locked out of his platform of choice without the work of the TI calculator community and Ndless, the SDK for this series of calculators.
With the right development environment, [Josh] managed to get the full Android stack up and running and ironed the bugs out. Everything he’s done is available on the GitHub for this project, and with the instructions on the xda developers post, anyone can get a version of Android running on this TI calculator.
While [Josh] has Android Donut running along with most of the 1.6 apps, a terminal emulator, keyboard, WiFi, USB, and Bluetooth running, this calculator-come-Android isn’t as useful as you think it would be. The vast majority of calculator emulators on the Google Play store require Android version 2.2 and up. Yes, [Josh] can still run a TI-83 emulator on his calculator, but finding an app that’s compatible with his version of Android is a challenge.
Still, even with a 150MHz processor and 64MB of RAM – far less than what was found in phones that shipped with Donut – [Josh] is still getting surprisingly good performance out of his calculator. He can play some 2D games on it, and the ability to browse the web with a calculator is interesting, to say the least. It is, however, the perfect example that you don’t need the latest and greatest phone to run Android. Sometimes you don’t even need a phone.
This was both an amusing and frightening talk. [Sam Bowne] presented How to Trojan Financial Android Apps on Saturday afternoon at the LayerOne Conference. [Sam] calculates that 80-90% of the apps provided by major financial institutions like banks and investment companies are vulnerable and the ease with which trojans can be rolled into them is incredible.
[Sam] did a great job of concisely describing the circumstances that make Android particularly vulnerable to the attacks which are the subject of the talk. Android programs are packaged as APK files which are easy to unpack. The “compiled” code itself is called smali and is readable in a similar way as Java. It’s super easy to unpack and search this byte code using grep. Once the interesting parts are located, the smali code can be altered and the entire thing can be repackaged. The app will need to be resigned but Google doesn’t control the signing keys so an attacker can simply generate a new key and use that to sign the app. The user still needs to install the file, but Android allows app installation from webpages, email, etc. so this isn’t a problem for the bad guys either.
So what can be done? This is about information harvesting. [Sam’s] proof of concept uses a python script to insert logging for every local variable. The script looks at the start of every module in the smali code, grabs the number of local variables, increments it by one and uses this extra variable to write out the values through logcat.
He demonstrated live on the Bank of America app. From the user side of things it looks exactly like the official app, because it is the official app. However, when you register your account the log reports the card number as you can see here. Obviously this information could easily be phoned-home using a number of techniques.
As mentioned, the vast majority of banking and financial apps are vulnerable to this, but some have made an attempt to make it more difficult. He found the Bancorp app never exposes this information in local variables so it can’t just be logged out. However, the same trojan technique works as a keylogger since he found the same function kept getting called every time a key is pressed. The same was true of the Capital One app, but it echos out Google’s Android keymap values rather than ascii; easy enough to translate back into readable data though.
The Inability to Report Vulnerabilities
What is the most troubling is that none of these companies have a means of reporting security vulnerabilities. It was amusing to hear [Sam] recount his struggle to report these issues to Charles Schwab. Online contact forms were broken and wouldn’t post data and several publicly posted email addresses bounced email. When he finally got one to accept the email he later discovered another user reporting on a forum that nobody ever answers back on any of the Schwab accounts. He resorted to a trick he has used many times in the past… Tweeting to the CEO of Charles Schwab to start up a direct-message conversation. This itself is a security problem as @SwiftOnSecurity proves by pointing out that whenever @SamBowne Tweets a CEO it’s because he found a vulnerability in that company’s platform and can’t find a reasonable way to contact the company.
There is Hope
Although very rare, sometimes these apps do get patched. The Trade King app was updated after his report and when [Sam] tried the exploit again it crashes at start-up. The log reports a verification failure. This indicates that the injected code is being noticed, but [Sam] wonders if the verification is included in the app itself. If it is, then it will be possible to track it down and disable it.
This may sound like all of us Android users should despair but that’s not the case. Adding verification, even if it’s possible to defeat it, does make the apps safer; attackers may not want to invest the extra time to try to defeat it. Also, there are obsfucators available for a few thousand dollars that will make these attacks much more difficult by making variable names unreadable. The free obsfucator available now with the Android development suites doesn’t change names of everything… local variables are left unaltered and programmers have a habit of using descriptive names for variables. For instance, BofA used “CARDNUM” in the example above.
[Sam Bowne’s] slides and testing results for the entire talk are available under the “Upcoming Events” part of his website.
Here’s a tip from a wizened engineer I’ve heard several times. If you’re poking around a circuit that has failed, look at the resistor color codes. Sometimes, if a resistor overheats, the color code bands will change color – orange to brown, blue to black, and so forth. If you know your preferred numbers for resistors, you might find a resistor with a value that isn’t made. This is where the circuit was overheating, and you’re probably very close to discovering the problem.
The problem with this technique is that you have to look at and decode all the resistors. If automation and computer vision is more your thing, [Parth] made an Android app that will automatically tell you the value of a resistor by pointing a camera at it.
The code uses OpenCV to scan a small line of pixels in the middle of the screen. Colors are extracted from this, and the value of the resistor is displayed on the screen. It’s perfect for scanning through a few hundred through hole resistors, if you don’t want to learn the politically correct mnemonic they’re teaching these days.
[Christian Holz, Senaka Buthpitiya, and Marius Knaust] are researchers at Yahoo that have created a biometric solution for those unlucky folks that always forget their smartphone PIN codes. Bodyprint is an authentication system that allows a variety of body parts to act as the password. These range from ears to fists.
Bodyprint uses the phone’s touchscreen as an image scanner. In order to do so, the researchers rooted an LG Nexus 5 and modified the touchscreen module. When a user sets up Bodyprint, they hold the desired body part to the touchscreen. A series of images are taken, sorted into various intensity categories. These files are stored in a database that identifies them by body type and associates the user authentication with them. When the user wants to access their phone, they simply hold that body part on the touchscreen, and Bodyprint will do the rest. There is an interesting security option: the two person authentication process. In the example shown in the video below, two users can restrict file access on a phone. Both users must be present to unlock the files on the phone.
How does Bodyprint compare to capacitive fingerprint scanners? These scanners are available on the more expensive phone models, as they require a higher touchscreen resolution and quality sensor. Bodyprint makes do with a much lower resolution of approximately 6dpi while increasing the false rejection rate to help compensate. In a 12 participant study using the ears to authenticate, accuracy was over 99% with a false rejection rate of 1 out of 13.
“Wizard Staff” or “Wisest Wizard” is a drinking game played at parties where the attendees participate by taping the empty cans of the drinks they’ve consumed on top of one another to form a staff of inebriated power. A person with a longer staff is considered to be at a higher level and can therefore command lesser wizards to pound their current beverage to a point they see fit. Not everyone at a party necessarily drinks their tasty libation of choice from a can however. So, [Ahmed] and his group came up with a solution for those of us who might alternately prefer to wield a pint glass of power instead.
In their hardware project for Hack Illinois 2015, [Brady Salz], [Ahmed Suhyl], [Dario Aranguiz], and [Kashev Dalmia] decided to add a zest of tech to the game. For their updated rendition, glasses are equipped with battery packs for mobility, a Spark micro-controller, and different colored LEDs as indicators. A couple of wires reach into the bottom of each glass to measure conductivity and keep track of the number of times it is filled and then emptied. In leu of towers of aluminum husks and duct-tape, the group developed a simple Android app for participants to log into which will track and visualize the standings of each player registered to one of the glasses. They even created a pebble version of the app that will display all the same information in case you don’t want to risk handling your phone while drinking… heh.
For an added level of fun, once a player reaches a certain level above someone else, they unlock the option to “challenge” the lesser adversary. By selecting that person’s user name in the app, the LED and buzzer on their glass will spring to life, letting them know they’ve been chosen to chug the rest of their drink. If you’re curious how they made it work, you can check out the team’s code on Github and maybe take a stab at giving the game a makeover of your own.
There are a myriad of modern ways to lock and unlock doors. Keypads, Fingerprint scanners, smart card readers, to name just a few. Quite often, adding any of these methods to an old door may require replacing the existing locking mechanism. Donning his Bollé sunglasses allowed [Dheera] to come up with a slightly novel idea to unlock doors without having to change his door latch. Using simple, off the shelf hardware, a Smartwatch, some code crunching and a Google Now app, he was able to yell “OK Google, Open Sesame” at his Android Wear smartwatch to get his apartment door to open up.
The hardware, in his own words, is trivial. An Arduino, an HC-05 bluetooth module and a servo. The servo is attached to his door latch using simple hardware that looks sourced from the closest hardware store. The code is split in to two parts. The HC-05 listens for a trigger signal, and informs the Arduino over serial. The Arduino in turn activates the servo to open the door. The other part is the Google Now app. Do note that the code, as he clearly points out, is “barebones”. If you really want to implement this technique, it would be wise to add in authentication to prevent all and sundry from opening up your apartment door and stealing your precious funky Sunglasses. Watch a video of how he put it all together after the break. And if you’re interested, here are a few other door lock hacks we’ve featured in the past.
History and [Bil Herd] teaches us that Commodore begged, borrowed, or stole the engineers responsible for the Speak & Spell to add voice synthesis to a few of the computers that came after the C64. This didn’t quite work out in practice, but speech synthesis was something that was part of the Commodore scene for a long time. The Votrax Type ‘n Talk was a stand-alone speech synthesizer that plugged into the expansion port of the VIC-20. It was expensive, rare, but a few games supported it. [Jan] realized the state of speech synthesis has improved tremendously over the last 30 years, and decided to give his VIC a voice with the help of a cheap Android phone.
A few VIC-20 games, including [Scott Adams] adventure games, worked with the Votrax speech synthesizer by sending phonemes as text over the expansion port. From there, the Votrax would take care of assembling everything into something intelligible, requiring no overhead on the VIC-20. [Jan] realized since the VIC is just spitting out characters for each phoneme, he could redirect those words to a better, more modern voice synthesizer.
A small Bluetooth module was wired up to the user port on the VIC, and this module was paired with a cheap Android smartphone. The smartphone receives the serial stream from an adventure game, and speaks the descriptions of all the scenes in these classic adventure games.
It’s a unique experience judging from the video, but the same hardware and software can also be added to any program that will run on the VIC-20, C64, and C128. Video below.