Steampunk Water Thief Clock Steals Attention, Too

The funny thing about clocks is that the more intriguing they are to look at, the more precious time is wasted. This steampunk clepsydra is no exception. A clepsydra, or water thief clock, is an ancient design that takes many forms. Any clock that uses the inflow or outflow of water to measure time could be considered a clepsydra, even if it uses electronics like this steampunk version.

[DickB1]’s sticky-fingered timepiece works by siphoning water from the lower chamber into the upper chamber on a one-minute cycle. An MSP430 and a MOSFET control the 12 V diaphragm pump. As the water level rises in the upper chamber, a float in the siphon pushes a lever that moves a ratchet and pawl that’s connected to the minute hand. The hour hand is driven by gears. A hidden magnet and Hall effect sensor help keep the clock clicking at one-minute intervals.

Although [DickB1] doesn’t tell you exactly how to replicate this clock, he offers enough information to get started in designing your own. Take a second to check it out after the break.

Most of the thieving around here is done for the joules, so here’s a joule thief running a clock.


This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

Our own [Pat Whetman] wrote about a clever technique published by the University of Michigan, where lasers can be used to trigger a home assistant device. It’s an interesting hack, and you should go read it.

Borrowing IP Addresses

We’ve lived through several IPv4 exhaustion milestones, and the lack of available addresses is really beginning to show, even for trolls and scammers. A new approach takes advantage of the weak security of the Border Gateway Protocol to let bad actors temporarily take over reserved address blocks. These particular providers operate out of Russia, running network services they advertise as “bulletproof”, or immune to takedown requests. What better way to sidestep takedowns than to use IP addresses that aren’t really yours to begin with?

BGP spoofing has been at the center of other types of attacks and incidents, like in 2018 when a misconfiguration in a Nigerian ISP’s BGP tables routed traffic intended for Google’s servers through Chinese and Russian infrastructure. In that case it appeared to be a genuine mistake, but little prevents malicious BGP table poisoning.

Chrome Zero-day

Google released an update to Chrome on the 31st that addresses two CVEs, one of which is being actively exploited. That vulnerability, CVE-2019-13720, is a race condition resulting in a potential use-after-free. Kaspersky Labs found this one being actively used on a Korean news site. The attack runs entirely from JavaScript, and simply visiting a malicious site is enough for compromise, so update Chrome if it’s installed.

Anti-anti-doping

What do you do when you feel you’ve been unfairly targeted by an anti-doping investigation? Apparently hacking the investigating agency and releasing stolen information is an option. It seems like this approach is more effective when there are shenanigans revealed in the data dump. In this case, the data being released seems rather mundane.

Firefox Blocking Sideload Extensions

Mozilla made a controversial announcement on the 31st. They intend to block “sideload” browser extensions. Until this change, it was possible to install browser extensions by copying them to a particular folder on the computer. Some legitimate extensions used this installation method, but so did malware, adware, and other unwanted software. While this change will block some malicious add-ons, it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.

As you might imagine, the response has been… less than positive. While making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension. It remains to be seen exactly how this change will shake out.

Save Games as Attack Vector

An oddball vulnerability caught my eye, published by [Denis Andzakovic] over at Pulse Security. He discovered that a recent indie game, Untitled Goose Game, can be manipulated into running arbitrary code as a result of loading a maliciously modified save file. The vulnerability is rooted in a naive deserialization routine.

If you’re interested in a deeper dive into .NET deserialization bugs, a great paper was submitted to Black Hat 2012 discussing the topic. The short version is that if a programmer isn’t careful, the deserialization routine can overwrite variables in unexpected ways, potentially leading to code execution.

At first glance, a vulnerability triggered by a malicious save file seems relatively harmless. The level of access needed to modify a save file on a hard drive is enough to compromise that computer in a multitude of better ways. Enter cloud save synchronization. Steam, for instance, will automatically sync save games across a user’s install locations. This is a very useful feature for those of us that might play the same game on a laptop and a desktop. Having the save game automatically synced to all your devices is quite useful, but if an attacker compromised your Steam account, your save games could be manipulated. This leads to the very real possibility that an attacker could use a save game vulnerability to turn a Steam account compromise into an attack on all your machines with Steam installs.
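The naive deserialization pattern described above, sketched as an added example that is not code from the game, the Pulse Security write-up, or the Black Hat paper. It uses Python's `pickle` as a stand-in for the .NET serializer; the save layout, the sample bytes, and every name in it are constructed for illustration.

```python
import io
import pickle

# Constructed sample inputs (not taken from the game or the advisory).
GOOD_SAVE = pickle.dumps({"player": "goose", "level": 3, "honks": 120})
# Tampered save: names the global os.getpid and asks the loader to call it.
# Harmless here, but the file, not the program, chose the function.
TAMPERED_SAVE = b"cos\ngetpid\n(tR."
SCHEMA = {"player": str, "level": int, "honks": int}  # hypothetical save layout


class SaveRejected(Exception):
    """Raised when a save file is not plain data in the expected shape."""


def naive_load(blob: bytes):
    """The pattern at fault: the stream decides which callables are resolved."""
    return pickle.loads(blob)


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only built-in containers and scalars load."""

    def find_class(self, module, name):
        raise SaveRejected(f"save file references {module}.{name}")


def strict_load(blob: bytes) -> dict:
    try:
        data = DataOnlyUnpickler(io.BytesIO(blob)).load()
    except SaveRejected:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise SaveRejected(f"unreadable save file: {exc}") from exc
    # Key and type check: nothing outside the schema reaches game state.
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise SaveRejected("unexpected save layout")
    for key, expected in SCHEMA.items():
        if type(data[key]) is not expected:
            raise SaveRejected(f"field {key!r} has the wrong type")
    return data


if __name__ == "__main__":
    print("strict loader accepted:", strict_load(GOOD_SAVE))
    print("naive loader returned:", naive_load(TAMPERED_SAVE))
```

Refusing type lookups closes the path shown here, but for files that arrive through account sync a data-only format such as JSON, followed by the same schema check, is the sturdier design.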

Keep An Eye On The Neighborhood With This Passive Radar

If your neighborhood is anything like ours, walking across the street is like taking your life in your own hands. Drivers are increasingly unconcerned by such trivialities as speed limits or staying under control, and anything goes when they need to connect Point A to Point B in the least amount of time possible. Monitoring traffic with this passive radar will not do a thing to slow drivers down, but it’s a pretty cool hack that will at least yield some insights into traffic patterns.

The principle behind active radar – the kind police use to catch speeders in every neighborhood but yours – is simple: send a microwave signal towards a moving object, measure the frequency shift in the reflected signal, and do a little math to calculate the relative velocity. A passive radar like the one described in the RTL-SDR.com article linked above is quite different. Rather than painting a target with an RF signal, it relies on signals from other transmitters, such as terrestrial TV or radio outlets in the area. Two different receivers are used, both with directional antennas. One points to the area to be monitored, while the other points directly to the transmitter. By comparing signals reflected off moving objects received by the former against the reference signal from the latter, information about the distance and velocity of objects in the target area can be obtained.

The RTL-SDR test used a pair of cheap Yagi antennas for a nearby DVB-T channel to feed their KerberosSDR four-channel coherent SDR, a device we last looked at when it was still in beta. Essentially four SDR dongles on a common board, it’s available now for $149. Using it to build a passive radar might not save the neighborhood, but it could be a lot of fun to try.

Real Life QWOP Probably Stings A Fair Bit

QWOP was a Flash game released by [Bennett Foddy] in the distant past. Players would use individual keys to trigger muscle spasms in their character’s legs, attempting to sprint as far as possible without hitting the ground. Hackaday alumnus [The Hacksmith] wanted to recreate this in real life, and set to work.

[The Hacksmith] initially planned to hack some TENS units to cause muscle contractions, but a pair of lithium batteries were used instead. Supplying up to 48 volts through a MOSFET using PWM control, the setup is quite effective at triggering muscle movement, albeit with a slight pain factor. With the MOSFETs under the control of an Arduino fitted with a USB keyboard, a player can control [The Hacksmith]’s leg muscles, albeit without much finesse.

While the jumps are just video magic, the players do succeed in making some purposeful spasms happen. It’s about as effective as our attempts to play the original game, anyway. Don’t try this at home if you’d like to avoid possible burns or nerve injuries! It’s not the first moderately dangerous build we’ve seen from [The Hacksmith], either. Video after the break.
