This Week In Security: Default Passwords, Lock Slapping, And Mastodown

The UK has the answer to all our IoT problems: banning bad default passwords. Additionally, the new UK law requires device makers to provide contact info for vulnerability disclosures, and to advertise their vulnerability fix schedules. Is this going to help the security of routers, cameras, and other devices? Maybe a bit.

I would argue that default passwords are in themselves the problem, and complexity requirements only nominally help security. Why? Because a good default password becomes worthless once the password, or the algorithm that generates it, leaks. Let’s lay out some scenarios here. First is the static default password. Manufacturer X makes device Y, and sets the devices to username/password admin/new_Complex_P@ssword1!. Those credentials make it onto a default password list, and any extra security is lost.

What about those devices that have a different, random-looking password for each device? Those use an algorithm to derive that password from the MAC address and/or serial number. That may help the situation, but the algorithm can be retrieved from the firmware, and most serial numbers are predictable in one way or another. This approach is better, but not a silver bullet.

So what would a real solution to the password problem look like? How about no default password at all, but no device functionality until the new password passes a cracklib complexity and uniqueness check. I have seen a few devices that do exactly this. The requirement for a disclosure address is a great idea, which we’ve talked about before regarding the similar EU legislation.
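What the “no default password” approach looks like in practice, as an added example that is not code from the original post or from any device vendor: the device boots locked, and services stay off until a first-boot password passes a complexity check, a check against a list of known factory defaults (the short list here is constructed for the example; a real device would use a maintained dictionary such as cracklib’s), and a uniqueness check that rejects anything derived from the serial number or MAC printed on the label. The `FirstBootGate` class, the `KNOWN_DEFAULTS` list and the serial/MAC values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of well-known factory credentials. A real device would check
# against a much larger, maintained list (or a cracklib dictionary).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "new_Complex_P@ssword1!"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def password_problems(candidate, serial, mac):
    """Return the reasons a candidate password is rejected; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if candidate.casefold() in {d.casefold() for d in KNOWN_DEFAULTS}:
        problems.append("matches a known factory default")
    # Uniqueness: nothing printed on the label may appear in the password, because
    # serial numbers are predictable and the MAC is visible to anyone on the LAN.
    normalized = candidate.casefold().replace(":", "").replace("-", "")
    mac_hex = mac.casefold().replace(":", "").replace("-", "")
    for identifier in (serial.casefold(), mac_hex, mac_hex[-6:]):
        if len(identifier) >= 4 and identifier in normalized:
            problems.append("derived from the serial number or MAC address")
            break
    return problems


class FirstBootGate:
    """Hypothetical device state: stays locked (no services) until a password is accepted."""

    def __init__(self, serial, mac):
        self.serial = serial
        self.mac = mac
        self.unlocked = False
        self._salt = None
        self._digest = None

    def set_initial_password(self, candidate):
        """Accept the first password only if every check passes; returns the problem list."""
        problems = password_problems(candidate, self.serial, self.mac)
        if problems:
            return problems
        # Store a salted, stretched hash rather than the password itself.
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), self._salt, PBKDF2_ROUNDS
        )
        self.unlocked = True
        return []

    def verify(self, attempt):
        """Constant-time comparison of a login attempt; always False while still locked."""
        if not self.unlocked:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, self._digest)


if __name__ == "__main__":
    gate = FirstBootGate(serial="SN12345678", mac="AA:BB:CC:DD:EE:FF")  # constructed
    print(gate.set_initial_password("Sn12345678-Xy!"))   # rejected: contains the serial
    print(gate.set_initial_password("Correct-Horse-9-Staple"))  # accepted: []
    print(gate.unlocked, gate.verify("Correct-Horse-9-Staple"))
```

The uniqueness check is the part a complexity rule alone does not give you: a password like `Sn12345678-Xy!` satisfies every character-class requirement and is still trivially guessable by anyone who can read the label.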


The ROG Ally with the second screen mod installed

Dual-Screen Mod For The ROG Ally Handheld

In our continuing coverage of the ROG Ally modding community, we would be remiss not to mention a seriously impressive mod — a dual screen project for the x86 gaming handheld by [YesItsKira]! Single screen devices can feel cramped, and this mod is a prime example of a dedicated hacker taking things into her own hands. In particular, the mechanics of this mod are done wonderfully, thanks to a custom-designed 3D printed Ally back cover.

The second screen connects through a USB-C port, held above the main screen by a sturdy printed hinge at whatever angle you want it. As a pleasant surprise, it’s also touch-enabled! The mod is fully open source and well documented — everything you need to print is published on Thingiverse, a detailed assembly guide with pictures is on GitHub, and the BOM is at the bottom of the guide.

Apart from printed parts, you only need a few things off Amazon; it’s that easy to source. Electronics-wise, this mod uses a Raspberry Pi-suited HDMI screen, wiring it up through an integrated USB-C dock, which means you can still charge your handheld while using the dual-screen solution!

Interested in modifications for your ROG Ally, but not quite ready to bolt on a second display? Check out this phenomenally documented battery upgrade from an iFixit staffer that we recently covered.

MUDLink Is Making UART Data Links More Reliable

Many of us have used UARTs to spit data from one system or chip to another. Normally, for quick and dirty maker projects, this is good enough. However, you’ll always get the odd dropped transmission or glitch that can throw a spanner in the works if you’re not careful. [Jake Read] decided to work on a system that could use UARTs while being far more reliable. Enter MUDLink.

MUDLink is a library that works with an Arduino’s UART port and stacks on a bit of protocol to clean things up. It uses a packetized method of sending data to ensure that transmissions are received reliably as intended by the sender. Packets are framed using a method called Consistent Overhead Byte Stuffing, which is a nice lightweight way of doing so. The system also uses CRC16-CCITT as an error checking mechanism. There’s also an ack-and-retransmit system for ensuring any dropped transmissions are repeated and received successfully.
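To make the framing concrete, here is an added example (not MUDLink’s own code, and not from the original post) of the two building blocks the paragraph names: COBS encoding, which removes every 0x00 from a packet so that a single 0x00 can serve as an unambiguous frame delimiter, and a CRC16-CCITT check appended to the payload before encoding. The CRC variant (polynomial 0x1021, initial value 0xFFFF, no reflection) and the frame layout (payload, then big-endian CRC, then COBS, then the 0x00 delimiter) are assumptions for this example; MUDLink’s exact parameters are not stated on the page. The ack-and-retransmit layer is not shown.

```python
def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def cobs_encode(data):
    """Consistent Overhead Byte Stuffing: output contains no 0x00 bytes."""
    out = bytearray([0])   # placeholder for the first code byte
    code_idx = 0           # where the current block's code byte lives
    code = 1               # distance to the next zero (or block end)
    for byte in data:
        if byte == 0:
            out[code_idx] = code
            code_idx = len(out)
            out.append(0)
            code = 1
        else:
            out.append(byte)
            code += 1
            if code == 0xFF:   # 254 non-zero bytes: start a new block
                out[code_idx] = code
                code_idx = len(out)
                out.append(0)
                code = 1
    out[code_idx] = code
    return bytes(out)


def cobs_decode(encoded):
    """Inverse of cobs_encode; raises ValueError on a malformed block."""
    out = bytearray()
    i, n = 0, len(encoded)
    while i < n:
        code = encoded[i]
        if code == 0:
            raise ValueError("zero byte inside COBS frame")
        i += 1
        block = encoded[i:i + code - 1]
        if len(block) != code - 1:
            raise ValueError("truncated COBS block")
        out += block
        i += code - 1
        if code < 0xFF and i < n:   # a full 0xFF block carries no implied zero
            out.append(0)
    return bytes(out)


def build_frame(payload):
    """Append CRC16-CCITT, COBS-encode, and terminate with the 0x00 delimiter."""
    crc = crc16_ccitt(payload)
    return cobs_encode(payload + crc.to_bytes(2, "big")) + b"\x00"


def parse_stream(stream):
    """Split a received byte stream on 0x00 and return (good_payloads, rejected_count).

    A real receiver would buffer until it sees a delimiter; here the whole stream
    is available, so a trailing partial frame simply fails its checks.
    """
    good, rejected = [], 0
    for chunk in stream.split(b"\x00"):
        if not chunk:
            continue   # back-to-back delimiters produce empty chunks
        try:
            decoded = cobs_decode(chunk)
        except ValueError:
            rejected += 1
            continue
        if len(decoded) < 2:
            rejected += 1
            continue
        payload, received = decoded[:-2], int.from_bytes(decoded[-2:], "big")
        if crc16_ccitt(payload) != received:
            rejected += 1   # a flipped bit on the wire lands here
            continue
        good.append(payload)
    return good, rejected


if __name__ == "__main__":
    # Constructed wire capture: two good frames with a burst of line noise between them.
    noise = b"\x07\x07\x00"
    wire = build_frame(b"hello") + noise + build_frame(b"\x00\x01\x00")
    print(parse_stream(wire))   # ([b'hello', b'\x00\x01\x00'], 1)
```

Because the CRC is computed over the payload before stuffing, a corrupted byte is caught whether it lands in the payload or in the stuffing codes themselves: the former fails the CRC, the latter usually fails COBS decoding outright. Either way the receiver drops the frame and the ack-and-retransmit layer can ask for it again.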

If you need reliable UART transmissions without too much overhead, you might want to look at what Jake is doing. It’s a topic we’ve looked at before, too. Video after the break.

Screenshot of the YouTube channel videos list, showing a number of videos like the ones described in this article.

[DiyOtaku] Gives Old Devices A New Life

Sometimes we get sent a tip that isn’t just a single article or video, but an entire blog or YouTube channel. Today’s channel, [Diy Otaku], is absolutely worth a watch if you want to see someone giving a second life to legendary handheld devices, and our creator has been going at it for a while. A common theme in most of the videos so far – taking an old phone or a weathered gaming console, and improving upon them in a meaningful way, whether it’s lovingly restoring them, turning them into a gaming console for your off days, upgrading the battery, or repairing a common fault.

The hacks here are as detailed as they are respectful to the technology they work on. The recent video about putting a laptop touchpad into a game controller, for instance, has the creator carefully replace the controller’s epoxy blob heart with a Pro Micro while preserving the original board for all its graphite-covered pads. The touchpad is the same used in an earlier video to restore a GPD Micro PC with a broken touchpad, a device that you can see our hacker use in a later video running FreeCAD, helping them design an 18650 battery shell for a PSP about to receive a 6000 mAh battery upgrade.


Don’t Object To Python Objects

There’s the old joke about 10 kinds of programmers, but the truth is when it comes to programming, there are often people who make tools and people who use tools. The Arduino system is a good example of this. Most people use it like a C compiler. However, it really uses C++, and if you want to provide “things” to the tool users, you need to create objects. For example, when you put Serial in a program, you use an object someone else wrote. Python — and things like Micropython — have the same kind of division. Python started as a scripting language, but it has added object features, allowing a rich set of tools for scripters to use. [Damilola Oladele] shows the ins and outs of object-oriented Python in a recent post.

Like other languages, Python allows you to organize functions and data into classes and then create instances that belong to that class. Class hierarchies are handy for reusing code, customizing behavior, and — through polymorphism — building device driver-like architectures.
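The “device driver-like architecture” idea, as an added example written for this post (it is not code from [Damilola Oladele]’s article): an abstract `Device` base class supplies shared behaviour, subclasses customize it, a class-level registry lets callers create a driver by name, and a polling loop treats every driver the same way through polymorphism. The `Device`, `TemperatureSensor` and `Relay` classes and their raw-value conversions are constructed for illustration.

```python
from abc import ABC, abstractmethod


class Device(ABC):
    """Base driver. Subclasses that declare a `kind` are registered automatically."""

    registry = {}   # kind name -> driver class
    units = ""      # default, overridden by subclasses that report a unit

    def __init_subclass__(cls, **kwargs):
        # Runs every time a subclass is defined: no manual registration step.
        super().__init_subclass__(**kwargs)
        kind = getattr(cls, "kind", None)
        if kind is not None:
            Device.registry[kind] = cls

    @classmethod
    def create(cls, kind, **params):
        """Factory: look the driver up by name so callers never import concrete classes."""
        try:
            driver_cls = cls.registry[kind]
        except KeyError:
            raise ValueError(f"no driver registered for kind {kind!r}") from None
        return driver_cls(**params)

    @abstractmethod
    def read(self):
        """Every driver must implement this; the base class cannot be instantiated."""

    def describe(self):
        # Shared behaviour: written once here, reused by every subclass.
        return f"{self.kind}: {self.read():.2f} {self.units}".rstrip()


class TemperatureSensor(Device):
    kind = "temperature"
    units = "C"

    def __init__(self, raw_adc):
        self.raw_adc = raw_adc

    def read(self):
        # Constructed conversion: 10 ADC counts per degree, offset at 400 counts.
        return (self.raw_adc - 400) / 10


class Relay(Device):
    kind = "relay"

    def __init__(self, on=False):
        self.on = on

    def set_state(self, on):
        self.on = bool(on)

    def read(self):
        return 1.0 if self.on else 0.0


def poll_all(devices):
    """Polymorphism: the loop calls read() without caring which driver it is talking to."""
    return [(device.kind, device.read()) for device in devices]


if __name__ == "__main__":
    bus = [Device.create("temperature", raw_adc=650), Device.create("relay", on=True)]
    print(poll_all(bus))             # [('temperature', 25.0), ('relay', 1.0)]
    print([d.describe() for d in bus])
```

The `@abstractmethod` on `read()` is what turns the base class into a contract: forgetting to implement it in a new driver fails at instantiation time with a `TypeError`, not later in the polling loop.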


Start Your Creepy Jack-O-Lantern Project Early This Year With Gourdan

For a lot of us, projects take time, and they have to be squeezed in around the regular chores of real life. Thus, if you’re starting your Halloween builds after the holiday displays have already hit the stores, you’re probably too late. We’re here to implore you to start building early this year—and you can take inspiration from a great pumpkin called Gourdan.

Gourdan is the work of [Braden Sunwold]. It’s a pumpkin with a fearsome visage and creepy eyes that follow you around the room. This is achieved thanks to a Raspberry Pi 3 nestled within Gourdan’s gourdy body. Gourdan’s eyes are a pair of 1.54-inch LCDs which display animated eyes. Thus, no mechanical wizardry is required here—it’s all done digitally. A camera attached to the Raspberry Pi tracks people with the aid of OpenCV, and the eyes are created and animated with the help of Adafruit example code.

There’s never a better time to start hacking for Halloween than right now. And hey, who knows—your neighbour might have kicked off in January, so they’ll have an almighty head start. They could have something really impressive in the works!

And don’t forget—you can always send us your holiday hacks, whatever the time of year! Just hit up the tipsline. Happy making!

Starlink terminal being injected with 12V from an external PSU

Bypass PoE And Power Your Starlink Terminal Directly

Sometimes, you will want to power a device in a way it wasn’t designed for, and you might find that the device in question is way too tailored to the original power source. Today, [Oleg Kutkov] is here to give us a master class on excising unnecessary power conversion out of your devices, with the Starlink terminal as an example. This device can only be officially powered from 48V PoE, but can technically work from about 12V – and, turns out, many people want to mount a Starlink terminal to their cars.

[Oleg] shows us the power circuit of the Starlink terminal, explaining which component is responsible for what, and gives us a block diagram. Then, he shows you the 12V rail that all internal components actually draw power from, and where to feed power into it. Plus, he warns you about possible caveats, like having to disable the builtin 12V regulator to protect it from backfeeding-induced damage. If you’re looking to modify a similar device, this tutorial gives you heaps of insight on what you might need on your foray.

Thinking of modifying your own Starlink terminal, perhaps, and wondering about the power consumption? [Oleg] has current consumption graphs for you, collected with a data logger of his own design for the Uni-T UT800, providing detailed figures on just how much energy you ought to supply to power the terminal from 12V, and where to (not) get it. After all, even a seemingly suitable power supply might not do.