Yik Yak MITM Hack (Give the Dog a Bone)

Yik Yak is growing in popularity lately. If you are unfamiliar with Yik Yak, here’s the run down. It’s kind of like Twitter, but your messages are only shared with people who are currently within a few miles of you. Also, your account is supposed to be totally anonymous. When you combine anonymity and location, you get some interesting results. The app seems to be most popular in schools. The anonymity allows users to post their honest thoughts without fear of scrutiny.

[Sanford Moskowitz] decided to do some digging into Yik Yak’s authentication system. He wanted to see just how secure this “anonymous” app really is. As it turns out, not as much as one would hope. The primary vulnerability is that Yik Yak authenticates users based solely on a user ID. There are no passwords. If you know the user’s ID number, it’s game over.

The first thing [Sanford] looked for was an encrypted connection to try to sniff out User ID’s. It turned out that Yik Yak does actually encrypt the connection to its own servers, at least for the iPhone app. Not to worry, mobile apps always connect to other services for things like ad networks, user tracking, etc. Yik Yak happens to make a call to an analytics tool called Flurry every time the app is fired. Flurry needs a way to track the users for Yik Yak, so of course the Yik Yak App tells Flurry the user’s ID. What other information would the anonymous app have to send?

Unfortunately, Flurry disables HTTPS by default, so this initial communication is in plain text. That means that even though Yik Yak’s own communications are protected, the User ID is still exposed and vulnerable. [Sanford] has published a shell script to make it easy to sniff out these user ID’s if you are on the same network as the user.

Once you have the user ID, you can take complete control over the account. [Sanford] has also published scripts to make this part simple. The scripts will allow you to print out every single message a user has posted. He also describes a method to alter the Yik Yak installation on a rooted iPhone so that the app runs under the victim’s user ID. This gives you full access as if you owned the account yourself.

Oh, there’s another problem too. The Android app is programmed to ignore bad SSL certificates. This means that any script kiddie can perform a simple man in the middle attack with a fake SSL certificate and the app will still function. It doesn’t even throw a warning to the user. This just allows for another method to steal a user ID.

So now you have control over some poor user’s account but at least they are still anonymous, right? That depends. The Yik Yak app itself appears to keep anonymity, but by analyzing the traffic coming from the client IP address can make it trivial to identify a person. First of all, [Sanford] mentions that a host name can be a dead giveaway. A host named “Joe’s iPhone” might be a pretty big clue. Other than that, looking out for user names and information from other unencrypted sites is easy enough, and that would likely give you everything you need to identify someone. Keep this in mind the next time you post something “anonymously” to the Internet.

[via Reddit]

Tweet Messages from Punch Cards

It all started with a conversation about the early days of computing. The next thing he knew, [Tim Jagenberg’s] colleague gave him a stack of punch cards and a challenge.  [Tim] attempted to read them with a mechanical contact and failed.  Undeterred, he decided to make a punch card-to-keyboard interface using optical parts from disassembled HP print stations.  Specifically, he took apart the slotted optical interrupter switches to use their IR-LEDs and photo-transistors. Next, [Tim] drilled holes into two pieces of plastic, gluing the LEDs on one piece of plastic and the photo-transistors on the other. The photo-transistors tell the Teensy 3.1 whenever a hole is detected.

[Tim] developed an interpreter on the Teensy that reads the punch card according to IBM model 029 keypunch codes. The Teensy enumerates as a USB keyboard when connected to a computer. As a punch card is read, the Teensy outputs the decoded characters as key presses.  When a punch card has been completely read, an ‘Enter’ key press is transmitted.  Tweeting the punch cards is no more complicated than typing the text yourself. Naturally, the first message posted on Twitter from the stack of punch cards was “Hello World!”  [Tim’s] binary and source code is available for download on Github.

We’ve enjoyed covering the backstory of the punch card and a previous project reading these cards using a digital camera setup. It’s always interesting to see the clever ways people use current technology and can-do attitude to read data from obsolete systems that would otherwise be lost.  We wonder what is on the rest of those punch cards?  Let’s hope [Tim] has more punch card tweets soon!

Twittering Chicken Coops, Batman!

By now you’ve seen almost anything Tweet. But have you seen the (French) twittering chicken coop? (Google translate link) [Hugo] had kept two chickens as part of a household-waste reduction campaign, and then afterward started work.

Even if you don’t read French, the chickens’ twitter feed basically tells the story.

The setup can take IR photographs of sleeping chickens and notify [Hugo] when it’s time to collect the eggs. Naturally, an abundance of other sensors are available. The coop can tweet based on ambient temperature, nest temperature, light level, motion sensor status, or the amount of remaining chicken feed. You can easily follow whether the two fowl are in the coop or out in the yard. It’s like Big Brother, only for birds.

The application is, frankly, ridiculous. But if you’re into home (or coop) automation, there’s a lot to be learned and the project is very well documented. [Hugo] used OpenCV for visual egg detection, and custom Python code to slightly randomize the tweets’ text. All of these details are up on his Github account.

And if you just can’t get enough chicken-coop hacks, be sure to check out this mobile chicken coop, this coop in the shape of a golden spiral, or this Bluetooth-enabled, talking chicken coop, among others. You’d think our name was Coop-a-Day.

Bluetooth Thingies at Maker Faire

In case you haven’t noticed, one of the more popular themes for new dev boards is Bluetooth. Slap a Bluetooth 4.0 module on a board, and you really have something: just about every phone out there has it, and the Low Energy label is great for battery-powered Internets of Things.

Most of these boards fall a little short. It’s one thing to throw a Bluetooth module on a board, but building the software to interact with this board is another matter entirely. Revealing Hour Creations is bucking that trend with their Tah board. Basically, it’s your standard Arduino compatible board with a btle module. What they’ve done is add the software for iOS and Android that makes building stuff easy.

Putting Bluetooth on a single board is one thing, but how about putting Bluetooth on everything. SAM Labs showed off their system of things at Maker Faire with LEDs, buttons, fans, motors, sensors, and just about every electrical component you can imagine.

All of these little boards come with a Bluetooth module and a battery. The software for the system is a graphical interface that allows you to draw virtual wires between everything. Connect a button to a LED in the software, and the LED will light up when the button is pressed. Move your mouse around the computer, and the button will turn on a motor when it’s pressed.

There are a few APIs that also come packaged into the programming environment – at the booth, you could open a fridge (filled with cool drinks that didn’t cost five dollars, a surprise for the faire) and it would post a tweet.

Roll with Dicebot, the Tweeting Dice Roller

dicebot

[David] modernized a 1920’s dice rolling game to bring us DiceBot, a twitter enabled dice rolling robot. DiceBot started with an antique dice tin. The original tin was human controlled. Pushing a button on the side of the tin would spin the bottom, rolling the dice.

It’s a bit hard to push a button from across the world, so [David] added a small motor to spin the tin. He connected the motor to a simple L298 motor driver chip, and wired that up to a Raspberry Pi. The Pi runs a few custom Ruby scripts which get it on the internet and connect to the Twitter API.

Operation is pretty straightforward. A tweet to @IntrideaDiceBot with the hashtag #RollTheDice will cause the Dicebot to spin up the dice. Once things have settled, DiceBot captures an image with its Raspberry Pi camera. The dice values are checked using OpenCV. The results are then tweeted back, and displayed on DiceBot’s results page.

Continue reading “Roll with Dicebot, the Tweeting Dice Roller”

Oinker is Twitter for HAMs

oinker

Have you ever wanted to send a quick message to your HAM radio buddies over the air but then realized you forgot your radio at home? [Troy] created Oinker to remedy this problem. Oinker is a Perl script that turns emails into audio.

The script monitors an email account for new messages and then uses the Festival text-to-speech engine to transform the text into audio. [Troy] runs Oinker on a Raspberry Pi, with the Pi’s audio output plugged directly into an inexpensive ham radio. The radio is then manually tuned to the desired transmit frequency. Whenever Oinker see’s a new email, that message is converted into speech and then output to the transmitter.

The script automatically appends your HAM radio call sign to the end of every message to ensure you stay within FCC regulations. Now whenever [Troy] runs into some bad traffic on the road, he can send a quick SMS to his email address and warn his HAM radio buddies to stay clear of the area.