Tiny Cube Hosts A Hearty Tube

Tiny PCBAs and glowy VFD tubes are like catnip to a Hackaday writer, so when we saw [hamster]’s TubeCube tube segment driver we had to dig in to learn more. We won’t bury the lede here; let’s enjoy a video of glowing tubes before we go further:

The TubeCube is built to fit the MiniBadge badge addon standard, which is primarily used to host modules on the SAINTCON conference badge. A single TubeCube hosts a VFD tube, hardware to provide a 70 V supply, and a microcontroller for communication and control. Each TubeCube is designed to accept ASCII characters via UART to display on it’s display, but they can also be chained together for even more excitement. We’re not sure how [hamster] would be able to physically wear the beast in the video above, but if he can find a way, they all work together. If you’re interested in seeing the dead simple UART communication scheme take a look at this file.

We think it’s also worth pointing about the high voltage supply. To the software or mechanically minded among us it’s easy to get trapped thinking about switching power supplies as a magical construct which can only be built using all-in-one control ICs. But [hamster]’s supply is a great reminder that a switching supply, even a high voltage one, isn’t as complex as all that. His design (which he says was cribbed from Adafruit’s lovely Ice Tube Clock) is essentially composed of the standard primitives. A big low voltage capacitor C1 to source the burst of energy which will be boosted, the necessary inductor/high voltage cap C2 which ends up at the target voltage, and a smoothing cap C3 to make the output a little nicer. It’s controlled by the microcontroller toggling Q1 to control the current flow through L1. The side effect is that by controlling the PWM frequency [hamster] can vary the brightness of the tubes.

Right now it looks like the repository has a schematic and sources, which should be enough to build a small tube driver of your own. If you can’t get enough TubeCubes, there’s one more video (of a single module) after the break.

Continue reading “Tiny Cube Hosts A Hearty Tube”

This Week In Security: The Robots Are Watching, Insecure VPNs, Graboids, And Biometric Fails

A Japanese hotel chain uses robots for nearly everything. Check in, room access, and most importantly, bedside service. What could possibly go wrong with putting embedded Android devices, complete with mics and cameras, right in every hotel room? While I could imagine bedside robots ending badly in many ways, today we’re looking at the possibility that a previous guest installed an app that can spy on the room. The kiosk mode used on these devices left much to be desired. Each bot has an NFC reader, and all it takes is an URL read by that reader to break out of the kiosk jail. From there, a user has full access to the Android system underneath, and can install whatever software they wish.

[Lance Vick] discovered this potential problem way back in July, and after 90 days of inaction has released the vulnerability. More of these hotels are being rolled out for the 2020 Olympics, and this sort of vulnerability is sure to be present in other similar kiosk devices.

VPN Compromise

In March 2018, a server in a Finnish data center was compromised through a remote management system. This was probably a Baseboard Management Controller (BMC), which is as dangerous as it is useful. Most BMCs have their own Ethernet adapter, not controlled by the host computer, and allows a remote user to access the machine just as if they had a monitor and keyboard connected to it. This particularly server was one rented by NordVPN, who was apparently not notified of the data center breach.

So what was captured from this server? Apparently the OpenVPN credentials stored on that server, as well as a valid TLS key. (Document mirror via TechCrunch) It’s been noted that this key is now expired, which does mean that it’s not being actively exploited. There were, however, about 7 months between the server break-in and the certificate expiration, during which time it could have been used for man-in-the-middle attacks.

NordVPN has confirmed the breach, and tried to downplay the potential impact. This report doesn’t seem to entirely match the leaked credentials. An attacker with this data and root access to the server would have likely been able to decrypt VPN traffic on the fly.


Named in honor of a certain sci-fi worm, Graboid is an unusual piece of malware aimed at Docker instances. It is a true worm, in that compromised hosts are used to launch attacks against other vulnerable machines. Graboid isn’t targeting a Docker vulnerability, but simply looking for an unsecured Docker daemon exposed to the internet. The malware downloads malicious docker images, one of which is used for crypto-currency mining, while another attempts to compromise other servers.

Graboid has an unusual quirk — the quirk that earned it the name: It doesn’t constantly mine or attempt to spread, but waits over a minute between bursts of activity. This was likely an attempt to mask the presence of mining malware. It’s notable that until discovered, the malicious Docker images were hosted on the Docker Hub. Be careful what images you trust, and look for the “Docker Official Image” tag.

Iran and Misdirection

Remember a couple weeks ago, when we discussed the difficulty of attack attribution? It seems a healthy dose of such paranoia might be warranted. The American NSA and British NCSC revealed that they now suspect Russian actors compromised Iranian infrastructure and deployed malware developed by Iranian coders. The purpose of this seems to have been redirection — to compromise targets and put the blame on Iran. To date it’s not certain that this particular gambit fooled any onlookers, but this is likely not the only such effort.

Android Biometrics

New Android handsets have had a rough week. First, the Samsung Galaxy S10 had an issue with screen protectors interfering with the under-the-screen fingerprint reader. This particular problem seems to only affect fingerprints that are enrolled after a screen protector has been applied. With the protector still in place, anyone’s fingerprint is able to unlock the device. What’s happening here seems obvious. The ultrasonic fingerprint scanner isn’t able to penetrate the screen protector, so it’s recording an essentially blank fingerprint. A patch to recognize these blank prints has been rolled out to devices in Samsung’s home country of South Korea, with the rest of the world soon to follow.

The second new handset is the Google Pixel 4, which includes a new Face Unlock feature. While many have praised the feature, there is trouble in paradise. The Pixel’s Face Unlock works even when the user is asleep or otherwise unmoving. To their credit, Apple’s Face ID also checks for user alertness, trying to avoid unlocking unless the user is intentionally doing so.

The humorous scenario is a child or spouse unlocking your phone while you’re asleep, but a more sobering possibility is your face being used against you unwillingly, or even while unconscious or dead. Based on leaks, it’s likely that there was an “eyes open” mode planned but cut before launch. Hopefully the bugs can be worked out of that feature, and it can be re-added in a future update. Until then, it’s probably best not to use Google’s Face Unlock on Pixel 4 devices.

TI-99/4A KSP Controller Has A Handle On Vintage NASA Styling

[MelkorsGreatestHits] had an extra USB MAME board burning a hole in his parts bin, so he turned it into fuel for this far-out Kerbal Space Program controller. Cool your jets — no fully-functioning TI-99/4As were harmed in the making of this baby. Besides, this is a KAL 9000 from Kexas Instruments. See the badges?

After donating the usable parts deemed unnecessary for space exploration, [MelkorsGreatestHits] had even more room inside the case for the throng of toggles that make this controller so touchable. We love the two tiers of toggles here — the important ones are separated with 3D-printed Space Shuttle-style switch guards, and the super-important toggles have flip-up covers to protect them from errant flicks of the hand. The vintage embosser labels are an impressive touch, and make us wish we had one that stamps vertically.

[MelkorsGreatestHits] modeled the combo throttle/roll handle and the joystick after the Apollo 11 command module controls. Unfortunately, the MAME board didn’t like his 3-axis analog joystick, so both are 2-axis and give WASD control. Good enough to get to the Mün!

We’ve seen more than a few KSP controllers around here, but none so overdone as this wonderful stand-up command station.

Via r/DIY

A Visual Infrared Thermometer That Runs Off Your Laptop

A common measurement for circuits is heat dissipation inspection. While single point thermometers do the trick, they can be quite annoying to use. Meanwhile, a thermal imaging camera is often out of the budget for hobbyists. How about building your own visual thermometer for cheap? That’s what [Thomas Fischl] decided to do, using an infrared thermal sensor array (MLX90640) connected through a PIC16LF1455 to a host computer. The computer handles the temperature calculation and visualization of hot spots, gathered from data collected by the IR pixel.

The interface board, USB2FIR, has full access to MLX90640 memory and can handle bulk transfer for faster data transmission of the raw sensor data collected by the pixel. A USB driver is needed to access the board – once the data is fetched, the visualizations can be created from a Matplotlib and TKinter GUI showing frame data and a real time heat map with minimum, maximum, and central temperature.

The hardware isn’t complicated, since the board relies on several ICs for processing the sensor data and immediately sends over the data to be processed externally. With some modifications – a 3D-printed enclosure, for instance – this can easily be made into a discreet tool for heat detection.