ESP8266 Does RC Without The Transmitter

While the cost of a hobby-grade remote control transmitter has dropped significantly over the last decade or so, even the basic models are still relatively expensive. It’s not such a big deal if you only need to get one for personal use, but for a school to outfit a classroom’s worth of students their own radios, they’d need to have a serious STEM budget.

Which is why [Miharix], himself an educator with a decade of experience, developed a project that leverages the ESP8266 to create affordable RC vehicles that can be controlled with a smartphone’s web browser. There’s a bit of irony at play since the smartphones are more expensive than the RC transmitters would have been; but with more and more school-age kids having their own mobile devices, it takes the cost burden off of the educators. Depending on the age of the students, the teacher would only need to keep a couple of burner phones on hand for students who don’t have a device of their own.

A custom PCB makes connections easier for students.

In its fully realized form, the project uses an open hardware board that allows standard RC hobby servos to be connected to the GPIO pins of an ESP-12E module. But if you don’t want to go through the trouble of building the custom hardware, you could put something similar together with an ESP development board. From there it’s just a matter of installing the firmware, which starts up a server providing a touch-based controller interface that’s perfect for a smartphone’s screen.

Since the ESP8266 pops up as an Access Point that client devices can connect to, you don’t even need to have an existing network in place. Or Internet access, for that matter. [Miharix] says that in tests, the range between a common smartphone and the ESP8266 is approximately 85 meters (260 feet), which should be more than enough to get the job done.

In the videos after the break you can see this system being used with an RC car and boat, though the only limit to what you could control with this project is your own imagination.


This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript run in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.
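To make the shared-context problem concrete, here is an added Node.js example (not code from the article, Discord or Electron) that models the page and the privileged code as scripts run with Node's `vm` module, in one context or in two, depending on a `webPreferences`-style object. The function names, the sample scripts and the `ARTICLE_DEFAULTS` table are constructed for illustration; the defaults mirror what the article says applied when the options were left unset.

```javascript
const vm = require('vm');

// Defaults as described in the article: unset options resolved to false.
const ARTICLE_DEFAULTS = { contextIsolation: false, sandbox: false };

// Resolve the effective settings for a webPreferences-style object.
function effectivePrefs(webPreferences = {}) {
  return { ...ARTICLE_DEFAULTS, ...webPreferences };
}

// List every protective option that is not enabled, and whether it was
// explicitly turned off or simply left to its default.
function auditPrefs(webPreferences = {}) {
  const prefs = effectivePrefs(webPreferences);
  return Object.keys(ARTICLE_DEFAULTS)
    .filter((name) => prefs[name] !== true)
    .map((name) => ({ option: name, explicit: name in webPreferences }));
}

// Constructed stand-in for script running in the page after an XSS.
const PAGE_SCRIPT =
  "Array.prototype.join = function () { return 'overridden-by-page'; };";

// Constructed stand-in for privileged code that trusts a builtin.
const PRIVILEGED_SCRIPT = "['app', 'data', 'settings.json'].join('/')";

// Run the page script first, then the privileged script. Without
// contextIsolation both share one context (and one set of builtins);
// with it, the privileged script gets a context of its own.
function runPrivilegedAfterPage(webPreferences = {}) {
  const prefs = effectivePrefs(webPreferences);
  const pageCtx = vm.createContext({});
  vm.runInContext(PAGE_SCRIPT, pageCtx);
  const privilegedCtx = prefs.contextIsolation
    ? vm.createContext({})
    : pageCtx;
  return vm.runInContext(PRIVILEGED_SCRIPT, privilegedCtx);
}

const weak = {}; // nothing set, as in the first bug
const hardened = { contextIsolation: true, sandbox: true };
console.log(auditPrefs(weak), runPrivilegedAfterPage(weak));
console.log(auditPrefs(hardened), runPrivilegedAfterPage(hardened));
```

With nothing set, the privileged script's result is whatever the page's replacement function returns; with `contextIsolation: true` it sees untouched builtins.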

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted Sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into Discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.


Color E-Ink Display Photo Frame Pranks [Mom]

As a general rule, it’s not nice to prank your mother. Moms have a way of exacting subtle revenge, generally in the form of guilt. That’s not to say it might not be worth the effort, especially when the prank is actually wrapped in a nice gesture, like this ever-changing e-paper family photo frame.

The idea that [CNLohr] had was made possible by a new generation of multicolor e-paper displays by Waveshare. The display [Charles] chose was a generous 5.65″ unit with a total of seven colors. A little hacking revealed an eighth color was possible, adding a little more depth to the images. The pictures need a little pre-processing first, of course — dithering to accommodate the limited palette — but look surprisingly good on the display. They have a sort of stylized look, as if they were printed on a textured paper with muted inks.

The prank idea was simple — present [Mrs. Lohr] with a cherished family photo to display, only to find out that it had changed to another photo overnight. The gaslighting attempt required a bit more hacking, including some neat tricks to keep the power consumption very low. It was also a bit of a squeeze to get it into a frame that was slim enough not to arouse suspicion. The video below details some of the challenges involved in this build.

In the end, [Mom] wasn’t tricked, but she still seemed pleased with the final product. These displays seem like they could be a lot of fun — perhaps a version of the very-slow-motion player but for color movies would be doable.


Crowd Funded Jumping Cubes

The Japan Aerospace Exploration Agency (JAXA) recently contributed their Int-Ball technology to a Kickstarter campaign operated by the Japanese electronics manufacturer / distributor Bit Trade One (Japanese site). This technology is based on the Cubli project out of the Swiss Federal Institute of Technology in Zurich (ETH Zurich), which we covered back in 2013. The Cubli-based technology has been appearing in various projects since then, including the Nonlinear Mechatronic Cube in 2016. Alas, the current JAXA-based “3-Axis Attitude Control Module” project doesn’t have a catchy name — yet.

One interesting application of these jumping cubes, presumably how JAXA got involved with these devices, is a floating video camera that was put to use on board the International Space Station (ISS) in 2017. The version being offered by the Kickstarter campaign doesn’t include the cameras, and you will need to provide your own gravity-free environment to duplicate that application. Instead, they seem to be marketing this for educational uses. You’d better dig deep in your wallet if you want one — a fully assembled unit requires a pledge of over $5000 (there is a “some assembly required” kit that can save you about $1000). Most of us won’t be backing this project for that reason alone, but it is nice to see the march of progress of such a cool technology: from inception to space applications to becoming available to the general public. Thanks to [Lincoln Uehara] for sending in this tip.
