Electronic Message In a Bottle

We remember going to grandfather’s garage. There he would be, his tobacco pipe clenched between his teeth, wisps of smoke trailing into the air around him as he focused, bent over another of his creations. Inside of a simple glass bottle was something impossible. Carefully, ever so carefully, he would use his custom tools to twist wire. He would carefully place each lead. Eventually when the time was right he would solder. Finally he’d place it on the shelf next to the others, an LED matrix in a bottle.

Well, maybe not, but [Mariko Kosaka]’s father [Kimio Kosaka] has done it. In order to build the matrix, he needed tools that could reach inside the mouth of the bottle without taking up too much space to allow for precise movement. To do this he bent, brazed, twisted, and filed piano wire into tools that are quite beautiful by themselves. These were used to carefully bend and position the LEDs, wires, and other components inside the bottle.

Once the part was ready, he used a modified Hakko soldering iron to do the final combination. We wonder if he even had to be careful to solder quickly so as not to build up a residue on the inside of the bottle? The electronics are all contained inside the bottle. One of the bottles contained another impressive creation of his: an entire Arduino with only wire, dubbed the Arduino Skeleton. Batteries are attached to the cork so when the power runs low it can be removed and replaced without disturbing the creation.

It’s a ridiculous labor of love, and naturally, we love it. There’s a video of it in operation as well as one with him showing how it was done which is visible after the break. He showed them off at the Tokyo Maker Faire where they were surely a hit.

Cheap Toy Airboat Gets a Cheap R/C Upgrade

[Markus Gritsch] and his son had a fun Sunday putting together a little toy airboat from a kit. They fired it up and it occurred to [Markus] that it was pretty lame. It went forward and sometimes sideways when a stray current influenced its trajectory, but it had no will of its own.

The boat was extracted from water before it could wander off and find itself lost forever. [Markus] did a mental inventory of his hacker bench and decided this was a quickly rectified design shortcoming. He applied a cheap knock-off Arduino, equally cheap nRF24L01+ chip of dubious parentage, and their equivalent hobby servo to the problem.

Some quick coding later, assisted by prior work from other RC enthusiasts, the little boat was significantly upgraded. Now the boat could be brought back to shore using any R/C controller that supported the “Bayang” protocol. He wouldn’t have to face the future in which he’d have to explain to his son that the boat, like treacherous helium balloons, was just gone. Video after the break.

Apollo: The Alignment Optical Telescope

The Apollo program is a constant reminder that we just don’t need so much to get the job done. Sure it’s easier with today’s tools, but hard work can do it too. [Bill Hammack] elaborates on one such piece of engineering: The Alignment Optical Telescope.

The telescope was used to find the position of the Lunar Module in space so that its guidance computer could do the calculations needed to bring the module home. It does this using techniques that we’ve been using for centuries on land and still use today in space; although now it’s done with computer vision. It was used to align the craft to the stars. NASA used stars as the fixed reference points for the coordinate system used to locate objects in space. But how was this accomplished with great precision?

The alignment optical telescope did this by measuring two unknowns needed by the guidance computer. The astronaut would find the first value by pointing the telescope in the general area necessary to establish a reading, then rotate the first reticle (a horizontal line) on the telescope until it touched the correct star. A ring assembly was then adjusted, moving an Archimedes spiral etched onto the viewfinder. When the spiral touches the star you can read the second value, established by how far the ring has been rotated.

If you’ve ever seen the Lunar Module in person, your first impression might be to giggle a bit at how crude it is. The truth is that much of that crudeness was hard fought to achieve. They needed the simplest, lightest, and most reliable assembly the world had ever constructed. As [Bill Hammack] states at the end of the video, breaking the complicated tool usually used into two simple dials is an amazing engineering achievement.

Arduino + Software Defined Radio = Millions of Vulnerable Volkswagens

As we’ve mentioned previously, the integrity of your vehicle in an era where even your car can have a data connection could be a dubious bet at best. Speaking to these concerns, a soon-to-be published paper (PDF) out of the University of Birmingham in the UK states that virtually every Volkswagen sold since 1995 can be hacked and unlocked by cloning the vehicle’s keyfob via an Arduino and software defined radio (SDR).

The research team, led by [Flavio Garcia], have described two main vulnerabilities: the first requires combining a cryptographic key from the vehicle with the signal from the owner’s fob to grant access, while the second takes advantage of the virtually ancient HiTag2 security system that was implemented in the 1990s. The former affects up to 100 million vehicles across the Volkswagen line, while the latter will work on models from Citroen, Peugeot, Opel, Nissan, Alfa Romeo, Fiat, Mitsubishi and Ford.

Unexpected Betrayal From Your Right Hand Mouse

Some people really enjoy the kind of computer mouse that would not be entirely out of place in an F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left and open their garage door with a shifting to the right of that same button. However, can this power be used for evil, and not just frustrating guest users of their computer?

We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend. The mouse itself must be physically modified to add the vulnerability or feature. However, the advanced mice with macro support can be used as is for a vulnerability.

The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100 command limit on the macros for each button is more than enough to get a full reverse shell on the target computer.

Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.

LastPass Happily Forfeits Passwords to Simple Javascript

LastPass is a great piece of software when it comes to convenience, but a recent simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for its discovery.

LastPass’s auto-fill works by injecting some HTML into the website you’re visiting. It runs a bit of JavaScript to parse the URL. However, the parsing script was laughably vague. By changing the URL of the page, inserting a few meaningless-to-the-server slugs into the URL, an attacker could get LastPass to give it a password and username combo for any website.
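To show why a hand-rolled URL parser is dangerous for auto-fill decisions, here is an added example (not code from LastPass or from the original write-up) that compares a hypothetical naive host extractor with the standard WHATWG `URL` parser. The names `naiveHost`, `pageHost`, `credentialsFor`, `parserDisagreements`, the vault contents and the `.example` URLs are all constructed for illustration.

```javascript
// Constructed vault: one saved login, keyed by the host it belongs to.
const VAULT = new Map([
  ['bank.example', { username: 'alice', password: 'constructed-not-real' }],
]);

// HYPOTHETICAL hand-rolled parser (an assumption, not LastPass's code).
// It strips the scheme, then assumes the last "@" ends the userinfo part.
// "@" is also legal in paths and queries, so page-controlled text can
// end up being read as the host.
function naiveHost(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const afterAt = rest.slice(rest.lastIndexOf('@') + 1);
  return afterAt.split(/[\/?#:]/)[0].toLowerCase();
}

// Hardened form: the WHATWG URL parser, i.e. the same rules the browser
// uses to decide which server it is actually talking to.
function pageHost(url) {
  return new URL(url).hostname; // throws on malformed input
}

// Autofill decision: release a credential only for an exact host match.
function credentialsFor(url, hostFn) {
  let host;
  try { host = hostFn(url); } catch { return null; } // fail closed
  return VAULT.get(host) ?? null;
}

// Differential check: list inputs where the two parsers disagree.
function parserDisagreements(urls) {
  return urls.filter((u) => naiveHost(u) !== pageHost(u));
}

// Constructed sample URLs (reserved .example names).
const SAMPLES = [
  'https://bank.example/login',
  'https://BANK.example:443/a',
  'https://user@bank.example/login',
  'https://other.example/@bank.example',
  'https://other.example/?next=@bank.example',
];

for (const u of SAMPLES) {
  console.log(u, '| naive:', naiveHost(u), '| URL():', pageHost(u));
}
```

Running a differential check like `parserDisagreements` over a corpus of odd-looking URLs is a cheap regression test for any code that derives a security decision from a URL string.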

The discussion in the HackerNews comment section more or less unanimously agreed that most systems like this have their glaring flaws, but that the overall benefits of having secure passwords generated and managed by software were still worth the risk when compared to having a few commonly reused passwords over multiple sites.

One could get a more secure key manager by using software like KeePass, but it’s missing some of the convenience factor of remote-based services and relies on a user protecting their key files adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good because they force companies like LastPass, who have some very big name clients, to take their code review and transparency more seriously.

Root on the Philips Hue IoT Bridge

Building on the work of others (as is always the case!) [pepe2k] managed to get root access on the Philips Hue Bridge v2 IoT light controller. There’s nothing unusual here, really. Connect to the device over serial, interrupt the boot process, boot up open firmware, dump the existing firmware, and work the hacker magic from there.

Of course, the details are the real story. Philips had set U-Boot to boot the firmware from flash in zero seconds, not allowing [pepe2k] much time to interrupt it. So he desoldered the flash, giving him all the time in the world, and allowing him to change the boot delay. Resoldering the flash and loading up his own system let him dump the firmware.

The “hacker magic” glossed over in the intro consisted of poking around until he found a script that was called on every boot. This is how [pepe2k] gets around not knowing the root password. The script compares the hash of the typed password with an environment variable, set with the hash of the correct password. Changing that environment variable to the hash of his favorite password (“root”) made him master of the box.

And just in case you’re one of the few Hackaday readers who doesn’t understand why we do these things, besides the fact that it’s just fun, consider Philips’ (eventually retracted) clampdown on the interoperability of this very device, or Google’s red bricks. The fatal flaw of IoT devices is that they place you at the whims of companies who may decide that they’re not making enough money any more, and shut them down. Keep your hacking skills sharp.

Thanks [Jan] for the great tip!