Shadowhammer, WPA3, And Alexa Is Listening: This Week In Computer Security

Let’s get caught up on computer security news! The big news is Shadowhammer — The Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.

Nearly a year later, Kaspersky Lab announced they had confirmed this strange update was indeed a supply chain attack — one that attacks a target by way of another vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.

Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.

While we’re still waiting for the full technical paper, researchers gave a nearly 30 minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!

State Of The Art Big Mouth Alexa Bass

Hackers seem intent on making sure the world doesn’t forget that, for a brief shining moment, everyone thought Big Mouth Billy Bass was a pretty neat idea. Every so often we see a project that takes this classic piece of home decor and manages to shoehorn in some new features or capabilities, and with the rise of voice controlled home automation products from the likes of Amazon and Google, they’ve found a new ingredient du jour when preparing stuffed bass.

[Ben Eagan] has recently completed his entry into the pantheon of animatronic fish projects, and while we’ll stop short of saying the world needed another Alexa-enabled fish on the wall, we’ve got to admit that he’s done a slick job of it. Rather than trying to convince Billy’s original electronics to play nice with others, he decided to just rip it all out and start from scratch. The end result is arguably one of the most capable Billy Bass updates we’ve come across, if you’re willing to consider flapping around on the wall an actual capability in the first place.

The build process is well detailed in the write-up, and [Ben] provides many pictures so the reader can easily follow along with the modification. The short version of the story is that he cuts out the original control board and wires the three motors up to an Arduino Motor Driver Shield, and when combined with the appropriate code, this gives him full control over Billy’s mouth and body movements. This saved him the trouble of figuring out how to interface with the original electronics, which is probably for the better since they looked rather crusty anyway.

From there, he just needed to give the fish something to get excited about. [Ben] decided to connect the 3.5 mm audio jack of a second generation Echo Dot to one of the analog pins of the Arduino, and wrote some code that can tell him if Amazon’s illuminated hockey puck is currently yammering on about something or not. He even added an LM386 audio amplifier module in there to help drive Billy’s original speaker, since that will now be the audio output of the Dot.

A decade ago we saw Billy reading out Tweets, and last year we presented a different take on adding an Alexa “brain” to everyone’s favorite battery powered fish. What will Billy be up to in 2029? We’re almost too scared to think about it.

ESP8266 And Alexa Team Up To Tend Bar

After a hard day of soldering and posting memes online, sometimes you just want to yell at the blinking hockey puck in the corner and have it pour you out a perfectly measured shot of your favorite libation. It might not be the multi-purpose robot servant we were all hoping to have by the 21st century, but [Jake Lee] figures it’s about as close as we’re likely to get for under fifty bucks or so (Jake’s security certificate seems to have expired a few days ago, so your browser may warn you; here’s an archived version).

From the hardware to the software, his Alexa-enabled drink pouring machine is an exercise in minimalism. Not that there’s anything wrong with that, of course. The easiest solutions are sometimes the best ones, and we think the choices [Jake] made here strike a perfect balance between keeping things simple and getting the job done. It’s by no means the most complete or capable robotic bartender we’ve ever seen, but it’s perhaps the one most likely to be duplicated by others looking to get in on the voice-controlled drinking game.

So how does it work? For one, [Jake] didn’t go through the trouble of creating a “proper” Alexa skill; that’s quite a bit of work just to pour a shot of rum. Instead, he took the easy way out and used the FauxMo library on his ESP8266 to emulate a few WeMo smart switches. Alexa (and pretty much every other home automation product) has native support for turning these on and off, so with the proper code you can leverage it as an easy way to toggle the chip’s digital pins.

Using Alexa’s “Routines” capability, these simple toggles can be chained together and associated with specific phrases to create more complex actions. For example, you could chain dispensing alcohol, lowering the room lighting, and playing music all to a single voice command. Something like “I give up”, perhaps.

When Alexa tells the drink dispenser to turn on, the ESP8266 fires a relay which starts up a small 12 V air pump. This is connected to the bottle of rum through a glass tube that [Jake] bent with a blow torch, and starts to pressurize it. With the air at the top of the bottle pushing down on it, a second glass tube gives the liquid a way to escape. This method of dispensing liquid is not only easy to implement, but saves you from having to drink something that’s passed through some crusty eBay pump.

If you prefer the “right” way of getting your device talking to Amazon’s popular home surveillance system, our very own [Al Williams] can get you headed in the right direction. On the other hand, if the flowing alcohol is the part of this project that caught your attention, well we’ve got more than a few projects that cover that topic as well.

Alexa, Remind Me Of The First Time Your Product Category Failed

For the last few years, the Last Great Hope™ of the consumer electronics industry has been voice assistants. Alexas and Echos and Google Homes and Facebook Portals are all the rage. Over one hundred million Alexa devices have been sold, an impressive feat given that there are only about 120 million households in the United States, and a similar number in Europe. Look to your left, look to your right, one of you lives in a house with an Internet connected voice assistant.

2018 saw a huge explosion of Internet connected voice assistants, in sometimes bizarre form factors. There’s a voice controlled microwave, which is great if you’ve ever wanted to defrost a chicken through the Internet. You can get hardware for developing your own voice assistant device. 2019 will be even bigger. Facebook is heavily advertising the Facebook Portal. If you haven’t yet deleted your Facebook account, you can put the Facebook Portal on your kitchen counter and make video calls with your family and friends through Facebook Messenger. With the Google Home Hub and a Nest doorbell camera, you too can be just like Stu Pickles from Rugrats.

This is not the first time the world has been enamored with Internet-connected assistants. This is not the first time the consumer electronics industry put all their hope into one product category. This has happened before, and all those devices failed spectacularly. These were the Internet appliances released between 1999 and 2001: the last great hurrah of the dot-com boom. They were dumb then, and they’re dumb now.


Forcing Amazon Alexa Compatible Stuff To Speak To Google Assistant

It took a long time, but it’s 2019, and we’re starting to get used to the concept of talking to a computer to make it control things around the house. It’s not quite as cool as it seemed when we saw it in films way back when, but that’s just real life. The problem is, there’s a multitude of different systems and standards and they don’t all necessarily work together. In [Blake]’s case, the problem is that Woods brand hardware only works with Amazon Alexa, which simply won’t do.

[Blake] went through the hassle of getting an Amazon Alexa compatible WiFi outlet to work with Google Assistant. It’s a bit of a roundabout way of doing things, but it works. A TP-Link HS-105 WiFi plug is used, which can be controlled through Google Assistant voice commands. The part consists of two PCBs – a control board that speaks WiFi, and a switching board with relays. [Blake] used the control board and hooked it up to a Raspberry Pi. When switched on by a command from Google, the HS-105 sets a pin high, which is detected by the Raspberry Pi. The Raspberry Pi then runs a software implementation of the KAB protocol used by the Woods hardware, triggering it when it receives the signal from the TP-Link hardware.

If we understand correctly, [Blake] had to go to this trouble in order to make his special outdoor-rated outlets work with his Google Home setup. Hopefully interoperability improves in years to come, but we won’t hold our breath.

We’ve seen some pretty convoluted projects in this space before, often using IFTTT — like this ESP8266 voice controlled tank.

I’m Sorry, Alexander, I’m Afraid I Can’t Do That

Getting people to space is extremely difficult, and while getting robots to space is still pretty challenging, it’s much easier. For that reason, robots and probes have been helping us explore the solar system for decades. Now, though, a robot assistant is on board the ISS to work with the astronauts, and rather than something impersonal like a robot arm, this one has a face, can navigate throughout the ship, and can respond to voice inputs.

The robot is known as CIMON, the Crew Interactive Mobile Companion. Built by Airbus, this interactive helper will fly with German astronaut Alexander Gerst to test the concept of robotic helpers such as this one. It is able to freely move about the cabin and can learn about the space it is in without being specifically programmed for it. It processes voice inputs similarly to a smart phone, but still processes requests on Earth via the IBM Watson AI. This means that it’s not exactly untethered, and future implementations of this technology might need to be more self-contained for missions outside of low Earth orbit.

While the designers have listened to the warnings of 2001 and not given it complete control of the space station, they also learned that it’s helpful to create an interactive robot that isn’t something as off-putting as a single creepy red eye. This robot can display an interactive face on the screen, as well as use the same screen to show schematics, procedure steps, or anything else the astronauts need. If creepy design is more your style though, you can still have HAL watching you in your house.

Thanks to [Marian] for the tip!


RTL-SDR Paves Way To Alexa Controlled Blinds

You’d be forgiven for occasionally looking at a project, especially one that involves reverse engineering an unknown communication protocol, and thinking it might be out of your league. We’ve all been there. But as more and more of the devices that we use are becoming wireless black boxes, we’re all going to have to get a bit more comfortable with jumping into the deep end from time to time. Luckily, there is no shortage of success stories out there that we can look at for inspiration.

A case in point is the set of wireless blinds that [Stuart Hinson] decided would be a lot more useful if he could control them with his Amazon Alexa. There’s plenty of documentation on how to get Alexa to do your bidding, so he wasn’t worried about that. The tricky part was commanding the wireless blinds, as all he had to go on was the frequency printed on the back of the remote.

Luckily, in the era of cheap RTL-SDR devices, that’s often all you need. [Stuart] plugged in his receiver and fired up the incredibly handy Universal Radio Hacker. Since he knew the frequency, it was just a matter of tuning in and hitting the button on the remote a couple times to get a good capture. The software then broke it down to the binary sequence the remote was sending out.

Now here’s where [Stuart] lucked out. The manufacturers took the easy way out and didn’t include any sort of security features, or even bother with acknowledging that the signal had been received. All he needed to do was parrot out the binary sequence with a standard 433 MHz transmitter hooked up to an ESP8266, and the blinds took the bait. This does mean that anyone close enough can take control of these particular blinds, but that’s a story for another time.
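To make the missing security feature concrete, here is an added sketch (not code from [Stuart]'s project or from the blinds' manufacturer) that contrasts a fixed-code receiver, which obeys every copy of a frame, with a counter-plus-HMAC receiver that rejects a replayed one. The frame layout, key, command byte and resync window are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import struct

FIXED_CODE = bytes.fromhex("a5c3f00d")  # constructed stand-in for a captured frame
KEY = b"constructed-demo-key"           # hypothetical secret shared at pairing
TAG_LEN = 8                             # truncated HMAC-SHA256 tag, in bytes

class FixedCodeReceiver:
    """Behaviour the post describes: every exact copy of the frame is obeyed."""
    def accept(self, frame: bytes) -> bool:
        return frame == FIXED_CODE

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Remote side: 4-byte counter + 1-byte command, followed by the tag."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class RollingCodeReceiver:
    """Obeys a frame only if its tag verifies and its counter moves forward."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last, self.window = key, 0, window

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        # No acknowledgement on this link, so presses made out of range still
        # advance the remote; tolerate a small forward gap, never a repeat.
        if not self.last < counter <= self.last + self.window:
            return False                      # replayed or far out of sync
        self.last = counter
        return True

def demo() -> dict:
    fixed, rolling = FixedCodeReceiver(), RollingCodeReceiver(KEY)
    first = make_frame(KEY, 1, 0x01)          # 0x01: hypothetical "open" command
    return {
        "fixed_replay": [fixed.accept(FIXED_CODE), fixed.accept(FIXED_CODE)],
        "rolling_replay": [rolling.accept(first), rolling.accept(first)],
        "rolling_next": rolling.accept(make_frame(KEY, 2, 0x01)),
        "rolling_forged": rolling.accept(make_frame(b"wrong-key", 3, 0x01)),
    }

if __name__ == "__main__":
    print(demo())
```

The forward window is the price of a one-way link: without an acknowledgement the receiver cannot tell the remote what it last saw, so it has to accept a bounded jump in the counter.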

We took a look at the Universal Radio Hacker a year or so back, and it’s good to see it picking up steam. We’ve also covered the ins and outs of creating your own Alexa skills, if you want to get a jump on that side of the project.