In a feat of over-engineering, [Everett Bradford] hacked his power bank to add a power monitor with an OLED display that shows live current, voltage, temperature, and capacity information. The idea came when he learned about the INA219 chip. The INA219 is a current shunt and power monitor IC with an I²C or SMBus compatible interface. The device is able to monitor both the shunt voltage drop and the bus supply voltage, with programmable conversion times and filtering. A programmable calibration value, combined with an internal multiplier, enables direct readouts of current in amperes. An additional multiplying register calculates power in watts.
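As an added illustration, not code from [Everett]'s project, the register arithmetic described above worked through in Python using the INA219 datasheet equations; the 0.1 Ω shunt and the 100 µA per bit current LSB are assumed values, chosen for a roughly 3.2 A full-scale range:

```python
# INA219 register arithmetic from the datasheet, kept in integer micro-units so
# the results are exact. Shunt, current and power registers are signed 16-bit;
# the bus voltage register holds a 13-bit reading in bits 15..3 plus two flags.
SHUNT_LSB_UV = 10          # shunt voltage register: 10 uV per bit
BUS_LSB_MV = 4             # bus voltage register: 4 mV per bit (after >> 3)
BUS_OVF_BIT = 0x1          # math overflow flag: current/power are invalid
BUS_CNVR_BIT = 0x2         # conversion ready flag


def calibration_value(current_lsb_ua, shunt_mohm):
    """Cal = trunc(0.04096 / (Current_LSB * R_shunt)); Current_LSB is chosen as
    a round number near Max_Expected_Current / 2**15 (100 uA here, assumed)."""
    return 40_960_000 // (current_lsb_ua * shunt_mohm)


def signed16(raw):
    return raw - 0x10000 if raw & 0x8000 else raw


def shunt_voltage_uv(raw):
    return signed16(raw) * SHUNT_LSB_UV


def bus_voltage_mv(raw):
    return (raw >> 3) * BUS_LSB_MV


def current_ua(raw_current_reg, current_lsb_ua):
    return signed16(raw_current_reg) * current_lsb_ua


def power_uw(raw_power_reg, current_lsb_ua):
    # The power LSB is fixed by the chip at 20 x Current_LSB.
    return raw_power_reg * 20 * current_lsb_ua


def simulate_chip(raw_shunt, raw_bus, cal):
    """What the INA219 itself loads into its Current and Power registers
    (datasheet equations), so the host can cross-check what it reads back."""
    if raw_bus & BUS_OVF_BIT:
        return None  # calibration or current out of range: readings are invalid
    current_reg = (signed16(raw_shunt) * cal) // 4096
    power_reg = (current_reg * (raw_bus >> 3)) // 5000
    return current_reg, power_reg


if __name__ == "__main__":
    cal = calibration_value(100, 100)        # 100 uA/bit, 0.1 ohm shunt -> 4096
    raw_shunt = 1000                         # constructed: 10 mV drop across the shunt
    raw_bus = (3000 << 3) | BUS_CNVR_BIT     # constructed: 12.000 V on the bus
    current_reg, power_reg = simulate_chip(raw_shunt, raw_bus, cal)
    print(cal, current_ua(current_reg, 100), bus_voltage_mv(raw_bus), power_uw(power_reg, 100))
```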
With impressive miniaturization skills, [Everett] disassembles the Xiaomi Mi power bank and manages to add a custom power monitoring module and an OLED display. Not only that, he replaced the four LEDs that served as battery level indicators, which actually drew more current than his board plus the display. While active, the board consumes about 8 mA. In sleep mode, it consumes less than 30 µA.
The 32×64 OLED display and the custom-made circuit were assembled and tightly fitted into the original case. The power bank now gives readings of the battery charge level in a small graph, plus numeric input/output current, voltage and temperature. The seamless integration of the display into the power bank makes it look like something that could perfectly well have come from a store. This is not your typical DIY power bank, nor a gigantic 64-cell power bank. It is a precise and careful modification of an existing product, adding value, functionality, and, dare I say it, style: an awesome hack!
We can see [Everett]'s process in the following video:
[Hanno Böck] recently uncovered a vulnerability in the Apache web server, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in an .htaccess file. Dubbed Optionsbleed, this vulnerability is a use-after-free error in Apache HTTP Server that causes the web server to return a corrupted Allow header in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.
Unlike the famous Heartbleed bug, Optionsbleed leaks only small chunks of memory and, more importantly, only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed information for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.
The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:
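As an added example, not from [Hanno]'s write-up: a small Python lint for the configuration pattern described above, flagging methods in <Limit> and <LimitExcept> sections that Apache does not know, plus a check that an Allow header value is a clean token list. The set of known methods is an assumption made for the example; compare it with the methods your build registers.

```python
import re

# Methods Apache's core registers out of the box (RFC 7231, RFC 5789, WebDAV);
# this list is an assumption made for the example, check it against your build.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION_CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE_CONTROL", "MERGE",
}

# Opening tag of a <Limit ...> or <LimitExcept ...> section; method names are
# whitespace separated and, per the Apache docs, case-sensitive.
LIMIT_RE = re.compile(r"^[ \t]*<(Limit|LimitExcept)[ \t]+([^>]*)>",
                      re.IGNORECASE | re.MULTILINE)

# RFC 7230 token characters: what a well-formed Allow header item may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def find_unknown_limit_methods(htaccess_text):
    """Return (line_number, directive, method) for every method in a Limit
    section that Apache does not know, the pattern Optionsbleed was tied to."""
    findings = []
    for m in LIMIT_RE.finditer(htaccess_text):
        line_no = htaccess_text.count("\n", 0, m.start()) + 1
        for method in m.group(2).split():
            if method not in KNOWN_METHODS:
                findings.append((line_no, m.group(1), method))
    return findings


def allow_header_is_clean(value):
    """True when an Allow header value is a comma-separated list of plain
    tokens; stray bytes or control characters mean the value was corrupted."""
    items = [item.strip() for item in value.split(",")]
    return all(TOKEN_RE.match(item) for item in items)


# Constructed sample .htaccess: one valid section and two that get flagged.
SAMPLE_HTACCESS = """\
<Limit GET POST>
    Require valid-user
</Limit>
<Limit get>
    Require all denied
</Limit>
<LimitExcept GET abcxyz>
    Require all denied
</LimitExcept>
"""

if __name__ == "__main__":
    for line_no, directive, method in find_unknown_limit_methods(SAMPLE_HTACCESS):
        print(f"line {line_no}: <{directive}> uses unknown method {method!r}")
    print(allow_header_is_clean("GET,POST,OPTIONS,HEAD"))           # True
    print(allow_header_is_clean("GET,POST,OPTIONS,HEAD,\x00\x8f"))  # False
```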
Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting the Linux, Windows, Android and iOS operating systems. These vulnerabilities, alone or combined, can lead to privileged code execution on a target device. The only requirement is that Bluetooth is turned on. No user interaction is necessary to successfully exploit the flaws: the attacker does not need to pair with the target device, nor does the target device need to be paired with some other device.
The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.
A self-replicating worm that would spread and hop from one device to other nearby devices with Bluetooth turned on was mentioned by the researchers as something that could be done with some more work. That immediately reminds us of the BroadPwn vulnerability, in which the researchers implemented what is most likely the first WiFi-only worm. Although it is definitely a fun security exercise to code such a worm, it’s really a bad, bad idea… Right?…
Researchers from Exodus Intel recently published details on a flaw that exists in several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 billion devices, from Android to iPhone. Just to name a few at the top of the list:
Samsung Galaxy from S3 through S8, inclusive
All Samsung Note 3
Nexus 5, 6, 6X and 6P
All iPhones after iPhone 5
So how did this happen? And how does a bug affect so many different devices?
A smartphone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over to the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have considerable data processing power to handle all this work. Alas, with great power comes great responsibility.
All over the world, and in particular in underdeveloped countries, thousands of people die every year because of floods. The sudden rise of water levels often comes unannounced, and people have no time to react before they are caught in a bad spot. Developed countries commonly have measuring equipment deployed around problematic areas, but it is usually too expensive for third world countries to afford.
[Benne]'s project devises a low-cost, cloud-connected water level measuring station to allow remote and central water level monitoring by local authorities. He hopes that by being able to monitor water levels in a more precise and timely fashion, authorities can act sooner to warn potentially affected areas and increase the chance of saving lives in case of a natural disaster.
At the moment, the project is still at an early stage, as they are testing different sensors to figure out which would work best in different scenarios. The latest version consists essentially of an Arduino UNO, an ultrasonic distance sensor, and a DHT temperature/humidity sensor to provide calibration, since these characteristics affect the speed of sound. Some years ago, we covered a simple water level monitor using a Parallax Ping sensor, but back then the IoT and the ‘cloud’ weren’t nearly as fashionable. They also tested infrared sensors and a rotary encoder.
They made a video of the rotary encoder, which we can see below:
A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mailbox last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is a USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.
The Lite version is really small; besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and an LED, which indicates when the script has finished running.
The Elite version is bigger, comes with a Micro-SD card reader and four DIP switches, which allow the user to choose which script to run from the card. It also has the LED, which indicates when a script has finished running. This allows the user to burn the firmware only once and then program the keystroke injection scripts that are stored on the Micro-SD card, in contrast to the Lite version, which needs to be flashed each time a user wants to run a different script.
These are the two Malduinos, and because they are programmed straight from the Arduino IDE, every feature I just mentioned can be re-programmed, re-purposed or dropped altogether. You can buy one and just choose to use it like a ‘normal’ Arduino, although there are not a lot of pins to play around with. This freedom was one of the first things I liked about it and actually drove me to participate in the crowd-funding campaign. Read on for the full review.
We really don’t know if the world needs it, but we’re sure glad [johnnyq90] took the time to build one. We’re talking about a nitro-powered rotary tool. Based on a Kyosho GX-12 nitro engine, commonly used in R/C cars, [johnnyq90] machined almost all the other parts in his shop to make a really cool ‘Nitro-Dremel’. But success didn’t come on the first try.
The first prototype was made using a COX 049 engine, but the lack of proper lubrication caused damage to the crankshaft. Because of this setback, [johnnyq90] swapped it out for an O.S. Max 10 Aero engine he had lying around in the shop. That didn’t work out so well, as the engine was quite hard to start. On the third try he finally decided to use the 2.1 cc Kyosho GX-12 engine to power his 20,000 rpm tool. It is as noisy as one would expect and, from the videos, it seems quite powerful too: it easily pierces through an aluminium block, cuts steel like a breeze, and breezes through other less demanding feats.