YikYak

Yik Yak MITM Hack (Give The Dog A Bone)

Yik Yak is growing in popularity lately. If you are unfamiliar with Yik Yak, here’s the rundown. It’s kind of like Twitter, but your messages are only shared with people who are currently within a few miles of you. Also, your account is supposed to be totally anonymous. When you combine anonymity and location, you get some interesting results. The app seems to be most popular in schools. The anonymity allows users to post their honest thoughts without fear of scrutiny.

[Sanford Moskowitz] decided to do some digging into Yik Yak’s authentication system. He wanted to see just how secure this “anonymous” app really is. As it turns out, not as much as one would hope. The primary vulnerability is that Yik Yak authenticates users based solely on a user ID. There are no passwords. If you know the user’s ID number, it’s game over.

The first thing [Sanford] looked for was an encrypted connection to try to sniff out user IDs. It turned out that Yik Yak does actually encrypt the connection to its own servers, at least for the iPhone app. Not to worry, mobile apps always connect to other services for things like ad networks, user tracking, etc. Yik Yak happens to make a call to an analytics tool called Flurry every time the app is launched. Flurry needs a way to track the users for Yik Yak, so of course the Yik Yak app tells Flurry the user’s ID. What other information would the anonymous app have to send?

Unfortunately, Flurry disables HTTPS by default, so this initial communication is in plain text. That means that even though Yik Yak’s own communications are protected, the user ID is still exposed and vulnerable. [Sanford] has published a shell script to make it easy to sniff out these user IDs if you are on the same network as the user.

Once you have the user ID, you can take complete control over the account. [Sanford] has also published scripts to make this part simple. The scripts will allow you to print out every single message a user has posted. He also describes a method to alter the Yik Yak installation on a rooted iPhone so that the app runs under the victim’s user ID. This gives you full access as if you owned the account yourself.

Oh, there’s another problem too. The Android app is programmed to ignore bad SSL certificates. This means that any script kiddie can perform a simple man in the middle attack with a fake SSL certificate and the app will still function. It doesn’t even throw a warning to the user. This just allows for another method to steal a user ID.

So now you have control over some poor user’s account but at least they are still anonymous, right? That depends. The Yik Yak app itself appears to keep anonymity, but analyzing the traffic coming from the client IP address can make it trivial to identify a person. First of all, [Sanford] mentions that a host name can be a dead giveaway. A host named “Joe’s iPhone” might be a pretty big clue. Other than that, looking out for user names and information from other unencrypted sites is easy enough, and that would likely give you everything you need to identify someone. Keep this in mind the next time you post something “anonymously” to the Internet.
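The core flaw described above, as an added example that is not taken from [Sanford]’s scripts or from Yik Yak’s code: a hypothetical account store (`Accounts`, `analytics_payload` and every value are constructed for illustration) compares ID-only authentication with a design where the ID merely names the account, a separate secret token proves ownership, and the analytics call gets an unrelated random ID.

```python
import hashlib
import hmac
import secrets


class Accounts:
    """Hypothetical server-side account store (constructed, not Yik Yak's API)."""

    def __init__(self):
        self._token_hashes = {}  # user_id -> SHA-256 digest of the secret token

    def register(self):
        """Create an account and return (user_id, token, analytics_id)."""
        user_id = secrets.token_hex(8)        # identifier, not a secret
        token = secrets.token_urlsafe(32)     # credential, sent only to our own API over TLS
        analytics_id = secrets.token_hex(8)   # unrelated random ID for third-party tracking
        self._token_hashes[user_id] = hashlib.sha256(token.encode()).digest()
        return user_id, token, analytics_id

    def auth_id_only(self, user_id):
        """Weak pattern from the write-up: knowing the ID is enough."""
        return user_id in self._token_hashes

    def auth_with_token(self, user_id, token):
        """Hardened pattern: the ID selects the account, the token proves ownership."""
        presented = hashlib.sha256(token.encode()).digest()
        expected = self._token_hashes.get(user_id, bytes(32))
        # Constant-time compare; unknown IDs are checked against a dummy digest.
        return hmac.compare_digest(presented, expected) and user_id in self._token_hashes


def analytics_payload(analytics_id):
    """Third-party call carries only the tracking ID, never the account ID or token."""
    return {"event": "app_start", "uid": analytics_id}


def demo():
    accounts = Accounts()
    user_id, token, analytics_id = accounts.register()
    seen_on_wire = analytics_payload(analytics_id)["uid"]
    return {
        "weak_accepts_bare_account_id": accounts.auth_id_only(user_id),
        "hardened_rejects_bare_account_id": not accounts.auth_with_token(user_id, user_id),
        "hardened_accepts_owner": accounts.auth_with_token(user_id, token),
        "analytics_id_is_not_an_account": not accounts.auth_id_only(seen_on_wire),
    }


if __name__ == "__main__":
    print(demo())
```

With this split, a value exposed in a plain-text analytics request identifies nothing on the service and authenticates nothing.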

[via Reddit]

Reverse Engineering The Proto X Quadcopter Radio

Just a few years ago, palm sized radio controlled toys were nothing more than a dream. Today, you can find them at every mall, toy store, and hobby shop. [Alvaro] couldn’t resist the tiny Estes Proto X quadcopter. While he enjoyed flying the Proto X, he found that the tiny controller left quite a bit to be desired. Not a problem for [Alvaro], as he embarked on a project to reverse engineer the little quad.

Inside the quadcopter and its lilliputian radio, [Alvaro] found an STM8-based processor and an Amiccom A7105 2.4G FSK/GFSK transceiver. The A7105 is well documented, with datasheets easily obtained on the internet. The interface between the processor and the radio chip was the perfect place to start a reverse engineering effort.

With the help of his Saleae logic analyzer, [Alvaro] was able to capture SPI data from both the quadcopter and the transmitter as the two negotiated a connection. The resulting hex files weren’t very useful, so [Alvaro] wrote a couple of Python scripts to decode the data. By operating each control during his captures, [Alvaro] was able to reverse engineer the Proto X’s control protocol. He tested this by removing the microcontroller from the remote control unit and wiring the A7105 to a STM32F4 dev board. Connecting the STM32 to his computer via USB, [Alvaro] was able to command the quad to take off. It wasn’t a very graceful flight, but it did prove that his grafted control system worked. With basic controls covered, [Alvaro] knocked up a quick user interface on his computer. He’s now able to fly the quadcopter around using keyboard and mouse. Not only did this prove the control system worked, it also showed how hard it is to fly a real aircraft (even a tiny model) with FPS controls.

The Estes Proto X is actually manufactured by Hubsan, a China-based manufacturer best known for the x4 series of mini quadcopters. Since the Proto X and the x4 share the same communication protocol, [Alvaro]’s work can be applied to both. With fully computer controlled quads available for under $30 USD, we’re only a few cameras (and a heck of a lot of coding) away from cooperative drone swarms akin to those found in the University of Pennsylvania GRASP Lab.


The Epoch Christmas Tree

It’s that time of the year again, and the halls are being decked with trees, the trees covered in lights, and everyone working in retail is slowly going insane from Christmas songs piped over the PA. [Dan] has a tree and a bunch of programmable LEDs, but merely pumping jollity down that strip of LEDs wouldn’t be enough. The Nerd Quotient must be raised even higher with a tree that displays a Unix timestamp.

This build was inspired by an earlier, non-tree-based build that displays Unix time on a 32 LED array. That build used an ATMega328p for toggling LEDs on and off. This time around, [Dan] is using a dedicated LED controller – the AllPixel – that just wrapped up a very successful Kickstarter campaign. The AllPixel is, in turn, controlled by a Raspberry Pi running the BiblioPixel library.

The tree displays the current time stamp in binary across 32 spaces, with green representing a ‘one’ and a red representing ‘zero’. The top of the tree is the least significant bit, but in case [Dan] gets tired of the bottom of the tree staying completely still for the rest of this holiday season, he can switch the order making the base of the tree the LSB.


Trinket Everyday Carry Contest Drawing #2 Results

We’ve held our second drawing for the Trinket Everyday Carry Contest. This week we used a Pro Trinket to pick the random winner. The winner is [mikeneiderhauser] with his project WorkoutAid!

[Mike] loves hitting the gym, but hates pulling out his phone or fumbling with his headphones to change songs during his routine. WorkoutAid is designed to fix this problem. It’s essentially a Bluetooth media display and remote. Track metadata will be displayed on a 128×64 OLED. 6 buttons will allow the user to change tracks, volume, or perform other functions. The whole device will communicate with a custom Android application through an RN42X Bluetooth radio.

We hope [Mike] enjoys his new Cordwood Puzzle from The Hackaday Store. No jigsaws here, cordwood is a puzzle that involves solder! It’s built using the cordwood assembly technique which was popular in the 1950s and 1960s. We’re not kidding about it being a puzzle either – there are no instructions for this kit! [Mike] will know he’s got it right when all 3 LEDs light up.

If you didn’t win this week, don’t worry, there are still three more chances to win a random drawing! Our next drawing will be on 12/16/2014 at 9pm EST. The prize will be the ever handy Bus Pirate V3.6. To be eligible you need to submit your project as an official entry and publish at least one project log during the week.

The deadline for the big contest is January 2, 2014! More than 60 projects are entered so far, but only the top 50 will receive custom t-shirts. The top three projects will win some seriously awesome prizes, including a Rigol DS1054Z Oscilloscope, a Fluke 179 meter, and a Hakko/Panavise soldering bundle.

So what are you waiting for? Get off the couch and get hacking!

Digging Into The APA102 Serial LED Protocol

[Tim] got his hands on some APA102 RGB LEDs, which are similar in function to the common WS2812 addressable LEDs seen in many projects we’ve featured. The advantage of APA102 LEDs is that they don’t have the strict timing requirements of the WS2812. These LEDs are controlled with a SPI bus that can be clocked at any arbitrary rate, making them easy to use with pretty much any microcontroller or embedded system.

After working with the LEDs, [Tim] discovered that the LEDs function a bit differently than the datasheet led him to believe. [Tim] controlled a strand of APA102 LEDs with an ATtiny85 and connected a logic analyzer between some of the LEDs. He discovered that the clock signal of the SPI interface isn’t just passed through each LED, it actually looks like it’s inverted on the output. After some investigation, [Tim] found that the clock signal is delayed by a half period (which looks like an inversion) before it’s passed to the next LED. This gives the next LED in the strand enough time for data on the data line to become valid before latching it in.

Since the clock is delayed, [Tim] discovered that additional bits must be clocked as an “end frame” to generate clock signals which propagate the remaining data to the end of the strand. Although the datasheet specifies a 32-bit end frame, this only works for strings of up to 64 LEDs. More bits must be added to the end frame for longer strands, which the datasheet doesn’t even mention. Check out [Tim]’s post for more information, where he walks you through his logic analysis of the APA102 LEDs.
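The end-frame sizing described above, worked through as an added example (not [Tim]’s code): it assumes the half-period-per-LED relationship implied by the 32-bit/64-LED figure, the datasheet’s all-ones end-frame fill, and the usual APA102 LED frame layout (three 1 bits, 5-bit brightness, then blue, green, red); all function names are hypothetical.

```python
START_FRAME = bytes(4)  # 32 zero bits open every transfer


def max_leds_for_end_frame(end_bits):
    """Each LED delays the clock by half a period, so one end-frame bit serves two LEDs."""
    return 2 * end_bits


def end_frame_len(num_leds):
    """End-frame length in bytes: ceil(num_leds / 2) bits, never below the datasheet's 32."""
    if num_leds < 0:
        raise ValueError("num_leds must be non-negative")
    bits = max(32, (num_leds + 1) // 2)
    return (bits + 7) // 8  # SPI hardware sends whole bytes


def led_frame(red, green, blue, brightness=31):
    """One 32-bit LED frame: 0b111 + 5-bit brightness, then blue, green, red."""
    if not 0 <= brightness <= 31:
        raise ValueError("brightness must be 0..31")
    for channel in (red, green, blue):
        if not 0 <= channel <= 255:
            raise ValueError("colour channels must be 0..255")
    return bytes([0xE0 | brightness, blue, green, red])


def build_stream(pixels, brightness=31):
    """Bytes to clock out over SPI for a strand; pixels is a list of (r, g, b) tuples."""
    body = b"".join(led_frame(r, g, b, brightness) for r, g, b in pixels)
    # Assumption: 0xFF fill as in the datasheet's end frame.
    return START_FRAME + body + b"\xff" * end_frame_len(len(pixels))


if __name__ == "__main__":
    for n in (1, 64, 65, 144):
        print(n, "LEDs ->", end_frame_len(n), "end-frame bytes")
```

A 144-LED strand therefore needs 9 end-frame bytes, more than twice the 4 the datasheet specifies.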

12 Mbps Communication Between A PC And MCU

The world of hobby electronics has only started putting USB in projects for the last few years, and right now, pushing 1.5 Mbps down a USB port is good enough for most cases. This isn’t true for all cases; that’s a terrible data rate, really, and to get the most out of a USB connection, you can at least move up to USB Full Speed and 12 Mbps.

[Linas] is using the STM32F4 microcontroller for this example, an extremely large and very capable chip. [Linas] is using FTDI’s FT2232D USB UART to send data from an SPI port over USB. This chip does support 12 Mbps, but only after a few additions; an external EEPROM must be connected to the FTDI chip to provide a USB 2.0 device descriptor, otherwise the connection between the microcontroller and a computer is limited to 1.5 Mbps. Even using the USB on the STM32 would be a bottleneck in this case; [Linas] is moving data out of the processor using only the DMA controller – using the USB on the STM32 would eat up processor cycles in the microcontroller.

Thanks to the DMA controller inside the STM32, the microcontroller is capable of sending and receiving data through SPI at the same time. The STM32 is capable of reading and writing to the Tx and Rx buffer at the same time, but the computer is only capable of half-duplex operation – it can only read or write at any one time. [Linas] is setting up the DMA controller on the STM32 in circular mode, putting everything in the buffer into the FTDI chip, and reading everything sent from the computer back into the STM32’s memory. After counting off the correct number of packets, the controller resets everything, moves the circular buffer back to the beginning, and starts the whole process over again.

The circuit was prototyped with an STM Discovery board. With Labview, [Linas] can see the bits coming out of the microcontroller, and send some bits back to the micro over USB. [Linas] has an extraordinarily detailed video tutorial on this project. You can check that out below.


A Calculator With Free Software And Open Hardware

We’re fond of open source things here. Whether it’s 3D printers, circuit modeling software, or a global network of satellite base stations, the more open it is the more it improves the world around us. [Pierre Parent] and [Ael Gain] have certainly taken these values to heart with their open handheld graphing calculator.

While the duo isn’t giving away the calculators themselves, they are releasing all of the hardware designs so that anyone can build this calculator. It’s based on an imx233 processor because this chip (and most everything else about this calculator) is easy to source and easy to use. That, and there is a lot of documentation on it that is in the public domain. All of the designs, including the circuit board and CAD files for the case, are available to anyone who is curious, or wants to build their own.

The software on the calculator (and the software that was used to design the calculator) is all free software too. The calculator runs Linux (of course) and a free TI simulator environment in the hopes of easing the transition of anyone who grew up using TI’s graphing calculators. The project is still in a prototype phase, but it looks very promising. Even though the calculator can already run Pokemon, maybe one day it will even be able to run Super Smash Bros as well!