Security Problems with Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, or raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial-to-TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems have the ability to be password protected, but Rapid7’s findings indicate that many of them are left wide open.

The vulnerability was initially reported to Rapid7 by [Jack Chadowitz]. He discovered the problem due to his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid7 for assistance in investigating the issue on a much larger scale.

Rapid7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid7 believes that attackers may be able to reconfigure alarm thresholds, reset the system, or otherwise disrupt operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.
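For station operators who want to check whether their gauges are reachable from outside the VPN, here is an added example (not code from Rapid7 or the original article) that audits firewall connection records for port 10001. The log format, the VPN pool `10.8.0.0/24` and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

ATG_PORT = 10001  # most common ATG TCP port, per the article
# Assumption: technicians reach the gauges only through this VPN address pool.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed log format: "<time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
2015-01-23T10:00:01Z ALLOW TCP 10.8.0.14:50211 -> 192.0.2.10:10001
2015-01-23T10:02:17Z ALLOW TCP 203.0.113.7:41822 -> 192.0.2.10:10001
2015-01-23T10:02:19Z ALLOW TCP 198.51.100.23:60110 -> 192.0.2.10:10001
2015-01-23T10:05:40Z DENY TCP 203.0.113.7:41901 -> 192.0.2.11:10001
2015-01-23T10:06:02Z ALLOW TCP 203.0.113.7:41950 -> 192.0.2.10:443
garbled line that the parser must skip
"""

def exposed_atgs(log_text):
    """Map each ATG address to the non-VPN sources that were ALLOWED to reach it."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record
        _, action, src, _, dst, dport = m.groups()
        # Only accepted connections to the ATG port count as exposure.
        if int(dport) != ATG_PORT or action != "ALLOW":
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # e.g. an octet above 255
        if not any(src_ip in net for net in VPN_NETS):
            exposed[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}

if __name__ == "__main__":
    for atg, sources in exposed_atgs(SAMPLE_LOG).items():
        print(f"{atg}:{ATG_PORT} reachable from outside the VPN: {', '.join(sources)}")
```

Any gauge listed in the result accepted a connection that did not originate from the VPN pool, which means the firewall rule in front of it needs tightening.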

[Thanks Ellery]

DIY USB Stereo Headphone Amplifier

The biggest and best audiophile projects are usually huge tube amps, monstrous speaker cab builds, or something else equally impressive. It doesn’t always have to be that way, though, as [lowderd] demonstrates with a tiny DIY USB DAC build that turns a USB port into a headphone output.

In the Bad Old Days™ putting a DAC on a USB bus would require some rather fancy hardware and a good amount of skill. These days, you can just buy a single chip USB stereo DAC that still has very good specs. [lowderd] used the TI PCM2707 USB DAC, a chip that identifies as a USB Audio Class 1.0 device, so no drivers are needed for it to work in either Windows or OS X.

The circuit fits on a tiny PCB with a USB port on one side, a headphone jack on the other, and the chip and all related components in between. There are some pins on the chip that allow for volume, play/pause, and skip, but these pins were left unconnected for the sake of simplicity.

The board was fabbed up at OSH Park, and the second revision of the case was laser cut out of bamboo and acrylic by Ponoko. It’s a great looking little box, and something that fits right inside [lowderd]’s headphone case.

Reprogramming Super Mario World from Inside The Game

[SethBling] recently set a world record speed run of the classic Super Nintendo game Super Mario World on the original SNES hardware. He managed to beat the game in five minutes and 59.6 seconds. How is this possible? He actually reprogrammed the game by moving specific objects to very specific places and then executing a glitch. This method of beating the game was originally discovered by Twitch user [Jeffw356] but it was performed on an emulator. [SethBling] was able to prove that this “credits warp” glitch works on the original hardware.

If you watch the video below, you’ll see [SethBling] visit one of the first available levels in the game. He then proceeds to move certain objects in the game to very specific places. What he’s doing here is manipulating the game’s X coordinate table for the sprites. By moving objects to specific places, he’s manipulating a section of the game’s memory to hold specific values in a specific order. It’s a meticulous process that likely took a lot of practice to get right.

Once the table was set up properly, [SethBling] needed a way to get the SNES to execute the X table as CPU instructions. In Super Mario World, there are special items that Mario can obtain that act as a power up. For example, the mushroom will make him grow in size. Each sprite in the game has a flag to tell the SNES that the item is able to act as a power up. Mario can either collect the power up by himself, or he can use his friendly dinosaur Yoshi to eat the power up, which will also apply the item’s effects to Mario.

The next part of the speed run involves something called the item swap glitch. In the game, Mario can collect coins himself, or Yoshi can also collect them by eating them. A glitch exists where Yoshi can start eating a coin, but Mario jumps off of Yoshi and collects the coin himself simultaneously. The result is that the game knows there is something inside of Yoshi’s mouth but it doesn’t know what. So he ends up holding an empty sprite with no properties. The game just knows that it’s whatever sprite is in sprite slot X.

Now comes the actual item swap. There is an enemy in the game called Chargin’ Chuck. This sprite happens to have the flag set as though it’s a power up. Normally this doesn’t matter because it also has a set flag to tell the game that it cannot be eaten by Yoshi. Also, Chuck is an enemy so it actually hurts Mario rather than act as a power up. So under normal circumstances, this sprite will never actually act as a power up. The developers never programmed the game to properly handle this scenario, because it was supposed to be impossible.

If the coin glitch is performed in a specific location within the level, a Chargin’ Chuck will spawn just after the coin is collected. When the Chuck spawns, it will take that empty sprite slot and suddenly the game believes that Yoshi is holding the Chuck in his mouth. This triggers the power up condition, which as we already know was never programmed into the game. The code ends up jumping to an area of memory that doesn’t contain normal game instructions.

The result of all of this manipulation and glitching is that all of the values in the sprite X coordinate table are executed as CPU instructions. [SethBling] set up this table to hold values that tell the game to jump to the end credits. The console executes them and does as commanded, and the game is over just a few minutes after it began. The video below shows the speed run but doesn’t get too far into the technical details, but you can read more about it here.

This isn’t the first time we’ve seen this type of hack. Speed runs have been performed on Pokemon with very similar techniques. Another hacker managed to program and execute a version of single player pong all from within Pokemon Blue. We can’t wait to see what these game hackers come up with next.

Save Data from Old Scopes with a GPIB Disk Emulator

If you still use old test equipment on a regular basis, you probably have been frustrated by the lack of options for pulling data off these aging devices. Many higher-end devices are equipped with GPIB ports, which are general purpose buses for communicating with a variety of obsolete peripherals. Since GPIB disk drives aren’t too common (or practical) these days, [Anders] made a GPIB adapter that emulates a disk drive and stores data to an SD card.

[Anders] designed a PCB with a PIC microcontroller that plugs into a GPIB port. The PIC emulates a disk drive using the AMIGO protocol or the SS/80 protocol, which can be selected in a configuration file on the SD card. Most test equipment supports one of these two protocols, so his adapter should work with pretty much any GPIB-equipped kit.

Data is saved to a single image file on the SD card, which is encoded in a native HP disk format. The image file can be opened on Windows and Linux with some utilities that [Anders] mentioned on his project page. If you have any old test equipment with GPIB lying around and want to build your own, the schematic and source code are up on his site, or [Anders] is selling bare boards.

Now if it’s a protocol converter that you need we’ve seen those in a couple of different varieties.

Laser Etched Surface Redefines Dry

Just the other day we stood in the kitchen making eggs, staring suspiciously at a long scratch carved in the center of the frying pan. With all the articles passing through social media prompting us to be wary of things in our environment that are supposedly killing us, Teflon included, I wondered to myself if humans would ever start coming up with solutions to daily problems… like sticky eggs, which don’t involve the use of complex chemicals. Alas, the universe responds with uncanny timing. A group of researchers led by [Chunlei Guo] from Rochester University’s Institute of Optics has recently published their development of a surface textured by lasers which repels fluid like a rubber ball… without any chemical treating involved. You really need to see this happen in the video below.

This physical magic trick gets its inspiration from nature, mimicking properties of surface tension from living things that repel water such as lotus leaves or butterfly wings. To achieve a similar effect, a precision laser is used to etch nanoscale patterns onto metal which change the surface properties in such a way that fluid molecules prefer not to stick. The benefit to texturizing a material’s surface as opposed to glazing it in some other repellant, is that the pattern becomes intrinsically part of the surface structure and will not fade over time the way a chemical seal will chip or flake. This hydrophobic technology could improve the way we keep surfaces sanitary as well as lend itself to new methods of frost prevention. Not to mention the dozens of other less important applications that we’ve just thought of for our own amusement.

In addition to creating the hydrophobic surface, the Institute of Optics has employed similar tactics to come up with a material capable of absorbing fluid and carrying it upward swiftly against gravity. With the knowledge of physics and the power of lasers combined, we’re glad to see humans coming up with smarter ways to manipulate the world we live in for a more comfortable daily life.


When PayPal And Crowdfunding Don’t Mix

For the last decade or so, PayPal has drawn the ire of Internet commentators and people who try to do business on the Internet. The claims go from freezing the accounts of non-profits for months, earning interest all the while, ineffectual support, and generally behaving exactly like a bank but without all those nifty consumer protection laws on the books in every sane country. Then the founder of PayPal turned into Tony Stark and everything was cool again.

This doesn’t mean PayPal isn’t up to its old tricks, though. [Gareth Hayes], the guy behind the HackRF Blue, recently had a run-in with PayPal. The PayPal account associated with the HackRF Blue Indiegogo project was frozen shortly after the campaign ended. To unfreeze his account, [Gareth] was required to submit a few forms of identification and proof of residence. He could submit this via fax (‽) or through an ‘upload’ button in the PayPal resolution center that didn’t exist.

[Gareth] is not one to mess around, and it was only after several emails, ending with him demanding PayPal release the funds with interest and a few hours of consulting at $300/hr that the funds were released. When somebody is keeping $40,000 from you, it’s a good idea to play hardball. However, [Gareth]’s PayPal account was still frozen for the better part of three weeks. For a crowdfunding campaign, that’s three weeks that suppliers can’t be paid, components can’t be bought, and assembly can’t happen. For any campaign, PayPal is a liability.

This, unfortunately, isn’t anything new. Google News is littered with stories of PayPal withholding funds from crowdfunding campaigns. The message is clear: get your passport, driver’s license, utility bills, dog license, and fourth grade report card uploaded to PayPal somehow before the campaign ends.

Yesterday, [Gareth] received word that his account had been unfrozen, but not before he threatened the nuclear option and started letskillpaypal.com. A worthy cause if we’ve ever seen one.

Ask Hackaday: Your Very First Microcontroller

Necessity is the mother of invention. It is also true that invention necessitates learning new things. And such was the case on the stormy Tuesday morning our story begins. Distant echoes of thunder reverberated in the small 8 x 16 workshop, drawing my attention to the surge suppressor powering my bench. With only a few vacation days left, my goal of finishing the hacked dancing Santa Claus toy was far from complete. It was for a Secret Santa gift, and I wanted to impress. The Santa moved from side to side as it sang a song. I wanted to replace the song with a custom MP3 track. In 2008, MP3 players were cheap and ripe for hacking. They could readily be picked up at local thrift shops, and I had picked up a few. It soon became clear, however, that I would need a microcontroller to make it do what I wanted it to do.
