With all of the various web applications we use nowadays, it can be daunting to remember all of those passwords. Many people turn to password management software to help with this. Rather than remembering 20 passwords, you can store them all in a (presumably) secure database that’s protected by a single strong password. It’s a good idea in theory, but only if the software is actually secure. [Matteo] was recently poking around an Android password manager and made some disturbing discoveries.
The app claimed to be using DES encryption, and [Matteo] wanted to put this claim to the test. He decompiled the app to get a look at the code. The developer had run it through some kind of code obfuscation software, but it really didn’t help very much, and [Matteo] soon located the password decryption routine.
The first thing he noticed was that the software uses DES in ECB mode, where every block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks; it really shouldn’t be used for this type of thing. Second, the software simply uses the user’s eight-digit PIN as the encryption key. That leaves at most 100 million possible keys, rather than the 2^56 a DES key could provide. It may sound like a lot, but to a computer that’s nothing. The third problem was that if the PIN is shorter than eight digits, the same filler digits are always appended to make up the length. Since most people tend to use four-digit PINs, this can lower the number of keys to try to just ten thousand.
As if that wasn’t bad enough, it actually gets worse. [Matteo] found a function that stores the PIN in a plain-text file when it is created. When it comes time to decrypt a password, the application simply compares the PIN you enter with the one stored in that file. So really, you don’t have to crack the encryption at all. You can simply open the file and read the PIN.
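Here is what the first three findings add up to in practice, as an added example that is not [Matteo]’s code or the app’s. A toy 64-bit Feistel cipher built on SHA-256 stands in for DES so the script runs with the standard library alone; the attack does not depend on the cipher, only on the PIN-derived keyspace and on ECB mode. The key derivation (PIN right-filled with “0” characters) and the vault entry are assumptions made up for the demo, since the article does not say which filler digits the app uses. Brute-forcing the four-digit keyspace recovers the PIN in a fraction of a second, and the last function shows the ECB leak: two identical plaintext blocks give two identical ciphertext blocks.

```python
"""Brute-forcing a PIN-derived ECB key. Added example, not the app's code.

The block cipher is a toy 64-bit Feistel network built on SHA-256 that stands
in for DES (same block size, same 8-byte key). The attack does not depend on
the cipher, only on the tiny PIN-derived keyspace and on ECB mode.
"""
import hashlib
import itertools
import string

BLOCK = 8        # 64-bit blocks, like DES
ROUNDS = 8
PIN_LEN = 8      # the app derives its key from an eight-digit PIN
FILLER = "0"     # assumed filler for short PINs (the article does not name it)


def _f(key, half, rnd):
    """Round function: keyed SHA-256 truncated to the 32-bit half-block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l  # final swap so decryption reuses the same structure


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """ECB: each block encrypted on its own, no IV, no chaining."""
    padded = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key, ciphertext):
    padded = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                      for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(padded)


def key_from_pin(pin):
    """Assumed scheme: the PIN as ASCII, right-filled to eight characters."""
    return pin.ljust(PIN_LEN, FILLER).encode()


def keyspace(pin_digits):
    """Keys an attacker must try if users pick pin_digits-digit PINs."""
    return 10 ** pin_digits


def repeated_blocks(ciphertext):
    """ECB leak: identical plaintext blocks give identical ciphertext blocks."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def looks_like_text(data):
    return all(chr(b) in string.printable for b in data)


def brute_force_pin(ciphertext, pin_digits):
    """Try every pin_digits-digit PIN; accept the first key whose decryption
    has valid padding and printable content."""
    for digits in itertools.product("0123456789", repeat=pin_digits):
        pin = "".join(digits)
        try:
            plaintext = ecb_decrypt(key_from_pin(pin), ciphertext)
        except ValueError:
            continue
        if looks_like_text(plaintext):
            return pin, plaintext
    return None, None


if __name__ == "__main__":
    vault_entry = b"mail:hunter2"  # constructed sample entry
    ct = ecb_encrypt(key_from_pin("4321"), vault_entry)
    print(keyspace(8), "keys for 8-digit PINs,", keyspace(4), "for 4-digit PINs")
    print(brute_force_pin(ct, 4))
    print(repeated_blocks(ecb_encrypt(key_from_pin("4321"), b"AAAAAAAA" * 2)))
```

Swapping the toy cipher for a real DES implementation changes nothing about the attack: the search loop stays the same, and the four-digit case finishes before the user would notice.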
[Matteo] doesn’t name the specific app he was testing, but he did say in the Reddit thread that the developer was supposedly pushing out a patch to fix these issues. Regardless, it goes to show that before choosing a password manager you should really do some research and make sure the developer can be trusted, lest your secrets fall into the wrong hands.
Listening tests reveal significant sound quality differences between various digital music storage technologies. Finally the audiophile press is tackling the important questions. This listening test looks at the difference between two four-bay NAS boxes, with one making the piano on Scherzo and Trio from Penguin Café Orchestra’s Union Cafe sound more Steinway-like, while another NAS makes it sound more like a Bösendorfer. Yes, your choice of digital storage medium can change the timbre of a piano. Another gem: “Additionally, the two units also had different processor architectures, which might also affect perceived audible differences.” There must be a corollary to Poe’s Law when it comes to audiophiles…
[10p6] has begun a project that can play every old Atari cartridge. Right now it’s just a few bits of plastic that fits every non-Jaguar Atari cartridge, but it’s a start.
The Android IMSI-Catcher Detector. You’ve heard about Stingrays, devices used by law enforcement that are basically fake cell towers. Because a phone trusts whatever network it attaches to, a Stingray can force it onto a weaker or unencrypted connection, letting whoever operates the device, with or without a warrant, identify the handsets nearby and listen in on calls. Now there’s an effort to detect these Stingrays. It’s open source, and they’re looking for volunteers.
[Rob] sent in something that’s the perfect application of projection mapping. It’s called Face Hacking, and it’s pretty much just a motion capture system, a few projectors, a whole lot of CG work, and just a tiny bit of dubstep. It looks cool, but we’re wondering what the applications would be. Theatre or some sort of performance art is the best I can come up with.
A while ago, [4ndreas] saw a 3D printed industrial robot arm. He contacted the guy for the files, but nothing came of that. [4ndreas] did what anyone should do – made his own 3D printable industrial robot arm. The main motors are NEMA 17, and printing this will take a long time. Still, it looks really, really cool.
Are you tired of being ignored? Do you want a fashion accessory that says, “Pay attention to me!” If so, you should check out [Al’s] recent instructable. He’s built himself a necklace that includes a display made up of 512 individual LEDs.
This project was built from mostly off-the-shelf components, making it an easy beginner project. The LED display is actually a product that you can purchase for just $25. It includes 512 LEDs aligned in a 16 x 32 grid. The module is easily controlled with a Pixel maker’s kit. This board comes with built-in functionality to control one of these LED modules and can accept input from a variety of sources including Android or PC. The unit is powered from a 2000 mAh LiPo battery.
[Al] had to re-flash the firmware of the Pixel to set it to a low power mode. This mode allows him to get about seven hours of battery life from the 2000 mAh battery. Once the hardware was tested and confirmed to work correctly, [Al] had to pretty things up a bit. Some metallic gold spray paint and rhinestones transformed the project’s cyberpunk look into something you might see in a hip hop video, or at least maybe a Weird Al hip hop video.
The Pixel comes with several Android apps to control the display via Bluetooth. [Al] can choose one of several modes. The first mode allows for pushing animated GIFs to the display. Another will allow the user to specify text to scroll on the display. The user can even specify the text using voice recognition. The final mode allows the user to specify a Twitter search string. The phone will push any new tweets matching the terms to the display as scrolling text.
Moonpig is a well-known greeting card company in the UK. You can use their services to send personalized greeting cards to your friends and family. [Paul] decided to do some digging around and discovered a few security vulnerabilities in the API used by the Moonpig Android app.
First of all, [Paul] noticed that the app was using HTTP Basic authentication. This is not ideal, but the company was at least using SSL to protect the credentials in transit. Basic auth is only base64-encoded, so after decoding the authentication header [Paul] noticed something strange. The username and password being sent with each request were not his own credentials. His customer ID was there, but the actual credentials were something else entirely.
[Paul] created a new account and found that the credentials were the same: a single hard-coded pair shared by every install of the app, so they only proved that the request came from the app, not which customer was making it. By changing the customer ID in an HTTP request made from his second account, he was able to get the API to return all of the saved address information of his first account. This meant that there was essentially no per-customer authorization at all. Any user could impersonate any other user just by picking their ID. Pulling address information may not sound like a big deal, but [Paul] claims that every API request was like this. This meant that you could go as far as placing orders under other customer accounts without their consent.
[Paul] used Moonpig’s API help files to locate more interesting methods. One that stood out to him was the GetCreditCardDetails method. [Paul] gave it a shot, and sure enough the system dumped out credit card details including the last four digits of the card, expiration date, and the name associated with the card. It may not be full card numbers but this is still obviously a pretty big problem that would be fixed immediately… right?
[Paul] disclosed the vulnerability responsibly to Moonpig in August 2013. Moonpig responded by saying the problem was due to legacy code and would be fixed promptly. A year later, [Paul] followed up with Moonpig. He was told it should be resolved before Christmas. On January 5, 2015, the vulnerability was still not resolved. [Paul] decided that enough was enough and published his findings online to help press the issue. It seems to have worked. Moonpig has since disabled its API and released a statement via Twitter claiming that “all password and payment information is and has always been safe”. That’s great and all, but it would mean a bit more if the passwords actually mattered.
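The pattern [Paul] found, as an added example that is not Moonpig’s code and does not reproduce their API: one handler that authenticates a credential shared by every copy of the app and then trusts a customer ID from the request, beside a handler that authenticates the customer’s own credentials and derives the identity from them. The customer records, the shared app credential and the handler names are constructed for the demo; the Basic-header decoding is the same base64 step [Paul] used to see that the credentials in the header were not his own.

```python
"""Missing object-level authorization behind HTTP Basic auth.
Added example, not Moonpig's code. All records and credentials are constructed.
"""
import base64
import secrets

# Constructed customer table: the customer ID doubles as the Basic auth user.
CUSTOMERS = {
    "1001": {"password": "alice-pw", "addresses": ["1 Example Street"]},
    "1002": {"password": "bob-pw", "addresses": ["2 Sample Road"]},
}
# One credential pair baked into the app and sent with every request. It
# proves the request came from the app, not which customer sent it.
APP_USER, APP_PASS = "app-client", "static-app-secret"


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Basic auth is base64, not encryption: anyone holding the request reads it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def get_addresses_vulnerable(headers, params):
    """Checks the shared app credential, then trusts customerId from the
    request: whoever has the app can read any customer's data."""
    user, password = decode_basic(headers["Authorization"])
    if (user, password) != (APP_USER, APP_PASS):
        return 401, None
    cust = CUSTOMERS.get(params.get("customerId", ""))
    return (200, cust["addresses"]) if cust else (404, None)


def get_addresses_fixed(headers, params):
    """Authenticates the customer's own credentials and takes the object
    reference from the authenticated identity, not from a request parameter."""
    user, password = decode_basic(headers["Authorization"])
    cust = CUSTOMERS.get(user)
    if cust is None or not secrets.compare_digest(
            password.encode(), cust["password"].encode()):
        return 401, None
    if params.get("customerId", user) != user:
        return 403, None  # the requested object belongs to someone else
    return 200, cust["addresses"]


def attacker_reads_victim(handler, user, password):
    """Caller authenticates as (user, password) but asks for customer 1001."""
    headers = {"Authorization": basic_header(user, password)}
    return handler(headers, {"customerId": "1001"})


if __name__ == "__main__":
    # What [Paul] saw after decoding: the app's credential, not his own.
    print(decode_basic(basic_header(APP_USER, APP_PASS)))
    # Anyone holding the app credential reads customer 1001's addresses.
    print(attacker_reads_victim(get_addresses_vulnerable, APP_USER, APP_PASS))
    # With per-customer credentials, customer 1002 is refused 1001's data.
    print(attacker_reads_victim(get_addresses_fixed, "1002", "bob-pw"))
    # And the shared app credential no longer authenticates anyone.
    print(attacker_reads_victim(get_addresses_fixed, APP_USER, APP_PASS))
```

The fix is not a better password scheme but binding every object lookup to the authenticated principal; a credential that is the same for every customer cannot be used to decide which customer a request may read.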
[Oliver] is back with an update to his recent coffee maker hacks. His latest hack allowed him to add a coffee payment system to an off-the-shelf coffee maker without modifying the coffee maker itself. This project is an update to his previous adventures in coffee maker hacking which logged who was using up all of the coffee.
The payment system begins with an Arduino Uno clone inside of a small project enclosure. The Arduino communicates with the coffee maker via serial using the coffee maker’s service port. This port is easily available from outside the machine, so you won’t have to crack open the case and risk voiding your warranty.
The system also includes an RFID reader and a Bluetooth module. The RFID reader allows each user to have their own identification card. The user can swipe their card over the reader and the system knows how many credits are left in their account. If they have enough credit, the machine will pour a delicious cup of coffee.
The Arduino communicates with an Android phone using the Bluetooth module. [Oliver’s] Android app was built using MIT’s App Inventor. It keeps track of the account credits and allows the user to add more. The system can currently keep track of up to forty accounts. [Oliver] also mentions that you can use any Bluetooth terminal program to control the system instead of the smartphone app.
Like many mobile gamers, [Daniel] has found himself caught up by the addictive “White Tiles” game. Rather than play the game himself though, [Daniel] decided to write his own automatic White Tiles player. While this hack has been pulled off before, it’s never been well documented. [Daniel] used knowledge he gleaned on Hackaday and Hackaday.io to achieve his hack.
The basic problem is sensing white vs black tiles and activating the iPad’s capacitive touch screen. On the sensing end, [Daniel] could have used phototransistors, but it turned out that simple CdS cells, or photoresistors, were fast enough in this application. Activating the screen proved to be a bit harder. [Daniel] initially tried copper tape tied to transistors, but found they wouldn’t reliably trigger the screen. He switched over to relays, and that worked perfectly. We’re guessing that changing the wire length causes enough of a capacitance change to cause the screen to detect a touch.
The final result is a huge success, as [Daniel’s] Arduino-based player tears through the classic game in only 3.9 seconds! Nice work [Daniel]!
Click past the break to see [Daniel’s] device at work, and to see a video of him explaining his creation.
[johannes] wrote in to tell us about his latest project, a home automation setup he named Botman. While he calls it a home automation system, controlling lights and home appliances (which it does wirelessly on 433MHz) is just a small part of its functionality. The front panel of Botman includes a servo which points to laser-etched icons of the current weather. It also has a display which shows indoor and outdoor weather conditions along with the status of public transportation around [johannes]’s house.
Botman is built around an Arduino with an Ethernet shield. The Arduino has very little memory, so [johannes] used Google App Engine as a buffer between his Arduino and the JSON APIs of his data sources. This significantly reduces the amount of data the Arduino has to keep in memory and parse.
[johannes] also wrote an Android app that communicates with Botman. The app has buttons for controlling lights in his house and duplicates all the information shown on the front panel. [johannes] also built some logging features into Botman. The temperature readings and other information are uploaded from the Arduino to a Google Docs spreadsheet where he can view and graph them from anywhere. Check out the video after the break to see Botman in action.