Hacking the Nike+ Fuelband

[Simone] was trying to reverse-engineer the Bluetooth protocol of his Nike+ Fuelband and made some surprising discoveries. [Simone] found that the authentication system of the Fuelband can be easily bypassed and discovered that some low-level functions (such as arbitrarily reading and writing to memory) are completely exposed to the end user or anyone else who hacks past the authentication process.

[Simone] started with the official Nike app for the Fuelband. He converted the APK to a JAR and then used JD-Gui to read the Java source code of the app. After reading through the source, he discovered that the authentication method was completely ineffective. The authenticator requires the connecting device to know both a pin code and a nonce, but in reality the authentication algorithm just checks for a hard-coded token of 0xff 0xff 0xff 0xff 0xff 0xff, rendering the whole authentication process ineffective.

After he authenticated with the Fuelband, [Simone] started trying various commands to see what he could control over the Bluetooth interface. He discovered that he could send the device into bootloader mode, configure the RTC, and even read/write the first 65k of memory over the Bluetooth interface, which is not something you typically want to expose, especially with a broken authentication mechanism. If you want to try the exploit yourself, [Simone] wrote an Android app which he posted up on GitHub.
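To make the failure concrete, here is an added example (not code from the Fuelband, the Nike app or [Simone]'s project) that puts the shape of the reported check next to what a nonce-based check should look like. The constant-token comparison mirrors what the post describes; the challenge-response design, the PBKDF2 key derivation, the 16-byte nonce and the per-device salt are all assumptions chosen for illustration, not Nike's actual protocol.

```python
import hashlib
import hmac
import secrets

# Shape of the check the post describes: the device accepts a fixed six-byte
# token and never uses the PIN or the nonce it supposedly requires.
HARDCODED_TOKEN = bytes([0xFF] * 6)


def authenticate_broken(token: bytes) -> bool:
    """Accepts any peer that presents the constant token (illustrative)."""
    return token == HARDCODED_TOKEN


def derive_key(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Assumed hardening: stretch the PIN into a key with a per-device salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


class ChallengeResponseDevice:
    """Assumed design: the device issues a fresh random nonce per attempt and
    the peer must return HMAC(key, nonce). Each nonce is single-use, so a
    captured response cannot be replayed against a later challenge."""

    def __init__(self, pin: str, salt=None, iterations: int = 100_000):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.iterations = iterations
        self._key = derive_key(pin, self.salt, iterations)
        self._pending_nonce = None

    def challenge(self) -> bytes:
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def verify(self, response: bytes) -> bool:
        nonce, self._pending_nonce = self._pending_nonce, None  # consume the nonce
        if nonce is None:
            return False  # no outstanding challenge (or a replayed attempt)
        expected = hmac.new(self._key, nonce, "sha256").digest()
        # compare_digest returns False for mismatched lengths without raising
        return hmac.compare_digest(expected, response)


def client_respond(pin: str, salt: bytes, iterations: int, nonce: bytes) -> bytes:
    """What a legitimate peer that knows the PIN sends back for a given nonce."""
    return hmac.new(derive_key(pin, salt, iterations), nonce, "sha256").digest()


if __name__ == "__main__":
    # Constructed demo values: a PIN and salt that exist only for this example.
    device = ChallengeResponseDevice("4711", salt=bytes(16), iterations=1000)
    nonce = device.challenge()
    good = client_respond("4711", bytes(16), 1000, nonce)
    print("constant token accepted by broken check:", authenticate_broken(HARDCODED_TOKEN))
    print("correct response accepted:", device.verify(good))
    device.challenge()
    print("replayed response accepted:", device.verify(good))
```

The two properties worth checking in any device pairing scheme are visible in the tests: a fixed token is never accepted by the challenge-response device, and a correct response stops working as soon as the nonce it was computed over has been consumed.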

CAMdrive is an Open Source Time-lapse Photography Controller

[Nightflyer] has been working on an open source project he calls CAMdrive. CAMdrive is designed to be a multi-axis controller for time-lapse photography. It currently only supports a single axis, but he’s looking for help in order to expand the functionality.

You may already be familiar with the idea of time-lapse photography. The principle is that your camera takes a photo automatically at a set interval. An example may be once per minute. This can be a good way to see gradual changes over a long period of time. While this is interesting in itself, time-lapse videos can often be made more interesting by having the camera move slightly each time a photo is taken. CAMdrive aims to aid in this process by providing a framework for building systems that can pan, tilt, and slide all automatically.

The system is broken out into separate nodes. All nodes can communicate with each other via a communication bus. Power is also distributed to each node along the bus, making wiring easier. The entire network can be controlled via Bluetooth as long as any one of the nodes on the bus include a Bluetooth module. Each node also includes a motor controller and corresponding motor. This can either be a stepper motor or DC motor.

The system can be controlled using an Android app. [Nightflyer’s] main limitation at the moment is with the app. He doesn’t have much experience programming apps for Android and he’s looking for help to push the project forward. It seems like a promising project for those photography geeks out there.

Tearing Apart an Android Password Manager

With all of the various web applications we use nowadays, it can be daunting to remember all of those passwords. Many people turn to password management software to help with this. Rather than remembering 20 passwords, you can store them all in a (presumably) secure database that’s protected by a single strong password. It’s a good idea in theory, but only if the software is actually secure. [Matteo] was recently poking around an Android password management software and made some disturbing discoveries.

The app claimed to be using DES encryption, but [Matteo] wanted to put this claim to the test. He first decompiled the app to get a look at the code. The developer used some kind of code obfuscation software but it really didn’t help very much. [Matteo] first located the password decryption routine.

He first noticed that the software was using DES in ECB mode, which has known issues and really shouldn’t be used for this type of thing. Second, the software simply uses an eight-digit PIN as the encryption key. This only gives up to 100 million possible combinations. It may sound like a lot, but to a computer that’s nothing. The third problem was that if the PIN is less than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four-digit PINs, this can possibly lower the total number of combinations to just ten thousand.

As if that wasn’t bad enough, it actually gets worse. [Matteo] found a function that actually stores the PIN in a plain text file upon generation. When it comes time to decrypt a password, the application will check the PIN you enter with the one stored in the plain-text file. So really, you don’t have to crack the encryption at all. You can simply open the file and reveal the PIN.
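The two preceding paragraphs describe a key-derivation problem (a short PIN padded out to a fixed-length key) and a storage problem (the PIN kept in plain text). The added example below, which is not code from the app or from [Matteo]'s write-up, shows why the padding does not enlarge the key space and what a verifier-based PIN check looks like instead. The exact padding rule (repeating the PIN's own digits until eight are reached), the PBKDF2 parameters and the domain-separation labels are assumptions made for the example; the page does not spell them out.

```python
import hashlib
import hmac
import itertools
import secrets

KEY_DIGITS = 8  # the app used an eight-digit PIN as the DES key (from the post)


def pad_pin_like_app(pin: str) -> str:
    """Assumed reconstruction of the app's padding: repeat the PIN's own
    digits until the eight-character key is full."""
    if not pin.isdigit() or not 1 <= len(pin) <= KEY_DIGITS:
        raise ValueError("PIN must be 1 to 8 digits")
    return (pin * KEY_DIGITS)[:KEY_DIGITS]


def effective_keyspace(pin_length: int) -> int:
    """Count the distinct padded keys that PINs of a given length can produce.
    Padding is a deterministic function of the PIN, so the count is just the
    number of PINs of that length: 10 ** pin_length, not 10 ** 8."""
    keys = {pad_pin_like_app("".join(d))
            for d in itertools.product("0123456789", repeat=pin_length)}
    return len(keys)


def store_pin_plaintext(pin: str) -> bytes:
    """What the post says the app did: the PIN itself lands in a file."""
    return pin.encode()


def make_pin_verifier(pin: str, salt=None, iterations: int = 200_000) -> dict:
    """Hardened alternative (assumed design): store only a salted, stretched
    digest of the PIN. The raw PIN never touches disk."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), b"verifier|" + salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_pin(verifier: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 b"verifier|" + verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(digest, verifier["digest"])


def derive_vault_key(pin: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Key for the password database, derived with a different label so the
    stored verifier is never equal to the encryption key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"vault-key|" + salt,
                               iterations, dklen=32)


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(f"{n}-digit PINs -> {effective_keyspace(n)} distinct padded keys")
    v = make_pin_verifier("1234")  # constructed demo PIN
    print("correct PIN accepted:", check_pin(v, "1234"))
    print("wrong PIN accepted:", check_pin(v, "0000"))
```

The caveat a practitioner should keep in mind: a slow KDF raises the per-guess cost but cannot turn ten thousand candidate PINs into a strong secret, since an attacker holding the database can still try them all offline. What the verifier approach does fix is the problem in the paragraph above: nothing on disk reveals the PIN directly, so the attacker at least has to pay that cost.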

[Matteo] doesn’t name the specific app he was testing, but he did say in the Reddit thread that the developer was supposedly pushing out a patch to fix these issues. Regardless, it goes to show that before choosing a password manager you should really do some research and make sure the developer can be trusted, lest your secrets fall into the wrong hands.

[via Reddit]

Hackaday Links: January 11, 2015

Listening tests reveal significant sound quality differences between various digital music storage technologies. Finally the audiophile press is tackling the important questions. This listening test looks at the difference between two four-bay NAS boxes, with one making the piano on Scherzo and Trio from Penguin Café Orchestra’s Union Cafe sound more Steinway-like, while another NAS makes it sound more like a Bösendorfer. Yes, your choice of digital storage medium can change the timbre of a piano. Another gem: “Additionally, the two units also had different processor architectures, which might also affect perceived audible differences.” There must be a corollary to Poe’s Law when it comes to audiophiles…

[10p6] has begun a project that can play every old Atari cartridge. Right now it’s just a few bits of plastic that fit every non-Jaguar Atari cartridge, but it’s a start.

The Android IMSI-Catcher Detector. You’ve heard about Stingrays, devices used by law enforcement that are basically fake cell towers. These Stingrays downgrade or disable the encryption present in all cellphones, allowing anyone, with or without a warrant, to listen in on any cell phone conversation. Now there’s an effort to detect these Stingrays. It’s open source, and they’re looking for volunteers.

[Rob] sent in something that’s the perfect application of projection mapping. It’s called Face Hacking, and it’s pretty much just a motion capture system, a few projectors, a whole lot of CG work, and just a tiny bit of dubstep. It looks cool, but we’re wondering what the applications would be. Theatre or some sort of performance art is the best I can come up with.

A while ago, [4ndreas] saw a 3D printed industrial robot arm. He contacted the guy for the files, but nothing came of that. [4ndreas] did what anyone should do – made his own 3D printable industrial robot arm. The main motors are NEMA 17, and printing this will take a long time. Still, it looks really, really cool.

iBling is an LED Display Necklace

Are you tired of being ignored? Do you want a fashion accessory that says, “Pay attention to me!” If so, you should check out [Al’s] recent instructable. He’s built himself a necklace that includes a display made up of 512 individual LEDs.

This project was built from mostly off-the-shelf components, making it an easy beginner project. The LED display is actually a product that you can purchase for just $25. It includes 512 LEDs aligned in a 16 x 32 grid. The module is easily controlled with a Pixel maker’s kit. This board comes with built-in functionality to control one of these LED modules and can accept input from a variety of sources including Android or PC. The unit is powered from a 2000 mAh LiPo battery.

[Al] had to re-flash the firmware of the Pixel to set it to a low power mode. This mode allows him to get about seven hours of battery life with the 2000 mAh battery. Once the hardware was tested and confirmed to work correctly, [Al] had to pretty things up a bit. Some metallic gold spray paint and rhinestones transformed the project’s cyberpunk look into something you might see in a hip hop video, or at least maybe a Weird Al hip hop video.

The Pixel comes with several Android apps to control the display via Bluetooth. [Al] can choose one of several modes. The first mode allows for pushing animated GIFs to the display. Another will allow the user to specify text to scroll on the display. The user can even specify the text using voice recognition. The final mode allows the user to specify a Twitter search string. The phone will push any new tweets matching the terms to the display as scrolling text.

When Responsible Disclosure Isn’t Enough

Moonpig is a well-known greeting card company in the UK. You can use their services to send personalized greeting cards to your friends and family. [Paul] decided to do some digging around and discovered a few security vulnerabilities between the Moonpig Android app and their API.

First of all, [Paul] noticed that the system was using basic authentication. This is not ideal, but the company was at least using SSL encryption to protect the customer credentials. After decoding the authentication header, [Paul] noticed something strange. The username and password being sent with each request were not his own credentials. His customer ID was there, but the actual credentials were wrong.

[Paul] created a new account and found that the credentials were the same. By modifying the customer ID in the HTTP request of his second account, he was able to trick the website into spitting out all of the saved address information of his first account. This meant that there was essentially no authentication at all. Any user could impersonate another user. Pulling address information may not sound like a big deal, but [Paul] claims that every API request was like this. This meant that you could go as far as placing orders under other customer accounts without their consent.

[Paul] used Moonpig’s API help files to locate more interesting methods. One that stood out to him was the GetCreditCardDetails method. [Paul] gave it a shot, and sure enough the system dumped out credit card details including the last four digits of the card, expiration date, and the name associated with the card. It may not be full card numbers but this is still obviously a pretty big problem that would be fixed immediately… right?
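The two paragraphs above describe the same defect twice: the API checks that the Basic credentials are valid (they are a shared app credential, so everyone's are) and then trusts a client-supplied customer ID to pick whose data to return. The added example below is not Moonpig's code or [Paul]'s; it models that flaw in a small in-memory API and shows the fix, which is to derive the customer from the authenticated principal and refuse any request whose ID does not match. The customer records, credentials, method names and the choice of per-customer Basic credentials for the fixed version are all constructed for the example.

```python
import base64
import hmac

# Constructed sample data: two customers and the shared credential the
# (modelled) app embeds in every request. Real systems store password hashes,
# not plaintext; this toy keeps them in memory only to keep the example short.
CUSTOMERS = {
    "1001": {"password": "alice-pw", "addresses": ["1 Example Street"], "card_last4": "4242"},
    "1002": {"password": "bob-pw", "addresses": ["2 Sample Road"], "card_last4": "1111"},
}
SHARED_APP_CREDENTIAL = ("moonpig-app", "shared-secret")  # constructed, not the real one


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str):
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        raise PermissionError("unsupported auth scheme")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


# --- Broken pattern (models what the post reports) --------------------------

def get_addresses_broken(header: str, customer_id: str):
    """Only checks that the shared app credential is present, then serves
    whatever customer ID the client asked for: a missing object-level
    authorization check."""
    user, password = parse_basic(header)
    if (user, password) != SHARED_APP_CREDENTIAL:
        raise PermissionError("bad app credential")
    return CUSTOMERS[customer_id]["addresses"]


# --- Fixed pattern (assumed design) ------------------------------------------

def authenticate_customer(header: str) -> str:
    """Map the request's own credentials to exactly one customer ID."""
    user, password = parse_basic(header)
    record = CUSTOMERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        raise PermissionError("bad credentials")
    return user


def require_owner(header: str, customer_id: str) -> str:
    """Every per-customer method goes through this: the ID in the request must
    be the ID of the principal who authenticated, otherwise the call fails."""
    principal = authenticate_customer(header)
    if principal != customer_id:
        raise PermissionError("customer ID does not belong to caller")
    return principal


def get_addresses_fixed(header: str, customer_id: str):
    owner = require_owner(header, customer_id)
    return CUSTOMERS[owner]["addresses"]


def get_card_details_fixed(header: str, customer_id: str):
    owner = require_owner(header, customer_id)
    return {"last4": CUSTOMERS[owner]["card_last4"]}


if __name__ == "__main__":
    shared = basic_header(*SHARED_APP_CREDENTIAL)
    print("broken API, shared credential, any ID:", get_addresses_broken(shared, "1002"))
    alice = basic_header("1001", "alice-pw")
    print("fixed API, own ID:", get_addresses_fixed(alice, "1001"))
    try:
        get_addresses_fixed(alice, "1002")
    except PermissionError as exc:
        print("fixed API, someone else's ID:", exc)
```

The design point is that the authorization decision lives in one place (`require_owner`) that every customer-scoped method must call, so a newly added method like the card-details one cannot quietly skip it; an API with dozens of methods, as the post describes, is exactly where a per-method check gets forgotten.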

[Paul] disclosed the vulnerability responsibly to Moonpig in August 2013. Moonpig responded by saying the problem was due to legacy code and it would be fixed promptly. A year later, [Paul] followed up with Moonpig. He was told it should be resolved before Christmas. On January 5, 2015, the vulnerability was still not resolved. [Paul] decided that enough was enough, and he might as well just publish his findings online to help press the issue. It seems to have worked. Moonpig has since disabled its API and released a statement via Twitter claiming that, “all password and payment information is and has always been safe”. That’s great and all, but it would mean a bit more if the passwords actually mattered.

Coffee Payment System Doesn’t Void Your Warranty

[Oliver] is back with an update to his recent coffee maker hacks. His latest hack allowed him to add a coffee payment system to an off-the-shelf coffee maker without modifying the coffee maker itself. This project is an update to his previous adventures in coffee maker hacking which logged who was using up all of the coffee.

The payment system begins with an Arduino Uno clone inside of a small project enclosure. The Arduino communicates with the coffee maker via serial using the coffee maker’s service port. This port is easily available from outside the machine, so you won’t have to crack open the case and risk voiding your warranty.

The system also includes an RFID reader and a Bluetooth module. The RFID reader allows each user to have their own identification card. The user can swipe their card over the reader and the system knows how many credits are left in their account. If they have enough credit, the machine will pour a delicious cup of coffee.

The Arduino communicates to an Android phone using the Bluetooth module. [Oliver’s] Android app was built using MIT’s app inventor. It keeps track of the account credits and allows the user to add more. The system can currently keep track of up to forty accounts. [Oliver] also mentions that you can use any Bluetooth terminal program to control the system instead of a smart phone app.