LibSSH Vuln: You Don’t Need to See my Authentication

Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst case scenario for libssh.  With a single response, an attacker can completely bypass authentication, giving full access to a system.

Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem. Libssh does show up in a few important places, the most notable is probably Github and their security team already announced their implementation was not vulnerable.

Libssh has released a new version that fixes the problem. Stick around for the details after the break.

Continue reading “LibSSH Vuln: You Don’t Need to See my Authentication”

FIDO2 Authentication In All The Colors

Here at Hackaday, we have a soft spot for security dongles. When a new two-factor-authentication dongle is open source, uses USB and NFC, and supports FIDO2, the newest 2FA standard, we take notice. That just happens to be exactly what [Conor Patrick] is funding on Kickstarter.

We’ve looked at [Conor]’s first generation hardware key, and the process of going from design to physical product.  With that track record, the Solo security key promises to be more than the vaporware that plagues crowdfunding services.

Another player, Yubikey, has also recently announced a new product that supports FIDO2 and NFC. While Yubikey has stepped away from their early open source policy, Solo is embracing the open source ethos. The Kickstarter promises the release of both the software and hardware design as fully open, using MIT and CC BY-SA licenses.

For more information, see the blog post detailing the project goals and initial design process.  As always, caveat emptor, but this seems to be a crowdfunding project worth taking a look at.

Modular Violin Takes A Bow

They say the only difference between a violin and a fiddle is the way you play it. If that’s so, this modular violin will need a new name, since it can be broken apart and changed in ways that make it sound completely different, all within a few minutes.

The fiddle is the work of [David Perry] and has 3D printed body, neck, pegbox, and bridge. While it might seem useful on the surface as a way to get less expensive instruments out in the world where virtually anyone has access to them, the real interesting qualities are shown when [David] starts playing all of the different versions he’s created. The sound changes in noticeable ways depending on the style of print, type of plastic used, and many other qualities.

Of course you will need a bow, strings, pegs, and a fingerboard, but the rest is all available if you have a 3D printer around. If you’re already a skilled violinist this could be a very affordable way to experiment with new sounds. It’s not the first time we’ve seen 3D printed violins, but it is the first time we’ve seen them designed specifically to alter the way they sound rather than their physical characteristics. If you want to make your own, all of the .stl files are available on the project’s site.

Continue reading “Modular Violin Takes A Bow”

Hacker Pops Top On NFC Vending Machines

Vending machines used to be a pretty simple affair: you put some coins in, and food or drink that in all likelihood isn’t fit for human consumption comes out. But like everything else today, they are becoming increasingly complex Internet connected devices. Forget fishing around for pocket change; the Coke machine at the mall more often than not has a credit card terminal and a 30 inch touch screen display to better facilitate dispensing cans of chilled sugar water. Of course, increased complexity almost always goes hand in hand with increased vulnerability.

So when [Matteo Pisani] recently came across a vending machine that offered users the ability to pay from an application on their phone, he immediately got to wondering if the system could be compromised. After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.

The write-up [Matteo] has put together is an outstanding case study in hacking Android applications, from pulling the .apk package off the phone to decompiling it into its principal components with programs like apktool and jadx. He even shows how you can reassemble the package and get it suitable for reinstallation on your device after fiddling around with the source code. If you’ve ever wanted a crash course on taking a peek inside of Android programs, this is a great resource.

By snooping around in the source code, [Matteo] was able to discover not only the location of the encrypted database that serves as the “wallet” for the user, but the routine that generates the encryption key. To cut a long story short, the program simply uses the phone’s IMEI as the key to get into the database. With that in hand, he was able to get into the wallet and give himself a nice stack of “coins” for the next time he hit the vending machines. Given his new-found knowledge of how the system works, he even came up with a separate Android app that allows adding credit to the user’s account on a rooted device.

In the video after the break, [Matteo] demonstrates his program by buying a soda and then bumping his credit back up to buy another. He ends his write-up by saying that he has reported his findings to the company that manufacturers the vending machines, but no word on what (if any) changes they plan on making. At the end of the day, you have to wonder what the cost-befit analysis looks like for a full security overhaul when when you’re only selling sodas and bags of chips.

When he isn’t liberating carbonated beverages from their capitalistic prisons, he’s freeing peripherals from their arbitrary OS limitations. We’re starting to get a good idea about what makes this guy tick.

Continue reading “Hacker Pops Top On NFC Vending Machines”

These Twenty Projects Won The Musical Instrument Challenge In The Hackaday Prize

The Hackaday Prize is the greatest hardware competition on the planet. It’s the Academy Awards of Open hardware, and over the past few months we’ve challenged makers and artists to create the Next Big Thing. All things must come to an end, though, and last week we wrapped up the final challenge in the Hackaday Prize. The results were fantastic, with over one hundred entries to the Musical Instrument Challenge. Now, we’re ready to announce the winners.

Over the past few months, we’ve been running a series of five challenges, and picking the best twenty projects to come out of these challenges. The Musical Instrument Challenge was the final challenge in The Hackaday Prize, and now we’re happy to announce the winners. These projects have been awarded a $1,000 cash prize, and they’re moving onto the final round where one lucky winner will receive the Grand Prize of $50,000. Here are the winners of the Musical Instrument Challenge, in no particular order:

Musical Instrument Challenge Hackaday Prize finalists:

Continue reading “These Twenty Projects Won The Musical Instrument Challenge In The Hackaday Prize”

Cool Tools: Deus Ex Autorouter

The first thing you probably asked yourself when learning how to lay out PCBs was “can’t the computer do this?” which inevitably led to the phrase “never trust the autorouter!”. Even if it hooks up a few traces the result will probably be strange to human eyes; not a design you’d want to use.

But what if the autorouter was better? What if it was so far removed from the autorouter you know that it was something else? That’s the technology that JITX provides. JITX is a company that has developed new tools that can translate a coarse textual specification of a board to KiCAD outputs autonomously.

Continue reading “Cool Tools: Deus Ex Autorouter”

Just in Time for Halloween: Another Talking Skull

It isn’t a unique idea, but we liked [Eric Wiemers’s] take on the classic animated skull for Halloween. In addition to showing you the code and the wiring, the video spends some time discussing what the audio looks like and what has to happen to get it into a format suitable for the Arduino. You can see the spooky video, below.

Of course, this is also a 3D printing project, although the skull is off-the-shelf. We wondered if he felt like a brain surgeon taking the Dremel to the poor skull. To fix the two parts of the device, he used brass threaded inserts that are heat set, something we’ve seen before, but are always surprised we don’t see more often.

Continue reading “Just in Time for Halloween: Another Talking Skull”