Fooling Samsung Galaxy S8 Iris Recognition

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

First Look at ABC: Basic Connections

[Alberto Piganti], aka [pighixxx] has been making circuit diagram art for a few years now, and has just come out with a book that’s available on Kickstarter. He sent us a copy to review, and we spent an hour or so with a refreshing beverage and a binder full of beautiful circuit diagrams. It doesn’t get better than that!

[pighixxx] started out making very pretty and functional pinout diagrams for a number of microcontrollers, and then branched out to modules and development boards like the Arduino and ESP8266. They’re great, and we’ll admit to having a printout of his SMD ATMega328 and the ESP-12 on our wall. His graphical style has been widely copied, which truly is the sincerest form of flattery.

But after pinouts, what’s next? Fully elaborated circuit diagrams, done in the same style, of course. “ABC: Basic Connections” started out life as a compendium of frequently used sub-circuits in Arduino projects. But you can take “Arduino” with a grain of salt — these are all useful for generic microcontroller-based projects. So whether you want to drive a 12 V solenoid from a low-voltage microcontroller, drive many LEDs with shift registers, or decode a rotary encoder, there is a circuit snippet here for you.

A Few of Our Favorite Chips: 4051 Analog Mux

Raindrops on roses, and whiskers on kittens? They’re alright, I suppose. But when it comes down to it, I’d probably rather have a bunch of 4051, 4052, and 4053 analog multiplexers on the component shelf. Why? Because the ability to switch analog signals around, routing them at will, under control of a microcontroller is tremendously powerful.

Whether you want to read a capacitive-sensing keyboard or just switch among audio signals, nothing beats a mux! Read on and see if you agree.

The Long Tail of DIY Electronics

These are the Golden Years of electronics hacking. The home DIY hacker can get their hands on virtually any part that he or she could desire, and for not much money. Two economic factors underlie this Garden of Electronic Eden that we’re living in. Economies of scale make the parts cheap: when a factory turns out the same MEMS accelerometer chip for hundreds of millions of cell phones, their setup and other fixed costs are spread across all of these chips, and a $40 million factory ends up only costing $0.50 per unit sold.

But the unsung hero of the present DIY paradise is how so many different parts are available, and from so many different suppliers, many of them on the other side of the globe. “The Internet” you say, as if that explains it. Well, that’s not wrong, but it’s deeper than that. The reason that we have so much to choose from is that the marginal cost of variety has fallen, and with that many niche products and firms have become profitable where before they weren’t.

So let’s take a few minutes to sing the praises of the most important, and sometimes overlooked, facet of the DIY economy over the last twenty years: the falling marginal cost of variety.

Javascript Art is in the URL

[Alexander Reben] makes tech art, and now he’s encouraging you to do the same — within a URL. The gimmick? Making the code small enough to fit the data portion of a link. And to help with that, he has set up a webpage that uncompresses and wraps code from the URL and inserts it into the HTML on the fly. His site essentially applies or un-applies all the tricks of JS minification in the URL, and turns that into content.

So, for instance, https://4QR.xyz/c/?eJzzSM3JyVcIzy_KSVEEABxJBD4 uncompresses to a webpage that says “Hello World!”. But the fun really starts when you start coding up “art” in Javascript or HTML5. There are a few examples up in the gallery right now, but [Alexander] wants you to contribute your own. The banner is from this link.

Something strikes us as fishy about passing JS code opaquely in links, but since the URL decodes on [Alexander]’s server, we don’t see the XSS attack just yet. If you can find the security problem with this setup, or better yet if you write up a nice animation, let us know in the comments.

How a Hacker Remembers a PIN

If you have more than a few bank cards, door-entry keycodes, or other small numeric passwords to remember, it eventually gets to be a hassle. The worst, for me, is a bank card for a business account that I use once in a blue moon. I probably used it eight times in five years, and then they gave me a new card with a new PIN. Sigh.

Quick, What’s My PIN?

How would a normal person cope with a proliferation of PINs? They’d write down the numbers on a piece of paper and keep it in their wallet. We all know how that ends, right? A lost wallet and multiple empty bank accounts. How would a hacker handle it? Write each number down on the card itself, but encrypted, naturally, with the only unbreakable encryption scheme there is out there: the one-time pad (OTP).

The OTP is an odd duck among encryption methods. It’s meant to be decrypted in your head, but as long as the secret key remains safe, it’s rock solid. If you’ve ever tried to code up the s-boxes and all that adding, shifting, and mixing that goes on with a normal encryption method, OTPs are refreshingly simple. The tradeoff is a “long” key, but an OTP is absolutely perfect for encrypting your PINs.

The first part of this article appears to be the friendly “life-hack” pablum that you’ll get elsewhere, but don’t despair, it’s also a back-door introduction to the OTP. The second half dives into the one-time pad with some deep crypto intuition, some friendly math, and hopefully a convincing argument that writing down your encrypted PINs is the right thing to do. Along the way, I list the three things you can do wrong when implementing an OTP. (And none of them will shock you!) But in the end, my PIN encryption solution will break one of the three, and remain nonetheless sound. Curious yet? Read on.

DIY Tiny Single-PCB Synthesizer

[Jan Ostman] has been pushing the limits of sound synthesis on the lowly AVR ATMega microcontrollers, and his latest project is so cute that we just had to write it up. The miniTS shares the same basic sound-generation firmware with his previous TinyTS, which we’ve covered here before, but adds a lot more keys, an OLED, and MIDI, while taking away some of the knobs.

Both feature keyboards that are just copper pads placed over a ground plane, and the code does simple capacitive-sensing to figure out if they’re being touched or not. The point here is that you could pick up a PCB from [Jan] on the cheap, and experiment around with the code. Or you could just take the code and make a less refined version for yourself with a cheapo Arduino and some copper plates.

Either way, we like the combination of minimal materials and maximum tweakability, and think it’s cool that [Jan] shares the code, if not also the PCB designs. Anyone with PCB layout practice could get a clone worked up in an afternoon, although it’s going to be cheaper to get these made in bulk, and you’re probably better off just buying one from [Jan].