D-Link Router Captcha Broken


We reported last week that D-Link was adding captchas to their routers to prevent automated login by malware. Unsurprisingly, it doesn’t work all the time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages can be accessed without passing the authentication. One of these is WPS activation. WPS lets you do push-button WPA configuration. Once activated, any nearby client can request the WPA key using a tool like WPSpy. Only user-level credentials are needed to pull this off, so changing just the admin password won’t prevent it.

[photo: schoschie]

HVACMonitor: Web Enabled Monitoring


[Marc] submitted this project he’s been building. It’s a web-enabled HVAC monitoring system. He’s using a pic-web development board with a custom I/O daughter board to control the HVAC system. The project allows for the system to be monitored and controlled via the web. It should be able to interface with most commercial and residential systems. As usual, schematics and source files are available on his site.

Goggle Camera Mod


[Will] submitted his ski goggle mod. He has mounted an Oregon Scientific ATC3K digicam in his goggles. This should make recording ski trips a lot easier. Most of the electronics fit just fine in the mask, though he did need to use an IDE cable to extend parts of it to the custom pack mounted on the strap. We’re also curious how much wind noise he’s going to get on that microphone.