“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID cards, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, given on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over the years, and the NXP chip is just NFC built around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speed-ups by ensuring the chip was waking from suspend mode (150 µs) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that, so if you have details about what those blocks actually consist of, please let us know in the comments below.
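For anyone reading a trace of such an exchange, the following is an added example, not code from the talk or the original post. It assumes “I/S/R blocks” refers to the three block classes of the ISO/IEC 14443-4 transmission protocol (information, receive-ready, supervisory) and decodes the protocol control byte that opens each block; the function names are hypothetical and the sample frames are constructed with the CRC already stripped.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { BLK_INVALID, BLK_I, BLK_R_ACK, BLK_R_NAK,
               BLK_S_DESELECT, BLK_S_WTX } block_type;
typedef struct {
    block_type type;
    unsigned block_number;      /* b1; meaningful for I- and R-blocks */
    int chaining;               /* b5 of an I-block: more blocks follow */
    size_t inf_offset, inf_len; /* payload position (CRC assumed stripped) */
} block_info;

/* Classify the protocol control byte (PCB), the first byte of every block. */
block_type classify_pcb(uint8_t pcb) {
    switch (pcb & 0xC0) {           /* b8..b7 select the block class */
    case 0x00:                      /* I-block: b6 = 0, b2 = 1 */
        return (pcb & 0x22) == 0x02 ? BLK_I : BLK_INVALID;
    case 0x80:                      /* R-block: b6 = 1, b3 = 0, b2 = 1 */
        if ((pcb & 0x26) != 0x22) return BLK_INVALID;
        return (pcb & 0x10) ? BLK_R_NAK : BLK_R_ACK;
    case 0xC0:                      /* S-block: b3 = 0, b2 = 1, b1 = 0 */
        if ((pcb & 0x07) != 0x02) return BLK_INVALID;
        if ((pcb & 0x30) == 0x00) return BLK_S_DESELECT;
        return (pcb & 0x30) == 0x30 ? BLK_S_WTX : BLK_INVALID;
    }
    return BLK_INVALID;             /* b8..b7 = 01 is not a defined class */
}

/* Split one block into header and INF; type is BLK_INVALID if malformed. */
block_info parse_block(const uint8_t *f, size_t len) {
    const block_info bad = { BLK_INVALID, 0, 0, 0, 0 };
    if (!f || len == 0) return bad;
    block_type t = classify_pcb(f[0]);
    size_t hdr = 1 + ((f[0] & 0x08) != 0);          /* b4: CID byte follows */
    if (t == BLK_I && (f[0] & 0x04)) hdr++;         /* b3: NAD byte follows */
    if (t == BLK_INVALID || len < hdr) return bad;  /* unknown PCB or truncated */
    block_info ok = { t, f[0] & 0x01u, t == BLK_I && (f[0] & 0x10), hdr, len - hdr };
    return ok;
}

int main(void) { /* constructed sample blocks, not captured traffic */
    const uint8_t t[3][5] = {{0x02,0x00,0xA4,0x04,0x00}, {0xF2,0x01}, {0xA3}};
    const size_t n[3] = {5, 2, 1};
    for (int i = 0; i < 3; i++) {
        block_info b = parse_block(t[i], n[i]);
        printf("PCB %02X type=%d inf_len=%zu\n", t[i][0], (int)b.type, b.inf_len);
    }
    return 0;
}
```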

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some source code hints.

Remotely Controlling a Not-So-Miniature Hot Air Balloon

Calling [Matt Barr]’s remote controlled hot air balloon a miniature is a bit misleading. Sure, it’s small compared with the balloons that ply cold morning skies with paying passengers and a bottle of champagne for the landing. Having been in on a few of those landings, we can attest to the size of the real thing. They’re impressively big when you’re up close to them.

While [Matt]’s balloon is certainly smaller, it’s not something you’d just whip together in an afternoon. Most of [Matt]’s build log concentrates on the gondola and its goodies — the twin one-pound camp stove-style propane tanks, their associated plumbing, and the burner, a re-tasked propane weed torch from Harbor Freight. Remote control is minimal; just as in a full-size balloon, all the pilot can really do is turn the burner on or off. [Matt]’s approach is a high-torque RC servo to control the burner valve, which is driven by an Arduino talking to the ground over a 2.4-GHz RF link. The balloon is big enough to lift 30 pounds and appears to be at least 12 feet tall; we’d think such a craft would run afoul of some civil aviation rules, so perhaps it’s best that the test flight below was a tethered one.

Sadly, no instructions are included for making the envelope, which would be a great excuse for anyone to learn a little about sewing. And knowing how to roll your own hot air balloon might come in handy someday.

Zero-Intrusion Wireless Light Switch

What do you do if your light switch is too far from your desk, and you’re in a rental property so you can’t put in extra wiring to install an electronic control for it? Get up and turn it on or off by hand? Of course not!

If you are [Guyfromhe], you solve this problem with a servo attached to a screw-on light switch faceplate, and you control it with a pair of Arduino/nRF24L01 combos. It’s a pretty simple arrangement: the wireless link simply takes the place of a serial cable that instructs the Arduino on the light switch to operate the servo that in turn moves the switch. The whole thing is triggered through his home automation system, which in turn responds to an Amazon Dash button on his desk. Yes, it’s complex. But turning on the light has been automated without intrusion into his landlord’s domain, and that’s all that matters.

On a more serious note, he’s put some Arduino code up in his write-up, as well as a YouTube video we’ve put below the break.

Robot Hand Goes Wireless

We can’t decide if [MertArduino’s] robotic hand project is more art or demonstration project. The construction using springs, fishing line, and servo motors isn’t going to give you a practical hand that could grip or manipulate anything significant. However, the project shows off a lot of interesting construction techniques and is a fun demonstration for using nRF24L01 wireless in a project. You can see a video of the contraption, below.

A glove uses homemade flex sensors to send wireless commands to the hand. Another Arduino drives an array of servo motors that make the fingers flex. You don’t get fine control, nor any real grip strength, but the hand more or less will duplicate your movements. We noticed one finger seemed poorly controlled, but we suspect that was one of the homemade flex sensors going rogue.

Interactive Game Board Helps Toddler Learn Colors and Shapes

Most parents would do anything to enrich their kids’ worlds and teach them what they need to know. Hacker parents often take it one step further by modifying the kid’s world to allow them to work past a disability. To wit we have an interactive game board to help a toddler learn her shapes and colors.

The toddler in question is [Becca], and her needs are special because of the progressive nature of the blindness that will result from her Usher Syndrome. [Becca] will need visual acuity testing much earlier than most toddlers, but a standard eye chart is meaningless to kids before they get their letters. This is where Lea shapes come in – a set of four shapes that are used to make visual testing a game and help practitioners assess what a child can and cannot see.

[Jake] and his wife [Beth] were advised to familiarize [Becca] with the shapes, but all she wanted to do was eat the printed sheet. In order to make the task more entertaining, [Jake] built an interactive board where brightly colored Lea shapes trigger the room lights to change to the same color as the block when it’s inserted into the correct spot on the board, as a visual reward. Reed switches, magnets, and an Arduino comprise the game logic, and the board communicates to the Philips Hue smart bulbs over an NRF24L01. The video below also shows some cool under-bed lights and a very engaged [Becca] learning her shapes and colors.

As we expected when we last covered his efforts to help [Rebecca], [Jake] has leveraged the Raspberry Pi he used as a hub for the stairwell lighting project. We’re looking forward to seeing what else he comes up with, and to see how [Becca] is thriving.

Sentry Robot Turns Bad Cat to Good

The household of [James Watts] has cats, and those cats have decided that various spots of carpet are just great for digging up with their claws. After some efforts at training the cats, [James] enlisted a robotic cat trainer with remote wireless sensors. The automated trainer does only one job, but it does that one job reliably and tirelessly, which is just what is needed in this case. A task like “automate training the cats to stop clawing the carpet” is really made up of many smaller problems, and [James] implemented a number of clever ideas in his solution.

First of all, the need for an automated solution has a lot to do with how pets form associations, and the need to have the negative reinforcement be in the right place at the right time to be effective. A harmless spritz of water in this case is used for correction and needed to be applied immediately, consistently, and “from out of nowhere” (instead of coming from a person.) Otherwise, as [James] discovered, spraying water when the cats clawed the carpet simply meant that they stopped doing it when he was around.

There were a number of tricky problems to solve in the process. One was how to reliably detect cats actually clawing the carpet. Another was how to direct the harmless spray of water to only the spot in question, and how to rig and manage a water supply without creating another mess in the process. Finally, the whole thing needed to be clean and tidy; a hackjob with a mess of wires strung everywhere just wouldn’t do.

To achieve all this, [James] created a main sprayer unit that is wirelessly connected to remote sensor units using NRF24L01+ serial packet radios. When a remote senses that a trouble spot is being clawed, the main unit uses an RC servo to swivel a spray nozzle in the correct direction and give the offending feline a watery reminder.

The self-contained remote sensors use an accelerometer to detect the slight lifting of the carpet when it’s being clawed. [James] programmed the MMA8452Q three axis accelerometer to trigger an external pin when motion is sensed above a certain threshold, and this event is sent over the wireless link.

For the main sprayer unit itself, [James] cleverly based it around an off-the-shelf replacement windshield washer tank. With an integrated pump, tubing, and assortment of nozzles there was no need to design any of those elements from scratch. If you want to give the project a shot, check out the github repository — probably worth it, since one night is all it took to change the cat behavior, which explains the lack of any action video.

Pet projects usually center around automating the feeding process, but it’s nice to see other applications. For something on the positive-reinforcement end of training, check out this cat exercise wheel that integrates a treat dispenser to encourage an exercise regimen.

PIC Mesh, Accessible Distributed Networking

Wireless networks have been reduced to a component, for most of us. We fit a device, maybe an ESP8266 module or similar, and as if by magic a network exists. The underlying technology has been abstracted into the firmware of the device, and we never encounter it directly. This is no bad thing, because using wireless communication without having to worry about its mechanics gives us the freedom to get on with the rest of our work.

It is however interesting once in a while to take a look at the operation of a real wireless network, and [Alex Wong], [Brian Clark], and [Raghava Kumar] have given us a project with the opportunity to do just that. Their PIC Mesh university project is a distributed wireless mesh network using 2.4GHz NRF24L01 transceiver modules and PIC32 microcontrollers. They have it configured for demonstration purposes with a home automation system at the application layer, however it could be applied to many other applications.

The real value in this project is in its comprehensive but easy to read write-up of the kind you’d expect from a university project. The front page linked above has an overview of how the mesh works, but there are also pages taking us through the hardware, the networking software layer, and the home automation application layer. If you have ever wanted to understand a simple mesh networking system, this is a good place to start.

We’ve covered quite a few mesh networks over the years, but sadly we can only link you to a few of them. We’ve had a mesh network using the Raspberry Pi, Project Byzantium’s “ad-hoc wireless mesh networking for the zombie apocalypse“, and a 1000-node Xbee network for testing purposes.