The Terrible Security Of Bluetooth Locks

Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.

The tools [Anthony] used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. This entire setup can be powered by a single battery, making it very stealthy.

The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), to replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing locks works surprisingly well, with quite a few models of smart lock using eight-digit PINs. Even locks with ‘patented security’ (read: custom crypto, bad) were terrible; this patented security was just an XOR with a hardcoded key.

What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver. These locks are rare. Twelve of the sixteen locks tested could be easily broken. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock.
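To make the two halves of that takeaway concrete, here is an added example (not code from the talk or from any of the locks it covered). The first part models the ‘patented security’ pattern the talk describes, XOR with a hard-coded key, and shows the two properties a reviewer would flag: the same command always produces the same bytes (so a sniffed unlock can be replayed), and a guessable command prefix leaks the key. The second part shows the property the secure locks share, a fresh random nonce per attempt and a key provisioned at pairing rather than baked into firmware, as a challenge-response exchange. The key, command format and HMAC-SHA256 construction are assumptions for illustration; the talk calls for AES, and a real design would use it.

```python
import hmac
import hashlib
import secrets

# ---- The 'patented security' pattern: XOR with a hard-coded key ----
# Constructed sample key; no real lock's key appears on the page.
HARDCODED_KEY = bytes.fromhex("a5c3e17f")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key. Encrypt and decrypt are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """One captured message with a guessable prefix leaks len(prefix) key bytes."""
    return xor_with_key(known_plaintext, ciphertext[: len(known_plaintext)])


def xor_scheme_failure() -> dict:
    """Two properties reviewers flag: deterministic output (replayable) and
    key recovery from a fixed command prefix that the app always sends."""
    cmd = b"OPEN" + b"12345678"                 # constructed command format + PIN
    first = xor_with_key(cmd, HARDCODED_KEY)
    second = xor_with_key(cmd, HARDCODED_KEY)
    leaked = recover_key(b"OPEN", first)        # prefix length == key length here
    return {"replayable": first == second, "key_recovered": leaked == HARDCODED_KEY}


# ---- A replay-resistant alternative: challenge-response with a fresh nonce ----
# Simplified illustration with HMAC-SHA256 in place of the AES the talk calls for;
# the point is the per-attempt random nonce and the per-pairing key.
class Lock:
    def __init__(self, pairing_key: bytes):
        self._key = pairing_key          # provisioned at pairing, not hard-coded
        self._pending = None             # the one outstanding challenge, if any
        self.unlocked = False

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh random nonce per attempt
        return self._pending

    def present(self, nonce: bytes, tag: bytes) -> bool:
        # Reject anything that does not answer the currently outstanding challenge.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False
        self._pending = None                       # one-shot: a nonce is never reused
        expected = hmac.new(self._key, b"unlock|" + nonce, hashlib.sha256).digest()
        self.unlocked = hmac.compare_digest(tag, expected)
        return self.unlocked


def phone_respond(pairing_key: bytes, nonce: bytes) -> bytes:
    """The phone's side: prove possession of the pairing key for this nonce only."""
    return hmac.new(pairing_key, b"unlock|" + nonce, hashlib.sha256).digest()


def replay_resistant_exchange() -> dict:
    key = secrets.token_bytes(32)              # would be established at pairing
    lock = Lock(key)
    nonce = lock.challenge()
    tag = phone_respond(key, nonce)
    legit = lock.present(nonce, tag)
    # Someone who sniffed (nonce, tag) replays it against the lock's next challenge:
    lock.challenge()
    replayed = lock.present(nonce, tag)
    return {"legitimate": legit, "replay_accepted": replayed}


if __name__ == "__main__":
    print("XOR scheme:", xor_scheme_failure())
    print("Challenge-response:", replay_resistant_exchange())
```

The eight-digit PIN problem from the talk is orthogonal to this: a challenge-response design still needs the lock to rate-limit or lock out after failed attempts, because a nonce stops replay, not guessing.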

[Anthony]’s work going forward will concentrate on expanding his library of scripts to exploit these locks, and on evaluating the Bluetooth locks on ATMs. Yes, ATMs also use Bluetooth locks. The mind reels.

Electroshock Timer Will Speed Up Every Game Of Settlers Of Catan

The fun of playing Settlers of Catan is only matched by the desire to punch your friend when their turn drags on with endless deliberating. [Alpha Phoenix] has solved that quandary of inefficient play by building the Settlers of Catan: Electroshock Therapy Expansion.

[Alpha Phoenix] is holding back on the details of the device to forestall someone trying this at home and injuring themselves or others, but there’s plenty to glean from his breakdown of how the device works. An Adafruit Trinket microcontroller connects to a single pole 12 throw switch — modified from a double pole six throw rotary switch — to select up to six different players (with the other six positions alternated in as pause spaces) and the shocks are delivered through a simple electrode made from a wire hot glued to HDPE plastic from a milk jug. The power supply is capable of delivering up to 1100V, but the actual output is much less than that, thanks to its built-in impedance of about 2.5M Ohms, as well as added resistance by [Alpha Phoenix].

To define what constitutes a ‘long turn,’ the Trinket calculates the mean of up to the first 100 turn lengths (instead of a static timer to accommodate for the relative skills of the players in each game) and zaps any offending player — and then repeatedly at a set time afterwards — to remind them that they need to pick up the pace.


Hackaday Prize Entry: A WiFi Swiss Army Knife

WiFi is all around us, but if you want to work with this ubiquitous networking protocol, you’ll need to pull out a laptop or smartphone like a caveman. [Daniel] has a better idea. It’s a simple, compact tool for cracking WiFi passwords or sending deauth packets to everyone at the local Starbucks. It’s an ESP Swiss Army Knife, and a great entry for the Hackaday Prize.

As you would expect, this WiFi Swiss Army Knife is powered by the ESP8266 and features a tiny OLED display and a bunch of buttons for the UI. With this, [Daniel] is able to perform a deauth attack on a network, kicking anyone off the network, provided the device already has the MAC address of the victim.

This tiny wireless tool also has an SD card, making it possible to collect authentication frames for later decryption on a device that actually has the power to crack a network. With a LiPo charge controller and a sufficiently large battery, this tiny device could be left in the corner of an office collecting authentication packets for days until it’s later retrieved, opening up the network to anyone with a sufficiently fast computer. It’s a great build and very useful, making this a great entry for The Hackaday Prize.

Two Pins For The Price Of One

One of the most common problems in the world of microcontrollers is running out of resources. Sometimes it’s memory, where the code must be pared down to fit into the flash on the microcontroller. Other times, as [Fabien] found out when he ran out of pins, the limitations are entirely physical. Not one to give up, he managed to solve the problem by using one pin for two tasks. (Google Translate from French)

During a recent project, [Fabien] realized he had forgotten to add a piezo buzzer to his project. All of the other pins were in use, though, so his goal was to use one of the input pins to handle button presses but to occasionally switch it to output mode when the piezo buzzer was needed. After all, the button is only used at certain times, and the microcontroller pin sits unused otherwise. After a few trials, he has a working solution that manages neither to burn out the pin nor the components in the circuit, and neither component interferes with the other’s normal operation.

While it isn’t the most technically advanced thing we’ve ever seen here, it is a great example of using the tools at your disposal to elegantly solve a problem. More than that, though, it’s a thorough look into the details of pull-up and pull-down resistors, how microcontrollers see voltage as logic levels, and how other pieces of hardware interact with microcontrollers of all different types. This is definitely worth a read, especially if you are a beginner in this world.

Hackaday Links: August 7, 2016

The Starship Enterprise (no bloody A, B, C, or D) recently got a makeover. It was donated to the Smithsonian, and the workers at the Air and Space Museum took it apart and put it back together. Why? It’s the 50th anniversary of TOS. Hopefully the new show will be using some practical effects.

After years of trying, we’ve finally attained max buzzword. Here’s a pentesting hacker quadcopter drone, “a hacker’s laptop that can fly.” Why would anyone do this? Because, “You need to be close to the wireless signal to be able to read it. [Danger Drone] removes that barrier of physical access.” For just $500, you can do the same thing a coat hanger yagi can do. Amazing.

Q2 reports for 3D printer companies! Lulzbot is going gangbusters yet again. We’re looking at the greatest success of Open Source Hardware here. Stratasys, on the other hand, lost less money in Q2 2016. That’s their good news.

About a year ago, we heard about an LCD that was one inch high and ten inches long. That’s bizarre, but great for rackmount gear. The company behind this weird LCD is updating this weird and wonderful LCD and giving it touchscreen capability.

On this week’s edition of, ‘you’re going to cut your arm off with that thing’, here’s an angle grinder converted into a chainsaw.

A few weeks ago, we posted a link to this video, demonstrating an absurdly clever method for creating a mold for a fiberglass dome. You can just use a pendulum and a pile of dirt. Now, the mold for this fiberglass dome is complete. [J Mantzel] has already pulled 1/8th of his gigantic fiberglass sphere out of his mold, and there are only seven more to go. After that, he’ll find out if these sphere sections actually line up.

UK peeps! Hackaday and Tindie are doing a London Meetup! Details to come, but follow the event page on Hackaday.io.

I arrived in Vegas a day (or two) early for DEF CON. Instead of contemplating the banality of existence on the strip, I decided on a meetup at the grave of James T. Kirk. The meetup was a huge success. Walking two miles in 115° heat was not a great idea, but I didn’t die.

DNS Tunneling: Getting The Data Out Over Other Peoples’ WiFi

[KC Budd] wanted to make a car-tracking GPS unit, and he wanted it to be able to phone home. Adding in a GSM phone with a data plan would be too easy (and more expensive), so he opted for the hacker’s way: tunneling the data over DNS queries every time the device found an open WiFi hotspot. The result is a device that sends very little data, and sends it sporadically, but gets the messages out.

This system isn’t going to be reliable — you’re at the mercy of the open WiFi spots that are in the area. This certainly falls into an ethical grey zone, but there’s very little harm done. He’s sending a 16-byte payload, plus the DNS call overhead. It’s not like he’s downloading animated GIFs of cats playing keyboards or something. We’d be stoked to provide this service to even hundreds of devices per hour, for instance.

If you’re new here, the idea of tunneling data over DNS requests is as old as the hills, or older, and we’ve even covered this hack before in different clothes. But what [KC] adds to the mix is a one-stop code shop on his GitHub and a GPS application.
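Since the technique is as old as the hills, the more useful side for most readers is what it looks like from the resolver’s end. This is an added example, not [KC]’s code from his GitHub: it packs a 16-byte payload into a DNS label the way such tunnels typically do (base32, because DNS names are case-insensitive and a resolver may case-fold base64), which shows where the “DNS call overhead” the post mentions comes from, and then runs a simple detector over constructed resolver log lines, flagging a client that sends many distinct, long first labels under one zone. The log line format, the zone names and the payload contents are all constructed for the example.

```python
import base64
from collections import defaultdict


def encode_payload(payload: bytes, zone: str) -> str:
    """Carry a payload as the first label of a query name under `zone`.
    16 bytes become a 26-character base32 label: most of the packet is overhead."""
    label = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    return f"{label}.{zone}"


def decode_label(label: str) -> bytes:
    """Reverse of encode_payload: restore base32 padding and decode."""
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded)


def build_sample_log() -> list:
    """Constructed resolver log, one '<client_ip> <qname>' per line (not a real
    log format). Three ordinary lookups, then six tunnel-style queries."""
    lines = [
        "10.0.0.5 www.example.com",
        "10.0.0.5 mail.example.com",
        # A long but one-off label, as CDNs produce; must not be flagged on its own.
        "10.0.0.5 a3f9c2b1e4d5f6a7b8c9d0e1f2a3b4c5.cdn.example.org",
    ]
    for i in range(6):
        fix = f"fix{i:02d}:51.50,-0.1".encode()[:16]   # constructed 16-byte GPS fix
        lines.append("10.0.0.7 " + encode_payload(fix, "t.example.net"))
    return lines


def parse_line(line: str):
    client, qname = line.split()
    return client, qname.rstrip(".").lower()


def find_tunnel_candidates(lines, min_label_len: int = 20, min_distinct: int = 5) -> dict:
    """Group queries by (client, zone) where zone is the last two labels, count the
    distinct long first labels seen, and report groups above the threshold.
    Returns {(client, zone): distinct_label_count}."""
    seen = defaultdict(set)
    for line in lines:
        client, qname = parse_line(line)
        labels = qname.split(".")
        if len(labels) < 3:
            continue                      # no subdomain to carry data in
        zone = ".".join(labels[-2:])
        first = labels[0]
        if len(first) >= min_label_len:
            seen[(client, zone)].add(first)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for key, n in find_tunnel_candidates(build_sample_log()).items():
        print(f"client {key[0]} sent {n} distinct long labels under {key[1]}")
```

Counting distinct labels per zone rather than flagging any long name is what keeps the CDN-style lookup out of the result; a real deployment would tune the thresholds per network and add a time window, since a tracker like this one sends only sporadically.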

Why don’t we see this being applied more in your projects? Or are you all tunneling data over DNS and just won’t admit it in public? You can post anonymously in the comments!

Homemade EDM Can Cut Through Difficult Materials Like Magnets With Ease

Many years ago [ScorchWorks] built an electrical-discharge machining tool (EDM) and recently decided to write about it. There’s a video embedded after the break.

The build is based on the designs described in the book “Build an EDM” by Robert Langolois. An EDM works by creating lots of little electrical discharges between an electrode in the desired shape and a material underneath a dielectric solvent bath. This dissolves the material exactly where the operator would like it dissolved. It is one of the most precise and gentle machining operations possible.

His EDM is built mostly out of found parts. The power supply is a microwave oven transformer rewired with 18 gauge wire to drop the voltage to sixty volts instead of the oven’s original boost to 1.5kV. The power resistor comes from a dryer element robbed from a unit sitting beside the road. The control board was etched using a schematic hand traced onto the copper with a Sharpie.

The linear motion elements are two square brass tubes, one sliding inside the other. A stepper motor slowly drives the electrode into the part. Coolant is pumped through the electrode, which is held by a little 3D printed part.

The EDM works well, and he has a few example parts showing its ability to perform difficult cuts, such as a hole through a razor blade, a small hole through a very small piece of thick steel, and even a hole through a magnet.
