Seek Out Scammers With Skimmer Scanner

Last week we reported on some work that Sparkfun had done in reverse engineering a type of hardware card skimmer found installed in gasoline pumps incorporating card payment hardware. The device in question performed a man-in-the-middle attack: a PIC microcontroller programmed to listen to the serial communications between card reader and pump computer, and then store the result in an EEPROM.

The devices featured a Bluetooth module through which the crooks could harvest the card details remotely, and this in turn provides a handy way to identify them in the wild. If you find a Bluetooth connection at the pump bearing the right identification and with the right password, it can then be fingered as a skimmer by a simple response test. And to make that extra-easy they had written an app, which when we reported on it was available from a GitHub repository.

In a public-spirited move, they are now calling upon the hardware hacker and maker community to come together today, Monday, September 25th, and draw as much attention as possible to these devices in the wild, and with luck to get a few shut down. To that end, they have put a compiled version of the app in the Google Play Store to make it extra-easy to install on your phone, and they are asking for your help. They are asking for people to first read their tutorial linked above, then install the app and take it on the road. Then should any of you find a skimmer, please Tweet about it including your zip code and the #skimmerscanner hashtag. Perhaps someone with a bit of time on their hands might like to take such a feed of skimmer location data and map it.

It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway.

Gasoline pump image: Michael Rivera [CC BY-SA 3.0].

SCiO “Pocket Molecular Scanner” Teardown

Some of you may remember the SCiO, originally a Kickstarter darling back in 2014 that promised people a pocket-sized micro spectrometer. It was claimed to be able to scan and determine the composition of everything from fruits and produce to your own body. The road from successful crowdsourcing to production was uncertain and never free from skepticism regarding the promised capabilities, but the folks at [Sparkfun] obtained a unit and promptly decided to tear it down to see what was inside, and share what they found.

The main feature inside the SCiO is the optical sensor, which consists of a custom-made NIR spectrometer. By analyzing the different wavelengths that reflect off an object, the unit can make judgments about what the object is made of. The SCiO was clearly never built to be disassembled, but [Sparkfun] pulls everything apart and provides some interesting photos of a custom-made optical unit with an array of different sensors, various filters, apertures, and a microlens array.

It’s pretty interesting to see inside the SCiO’s hardware, which unfortunately required destructive disassembly of the unit in question. The basic concept of portable spectroscopy is solid, as shown by projects such as the Farmcorder which is intended to measure plant health, and the DIY USB spectrometer which uses a webcam as the sensor.

A 3D Scanner That Archimedes Could Get Behind

3D-scanning seems like a straightforward process — put the subject inside a motion control gantry, bounce light off the surface, measure the reflections, and do some math to reconstruct the shape in three dimensions. But traditional 3D-scanning isn’t good for subjects with complex topologies and lots of nooks and crannies that light can’t get to. Which is why volumetric 3D-scanning could become an important tool someday.

As the name implies, volumetric scanning relies on measuring the change in volume of a medium as an object is moved through it. In the case of [Kfir Aberman] and [Oren Katzir]’s “dip scanning” method, the medium is a tank of water whose level is measured to a high precision with a float sensor. The object to be scanned is dipped slowly into the water by a robot as data is gathered. The robot removes the object, changes the orientation, and dips again. Dipping is repeated until enough data has been collected to run through a transformation algorithm that can reconstruct the shape of the object. Anywhere the water can reach can be scanned, and the video below shows how good the results can be with enough data. Full details are available in the PDF of their paper.

While optical 3D-scanning with the standard turntable and laser configuration will probably be around for a while, dip scanning seems like a powerful method for getting topological data using really simple equipment.

Thanks to [bmsleight] for the tip.

Old Chart Recorder Becomes Single-Pixel Scanner

With so many ways to capture images from paper, do we really need another one? Especially one that takes 15 minutes to capture a 128×128 pixel image? Probably not, but building a single-pixel RGB scanner is pretty instructive, and good clean fun to boot.

We have to admit that when [Kerry Wong] scored an ancient Hewlett-Packard X-Y chart recorder a while back, we wondered if it would lead to anything useful. One may quibble with the claim that the Lorenz attractor plotter he built with it is useful, and this single pixel scanner is equally suspect, but we like the idea. Using an Arduino to drive the X- and Y-axis of the recorder through a raster pattern over the bed and replacing the pen with an RGB sensor board, [Kerry] was able to collect the color data for each pixel and reconstruct the image. It wouldn’t be too hard to replicate this if you don’t have an analog X-Y recorder, which just goes to show that not everything needs to be steppers and digital to get something useful done. Or at least semi-useful.

As for the RGB sensor used, they’ve made appearances here many times before, mostly in M&M sorters but with the occasional synesthesia simulator.

Dropping Zip Bombs On Vulnerability Scanners

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s ShmooCon for cathartic tales of revenge.
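The flip side, for anyone writing an HTTP client or crawler that accepts gzip bodies: cap the inflated size while streaming instead of trusting the compressed length. The sketch below is an added example, not code from [Christian]'s post; the function names, the 1 MiB default cap, and the scaled-down 8 MiB sample payload are assumptions made for illustration.

```python
import gzip
import zlib

class DecompressionLimitExceeded(Exception):
    """The gzip stream would inflate past the caller's cap."""

def bounded_gunzip(chunks, max_output=1 << 20):
    """Inflate gzip data arriving as an iterable of byte chunks, never
    holding more than max_output + 1 decompressed bytes in memory."""
    # 16 + MAX_WBITS makes zlib expect a gzip header and trailer.
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data and not inflater.eof:
            # Request one byte more than the remaining budget so an overrun
            # shows up without inflating the rest. The value is always >= 1,
            # which matters because max_length=0 means "no limit".
            budget = max_output - len(out) + 1
            out += inflater.decompress(data, budget)
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"output exceeds {max_output} bytes; stream abandoned")
            data = inflater.unconsumed_tail
        if inflater.eof:
            break
    out += inflater.flush()
    if len(out) > max_output:
        raise DecompressionLimitExceeded(
            f"output exceeds {max_output} bytes; stream abandoned")
    return bytes(out)

def chunked(blob, size=4096):
    """Split a byte string into network-sized reads."""
    return (blob[i:i + size] for i in range(0, len(blob), size))

def demo():
    # Constructed sample: 8 MiB of zeroes, a scaled-down stand-in for the
    # 10 GB payload described above so the example runs quickly.
    bomb = gzip.compress(b"\0" * (8 << 20))
    try:
        bounded_gunzip(chunked(bomb), max_output=1 << 20)
        verdict = "inflated"
    except DecompressionLimitExceeded:
        verdict = "rejected"
    return len(bomb), verdict

if __name__ == "__main__":
    print(demo())
```

The stream is abandoned as soon as the cap is crossed, so the client pays for roughly 1 MiB of memory rather than the full inflated size.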

Visual Scanner Turns Obstacles Into Braille

This interesting project out of MIT aims to use technology to help visually impaired people navigate through the use of a haptic feedback belt, chest-mounted sensors, and a braille display.

The belt consists of vibration motors controlled by what appears to be a Raspberry Pi (for the prototype anyway) with a distance sensor and camera connected as well. The core algorithm is designed to take input from the camera and distance sensors to compute the distance to obstacles, and to buzz the right motor to alert the user — fairly expected stuff. However, the project has a higher goal: to assist in identifying and using chairs.

Aiming to detect the seat and arms, the algorithm looks for three horizontal surfaces near each other, taking extra care to ensure the chair isn’t occupied. The study found that, used in conjunction with a cane, the system noticeably helped users navigate through realistic environments, as measured by minor and major collisions. Users recorded dramatically fewer collisions as compared to using the system alone or the cane alone. The project also calls for a belt-mounted braille display to relay more complicated information to the user.

We at HaD have followed along with several braille projects, including a refreshable braille display, a computer with a braille display and keyboard, and this braille printer.

Simple Scanner Finds The Best WiFi Signal

Want to know which way to point your WiFi antenna to get the best signal? It’s a guessing game for most of us, but a quick build of a scanning WiFi antenna using mostly off-the-shelf components could point you in the right direction.

With saturation WiFi coverage in most places these days, optimizing your signal might seem like a pointless exercise. And indeed it seems [shawnhymel] built this more for fun than for practical reasons. Still, we can see applications where a scanning Yagi-Uda antenna would come in handy. The build started with a “WiFi divining rod” [shawnhymel] created from a simple homebrew Yagi-Uda and an ESP8266 to display the received signal strength indication (RSSI) from a specific access point. Tired of manually moving the popsicle stick and paperclip antenna, he built a two-axis scanner to swing the antenna through a complete hemisphere.

The RSSI for each point is recorded, and when the scan is complete, the antenna swings back to the strongest point. Given the antenna’s less-than-perfect directionality — [shawnhymel] traded narrow beam width for gain — we imagine the “strongest point” is somewhat subjective, but with a better antenna this could be a handy tool for site surveys, automated radio direction finding, or just mapping the RF environment of your neighborhood.

Yagi-Uda antennas and WiFi are no strangers to each other, whether it be a WiFi sniper rifle or another recycling bin Yagi.  Of course this scanner isn’t limited to WiFi. Maybe scanning a lightweight Yagi for the 2-meter band would be a great way to lock onto the local Ham repeater.
