Screenshot of the demonstration video that shows the desktop being unlocked with face recognition, with a camera feed and a terminal showing how the software works.

Open-Source FaceID With RealSense

April 4, 2023 by Arya Voronova 6 Comments

RealSense cameras have been a fascinating piece of tech from Intel — we’ve seen a number of cool applications in the hacker world, from robots to smart appliances. Unfortunately Intel did discontinue parts of the RealSense lineup at one point, specifically the LiDAR and face tracking-tailored models. Apparently, these haven’t been popular, and we haven’t seen these in hacks either. Until now, that is. [Lina] brings us a real-world application for the RealSense face tracking cameras, a FaceID application for Linux.

The project is as simple as it sounds: if the camera’s built-in face recognition module recognizes you, your lockscreen is unlocked. With the target being Linux, it has to tie into the Pluggable Authentication Modules (PAM) subsystem for authentication, and of course, there’s a PAM module for RealSense to go with it, aptly named pam_sauron. This module is written in Zig, a modern C-like language, so it’s both a good example of how to create your own PAM integrations, and a path towards doing that in a different language for once. As usual, there’s TODOs, like improving the UX and taking advantage of some security features RealSense cameras have, but it’s nevertheless a fun and self-sufficient application for one of the F4XX-series RealSense cameras in case you happen to own one.

Ever since the introduction of RealSense we’ve seen these cameras used in robotics and 3D scanning, thanks at least in part due to their ability to be used in Linux. Thankfully, Intel only discontinued the less popular RealSense cameras, which didn’t affect the main RealSense lineup, and the hacker-beloved depth cameras are still available for all of our projects. Wondering about the tech behind it? Here’s a teardown of a RealSense camera module intended for laptop use.

Picture of the PCIce card with a fan attached

Server Network Cards Made Extra Cool

April 3, 2023 by Arya Voronova 25 Comments

Using cheap and powerful server expansion cards in your desktop builds is a tempting option for many hackers. Of course, they don’t always fit mechanically or work perfectly; for instance, some server-purpose cards are designed for intense amounts of cooling that servers come with, and will overheat inside a relatively calm desktop case. Having encountered such a network card, [Chris] has developed and brought us the PCIce – a PCIe card that’s a holder and a controller for a 80mm fan.

The card gets fan 12V from the PCIe slot, and there’s an ATTiny to control the fan’s speed, letting you cycle through speeds with a single button press and displaying the current speed through LEDs. There’s a great amount of polish put into this card – from making it mechanically feature-complete with all the fancy fasteners, to longevity-oriented firmware that even makes sure to notice if the EEPROM-stored settings ever get corrupted. At the moment, the schematics and the ATTiny firmware are open-source, [Chris] has promised to publish hardware files after polishing them, and has also manufactured a batch of PCIce cards for sale.

When it comes to making use of cheap server-purpose cards, a cooling solution is good to see – we’ve generally seen adapters from proprietary form-factors, like this FlexLOM adapter from [TobleMiner] to make use of cheap high-throughput network cards with slightly differing mechanical dimensions and pinouts. Every batch of decommissioned server cards has some potential with only a slight hitch or two, and it’s reassuring to see hackers make their eBay finds really work for them.

Photo of the Echo Dot PCB, highlighting the capacitor that needs to be shorted out for the exploit to work

Squeezing Secrets Out Of An Amazon Echo Dot

April 1, 2023 by Arya Voronova 44 Comments

As we have seen time and time again, not every device stores our sensitive data in a respectful manner. Some of them send our personal data out to third parties, even! Today’s case is not a mythical one, however — it’s a jellybean Amazon Echo Dot, and [Daniel B] shows how to make it spill your WiFi secrets with a bit of a hardware nudge.

There’s been exploits for Amazon devices with the same CPU, so to save time, [Daniel] started by porting an old Amazon Fire exploit to the Echo Dot. This exploit requires tactically applying a piece of tin foil to a capacitor on the flash chip power rail, and it forces the Echo to surrender the contents of its entire filesystem, ripe for analysis. Immediately, [Daniel] found out that the Echo keeps your WiFi passwords in plain text, as well as API keys to some of the Amazon-tied services.

Found an old Echo Dot at a garage sale or on eBay? There might just be a WiFi password and a few API keys ripe for the taking, and who knows what other kinds of data it might hold. From Amazon service authentication keys to voice recognition models and maybe even voice recordings, it sounds like getting an Echo to spill your secrets isn’t all that hard.

We’ve seen an Echo hijacked into an always-on microphone before, also through physical access in the same vein, so perhaps we all should take care to keep our Echoes in a secure spot. Luckily, adding a hardware mute switch to Amazon’s popular surveillance device isn’t all that hard. Though that won’t keep your burned out smart bulbs from leaking your WiFi credentials.

PCIe For Hackers: Extracting The Most

March 30, 2023 by Arya Voronova 25 Comments

So, you now know the basics of approaching PCIe, and perhaps you have a PCIe-related goal in mind. Maybe you want to equip a single-board computer of yours with a bunch of cheap yet powerful PCIe WiFi cards for wardriving, perhaps add a second NVMe SSD to your laptop instead of that Ethernet controller you never use, or maybe, add a full-size GPU to your Raspberry Pi 4 through a nifty adapter. Whatever you want to do – let’s make sure there isn’t an area of PCIe that you aren’t familiar of.

Splitting A PCIe Port

You might have heard the term “bifurcation” if you’ve been around PCIe, especially in mining or PC tinkering communities. This is splitting a PCIe slot into multiple PCIe links, and as you can imagine, it’s quite tasty of a feature for hackers; you don’t need any extra hardware, really, all you need is to add a buffer for REFCLK. See, it’s still needed by every single extra port you get – but you can’t physically just pull the same clock diffpair to all the slots at once, since that will result in stubs and, consequently, signal reflections; a REFCLK buffer chip takes the clock from the host and produces a number of identical copies of the REFCLK signal that you then pull standalone. You might have seen x16 to four NVMe slot cards online – invariably, somewhere in the corner of the card, you can spot the REFCLK buffer chip. In a perfect scenario, this is all you need to get more PCIe out of your PCIe.

Continue reading “PCIe For Hackers: Extracting The Most” →

Screenshot of the SDR software in action, with decoded data in a terminal, and a map that shows the location received from the decoded data

Loudmouth DJI Drones Tell Everyone Where You Are

March 26, 2023 by Arya Voronova 42 Comments

Back when commercial quadcopters started appearing in the news on the regular, public safety was a talking point. How, for example, do we keep them away from airports? Well, large drone companies didn’t want the negative PR, so some voluntarily added geofencing and tracking mechanisms to their own drones.

When it comes to DJI, one such mechanism is DroneID: a beacon on the drone itself, sending out a trove of data, including its operator’s GPS location. DJI also, of course, sells the Aeroscope device that receives and decodes DroneID data, declared to be for government use. As it often is with privacy-compromising technology, turns out it’s been a bigger compromise than we expected.

Questions started popping up last year, as off-the-shelf quadcopters (including those made by DJI) started to play a part in the Russo-Ukrainian War. It didn’t take long for Ukrainian forces to notice that launching a DJI drone led to its operators being swiftly attacked, and intel was that Russia got some Aeroscopes from Syria. DJI’s response was that their products were not meant to be used this way, and shortly thereafter cut sales to both Russia and Ukraine.

But security researchers have recently discovered the situation was actually worse than we expected. Back in 2022, DJI claimed that the DroneID data was encrypted, but [Kevin Finisterre]’s research proved that to be a lie — with the company finally admitting to it after Verge pushed them on the question. It wouldn’t even be hard to implement a worse-than-nothing encryption that holds up mathematically. However, it seems, DroneID doesn’t even try: here’s a GitHub repository with a DroneID decoder you can use if you have an SDR dongle.

Sadly, the days of companies like DJI standing up against the anti-copter talking points seem to be over, Now they’re setting an example on how devices can subvert their owners’ privacy without reservation. Looks like it’s up to hackers on the frontlines to learn how to excise DroneID, just like we’ve done with the un-nuanced RF power limitations, or the DJI battery DRM, or transplanting firmware between hardware-identical DJI flight controller models.

Continue reading “Loudmouth DJI Drones Tell Everyone Where You Are” →

Showing the dock PCB with a Pi Zero attached and wired up onto it

Is Your USB-C Dock Out To Hack You?

March 26, 2023 by Arya Voronova 20 Comments

In today’s installment of Betteridge’s law enforcement, here’s an evil USB-C dock proof-of-concept by [Lachlan Davidson] from [Aura Division]. We’ve seen malicious USB devices aplenty, from cables and chargers to flash drives and even suspicious USB fans. But a dock, however, is new. The gist is simple — you take a stock dock, find a Pi Zero W and wire it up to a USB 2.0 port tapped somewhere inside the dock. Finding a Pi Zero is unquestionably the hardest part in this endeavor — on the software side, everything is ready for you, just flash an SD card with a pre-cooked malicious image and go!

On the surface level, this might seem like a cookie-cutter malicious USB attack. However, there’s a non-technical element to it; USB-C docks are becoming more and more popular, and with the unique level of convenience they provide, the “plug it in” temptation is much higher than with other devices. For instance, in shared workspaces, having a USB-C cable with charging and sometimes even a second monitor is becoming a norm. If you use USB-C day-to-day, the convenience of just plugging a USB-C cable into your laptop becomes too good to pass up on.

This hack doesn’t exactly use any USB-C specific technical features, like Power Delivery (PD) – it’s more about exploiting the convenience factor of USB-C that incentivizes you to plug a USB-C cable in, amplifying an old attack. Now, BadUSB with its keystroke injection is no longer the limit — with a Thunderbolt-capable USB-C dock, you can connect a PCIe device to it internally and even get access to a laptop’s RAM contents. Of course, fearing USB-C cables is not a viable approach, so perhaps it’s time for us to start protecting from BadUSB attacks on the software side.

Picture of the miniJen structure on a presentation desk

A Jenkins Demo Stand For Modern Times

March 24, 2023 by Arya Voronova 7 Comments

Once you’re working on large-scale software projects, automation is a lifesaver, and Jenkins is a strong player in open-source automation – be it software builds, automated testing or deploying onto your servers. Naturally, it’s historically been developed with x86 infrastructure in mind, and let’s be fair, x86 is getting old. [poddingue], a hacker and a Jenkins contributor, demonstrates that Jenkins keeps up with the times, with a hardware demo stand called miniJen, that has Jenkins run on three non-x86 architectures – arm8v (aarch64), armv7l and RISC-V.

There’s four SBCs of different architectures involved in this, three acting as Jenkins agents executing tasks, and one acting as a controller, all powered with a big desktop PSU from Pine64. The controller’s got a bit beefier CPU for a reason – at FOSDEM, we’ve seen it drive a separate display with a Jenkins dashboard. It’s very much a complete demo for its purpose, and definitely an eyecatcher for FOSDEM attendees passing by the desk! As a bonus, there’s also a fascinating blog post about how [poddingue] got to running Jenkins on RISC-V in particular.

Even software demonstrations get better with hardware, and this stood out no doubt! Looking to build a similar demo, or wondering how it came together? [poddingue] has blog posts on the demo’s structure, a repo with OpenSCAD files, and a trove of videos demonstrating the planning, design and setup process. As it goes with continuous integrations, we’ve generally seen hackers and Jenkins collide when it comes to build failure alerts, from rotating warning lights to stack lights to a Christmas tree; however, we’ve also seen a hacker use it to keep their firmware size under control between code changes. And, if you’re wondering what continuous integration holds for you, here’s our hacker-oriented deep dive.