This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple of certificate vulnerabilities, including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same name as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result.
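The compatibility-mode decision described above can be modelled in a few lines to see which users a rollout would lock out. This is an added example, not Microsoft's code: the class and function names and the sample accounts and SIDs are constructed, and `compatibility=False` stands for the stricter behaviour in which name-only mappings are refused outright. The third sample goes slightly beyond the text by showing a SID mismatch on a certificate named like a domain controller.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Account:
    name: str
    sid: str
    created: datetime          # when the AD account was created


@dataclass
class Certificate:
    common_name: str
    issued: datetime           # start of the certificate's validity
    sid: Optional[str] = None  # SID tied to the certificate; None = name-only mapping


def evaluate(cert: Certificate, acct: Account, compatibility: bool = True):
    """Return (allowed, reason) for a certificate logon as `acct`."""
    if cert.sid is not None:                       # strong mapping available
        if cert.sid == acct.sid:
            return True, "strong mapping"
        return False, "SID mismatch"
    if cert.common_name.lower() != acct.name.lower():
        return False, "no mapping"
    if not compatibility:                          # weak mapping no longer honoured
        return False, "weak mapping rejected"
    if cert.issued < acct.created:                 # certificate older than account
        return False, "certificate predates account"
    return True, "weak mapping (compatibility)"


def will_break(pairs, compatibility: bool = True):
    """Names of accounts whose certificate logon would be refused."""
    return [a.name for c, a in pairs if not evaluate(c, a, compatibility)[0]]


# Constructed inventory: a CAC issued before the account, an ordinary user,
# and a certificate whose name matches a domain controller but whose SID does not.
PAIRS = [
    (Certificate("jdoe", datetime(2021, 3, 1)),
     Account("jdoe", "S-1-5-21-1-1-1-1105", datetime(2021, 4, 15))),
    (Certificate("asmith", datetime(2022, 2, 1)),
     Account("asmith", "S-1-5-21-1-1-1-1106", datetime(2020, 1, 10))),
    (Certificate("DC01$", datetime(2022, 5, 1), sid="S-1-5-21-1-1-1-2201"),
     Account("DC01$", "S-1-5-21-1-1-1-1000", datetime(2019, 6, 1))),
]
```

Running `will_break(PAIRS)` against an export of real issuance and account-creation dates gives the list of users who need a strong mapping before the patch is deployed.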


Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
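A simplified model of the counter rewind described above, added here as an illustration and not taken from either researcher's write-up or from any vehicle firmware. The HMAC-based code generator, the window size and the rule that two consecutive stale codes trigger a resync are assumptions of this model. It contrasts a receiver that lets stale codes rewind its counter with one that only ever moves forward.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and receiver
WINDOW = 16                    # how far ahead of its counter the receiver looks


def code(counter: int) -> str:
    """Rolling code for a counter value (HMAC is this model's stand-in PRNG)."""
    mac = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]


class Receiver:
    def __init__(self, rewind_on_resync: bool):
        self.counter = 0            # highest counter accepted so far
        self.rewind = rewind_on_resync
        self.last_old = None        # previous stale counter seen (flawed path only)

    def _find(self, received: str, lo: int, hi: int):
        for n in range(lo, hi + 1):
            if hmac.compare_digest(code(n), received):
                return n
        return None

    def receive(self, received: str) -> bool:
        n = self._find(received, self.counter + 1, self.counter + WINDOW)
        if n is not None:           # fresh code: accept and move forward
            self.counter, self.last_old = n, None
            return True
        if self.rewind:             # flawed: consecutive stale codes count as a resync
            n = self._find(received, 1, self.counter)
            if n is not None and self.last_old is not None and n == self.last_old + 1:
                self.counter, self.last_old = n, None
                return True
            self.last_old = n
        return False                # hardened: stale codes are never honoured


def replay_demo(rewind_on_resync: bool):
    rx = Receiver(rewind_on_resync)
    captured = [code(n) for n in range(1, 6)]        # codes 1..5 observed earlier
    for c in captured:
        rx.receive(c)                                # legitimate presses, counter -> 5
    results = [rx.receive(c) for c in captured[:3]]  # same codes seen again later
    return results, rx.counter
```

With `rewind_on_resync=True` the counter falls back from 5 to 3 and old codes become acceptable again; with `False` every replayed code is refused and the counter stays at 5.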

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these affected Honda cars might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.

Badges Of 2022: BornHack

While the rest of the world’s hacker camps shut their doors through the pandemic, there was one which managed, through a combination of careful planning and strict observation of social distancing, to keep going. The Danish hacker community gathers every August for BornHack, a small and laid-back event in a forest on the isle of Fyn that has us coming back for more every year. They always have an interesting badge thanks to the designs of [Thomas Flummer], and this year looks to be no exception as they’ve dropped some details of the upcoming badge.

In short, it’s a beautifully designed hand-held games console with a colour screen, powered by the ubiquitous-in-the-chip-shortage RP2040 microcontroller. On board are the usual interfaces and a prototyping area plus CircuitPython for easy coding, and we expect it to sprout some addictive and playable gaming action. It’s the sort of PCB that we could imagine coming as a product from the likes of Pimoroni, but for now the only way to get your hands on one is to go to the event. We’ll bring you a review when we have one. Meanwhile you can take a look at a previous year’s badge.

LoRa Helps With Remote Water Tank Level Sensing

[Renzo Mischianti]’s friend has to keep a water tank topped up. Problem is, the tank itself is 1.5 km away, so its water level isn’t typically known. There’s no electricity available there either — whichever monitoring solution is to be used, it has to be low-power and self-sufficient. To help with that, [Renzo] is working on a self-contained automation project, with a solar-powered sensor that communicates over LoRa, and a controller that receives the water level readings and powers the water pump when needed.

[Renzo] makes sure to prototype every part using shields and modules before committing to a design, and has already written and tested code for both the sensor and the controller, as well as created the PCBs. He’s also making sure to document everything as he goes – in fact, there are a whole seven blog posts on this project, covering the already completed software, PCB and 3D design stages.

These worklogs have plenty of explanations and pictures, and [Renzo] shows a variety of different manufacturing techniques and tricks for beginners along the way. The last blog post on 3D designing and printing the sensor enclosure was recently released, and that likely means we’ll soon see a post about this system being installed and tested!

[Renzo] has been in the “intricately documented worklogs” business for a while. We’ve covered his 3D printed PCB mill and DIY soldermask process before, and recently he was seen adding a web interface to a 3D printer missing one. As for LoRa, there are plenty of sensors you can build – be it mailbox sensors, burglar alarms, or handheld messengers; and now you have one more project to draw inspiration and knowledge from. [Renzo] has previously done a LoRa tutorial to get you started, and we’ve made one about LoRaWAN!


A Mostly Fair Deal For All With A Raspberry Pi

To be a professional card dealer takes considerable skill, something that not everybody might even have the dexterity to acquire. Fortunately even for the most ham-fisted of dealers there’s a solution, in the form of the Dave-O-matic, [David Stern]’s automated card dealer using a Raspberry Pi 4 with a camera and pattern recognition.

It takes the form of a servo-controlled arm with a sucker on the end, which is able to pick up the cards and present them to the camera. They can then be recognized by value, and pre-determined hands can be dealt or alternatively a random hand. It seems that the predetermined hands aren’t an aid in poker cheating, but a part of the bridge player’s art. You can see it in action in the video below the break.

We like the project, but sadly at this point we must take [Dave] to task, because while tantalizing us with enough detail to get us interested, he’s slammed the door in our faces by failing to show us the code. It would be nice to think that the clamor from disaffected Hackaday readers might spur him into throwing us a crumb or two.

It probably won’t surprise you to find that this isn’t the first Raspberry Pi to find itself dealing cards.


Trying Out A 3D Printed Microscope Lens Adapter

If you want to take pictures of tiny things close up, you need a macro lens. Or a microscope. [Nicholas Sherlock] thought “Why not both?” He designed a 3D-printed microscope lens adapter that you can find on Thingiverse. Recently, [Micael Widell] tried it out with a microscope lens and you can see the results in the video below.

A $20 microscope lens allows for some amazing shots. There are two designs that fit different cropped-image and full-frame cameras. As you might expect, the depth of field is razor-thin, probably sub-millimeter. Additionally, with a 4X lens on a 35 mm sensor, the field of view is about 9 mm so you have to have a steady hand just to keep everything in frame.


ESP32 Powers Fresh Take On An IoT Geiger Counter

Over the years we’ve covered many projects aimed at detecting elevated radiation levels, and a fair number of them have been Internet connected in some way. But as they are often built around the Soviet-era SBM-20 Geiger–Müller tube, these devices have generally adhered to a fairly conservative design. With the current situation in Europe heightening concerns over potential radiation exposure, [g3gg0] thought it was as good a time as any to revisit the idea of an Internet-connected Geiger counter using more modern components.

Now to be clear, even this modernized approach still makes use of that same SBM-20 tube. There’s such an incredible wealth of information floating around out there about how to work with them that you’d almost put yourself at a disadvantage to choose something else to base your design on. Put simply, it’s hard to go wrong with a classic.

An unfortunate bug was discovered in the HV circuit.

That said, [g3gg0] decided early on that the design would use as many SMD components as possible, a considerable departure from many of the SBM-20 counters we’ve seen. That meant coming up with a new high-voltage power supply capable of providing the tube with the necessary 400 V, which from the sound of things, took a few attempts to complete. The final result is perhaps the smallest and cleanest looking board we’ve ever seen play host to this particular tube.

To run the show, [g3gg0] selected the ESP32-PICO-D4. You certainly don’t need such a powerful microcontroller to read the impulses from the SBM-20 tube and publish them via MQTT, but to be fair, the chip has a number of other duties. It’s handling the WS2812 RGB LEDs that go off in response to detected particles, running the (apparently optional) 2.9 inch WaveShare electronic paper display, and also pulling data from a BME280 environmental sensor as well as a CCS811 VOC sensor — so it’s keeping fairly busy.

As impressive as this build is, we do hate that it had to be built. From certain world leaders dropping casual comments about the strength of their nuclear arsenal to foolhardy attempts to capture the Chernobyl power station, having access to a reliable Geiger counter isn’t an unreasonable precaution right now. For everyone’s sake, let’s hope the fancy RGB LEDs on this particular build remain as dark as possible.
